Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

WinFixer infection - HiJack this log posted [RESOLVED]


  • This topic is locked This topic is locked

#1
huffdaddy

huffdaddy

    New Member

  • Member
  • Pip
  • 6 posts
Hi,

I've recently gotten a case of WinFixer that I can't seem to get rid of. I've run through all of the suggested fixes here prior to posting the logfile from HiJack This, with the exception of using McAfee VirusScan as opposed to the other virus/trojan programs listed. Here is my logfile after running the fixes:

Logfile of HijackThis v1.99.1
Scan saved at 12:30:48 AM, on 9/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\huffman.RCC_NT\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.rti.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smbusiness.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\$NtUninstallKB899587$\ctask.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120762498526
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {8BA1621C-F6E9-47C5-A55D-2F4BAB913B2B} (Avatier Cached Password Control) - https://password.rti...hedCredUtil.cab
O16 - DPF: {AF32F794-D1C1-11D2-AC8D-00A0C999560F} (PixDocView.DocumentView) - http://edms.rti.org/...de/mxview51.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RCC_NT.RTI.ORG
O17 - HKLM\Software\..\Telephony: DomainName = RCC_NT.RTI.ORG
O17 - HKLM\System\CCS\Services\Tcpip\..\{9792FA73-AAD1-476F-A548-5B157B4A9CD3}: Domain = rti.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RCC_NT.RTI.ORG
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = RCC_NT.RTI.ORG
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: ctask - C:\WINDOWS\$NtUninstallKB899587$\ctask.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Thanks for your help...great site you're running here!

Alan
  • 0

Advertisements


#2
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello Alan and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions!

You have the dreaded Vundo infection. Let’s see what we can do with the first sweep.

I note that you are running HijackThis from Desktop; please create a new folder for it (for example C:\Program Files\Hijackthis\Hijackthis.exe) and move the programme into it. It is very important you do this before anything else since backup files can be deleted if they are not within their own folder!

Firstly could you please disable Spyware Doctor from running during the fix, it may just hinder our attempts to change anything.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • Please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\$NtUninstallKB899587$\ctask.dll
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED: O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\$NtUninstallKB899587$\ctask.dll
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
    O20 - Winlogon Notify: ctask - C:\WINDOWS\$NtUninstallKB899587$\ctask.dll
  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
  • 0

#3
huffdaddy

huffdaddy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Crusty-

Thanks for your help. I've run the sequence as requested, and HiJack This and vundofix logs are attached.

Logfile of HijackThis v1.99.1
Scan saved at 11:46:11 AM, on 9/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.rti.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smbusiness.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120762498526
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {8BA1621C-F6E9-47C5-A55D-2F4BAB913B2B} (Avatier Cached Password Control) - https://password.rti...hedCredUtil.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {AF32F794-D1C1-11D2-AC8D-00A0C999560F} (PixDocView.DocumentView) - http://edms.rti.org/...de/mxview51.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RCC_NT.RTI.ORG
O17 - HKLM\Software\..\Telephony: DomainName = RCC_NT.RTI.ORG
O17 - HKLM\System\CCS\Services\Tcpip\..\{9792FA73-AAD1-476F-A548-5B157B4A9CD3}: Domain = rti.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{BAEC89D3-662D-4DCB-B81B-B22DE51D82B8}: Domain = rti.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{BAEC89D3-662D-4DCB-B81B-B22DE51D82B8}: NameServer = 152.5.128.21,152.5.128.19
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RCC_NT.RTI.ORG
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = RCC_NT.RTI.ORG
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 180 'smss.exe'
Threads [184][188][192]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 816 'explorer.exe'
Killing PID 816 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 252 'winlogon.exe'
File Deleted sucessfully.


The lines starting with O2 and O8 in the HiJack This scan were not listed, the O16 and O20 lines were checked and removed as you instructed. How are we doing now?

Thanks again!

Alan
  • 0

#4
huffdaddy

huffdaddy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Crusty-

Here is the ActiveScan log that I forgot to add to the previous post


Incident Status Location

Virus:Exploit/iFrame Disinfected C:\Documents and Settings\huffman\Application Data\Mozilla\Profiles\default\qz5z2n54.slt\Mail\mail.triad.rr.com\Inbox[~000120.@x@]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\huffmanold\Application Data\Mozilla\Profiles\default\qz5z2n54.slt\Mail\mail.triad.rr.com\Inbox[~000120.@x@]
Virus:Trj/Pakes.AV Disinfected C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP303\A0042164.dll
Virus:Trj/Agent.AJK Disinfected C:\WINDOWS\SYSTEM32\nnnnn.dll


Thanks again,

Alan
  • 0

#5
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Well that looks really good.

