Another WinFixer2005 victim [RESOLVED]



#1 scottmetal666 (Member, 34 posts)
As stated in the topic, I have that nasty WinFixer thing. My wife said she went into the registry and deleted something with 'winfixer' in it (flinch), and this actually has resulted in the program not being able to install, but it now appears 4 times in the taskbar on each start-up, attempting to install. I have run all the automated malware removal programs suggested, and have SP1a (I'm fairly sure of this, or at least SP2) before these problems occurred. Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:16:39 PM, on 8/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\UWFX5LP_0001_0715NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0721NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\WINDOWS\System32\n?tdde.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\sdpasvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\nrpn\osoa.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\PROGRA~1\mcafee.com\mps\POPUPK~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_1_6_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0715] "C:\WINDOWS\Downloaded Program Files\CONFLICT.8\UWFX5LP_0001_0715NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0721] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0721NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0802] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0803] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [Bkgfrxbp] C:\WINDOWS\System32\n?tdde.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Ncao] C:\Program Files\nrpn\osoa.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZSzeb029
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr...oad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net...tivex/AXSAL.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123713466406
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {885BB46A-3F1E-44C3-A01B-A7D9260CC98B} (InstallShield Update Service Setup Player) - http://updates.insta...AB/dwusplay.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,19/mcgdmgr.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...463/mcfscan.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} -
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\theresa\Local Settings\Temporary Internet Files\Content.IE5\8TKLQ7OX\cwshredder[1].exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\System32\sdpasvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Any help would be much appreciated. Thx in advance! :tazz:


#2 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Hi scott and welcome to GeeksToGo! My name is Excal and I will be helping you.

CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go to The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "UWFX5LP_0001_0802NetInstaller.exe"
  • Put a link to this geeks to go topic in the description box, and my name.
  • Then, next to the file box at the bottom, click the "browse" button and navigate to this file:

    • C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe
  • Press "Open".
  • Click "Post".


DOWNLOAD PROGRAMS


Please download Nailfix from Here.
Please do NOT run it yet.

Download and install CleanUp! Here. *NOTE* CleanUp! deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.


THE FIX


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Once in Safe Mode, please double-click on
Nailfix.exe on your desktop. Click next, then finished. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

5. Now open and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan, when it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

6. Close all browsers, windows and unneeded programs.

7. Open HijackThis and do a scan.

8. Put a Check next to the following items:

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0715] "C:\WINDOWS\Downloaded Program Files\CONFLICT.8\UWFX5LP_0001_0715NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0721] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0721NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0802] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0803] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Bkgfrxbp] C:\WINDOWS\System32\n?tdde.exe
O4 - HKCU\..\Run: [Ncao] C:\Program Files\nrpn\osoa.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} -
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


9. Click the Fix Checked box.

10. Please remove these entries from Add/Remove Programs in the Control Panel (if present):

MyWebSearch

11. Please remove the following folders using Windows Explorer (if present):

C:\Program Files\MyWebSearch
C:\Program Files\nrpn


12. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\Downloaded Program Files\CONFLICT.8\UWFX5LP_0001_0715NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0721NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe
C:\WINDOWS\dinst.exe


13. Run the program CleanUp!

14. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

15. Please post the ActiveScan log, the Ewido scan log and a fresh HijackThis log. Let me know how your computer is running.
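The fix above ticks a handful of log entries by eye. As an added example (not from the thread and not HijackThis code), the script below turns the patterns behind those picks into rules and runs them over lines copied from the log in this thread; the reason strings, the regexes and the sample excerpt are mine, and a real-file adware line such as the MyWebSearch hook is deliberately left uncaught to show where a heuristic stops and a known-bad list begins.

```python
"""Heuristic triage of HijackThis v1.99 log lines.

Added example, not part of the original thread and not HijackThis code.
The rules encode the kinds of entries the helper ticked in the fix above:
a Shell= value with an extra executable, orphaned CLSIDs, an O16 entry
with no name or URL, an unknown-owner service in the Windows folder, and
Run entries pointing at Downloaded Program Files, the Windows root, or a
file name with a character the console could not render. They are a
starting point for a human review, not a verdict: adware with a real file
on disk (the MyWebSearch line below) needs a known-bad list and is not
caught here.
"""
import re

# Lines copied from the log posted in this thread, plus clean ones for
# contrast. This constructed excerpt is the only input the script sees.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0803] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKCU\..\Run: [Bkgfrxbp] C:\WINDOWS\System32\n?tdde.exe
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} -
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# An executable sitting directly in C:\WINDOWS (no subfolder), optionally
# quoted, optionally followed by arguments.
WINDOWS_ROOT_EXE = re.compile(
    r'^"?[A-Za-z]:\\WINDOWS\\[^\\"]+\.exe"?(\s|$)', re.IGNORECASE)

# O4 - HKLM\..\Run: [Name] <command>; Global Startup lines have no
# brackets and yield '', so their "= ?" marker is never mistaken for a
# file name containing '?'.
O4_COMMAND = re.compile(r'^O4 - .*?\[[^\]]*\]\s*(.*)$')


def o4_command(line):
    m = O4_COMMAND.match(line)
    return m.group(1) if m else ''


def classify(line):
    """Return a reason string if the line trips a heuristic, else None."""
    line = line.strip()
    if not line:
        return None
    # The shell value must be exactly Explorer.exe; anything appended to it
    # is started alongside the shell at every logon.
    m = re.match(r'^F2 - REG:system\.ini: Shell=(.*)$', line, re.IGNORECASE)
    if m:
        if m.group(1).strip().lower() != 'explorer.exe':
            return 'Shell= carries an extra executable'
        return None
    if line.startswith(('O2 - ', 'O9 - ', 'R3 - ')) and line.endswith('(no file)'):
        return 'orphaned CLSID, no file on disk'
    if line.startswith('O16 - DPF:') and line.endswith('-'):
        return 'O16 DPF entry with no name and no download URL'
    if line.startswith('O23 - Service:') and 'Unknown owner' in line:
        path = line.rsplit(' - ', 1)[-1]
        if WINDOWS_ROOT_EXE.match(path):
            return 'unknown-owner service directly in the Windows folder'
    if line.startswith('O4 - '):
        target = o4_command(line)
        if '?' in target:
            return 'Run entry file name contains an unrenderable character'
        if 'downloaded program files' in target.lower():
            return 'startup program run from Downloaded Program Files'
        if WINDOWS_ROOT_EXE.match(target):
            return 'startup executable directly in the Windows folder'
    return None


def triage(log_text):
    """Return [(reason, line)] for every line that trips a rule, in order."""
    hits = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            hits.append((reason, line.strip()))
    return hits


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print("%-58s %s" % (reason, line))
```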

#3 scottmetal666 (Topic Starter, Member, 34 posts)
Thx for the quick response Excal.

The file UWFX5LP_0001_0802NetInstaller.exe does not appear in the directory C:\WINDOWS\Downloaded Program Files when I browse using the Spy Killer forum as you instructed. Please advise as to my next course of action.

EDIT: I double checked the instructions for viewing hidden files and I have everything checked correctly. One exception to these instructions is that there is no Yes option to select as indicated.

Edited by scottmetal666, 18 August 2005 - 07:00 PM.


#4 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Go ahead with the rest of the fix, thanks anyways :)

:tazz:

Excal

#5 scottmetal666 (Topic Starter, Member, 34 posts)
Hey, I ran the fix routine thru to normal mode and the [bleep] WinFixer2005 is gone so far! :tazz: Some of the things to check in the HJT log weren't there though ::shrugs::

I used the link to the ActiveScan website, but that program seems sorta lame, and suspect, to me. You sure that's something you need? I can't even check the progress on it, let alone do a complete system scan. I can try again later if it's necessary, plus uploading the ewido and new HJT logs too.

I also want to take this time to say that I WILL DONATE SOMETHING SOON!!! It may be a pittance, but I've done it before for other sites, and'll do it again! Thx so far Excal, you rule! \m/

#6 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Hey Scott,

"but that program seems sorta lame, and suspect, to me"


Panda Software runs ActiveScan; it's a trusted scanner :) I have had probably at least 500 people use it, no problems. I use it myself :) It's a very thorough scan.

You can try one of these if you feel more comfortable with them :)

HouseCall
Kaspersky

You can post the Ewido and HijackThis logs b4 the scan if you like :ph34r:

Thanks,

:tazz:

Excal

#7 scottmetal666 (Topic Starter, Member, 34 posts)
WinFixer2005 has reappeared... :) This thing is vicious, it seems....

Here's the new HJT log, Excal:


Logfile of HijackThis v1.99.1
Scan saved at 12:59:21 AM, on 8/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\n?tdde.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\sdpasvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\nrpn\osoa.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5LP_0001_0803NetInstaller.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\PROGRA~1\mcafee.com\mps\POPUPK~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_1_6_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0803] "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5LP_0001_0803NetInstaller.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [Bkgfrxbp] C:\WINDOWS\System32\n?tdde.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Ncao] C:\Program Files\nrpn\osoa.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZSzeb029
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr...oad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net...tivex/AXSAL.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123713466406
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {885BB46A-3F1E-44C3-A01B-A7D9260CC98B} (InstallShield Update Service Setup Player) - http://updates.insta...AB/dwusplay.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,19/mcgdmgr.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...463/mcfscan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\theresa\Local Settings\Temporary Internet Files\Content.IE5\8TKLQ7OX\cwshredder[1].exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\System32\sdpasvc.exe

The Ewido txt log I had saved to the Desktop disappeared after reboot at some point. I swore I had it saved, but I guess not. I will have to wait until the next scan as this takes alotta time! Unless you know what directory the scans are saved in by default; that might work.

Anyways, same old WinFixer2005, though it's prompting to install again only once, but also using a "bait" window which I hadn't seen lately. Back to the drawing board? :tazz: EDIT: I can run ActiveScan or one of your other suggested on-line programs tomorrow and submit a log as well.

Edited by scottmetal666, 18 August 2005 - 11:07 PM.


#8 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Copy everything inside the quote box below (starting with dir) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

dir C:\WINDOWS\System32\n?tdde.exe /a h > files.txt
notepad files.txt


Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here along with a new HiJackThis log.

We will get it, no worries :)

:tazz:

Excal
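The findfile.bat above leans on the cmd.exe `?` wildcard: `dir n?tdde.exe` lists the genuine netdde.exe together with any file whose name differs from it in that one position, including one whose character the console prints as `?`. As an added example (not from the thread), the script below repeats that lookup in Python over a constructed listing and then generalises it to a whole baseline of protected names, reporting which character differs and whether it is outside ASCII; the Cyrillic character used for the impostor, the sizes other than those of netdde.exe and its double, and the PROTECTED list are assumptions for the example.

```python
"""Spot files that impersonate a legitimate system binary by one character.

Added example, not from the thread. The cmd.exe trick in findfile.bat is
'dir n?tdde.exe': the '?' matches exactly one character, so the real file
and its look-alike come out side by side, sizes and dates included. Here
the same pattern match is done with fnmatch, and then every listed name is
compared against a baseline of protected names so that any one-character
impostor is reported without knowing the pattern in advance.
"""
import fnmatch
import unicodedata

# Constructed listing (name, size in bytes). The two netdde sizes follow the
# findfile.bat output in this thread; the impostor here is assumed to use a
# Cyrillic small 'ie' (U+0435) where the genuine name has a Latin 'e', which
# the Windows console of the day rendered as '?'. The other entries are
# made up for contrast.
LISTING = [
    ("netdde.exe", 111104),
    ("n\u0435tdde.exe", 425984),
    ("svchost.exe", 14336),
    ("svch0st.exe", 40960),
    ("alg.exe", 44544),
]

# Baseline of names worth protecting; an assumed short list for the example.
PROTECTED = ["netdde.exe", "svchost.exe", "alg.exe", "lsass.exe"]


def dir_wildcard(listing, pattern):
    """Names matching a cmd-style pattern ('?' = any single character),
    compared case-insensitively the way dir does."""
    return [name for name, _ in listing
            if fnmatch.fnmatchcase(name.lower(), pattern.lower())]


def single_char_diff(a, b):
    """Index of the one differing position when a and b have the same length
    and differ in exactly one character, else None."""
    if len(a) != len(b):
        return None
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return diffs[0] if len(diffs) == 1 else None


def describe(ch):
    """Unicode character name, or a U+XXXX code point if it has none."""
    try:
        return unicodedata.name(ch)
    except ValueError:
        return "U+%04X" % ord(ch)


def find_lookalikes(listing, protected):
    """Return (suspect, imitated, offending char, char name, non_ascii, size)
    for every listed name that is one character away from a protected name.
    The genuine file itself is skipped so it is never reported."""
    hits = []
    for legit in protected:
        for name, size in listing:
            if name.lower() == legit.lower():
                continue
            pos = single_char_diff(name.lower(), legit.lower())
            if pos is None:
                continue
            ch = name[pos]
            hits.append((name, legit, ch, describe(ch), ord(ch) > 0x7F, size))
    return hits


if __name__ == "__main__":
    # The original findfile.bat lookup, then the generalised sweep.
    print(dir_wildcard(LISTING, "n?tdde.exe"))
    for suspect, legit, ch, name, non_ascii, size in find_lookalikes(LISTING, PROTECTED):
        print("%s imitates %s: char %r (%s, non-ASCII=%s), %d bytes"
              % (suspect, legit, ch, name, non_ascii, size))
```

The sweep flags an ASCII digit-for-letter swap (svch0st.exe) as well as the non-ASCII case, so the non_ascii field is what tells the two apart when deciding how the name got there.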

#9 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Along with the above post, can you do the following:


Copy everything in the box below and paste it into notepad. Go up to "File > Save As..." and click the drop-down box to change the "Save As Type" to "All Files". Save it as system32.bat on your desktop.


dir %WinDir%\system32\*.exe /a h /s > files2.txt
start notepad files2.txt


Double click system32.bat and when it is ready it will open files.txt
Copy the content of files.txt and paste it here.
  • 0
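As an added example, not part of Excal's instructions: a Python parser for the kind of `dir /a` listing that findfile.bat and system32.bat produce. It flags names that sit one character away from a legitimate binary in the same directory (the n?tdde.exe-beside-netdde.exe pattern) and names containing `?`, which `dir` prints for any character it cannot display in the console code page. The listing embedded in it is constructed from the lines posted in this thread; no real file system is read.

```python
"""Parse `dir /a` console output and flag look-alike executables."""
import re
from dataclasses import dataclass
from typing import List, Tuple, Optional

# Constructed sample, modelled on the findfile.bat output posted in this
# thread (dates and sizes copied from it; notepad.exe and svchost.exe added
# as benign neighbours). No real file system is read.
SAMPLE_LISTING = """\
 Volume in drive C has no label.
 Volume Serial Number is 4831-BFCC

 Directory of C:\\WINDOWS\\System32

08/04/2004  03:56 AM           111,104 netdde.exe
04/06/2005  08:36 AM           425,984 n?tdde.exe
08/04/2004  03:56 AM            69,120 notepad.exe
08/04/2004  03:56 AM            14,336 svchost.exe
               4 File(s)        620,544 bytes
"""

# One `dir` file row: date, time, size (or <DIR>), name.
_ENTRY_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$"
)
_DIR_HEADER_RE = re.compile(r"^\s*Directory of (.+?)\s*$")


@dataclass(frozen=True)
class FileEntry:
    directory: str
    name: str
    size: int
    date: str


def parse_dir_listing(text: str) -> List[FileEntry]:
    """Turn `dir` output into FileEntry records, skipping <DIR> rows and the
    volume / summary lines. The most recent 'Directory of' header is the
    directory each following row belongs to."""
    entries: List[FileEntry] = []
    current_dir = ""
    for line in text.splitlines():
        header = _DIR_HEADER_RE.match(line)
        if header:
            current_dir = header.group(1)
            continue
        m = _ENTRY_RE.match(line)
        if not m or m.group(3) == "<DIR>":
            continue
        date, _time, size, name = m.groups()
        entries.append(FileEntry(current_dir, name, int(size.replace(",", "")), date))
    return entries


def one_char_apart(a: str, b: str) -> bool:
    """True when two names have equal length and differ in exactly one position."""
    if len(a) != len(b):
        return False
    return sum(x != y for x, y in zip(a, b)) == 1


Finding = Tuple[str, str, str, Optional[str]]  # kind, directory, name, other name


def find_lookalikes(entries: List[FileEntry]) -> List[Finding]:
    """Report, per directory, file-name pairs one character apart, plus any
    name containing '?'. '?' is not a legal file-name character on Windows,
    so its presence in a listing means cmd could not render the real
    character, which is itself worth a look."""
    findings: List[Finding] = []
    by_dir: dict = {}
    for e in entries:
        by_dir.setdefault(e.directory, []).append(e)
    for directory, files in by_dir.items():
        for e in files:
            if "?" in e.name:
                findings.append(("undisplayable-char", directory, e.name, None))
        ordered = sorted(files, key=lambda f: f.name.lower())
        for i, a in enumerate(ordered):
            for b in ordered[i + 1:]:
                if one_char_apart(a.name.lower(), b.name.lower()):
                    findings.append(("lookalike", directory, a.name, b.name))
    return findings


if __name__ == "__main__":
    for kind, directory, name, other in find_lookalikes(parse_dir_listing(SAMPLE_LISTING)):
        print(f"{kind:18} {directory}\\{name}" + (f"  ~  {other}" if other else ""))
```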

#10
scottmetal666

scottmetal666

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Here's the requested findfile.bat and system32.bat texts, along with a fresh HJT log:

Volume in drive C has no label.
Volume Serial Number is 4831-BFCC

Directory of C:\WINDOWS\System32

08/04/2004 03:56 AM 111,104 netdde.exe
04/06/2005 08:36 AM 425,984 n?tdde.exe
2 File(s) 537,088 bytes

Directory of C:\Documents and Settings\theresa\Desktop

Volume in drive C has no label.
Volume Serial Number is 4831-BFCC

Directory of C:\WINDOWS\system32

08/04/2004 03:56 AM 183,808 accwiz.exe
08/04/2004 03:56 AM 4,096 actmovie.exe
08/04/2004 03:56 AM 98,304 ahui.exe
08/04/2004 03:56 AM 44,544 alg.exe
08/29/2002 07:00 AM 12,498 APPEND.EXE
08/29/2002 07:00 AM 19,456 ARP.EXE
08/04/2004 03:56 AM 30,208 asr_fmt.exe
08/29/2002 07:00 AM 32,256 ASR_LDM.EXE
08/04/2004 03:56 AM 32,768 asr_pfu.exe
07/29/2005 09:07 PM 73,728 asuninst.exe
08/04/2004 03:56 AM 25,088 at.exe
08/04/2004 03:56 AM 11,264 atmadm.exe
08/29/2002 07:00 AM 11,264 ATTRIB.EXE
08/04/2004 03:56 AM 14,336 auditusr.exe
08/04/2004 03:56 AM 588,800 autochk.exe
08/04/2004 03:56 AM 602,624 autoconv.exe
08/04/2004 03:56 AM 580,608 autofmt.exe
08/04/2004 03:56 AM 11,264 autolfn.exe
08/04/2004 03:56 AM 71,680 blastcln.exe
08/29/2002 07:00 AM 136,704 BOOTCFG.EXE
08/29/2002 07:00 AM 4,608 BOOTOK.EXE
08/29/2002 07:00 AM 5,120 BOOTVRFY.EXE
08/29/2002 07:00 AM 18,432 CACLS.EXE
08/29/2002 07:00 AM 114,688 CALC.EXE
08/29/2002 07:00 AM 80,384 CHARMAP.EXE
08/29/2002 07:00 AM 11,776 CHKDSK.EXE
08/29/2002 07:00 AM 11,264 CHKNTFS.EXE
08/29/2002 07:00 AM 8,192 CIDAEMON.EXE
08/04/2004 03:56 AM 56,320 cipher.exe
08/04/2004 03:56 AM 5,632 cisvc.exe
08/29/2002 07:00 AM 7,680 CKCNV.EXE
08/04/2004 03:56 AM 64,000 cleanmgr.exe
08/04/2004 03:56 AM 20,480 cliconfg.exe
08/04/2004 03:56 AM 102,912 clipbrd.exe
08/04/2004 03:56 AM 33,280 clipsrv.exe
08/04/2004 03:56 AM 388,608 cmd.exe
08/04/2004 03:56 AM 47,104 cmdl32.exe
08/04/2004 03:56 AM 39,936 cmmon32.exe
08/04/2004 03:56 AM 63,488 cmstp.exe
08/29/2002 07:00 AM 15,872 COMP.EXE
08/29/2002 07:00 AM 17,408 COMPACT.EXE
08/04/2004 01:59 AM 9,728 comsdupd.exe
08/04/2004 03:56 AM 27,648 conime.exe
08/29/2002 07:00 AM 8,192 CONTROL.EXE
08/29/2002 07:00 AM 13,824 CONVERT.EXE
08/09/2004 09:27 PM 98,304 cscript.exe
08/04/2004 03:56 AM 6,144 csrss.exe
08/04/2004 03:56 AM 15,360 ctfmon.exe
02/20/2003 06:45 PM 28,672 CTHELPER.EXE
12/13/1999 03:01 AM 44,032 CTSVCCDA.EXE
11/18/1999 03:00 AM 25,088 CTSVCCTL.EXE
08/29/2002 07:00 AM 5,120 DCOMCNFG.EXE
08/04/2004 03:56 AM 30,208 ddeshare.exe
08/29/2002 07:00 AM 20,634 DEBUG.EXE
08/04/2004 03:56 AM 25,088 defrag.exe
08/04/2004 03:56 AM 82,432 dfrgfat.exe
08/04/2004 03:56 AM 104,960 dfrgntfs.exe
08/04/2004 03:56 AM 85,504 diantz.exe
08/04/2004 03:56 AM 163,840 diskpart.exe
08/29/2002 07:00 AM 17,920 DISKPERF.EXE
08/04/2004 03:56 AM 5,120 dllhost.exe
08/29/2002 07:00 AM 4,608 DLLHST3G.EXE
08/04/2004 03:56 AM 224,768 dmadmin.exe
08/04/2004 03:56 AM 15,872 dmremote.exe
08/29/2002 07:00 AM 10,752 DOSKEY.EXE
08/04/2004 01:51 AM 53,840 dosx.exe
08/04/2004 03:56 AM 30,208 dplaysvr.exe
08/04/2004 03:56 AM 18,432 dpnsvr.exe
08/04/2004 03:56 AM 83,456 dpvsetup.exe
08/29/2002 07:00 AM 58,368 driverquery.exe
08/29/2002 07:00 AM 28,112 DRWATSON.EXE
08/29/2002 07:00 AM 45,568 DRWTSN32.EXE
08/13/2003 12:27 PM 28,672 DSentry.exe
08/04/2004 03:56 AM 10,752 dumprep.exe
08/29/2002 07:00 AM 55,296 DVDPLAY.EXE
08/04/2004 03:56 AM 17,920 dvdupgrd.exe
08/04/2004 03:56 AM 180,224 dwwin.exe
08/04/2004 03:56 AM 1,298,432 dxdiag.exe
12/12/2002 12:14 AM 46,592 dxdllreg.exe
08/29/2002 07:00 AM 12,642 EDLIN.EXE
10/21/2002 03:05 PM 20,480 ENSDEF.EXE
08/29/2002 07:00 AM 39,424 ESENTUTL.EXE
08/04/2004 03:56 AM 193,024 eudcedit.exe
08/04/2004 03:56 AM 50,176 eventcreate.exe
08/29/2002 07:00 AM 77,824 eventtriggers.exe
08/29/2002 07:00 AM 8,704 EVENTVWR.EXE
08/29/2002 07:00 AM 8,424 EXE2BIN.EXE
08/29/2002 07:00 AM 15,872 EXPAND.EXE
08/04/2004 03:56 AM 45,568 extrac32.exe
08/29/2002 07:00 AM 882 FASTOPEN.EXE
08/04/2004 03:56 AM 20,992 faxpatch.exe
08/29/2002 07:00 AM 14,848 FC.EXE
08/29/2002 07:00 AM 9,216 FIND.EXE
08/04/2004 03:56 AM 27,136 findstr.exe
08/29/2002 07:00 AM 9,216 FINGER.EXE
08/29/2002 07:00 AM 3,072 FIXMAPI.EXE
08/04/2004 03:56 AM 22,528 fltmc.exe
08/04/2004 03:56 AM 20,992 fontview.exe
08/29/2002 07:00 AM 7,168 FORCEDOS.EXE
08/29/2002 07:00 AM 55,296 FREECELL.EXE
08/04/2004 03:56 AM 193,024 fsquirt.exe
08/29/2002 07:00 AM 56,320 FSUTIL.EXE
08/04/2004 03:56 AM 42,496 ftp.exe
08/04/2004 03:56 AM 143,360 fxsclnt.exe
08/04/2004 03:56 AM 229,376 fxscover.exe
08/29/2002 07:00 AM 11,264 fxssend.exe
08/04/2004 03:56 AM 267,776 fxssvc.exe
08/29/2002 07:00 AM 24,576 GDI.EXE
08/29/2002 07:00 AM 55,296 GETMAC.EXE
08/04/2004 03:56 AM 119,808 gpresult.exe
08/29/2002 07:00 AM 57,344 GPUPDATE.EXE
08/04/2004 03:56 AM 39,424 grpconv.exe
08/29/2002 07:00 AM 14,848 HELP.EXE
08/29/2002 07:00 AM 7,680 HOSTNAME.EXE
08/04/2004 03:56 AM 34,304 ie4uinit.exe
08/04/2004 03:56 AM 114,688 iexpress.exe
08/04/2004 03:56 AM 150,016 imapi.exe
11/03/2004 04:58 PM 32,768 instlsp.exe
08/04/2004 03:56 AM 55,808 ipconfig.exe
08/29/2002 07:00 AM 44,032 IPSEC6.EXE
08/04/2004 03:56 AM 53,248 ipv6.exe
08/04/2004 03:56 AM 23,552 ipxroute.exe
10/16/2003 05:47 PM 24,670 JAVA.EXE
10/16/2003 05:47 PM 28,768 JAVAW.EXE
09/21/2001 07:08 PM 49,152 KILLAPPS.EXE
08/04/2004 01:49 AM 92,224 krnl386.exe
08/29/2002 07:00 AM 9,728 LABEL.EXE
08/29/2002 07:00 AM 29,696 LIGHTS.EXE
08/29/2002 07:00 AM 25,088 LNKSTUB.EXE
08/04/2004 03:56 AM 75,264 locator.exe
08/29/2002 07:00 AM 5,120 LODCTR.EXE
08/04/2004 03:56 AM 103,936 logagent.exe
08/04/2004 03:56 AM 59,392 logman.exe
08/29/2002 07:00 AM 15,360 LOGOFF.EXE
08/04/2004 03:56 AM 514,560 logonui.exe
08/29/2002 07:00 AM 6,144 LPQ.EXE
08/29/2002 07:00 AM 8,192 LPR.EXE
08/04/2004 03:56 AM 13,312 lsass.exe
08/04/2004 03:56 AM 72,704 magnify.exe
08/04/2004 03:56 AM 85,504 makecab.exe
08/29/2002 07:00 AM 39,274 MEM.EXE
08/29/2002 07:00 AM 51,712 MIGPWD.EXE
08/04/2004 03:56 AM 815,104 mmc.exe
08/04/2004 03:56 AM 32,768 mnmsrvc.exe
08/04/2004 03:56 AM 143,360 mobsync.exe
08/29/2002 07:00 AM 8,192 MOUNTVOL.EXE
08/04/2004 03:56 AM 123,392 mplay32.exe
08/29/2002 07:00 AM 22,016 MPNOTIFY.EXE
08/04/2004 03:56 AM 19,968 mqbkup.exe
08/04/2004 03:56 AM 4,608 mqsvc.exe
08/04/2004 03:56 AM 117,248 mqtgsvc.exe
08/29/2002 07:00 AM 12,800 MRINFO.EXE
08/04/2005 09:31 PM 1,449,304 MRT.exe
08/29/2002 07:00 AM 817 MSCDEXNT.EXE
08/04/2004 03:56 AM 6,144 msdtc.exe
08/29/2002 07:00 AM 20,992 MSG.EXE
08/29/2002 07:00 AM 126,976 MSHEARTS.EXE
08/04/2004 03:56 AM 29,184 mshta.exe
03/21/2005 03:00 PM 78,848 msiexec.exe
08/04/2004 03:56 AM 343,040 mspaint.exe
06/26/2000 09:44 AM 53,520 MsPMSPSv.exe
08/29/2002 07:00 AM 6,656 MSSWCHX.EXE
08/04/2004 03:56 AM 12,288 mstinit.exe
08/04/2004 01:59 AM 407,552 mstsc.exe
08/04/2004 03:56 AM 53,760 narrator.exe
08/29/2002 07:00 AM 20,480 NBTSTAT.EXE
08/04/2004 03:56 AM 4,096 nddeapir.exe
08/04/2004 03:56 AM 42,496 net.exe
08/04/2004 03:56 AM 124,928 net1.exe
08/04/2004 03:56 AM 111,104 netdde.exe
08/04/2004 04:02 AM 329,728 netsetup.exe
08/04/2004 03:56 AM 86,016 netsh.exe
08/04/2004 03:56 AM 36,864 netstat.exe
08/29/2002 07:00 AM 7,052 NLSFUNC.EXE
08/04/2004 03:56 AM 69,120 notepad.exe
08/04/2004 03:56 AM 76,800 nslookup.exe
08/04/2004 03:56 AM 1,200,128 ntbackup.exe
03/01/2005 08:34 PM 2,015,232 ntkrnlpa.exe
03/01/2005 08:57 PM 2,135,552 ntoskrnl.exe
08/29/2002 07:00 AM 31,744 NTSD.EXE
08/04/2004 03:56 AM 419,840 ntvdm.exe
10/30/2003 10:06 AM 73,728 nvsvc32.exe
08/29/2002 07:00 AM 3,252 NW16.EXE
08/29/2002 07:00 AM 126,464 NWSCRIPT.EXE
04/06/2005 08:36 AM 425,984 n?tdde.exe
08/04/2004 03:56 AM 32,768 odbcad32.exe
08/04/2004 03:56 AM 69,632 odbcconf.exe
08/04/2004 03:56 AM 67,584 openfiles.exe
08/04/2004 03:56 AM 215,552 osk.exe
08/29/2002 07:00 AM 40,448 OSUNINST.EXE
08/04/2004 03:56 AM 58,368 packager.exe
08/29/2002 07:00 AM 21,504 PATHPING.EXE
08/29/2002 07:00 AM 15,360 PENTNT.EXE
08/04/2004 03:56 AM 15,872 perfmon.exe
08/04/2004 03:56 AM 17,920 ping.exe
08/29/2002 07:00 AM 33,280 PING6.EXE
08/04/2004 03:56 AM 49,152 powercfg.exe
08/29/2002 07:00 AM 9,216 PRINT.EXE
08/04/2004 03:56 AM 109,568 progman.exe
08/04/2004 03:56 AM 50,176 proquota.exe
03/03/2003 05:26 PM 118,784 Prounstl.exe
08/04/2004 03:56 AM 9,216 proxycfg.exe
08/29/2002 07:00 AM 16,896 QAPPSRV.EXE
08/04/2004 03:56 AM 20,480 qprocess.exe
08/29/2002 07:00 AM 22,016 QWINSTA.EXE
08/29/2002 07:00 AM 11,776 RASAUTOU.EXE
08/29/2002 07:00 AM 11,264 RASDIAL.EXE
08/04/2004 03:56 AM 56,832 rasphone.exe
08/04/2004 03:56 AM 35,840 rcimlby.exe
08/04/2004 03:56 AM 21,504 rcp.exe
08/04/2004 03:56 AM 62,464 rdpclip.exe
08/04/2004 03:56 AM 13,824 rdsaddin.exe
08/04/2004 03:56 AM 67,072 rdshost.exe
08/29/2002 07:00 AM 7,168 RECOVER.EXE
08/04/2004 01:48 AM 3,338 redir.exe
08/04/2004 03:56 AM 50,176 reg.exe
08/29/2002 07:00 AM 3,584 REGEDT32.EXE
08/29/2002 07:00 AM 33,792 REGINI.EXE
06/28/2001 01:05 PM 36,864 REGPLIB.EXE
08/04/2004 03:56 AM 11,776 regsvr32.exe
08/29/2002 07:00 AM 4,608 REGWIZ.EXE
08/29/2002 07:00 AM 32,768 RELOG.EXE
08/29/2002 07:00 AM 12,800 REPLACE.EXE
08/29/2002 07:00 AM 9,728 RESET.EXE
08/04/2004 03:56 AM 13,824 rexec.exe
08/29/2002 07:00 AM 19,968 ROUTE.EXE
08/29/2002 07:00 AM 25,600 ROUTEMON.EXE
08/04/2004 03:56 AM 14,848 rsh.exe
08/29/2002 07:00 AM 49,152 RSM.EXE
08/29/2002 07:00 AM 24,576 RSMSINK.EXE
08/29/2002 07:00 AM 49,152 RSMUI.EXE
08/04/2004 03:56 AM 107,520 rsnotify.exe
08/29/2002 07:00 AM 62,976 RSOPPROV.EXE
08/29/2002 07:00 AM 132,608 RSVP.EXE
08/04/2004 03:56 AM 77,312 rtcshare.exe
08/29/2002 07:00 AM 16,384 RUNAS.EXE
08/04/2004 03:56 AM 33,280 rundll32.exe
08/04/2004 03:56 AM 14,336 runonce.exe
08/29/2002 07:00 AM 15,872 RWINSTA.EXE
08/04/2004 03:56 AM 13,312 savedump.exe
08/29/2002 07:00 AM 31,232 SC.EXE
08/04/2004 03:56 AM 95,744 scardsvr.exe
08/04/2004 03:56 AM 121,856 schtasks.exe
08/04/2004 03:56 AM 77,312 sdbinst.exe
08/07/2001 02:27 PM 49,152 SDPASVC.EXE
09/17/2001 02:38 PM 40,960 SDSRVCTL.EXE
08/04/2004 03:56 AM 18,432 secedit.exe
08/04/2004 03:56 AM 108,032 services.exe
08/04/2004 03:56 AM 140,800 sessmgr.exe
08/04/2004 03:56 AM 31,232 sethc.exe
08/04/2004 03:56 AM 23,040 setup.exe
08/29/2002 07:00 AM 11,753 SETVER.EXE
08/29/2002 07:00 AM 9,728 SFC.EXE
08/29/2002 07:00 AM 14,848 SHADOW.EXE
08/29/2002 07:00 AM 882 SHARE.EXE
08/04/2004 03:56 AM 42,496 shmgrate.exe
08/04/2004 03:56 AM 77,824 shrpubw.exe
08/04/2004 03:56 AM 19,456 shutdown.exe
08/04/2004 03:56 AM 70,144 sigverif.exe
08/04/2004 03:56 AM 26,112 skeys.exe
08/04/2004 03:56 AM 32,866 slrundll.exe
08/04/2004 03:56 AM 73,796 slserv.exe
08/04/2004 03:56 AM 8,192 smbinst.exe
08/04/2004 03:56 AM 89,600 smlogsvc.exe
08/04/2004 03:56 AM 50,688 smss.exe
08/04/2004 03:56 AM 131,584 sndrec32.exe
08/29/2002 07:00 AM 138,752 SNDVOL32.EXE
08/29/2002 07:00 AM 56,832 SOL.EXE
08/29/2002 07:00 AM 23,552 SORT.EXE
08/04/2004 03:56 AM 8,192 spdwnwxp.exe
08/04/2004 03:56 AM 538,624 spider.exe
08/04/2004 01:59 AM 12,800 spiisupd.exe
08/04/2004 12:56 AM 11,776 spnpinst.exe
06/10/2005 07:53 PM 57,856 spoolsv.exe
08/29/2002 07:00 AM 9,728 SPRESTRT.EXE
02/24/2005 11:35 PM 22,752 spupdsvc.exe
08/04/2004 03:56 AM 21,504 spupdwxp.exe
08/04/2004 03:56 AM 14,848 stimon.exe
08/29/2002 07:00 AM 9,216 SUBST.EXE
08/04/2004 03:56 AM 14,336 svchost.exe
08/29/2002 07:00 AM 51,200 SYNCAPP.EXE
08/29/2002 07:00 AM 18,896 SYSEDIT.EXE
08/29/2002 07:00 AM 36,864 SYSKEY.EXE
08/04/2004 03:56 AM 105,984 sysocmgr.exe
08/29/2002 07:00 AM 68,096 systeminfo.exe
08/29/2002 07:00 AM 3,072 SYSTRAY.EXE
08/29/2002 07:00 AM 72,192 TASKKILL.EXE
08/29/2002 07:00 AM 72,192 TASKLIST.EXE
08/29/2002 07:00 AM 15,360 TASKMAN.EXE
08/04/2004 03:56 AM 135,680 taskmgr.exe
08/29/2002 07:00 AM 12,288 TCMSETUP.EXE
08/29/2002 07:00 AM 19,456 TCPSVCS.EXE
05/10/2005 07:45 PM 75,776 telnet.exe
08/29/2002 07:00 AM 16,896 TFTP.EXE
08/04/2004 03:56 AM 61,440 tlntadmn.exe
08/04/2004 03:56 AM 78,336 tlntsess.exe
08/04/2004 03:56 AM 73,216 tlntsvr.exe
08/04/2004 03:56 AM 347,136 tourstart.exe
08/04/2004 03:56 AM 259,584 tracerpt.exe
08/04/2004 03:56 AM 12,288 tracert.exe
08/29/2002 07:00 AM 31,744 TRACERT6.EXE
08/29/2002 07:00 AM 14,848 TSCON.EXE
08/04/2004 01:59 AM 44,544 tscupgrd.exe
08/29/2002 07:00 AM 14,848 TSDISCON.EXE
08/29/2002 07:00 AM 16,384 TSKILL.EXE
08/29/2002 07:00 AM 16,896 TSSHUTDN.EXE
08/29/2002 07:00 AM 36,352 TYPEPERF.EXE
08/29/2002 07:00 AM 4,096 UNLODCTR.EXE
08/04/2004 03:56 AM 16,896 upnpcont.exe
08/04/2004 03:56 AM 18,432 ups.exe
08/29/2002 07:00 AM 47,872 USER.EXE
08/04/2004 03:56 AM 24,576 userinit.exe
08/29/2002 07:00 AM 77,891 USRMLNKA.EXE
08/29/2002 07:00 AM 61,508 USRPRBDA.EXE
08/29/2002 07:00 AM 69,700 USRSHUTA.EXE
08/04/2004 03:56 AM 50,176 utilman.exe
08/29/2002 07:00 AM 98,304 VERIFIER.EXE
08/29/2002 07:00 AM 33,792 VSSADMIN.EXE
08/04/2004 03:56 AM 289,792 vssvc.exe
08/29/2002 07:00 AM 1,129 VWIPXSPX.EXE
08/29/2002 07:00 AM 49,664 W32TM.EXE
08/04/2004 03:56 AM 65,536 wextract.exe
08/04/2004 03:56 AM 433,664 wiaacmgr.exe
08/29/2002 07:00 AM 35,328 WINCHAT.EXE
08/29/2002 07:00 AM 8,192 WINHLP32.EXE
08/04/2004 03:56 AM 502,272 winlogon.exe
08/29/2002 07:00 AM 119,808 WINMINE.EXE
08/29/2002 07:00 AM 11,776 WINMSD.EXE
08/29/2002 07:00 AM 2,112 WINSPOOL.EXE
08/04/2004 03:56 AM 5,632 winver.exe
08/29/2002 07:00 AM 77,824 WMPSTUB.EXE
08/29/2002 07:00 AM 2,736 WOWDEB.EXE
08/29/2002 07:00 AM 10,368 WOWEXEC.EXE
08/04/2004 03:56 AM 32,256 wpabaln.exe
08/04/2004 03:56 AM 32,256 wpnpinst.exe
08/29/2002 07:00 AM 5,632 WRITE.EXE
08/04/2004 03:56 AM 13,824 wscntfy.exe
08/09/2004 09:27 PM 114,688 wscript.exe
05/26/2005 04:16 AM 124,184 wuauclt.exe
05/26/2005 04:16 AM 172,312 wuauclt1.exe
08/29/2002 07:00 AM 32,256 WUPDMGR.EXE
08/04/2004 03:56 AM 30,720 xcopy.exe
04/10/2004 12:24 PM 26,112 XPSP1HFM.EXE
343 File(s) 30,610,712 bytes

Directory of C:\WINDOWS\system32\ActiveScan

06/21/2005 04:15 PM 49,152 pavdr.exe
06/10/2005 03:16 PM 6,195 pfdnnt.exe
2 File(s) 55,347 bytes

Directory of C:\WINDOWS\system32\Com

08/04/2004 03:56 AM 9,728 comrepl.exe
08/29/2002 07:00 AM 5,120 COMREREG.EXE
2 File(s) 14,848 bytes

Directory of C:\WINDOWS\system32\dla

08/06/2003 03:04 AM 249,908 tfswcmd.exe
08/06/2003 03:04 AM 114,741 tfswctrl.exe
2 File(s) 364,649 bytes

Directory of C:\WINDOWS\system32\DLLCACHE

08/29/2002 07:00 AM 114,688 calc.exe
08/29/2002 07:00 AM 12,288 cb32.exe
08/04/2004 01:31 AM 480,256 cintsetp.exe
08/29/2002 07:00 AM 5,120 comrereg.exe
08/04/2004 01:31 AM 57,399 cplexe.exe
08/09/2004 09:27 PM 98,304 cscript.exe
08/29/2002 07:00 AM 45,568 drwtsn32.exe
08/04/2004 03:56 AM 1,032,192 explorer.exe
08/29/2002 07:00 AM 11,264 fxssend.exe
08/29/2002 07:00 AM 99,840 helphost.exe
08/29/2002 07:00 AM 73,728 icwtutor.exe
08/04/2004 03:56 AM 93,184 iexplore.exe
08/29/2002 07:00 AM 57,398 imjpdadm.exe
08/04/2004 01:31 AM 307,257 imjpdct.exe
08/04/2004 01:31 AM 155,705 imjpdsvr.exe
08/04/2004 01:31 AM 196,665 imjpinst.exe
08/04/2004 01:31 AM 208,952 imjpmig.exe
08/04/2004 01:32 AM 233,527 imjprw.exe
08/29/2002 07:00 AM 45,109 imjpuex.exe
08/04/2004 01:32 AM 262,200 imjputy.exe
08/29/2002 07:00 AM 59,392 imscinst.exe
08/04/2004 03:56 AM 20,480 inetwiz.exe
08/29/2002 07:00 AM 16,384 isignup.exe
08/29/2002 07:00 AM 126,976 mshearts.exe
03/21/2005 03:00 PM 78,848 msiexec.exe
08/29/2002 07:00 AM 39,936 msinfo32.exe
08/29/2002 07:00 AM 28,160 msoobe.exe
08/29/2002 07:00 AM 35,328 notiflag.exe
08/29/2002 07:00 AM 70,144 pintlphr.exe
08/04/2004 03:56 AM 33,280 rundll32.exe
08/29/2002 07:00 AM 36,864 sapisvr.exe
08/04/2004 03:56 AM 108,032 services.exe
08/29/2002 07:00 AM 47,104 srdiag.exe
08/04/2004 03:56 AM 14,336 svchost.exe
08/29/2002 07:00 AM 44,032 tintlphr.exe
08/29/2002 07:00 AM 455,168 tintsetp.exe
08/29/2002 07:00 AM 3,374,640 tourW.exe
08/29/2002 07:00 AM 16,896 unsecapp.exe
08/29/2002 07:00 AM 12,288 wb32.exe
08/29/2002 07:00 AM 256,192 winhelp.exe
08/04/2004 03:56 AM 502,272 winlogon.exe
08/29/2002 07:00 AM 13,312 winmgmt.exe
08/09/2004 09:27 PM 114,688 wscript.exe
05/26/2005 04:16 AM 124,184 wuauclt.exe
05/26/2005 04:16 AM 172,312 wuauclt1.exe
08/29/2002 07:00 AM 32,256 wupdmgr.exe
08/29/2002 07:00 AM 36,937 zclientm.exe
47 File(s) 9,461,085 bytes

Directory of C:\WINDOWS\system32\IME\CINTLGNT

08/04/2004 01:31 AM 480,256 cintsetp.exe
1 File(s) 480,256 bytes

Directory of C:\WINDOWS\system32\IME\PINTLGNT

08/29/2002 07:00 AM 59,392 IMSCINST.EXE
08/29/2002 07:00 AM 70,144 PINTLPHR.EXE
2 File(s) 129,536 bytes

Directory of C:\WINDOWS\system32\IME\TINTLGNT

08/29/2002 07:00 AM 44,032 TINTLPHR.EXE
08/29/2002 07:00 AM 455,168 TINTSETP.EXE
2 File(s) 499,200 bytes

Directory of C:\WINDOWS\system32\Macromed\Flash

06/09/2004 05:06 PM 99,544 GetFlash.exe
1 File(s) 99,544 bytes

Directory of C:\WINDOWS\system32\Macromed\Shockwave 10

05/19/2005 12:24 PM 58,584 Download.exe
1 File(s) 58,584 bytes

Directory of C:\WINDOWS\system32\NPP

08/04/2004 03:56 AM 15,360 nppagent.exe
1 File(s) 15,360 bytes

Directory of C:\WINDOWS\system32\OOBE

08/29/2002 07:00 AM 28,160 MSOOBE.EXE
08/04/2004 03:56 AM 51,200 oobebaln.exe
2 File(s) 79,360 bytes

Directory of C:\WINDOWS\system32\QuickTime

07/27/2003 12:05 PM 376,832 QTPluginInstaller.exe
07/27/2003 12:05 PM 57,856 QuickTimeUpdateHelper.exe
2 File(s) 434,688 bytes

Directory of C:\WINDOWS\system32\Restore

08/04/2004 03:56 AM 380,416 rstrui.exe
08/29/2002 07:00 AM 47,104 SRDIAG.EXE
2 File(s) 427,520 bytes

Directory of C:\WINDOWS\system32\URTTemp

02/21/2003 07:16 AM 49,152 regtlib.exe
1 File(s) 49,152 bytes

Directory of C:\WINDOWS\system32\USMT

08/04/2004 03:56 AM 103,424 migload.exe
08/04/2004 03:56 AM 240,128 migwiz.exe
08/04/2004 03:56 AM 236,032 migwiz_a.exe
3 File(s) 579,584 bytes

Directory of C:\WINDOWS\system32\WBEM

08/04/2004 03:56 AM 16,384 mofcomp.exe
08/04/2004 03:56 AM 36,864 scrcons.exe
08/29/2002 07:00 AM 16,896 UNSECAPP.EXE
08/04/2004 03:56 AM 116,224 wbemtest.exe
08/29/2002 07:00 AM 13,312 WINMGMT.EXE
08/04/2004 03:56 AM 196,608 wmiadap.exe
08/04/2004 03:56 AM 126,464 wmiapsrv.exe
08/04/2004 03:56 AM 358,912 wmic.exe
08/04/2004 03:56 AM 218,112 wmiprvse.exe
9 File(s) 1,099,776 bytes

Logfile of HijackThis v1.99.1
Scan saved at 9:34:47 PM, on 8/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\n?tdde.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\nrpn\osoa.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\sdpasvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\PROGRA~1\mcafee.com\mps\POPUPK~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_1_6_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0803] "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5LP_0001_0803NetInstaller.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [Bkgfrxbp] C:\WINDOWS\System32\n?tdde.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Ncao] C:\Program Files\nrpn\osoa.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZSzeb029
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr...oad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net...tivex/AXSAL.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123713466406
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {885BB46A-3F1E-44C3-A01B-A7D9260CC98B} (InstallShield Update Service Setup Player) - http://updates.insta...AB/dwusplay.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,19/mcgdmgr.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...463/mcfscan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\theresa\Local Settings\Temporary Internet Files\Content.IE5\8TKLQ7OX\cwshredder[1].exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\System32\sdpasvc.exe

Good luck m'friend :tazz:
  • 0

#11
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Scott,

I want to try something. Something is either protecting those entries, or reinstalling them (or you messed up...lol :))

Submit file:

Navigate to this file in windows explorer C:\WINDOWS\System32\netdde.exe

Right-click on it and choose compress and email.

Please email that file to :MalwareremovalATcomcast.net (replace the AT with @)

In the subject, put the name of the file

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Please download the attached file(netdde.zip) to your desktop.
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Delete File on Reboot"
  • Navigate to this file - C:\WINDOWS\system32\netdde.exe
  • Double click on that file.
  • HJT asks you if you want to reboot, now. Click "Yes".
After the reboot you should have findfile.bat on your desktop. Please run that and post the results (from post #8).

Don't reboot or shut off your computer until I reply back, please.

thanks,

:tazz:

Excal
  • 0

#12
scottmetal666

scottmetal666

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
findfile.bat copy-pasted:

Volume in drive C has no label.
Volume Serial Number is 4831-BFCC

Directory of C:\WINDOWS\System32

08/04/2004 03:56 AM 111,104 netdde.exe
04/06/2005 08:36 AM 425,984 n?tdde.exe
2 File(s) 537,088 bytes

Directory of C:\Documents and Settings\theresa\Desktop
  • 0

#13
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Is that find.bat log a new one?

Excal

Edited by Excal, 19 August 2005 - 09:15 PM.

  • 0

#14
scottmetal666

scottmetal666

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
I had the first findfile still on the Desktop. Should I delete that and the other txt/logs from my Desktop and try again?

EDIT: I assumed from the wording of your instructions that the findfile.bat already existing on the Desktop would be overwritten.

Edited by scottmetal666, 19 August 2005 - 09:37 PM.

  • 0

#15
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Not sure if it does, go ahead and delete that one and please do it one more time.
You actually can delete all of them.

Thanks,

:tazz:

Excal
  • 0