Now for the acid test. Please set your system to show all files; please see here if you're unsure how to do this.

Please use SEARCH and find all instances of this file name. It will have differing suffixes or file extensions to it for example BAK or INI or TMP etc.

Please delete all instances of it, but tell me what you found and where you found it.

The file name is: ksatc
  • 0

#6
huffdaddy

huffdaddy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Crusty-

Getting back to you late, but I've checked for the files. Found one, a configuration settings file in C:\WINDOWS\$NtUninstallKB899587$. Deleted it as instructed.

How are we feeling now?

Thanks,

Alan
  • 0

#7
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Alan

I am not happy until I see proof positive that those backward files are gone. Let's have a look beneath the surface.

Download:WinPFind

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Restart in Safe Mode

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

One you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder.

Restart normally and post the contents of WinPFind.txt
  • 0

#8
huffdaddy

huffdaddy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi Crusty-

Back again with the latest fix log...here's the WinPFind log

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/29/2002 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
PECompact2 8/4/2005 9:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2005 9:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 12:56:38 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 12:56:46 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/29/2002 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 10:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\HOSTS


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/8/2005 9:02:26 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
9/8/2005 9:00:48 PM S 880 C:\WINDOWS\CSC\00000001
9/8/2005 9:00:48 PM S 187168 C:\WINDOWS\CSC\00000002
7/24/2005 11:15:40 PM S 192 C:\WINDOWS\CSC\d1\00000050
8/29/2005 8:42:34 PM S 1216 C:\WINDOWS\CSC\d1\00000070
9/6/2005 11:25:14 PM S 1344 C:\WINDOWS\CSC\d1\000011C8
9/6/2005 11:25:16 PM S 2112 C:\WINDOWS\CSC\d1\000012B0
9/8/2005 8:49:52 PM S 6848 C:\WINDOWS\CSC\d1\00001450
9/6/2005 11:25:30 PM S 2752 C:\WINDOWS\CSC\d1\00001518
9/8/2005 8:49:56 PM S 8256 C:\WINDOWS\CSC\d1\00001548
9/8/2005 8:49:56 PM S 16960 C:\WINDOWS\CSC\d1\000015D0
9/6/2005 11:25:34 PM S 1088 C:\WINDOWS\CSC\d1\00001618
9/6/2005 11:25:48 PM S 3136 C:\WINDOWS\CSC\d1\00001688
9/6/2005 11:31:16 PM S 1088 C:\WINDOWS\CSC\d1\000016C8
9/8/2005 8:49:56 PM S 192 C:\WINDOWS\CSC\d1\000016D8
9/8/2005 8:49:52 PM S 4928 C:\WINDOWS\CSC\d2\000011D9
9/8/2005 8:49:52 PM S 2368 C:\WINDOWS\CSC\d2\00001211
9/6/2005 11:25:16 PM S 320 C:\WINDOWS\CSC\d2\00001289
9/6/2005 11:25:16 PM S 1088 C:\WINDOWS\CSC\d2\00001299
9/6/2005 11:25:16 PM S 320 C:\WINDOWS\CSC\d2\000012A1
9/8/2005 8:49:52 PM S 704 C:\WINDOWS\CSC\d2\000012B9
9/8/2005 8:49:52 PM S 2624 C:\WINDOWS\CSC\d2\00001311
9/8/2005 8:49:52 PM S 9024 C:\WINDOWS\CSC\d2\00001329
9/6/2005 11:25:26 PM S 1600 C:\WINDOWS\CSC\d2\00001449
9/6/2005 11:25:26 PM S 192 C:\WINDOWS\CSC\d2\00001491
9/8/2005 8:49:54 PM S 1472 C:\WINDOWS\CSC\d2\000014F1
9/6/2005 11:25:32 PM S 320 C:\WINDOWS\CSC\d2\000015B9
9/6/2005 11:25:34 PM S 1600 C:\WINDOWS\CSC\d2\00001611
9/6/2005 11:30:48 PM S 6336 C:\WINDOWS\CSC\d2\000016C1
9/8/2005 8:49:56 PM S 192 C:\WINDOWS\CSC\d2\000016D9
9/8/2005 9:00:30 PM S 192 C:\WINDOWS\CSC\d3\0000003A
9/8/2005 9:00:30 PM S 192 C:\WINDOWS\CSC\d3\0000007A
9/6/2005 11:25:14 PM S 8896 C:\WINDOWS\CSC\d3\000011EA
9/6/2005 11:25:18 PM S 832 C:\WINDOWS\CSC\d3\00001302
9/6/2005 11:25:22 PM S 2240 C:\WINDOWS\CSC\d3\000013B2
9/6/2005 11:25:24 PM S 576 C:\WINDOWS\CSC\d3\0000143A
9/8/2005 9:00:30 PM S 960 C:\WINDOWS\CSC\d3\00001512
9/6/2005 11:25:34 PM S 6464 C:\WINDOWS\CSC\d3\00001642
9/6/2005 11:25:36 PM S 320 C:\WINDOWS\CSC\d3\00001672
9/6/2005 11:46:36 PM S 320 C:\WINDOWS\CSC\d3\000016DA
9/6/2005 11:46:36 PM S 2880 C:\WINDOWS\CSC\d4\00000013
9/7/2005 11:38:58 AM S 1088 C:\WINDOWS\CSC\d4\0000007B
9/6/2005 11:25:20 PM S 3648 C:\WINDOWS\CSC\d4\0000134B
9/6/2005 11:25:22 PM S 1856 C:\WINDOWS\CSC\d4\000013A3
9/8/2005 8:49:52 PM S 320 C:\WINDOWS\CSC\d4\000013AB
9/8/2005 8:49:52 PM S 3264 C:\WINDOWS\CSC\d4\000013CB
9/6/2005 11:25:24 PM S 2880 C:\WINDOWS\CSC\d4\000013E3
9/6/2005 11:25:24 PM S 704 C:\WINDOWS\CSC\d4\00001433
9/8/2005 8:49:52 PM S 1856 C:\WINDOWS\CSC\d4\00001493
9/6/2005 11:25:26 PM S 192 C:\WINDOWS\CSC\d4\0000149B
9/6/2005 11:25:28 PM S 1344 C:\WINDOWS\CSC\d4\000014EB
9/6/2005 11:46:36 PM S 3136 C:\WINDOWS\CSC\d4\0000153B
9/8/2005 8:49:56 PM S 2368 C:\WINDOWS\CSC\d4\000015BB
9/8/2005 8:49:56 PM S 2752 C:\WINDOWS\CSC\d4\00001663
9/6/2005 11:46:36 PM S 320 C:\WINDOWS\CSC\d4\000016E3
9/8/2005 9:00:30 PM S 320 C:\WINDOWS\CSC\d5\0000119C
9/6/2005 11:25:14 PM S 1088 C:\WINDOWS\CSC\d5\000011D4
9/6/2005 11:25:16 PM S 1984 C:\WINDOWS\CSC\d5\0000128C
9/8/2005 8:49:52 PM S 576 C:\WINDOWS\CSC\d5\000012A4
9/6/2005 11:25:18 PM S 320 C:\WINDOWS\CSC\d5\000012C4
9/6/2005 11:25:18 PM S 832 C:\WINDOWS\CSC\d5\00001324
9/6/2005 11:25:20 PM S 1856 C:\WINDOWS\CSC\d5\00001364
9/6/2005 11:25:22 PM S 18240 C:\WINDOWS\CSC\d5\0000136C
9/6/2005 11:25:22 PM S 1088 C:\WINDOWS\CSC\d5\000013AC
9/8/2005 8:49:54 PM S 5824 C:\WINDOWS\CSC\d5\0000146C
9/8/2005 8:49:54 PM S 1728 C:\WINDOWS\CSC\d5\000014E4
9/6/2005 11:25:30 PM S 3264 C:\WINDOWS\CSC\d5\00001524
9/6/2005 11:25:30 PM S 1344 C:\WINDOWS\CSC\d5\00001534
9/6/2005 11:25:32 PM S 832 C:\WINDOWS\CSC\d5\000015B4
9/6/2005 11:25:34 PM S 4800 C:\WINDOWS\CSC\d5\0000162C
9/8/2005 8:49:56 PM S 320 C:\WINDOWS\CSC\d5\00001674
9/8/2005 9:00:30 PM S 29248 C:\WINDOWS\CSC\d6\0000119D
9/8/2005 8:49:52 PM S 3392 C:\WINDOWS\CSC\d6\0000127D
9/6/2005 11:25:16 PM S 832 C:\WINDOWS\CSC\d6\00001295
9/6/2005 11:25:18 PM S 1984 C:\WINDOWS\CSC\d6\0000131D
9/6/2005 11:25:26 PM S 4928 C:\WINDOWS\CSC\d6\0000143D
9/8/2005 8:49:54 PM S 5568 C:\WINDOWS\CSC\d6\0000149D
9/6/2005 11:25:26 PM S 2368 C:\WINDOWS\CSC\d6\000014D5
9/6/2005 11:25:32 PM S 9664 C:\WINDOWS\CSC\d6\0000157D
9/6/2005 11:25:32 PM S 1344 C:\WINDOWS\CSC\d6\000015AD
9/8/2005 8:49:56 PM S 3392 C:\WINDOWS\CSC\d6\0000161D
9/6/2005 11:25:48 PM S 2368 C:\WINDOWS\CSC\d6\0000167D
9/6/2005 11:25:48 PM S 832 C:\WINDOWS\CSC\d6\000016BD
9/6/2005 11:32:10 PM S 2496 C:\WINDOWS\CSC\d6\000016CD
9/6/2005 11:46:36 PM S 1984 C:\WINDOWS\CSC\d6\000016DD
9/8/2005 9:00:30 PM S 960 C:\WINDOWS\CSC\d7\00000036
9/6/2005 11:25:14 PM S 1344 C:\WINDOWS\CSC\d7\000011CE
9/6/2005 11:25:16 PM S 576 C:\WINDOWS\CSC\d7\0000129E
9/8/2005 8:49:52 PM S 8256 C:\WINDOWS\CSC\d7\000012C6
9/6/2005 11:25:18 PM S 1600 C:\WINDOWS\CSC\d7\00001316
9/6/2005 11:25:24 PM S 1984 C:\WINDOWS\CSC\d7\0000140E
9/6/2005 11:25:26 PM S 9664 C:\WINDOWS\CSC\d7\000014AE
9/8/2005 9:00:30 PM S 832 C:\WINDOWS\CSC\d7\00001516
9/6/2005 11:25:32 PM S 320 C:\WINDOWS\CSC\d7\00001546
9/6/2005 11:25:32 PM S 1472 C:\WINDOWS\CSC\d7\000015C6
9/6/2005 11:25:36 PM S 832 C:\WINDOWS\CSC\d7\0000166E
9/6/2005 11:25:48 PM S 1216 C:\WINDOWS\CSC\d7\00001676
9/8/2005 8:49:56 PM S 3520 C:\WINDOWS\CSC\d7\00001696
8/29/2005 8:42:34 PM S 576 C:\WINDOWS\CSC\d8\00000057
9/6/2005 11:25:14 PM S 3392 C:\WINDOWS\CSC\d8\0000126F
9/6/2005 11:25:22 PM S 2880 C:\WINDOWS\CSC\d8\000013D7
9/6/2005 11:25:24 PM S 1856 C:\WINDOWS\CSC\d8\000013EF
9/8/2005 8:49:52 PM S 7232 C:\WINDOWS\CSC\d8\000013F7
9/8/2005 8:49:52 PM S 3520 C:\WINDOWS\CSC\d8\00001417
9/6/2005 11:25:24 PM S 448 C:\WINDOWS\CSC\d8\00001437
9/6/2005 11:25:26 PM S 192 C:\WINDOWS\CSC\d8\0000148F
9/6/2005 11:25:48 PM S 320 C:\WINDOWS\CSC\d8\0000168F
7/19/2005 7:18:10 PM S 18913 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896727.cat
9/8/2005 9:02:14 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
9/8/2005 9:04:00 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
9/8/2005 9:02:28 PM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
9/8/2005 9:04:32 PM H 102400 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
9/8/2005 9:02:32 PM H 1134592 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
8/11/2005 10:07:46 AM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
9/7/2005 8:33:54 AM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0DW9G5U1\desktop.ini
9/7/2005 8:33:54 AM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IDWRSHOP\desktop.ini
9/7/2005 8:33:54 AM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SBOD8RGB\desktop.ini
9/7/2005 8:33:54 AM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W9GBUPKF\desktop.ini
9/8/2005 9:00:58 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Broadcom Corporation 5/14/2003 7:47:38 PM 815104 C:\WINDOWS\SYSTEM32\B57exp.cpl
Dell Computer Corporation 7/9/2004 4:41:00 PM 983040 C:\WINDOWS\SYSTEM32\BCMWLCPL.CPL
Microsoft Corporation 8/4/2004 12:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 2/20/2003 4:42:34 PM 229487 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/4/2004 12:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/4/2004 12:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\NWC.CPL
Microsoft Corporation 8/4/2004 12:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 9/23/2004 7:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
SigmaTel Inc. 4/9/2003 11:13:02 PM 81920 C:\WINDOWS\SYSTEM32\STAC97.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/4/2004 12:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 6/27/2004 3:50:00 AM 55296 C:\WINDOWS\SYSTEM32\CCM\SMSCFGRC.cpl
Microsoft Corporation 6/27/2004 3:50:00 AM 13312 C:\WINDOWS\SYSTEM32\CCM\SMSPDM.cpl
Microsoft Corporation 6/27/2004 3:50:00 AM 55808 C:\WINDOWS\SYSTEM32\CCM\SMSRAP.cpl
Microsoft Corporation 6/27/2004 3:50:00 AM 233472 C:\WINDOWS\SYSTEM32\CCM\clicomp\RemCtrl\smsrc.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\DLLCACHE\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/3/2002 2:36:04 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
4/6/2004 9:15:06 AM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/3/2002 2:26:20 PM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI

Checking files in %USERPROFILE%\Startup folder...
9/3/2002 2:36:04 PM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %USERPROFILE%\Application Data folder...
9/3/2002 2:26:20 PM HS 62 C:\Documents and Settings\Administrator\Application Data\DESKTOP.INI

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\OfficeScan NT
{AF4F7471-FCFB-11d0-80B6-0080C838D5F9} = C:\Program Files\Trend Micro\OfficeScan Client\tmdshell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\VirusScan
{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\VirusScan\shext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\VirusScan
{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\VirusScan\shext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\OfficeScan NT
{AF4F7471-FCFB-11d0-80B6-0080C838D5F9} = C:\Program Files\Trend Micro\OfficeScan Client\tmdshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\VirusScan
{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\VirusScan\shext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7327C09-B521-4EDB-8509-7D2660C9EC98}
Viewpoint Toolbar BHO = C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{F8AD5AA5-D966-4667-9DAF-2561D68B2012} = Viewpoint Toolbar : C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ATIModeChange Ati2mdxx.exe
PCTVOICE pctspk.exe
SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
DadApp C:\Program Files\Dell\AccessDirect\dadapp.exe
Dell QuickSet C:\Program Files\Dell\QuickSet\QuickSet.exe
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
iTunesHelper C:\Program Files\iTunes\iTunesHelper.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
ShStatEXE "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
McAfeeUpdaterUI "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ckpNotify
= ckpNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.5 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/8/2005 9:12:36 PM


What say ye now?

Thanks, as always

Alan
  • 0

#9
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Congratulations! your new log is clean. :tazz: Just a little bit more to do to prevent further infection.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
I recommend going to the following link and update as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.
AD-AWARE PERSONAL – A fine free malware detector and removal programme
SPYBOT S&D – Excellent free spyware detector and removal programme
GOOGLE TOOLBAR - Blocks many unwanted pop-ups in Internet Explorer.
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS FREE EDITION - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one (Windows XP has a built-in firewall).

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one antispyware programmes for “on demand” scanning, having two or more antivirus systems is not recommended as they may well interfere with each other.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep your Windows, antispyware and antivirus updated. :)

Happy safe surfing Alan!
  • 0

#10
huffdaddy

huffdaddy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Crusty you are the man. Many thanks for your help and direction.

Keep fighting the good fight!

Alan
  • 0

#11
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
You are very welcome to the help.

I will try to continue fighting malware.

I'll leave this thread open for a few days in case of misfortune.
  • 0

#12
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP