WinFixer Popups... please help.



#1 spaceyjane (Member, 11 posts)

Hi... thanks for being here! I've read the forum instructions before posting this, along with the posts of others in order to try and repair their systems from this awful "WinFixer" popup annoyance, and I beg of your help also! Earlier today I ran the Symantec "FixVundo" twice, but later this evening, another popup.

Here is my HJT log from minutes ago: (I hope I'm doing this right)

Logfile of HijackThis v1.99.1
Scan saved at 9:46:10 PM, on 11/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.mywa...idebar.jsp?p=DE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\system32\ssqrp.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133368111156
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: ssqrp - C:\WINDOWS\system32\ssqrp.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



I'm praying and crossing all my fingers and toes that you can help me fix this!
Thanks in advance for your time! I am at your mercy!

#2 Wizard (Retired Staff, 5,661 posts)

Hi spaceyjane and Welcome to GeekstoGo!

Go here
http://www.billsway.com/vbspage/

Scroll down the page
and download the "Registry Search Tool"

Unzip RegSrch.zip to the desktop

Double click on RegSrch.vbs

If you get a warning from your Anti Virus please ignore it and allow this to run.

When it starts, you will be prompted to enter a search phrase.

Enter this into the search phrase--> ATLDistrib Object

Do a separate search for this entry--> 3FE36807-69ED-45D1-B9BE-85C0E3F75B6A


Now,please Download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Restart Normal and Post the results of WinPFind and the BillsWay Registry Search.
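
The registry search Wizard asks for, written out as an added example in Python (this is not the RegSrch.vbs tool he links to, and not code from the thread). On the Windows host it walks HKLM, HKCU and HKU through the standard-library winreg module and prints REGEDIT4-style hits the way RegSrch does; off the host it runs against SAMPLE_ENTRIES, a constructed list of keys shaped like the COM/BHO registration for the {3FE36807-...} CLSID and the "ATLDistrib Object" name from the HijackThis log above. The ProgID name, the InprocServer32 default value and the Acrobat entry in that sample are my assumptions about such a layout, not quoted from the page.

```python
"""Registry string search in the spirit of the RegSrch.vbs step above.

Added example, not the tool Wizard links to. The live walk needs the winreg
module (Windows only; run it elevated so HKEY_USERS is readable). The matching
core takes a plain sequence of entries so it can be exercised offline.
"""
import re
import sys
from itertools import chain
from typing import Iterable, Iterator, List, Optional, Tuple

try:
    import winreg  # present on Windows only
except ImportError:
    winreg = None

# (hive name, key path, value name, data). Value name None marks the key itself,
# "" marks the key's default value (written as @ in .reg files).
Entry = Tuple[str, str, Optional[str], str]

# HKEY_CLASSES_ROOT is a merged view of HKLM/HKCU Software\Classes, so it is skipped.
DEFAULT_HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS")


def walk_live_registry(hive_name: str) -> Iterator[Entry]:
    """Yield every key and value under a hive, depth first (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg unavailable: run this on the Windows host")
    hive = getattr(winreg, hive_name)
    stack: List[str] = [""]
    while stack:
        path = stack.pop()
        try:
            key = winreg.OpenKey(hive, path)
        except OSError:
            continue  # access denied, or key removed underneath us
        with key:
            yield (hive_name, path, None, "")
            i = 0
            while True:  # EnumValue/EnumKey raise OSError once exhausted
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                yield (hive_name, path, name, str(data))
                i += 1
            i = 0
            while True:
                try:
                    sub = winreg.EnumKey(key, i)
                except OSError:
                    break
                stack.append(f"{path}\\{sub}" if path else sub)
                i += 1


def find_matches(entries: Iterable[Entry], needle: str) -> List[str]:
    """Return .reg-style lines for keys whose path, or values whose name or data,
    contain needle. Case-insensitive; surrounding braces are ignored so a bare
    CLSID also matches the {...} form stored under Classes\\CLSID."""
    pat = re.compile(re.escape(needle.strip("{}")), re.IGNORECASE)
    hits: List[str] = []
    for hive, path, name, data in entries:
        full = f"{hive}\\{path}" if path else hive
        if name is None:
            if pat.search(full):
                hits.append(f"[{full}]")
        elif pat.search(name) or pat.search(data):
            label = "@" if name == "" else f'"{name}"'
            hits.append(f'[{full}]\n{label}="{data}"')
    return hits


# Constructed sample (assumption, not copied from the page): a COM/BHO
# registration for the CLSID in the HijackThis log, plus Acrobat's for contrast.
_BHO = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
_CLS = r"SOFTWARE\Classes\CLSID\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A}"
SAMPLE_ENTRIES: List[Entry] = [
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Classes\ATLDistrib.ATLDistrib\CLSID", None, ""),
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Classes\ATLDistrib.ATLDistrib\CLSID", "",
     "{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A}"),
    ("HKEY_LOCAL_MACHINE", _CLS, None, ""),
    ("HKEY_LOCAL_MACHINE", _CLS, "", "ATLDistrib Object"),
    ("HKEY_LOCAL_MACHINE", _CLS + r"\InprocServer32", None, ""),
    ("HKEY_LOCAL_MACHINE", _CLS + r"\InprocServer32", "", r"C:\WINDOWS\system32\ssqrp.dll"),
    ("HKEY_LOCAL_MACHINE", _BHO + r"\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A}", None, ""),
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Classes\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\InprocServer32",
     "", r"C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll"),
]


def search(needle: str, entries: Optional[Iterable[Entry]] = None) -> List[str]:
    """Search the live registry (default hives) or a supplied entry list."""
    if entries is None:
        entries = chain.from_iterable(walk_live_registry(h) for h in DEFAULT_HIVES)
    return find_matches(entries, needle)


if __name__ == "__main__":
    term = sys.argv[1] if len(sys.argv) > 1 else "3FE36807-69ED-45D1-B9BE-85C0E3F75B6A"
    source = None if winreg is not None else SAMPLE_ENTRIES  # offline: use the sample
    print("REGEDIT4\n; search results for", term)
    for hit in search(term, source):
        print(hit)
```

Run it once with the CLSID and once with the display name, as Wizard asks, because they hit different places: the CLSID is the key name under Classes\CLSID and under Browser Helper Objects, while the display name is only the default value of the CLSID key and the ProgID path. A misspelled term simply returns nothing, so copy the string exactly. The output is read-only evidence, not a removal list: ProgID, TypeLib and Ext\Stats keys are ordinary COM registration and show up for a legitimate BHO such as Acrobat's in exactly the same shape.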

#3 spaceyjane (Topic Starter, Member, 11 posts)

First, thank you so much for taking time to help me! I greatly, beyond measure, appreciate your time and effort! Many many sincere thanks!

Okie-dokie, after doing what you asked, here are my results:

To the RegSrch, the first search phrase resulted in "No instances of "ALTDistrib Object" found"

To the second search phrase, "11 Instances were found..." with the following log file:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "3FE36807-69ED-45D1-B9BE-85C0E3F75B6A" 12/1/2005 10:38:49 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLDistrib.ATLDistrib\CLSID]
@="{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLDistrib.ATLDistrib.1\CLSID]
@="{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A}\InprocServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A}\ProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A}\TypeLib]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A}\VersionIndependentProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A}]

[HKEY_USERS\S-1-5-21-3019735459-1950715647-583337187-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A}]

[HKEY_USERS\S-1-5-21-3019735459-1950715647-583337187-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A}\iexplore]

---------------

Then, WinPFind in safe mode yielded this log file...

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PTech 11/30/2005 3:14:18 PM 505272 C:\WINDOWS\setupapi.log

Checking %System% folder...
PEC2 8/4/2004 4:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 11/4/2005 4:27:24 PM 534280 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 11/10/2005 9:17:18 PM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 11/10/2005 9:17:18 PM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 4:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 4:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/4/2004 4:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 8/30/2005 3:30:38 PM 962672 C:\WINDOWS\SYSTEM32\drivers\VsapiNT.sys
aspack 8/30/2005 3:30:38 PM 962672 C:\WINDOWS\SYSTEM32\drivers\VsapiNT.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
12/1/2005 10:41:52 AM S 2048 C:\WINDOWS\bootstat.dat
11/18/2005 9:05:30 PM H 0 C:\WINDOWS\inf\oem10.inf
11/30/2005 9:51:04 AM H 0 C:\WINDOWS\inf\oem13.inf
11/6/2005 7:57:14 AM RHS 71564 C:\WINDOWS\pchealth\helpctr\PackageStore\package_10.cab
11/6/2005 7:54:02 AM RHS 7166 C:\WINDOWS\pchealth\helpctr\PackageStore\package_7.cab
11/6/2005 7:55:40 AM RHS 7351 C:\WINDOWS\pchealth\helpctr\PackageStore\package_8.cab
11/6/2005 7:56:40 AM RHS 21378 C:\WINDOWS\pchealth\helpctr\PackageStore\package_9.cab
11/30/2005 9:14:46 AM HS 326305 C:\WINDOWS\system32\prqss.bak1
11/30/2005 9:15:14 PM HS 348365 C:\WINDOWS\system32\prqss.bak2
12/1/2005 10:48:32 AM HS 348725 C:\WINDOWS\system32\prqss.ini
11/30/2005 9:14:32 AM HS 557108 C:\WINDOWS\system32\ssqrp.dll
11/29/2005 6:48:06 PM HS 27661 C:\WINDOWS\system32\vtuts.dll
10/5/2005 8:33:38 PM S 12849 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896424.cat
10/4/2005 6:17:40 PM S 21737 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
12/1/2005 10:41:58 AM H 16384 C:\WINDOWS\system32\config\default.LOG
12/1/2005 10:42:10 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
12/1/2005 10:41:54 AM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
12/1/2005 10:43:40 AM H 1024 C:\WINDOWS\system32\config\software.LOG
12/1/2005 10:42:24 AM H 1024 C:\WINDOWS\system32\config\system.LOG
11/18/2005 9:44:10 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
11/18/2005 9:05:40 PM S 1047 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC
11/18/2005 9:05:40 PM S 1370 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB
11/18/2005 9:05:40 PM S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC
11/18/2005 9:05:40 PM S 194 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB
11/6/2005 7:50:20 AM HS 2128 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt
11/6/2005 8:03:04 AM HS 24 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Protect\CREDHIST
11/6/2005 8:03:04 AM HS 388 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Protect\S-1-5-21-3019735459-1950715647-583337187-1003\3d573c0c-5291-41a9-8377-7beeaf7d7e1e
11/6/2005 8:03:04 AM HS 24 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Protect\S-1-5-21-3019735459-1950715647-583337187-1003\Preferred
11/6/2005 8:12:38 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
11/6/2005 8:14:12 AM H 3231804 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IconCache.db
11/6/2005 8:14:20 AM H 262144 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
11/6/2005 8:14:20 AM H 1024 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
11/18/2005 9:03:08 PM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
11/18/2005 9:03:08 PM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
11/18/2005 9:03:08 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
11/18/2005 9:03:08 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
11/18/2005 9:03:08 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8YVUS3XI\desktop.ini
11/18/2005 9:03:08 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ENKMOYX5\desktop.ini
11/18/2005 9:03:08 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SS26NO6K\desktop.ini
11/18/2005 9:03:08 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VQZ54DOG\desktop.ini
11/18/2005 9:03:06 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\0a7f2d05-0072-488c-bb75-5b3cb294d400
11/18/2005 9:03:06 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\26ddc2b5-de5b-4d5f-8b96-5b6afc77e24b
11/18/2005 9:03:06 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\76a78674-48ab-4541-97ef-65a61ff089a4
11/18/2005 9:03:06 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
12/1/2005 10:41:04 AM H 6 C:\WINDOWS\Tasks\SA.DAT
11/18/2005 9:05:00 PM HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
11/18/2005 9:05:00 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
11/18/2005 9:05:00 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\4PEZSHMJ\desktop.ini
11/18/2005 9:05:00 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\8DY345UR\desktop.ini
11/18/2005 9:05:00 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\K5YFKD2J\desktop.ini
11/18/2005 9:05:00 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S1AFW1YV\desktop.ini

Checking for CPL files...
Microsoft Corporation 8/4/2004 4:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Windows ® 2000 DDK provider 2/23/2004 2:16:08 PM 28160 C:\WINDOWS\SYSTEM32\EnHFCPL.CPL
Microsoft Corporation 8/4/2004 4:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 4/5/2005 6:22:04 PM 77824 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
InstallShield Software Corporation 7/27/2004 3:50:48 PM 73728 C:\WINDOWS\SYSTEM32\ISUSPM.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 11/19/2003 4:48:12 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Intel® Corporation 12/9/2004 12:44:58 PM 77824 C:\WINDOWS\SYSTEM32\PRApplet.cpl
RealNetworks, Inc. 11/6/2005 8:05:12 AM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/10/2004 12:04:12 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
11/20/2005 5:19:24 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/10/2004 11:57:42 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
11/6/2005 8:12:58 AM H 0 C:\Documents and Settings\All Users\Application Data\gwseh.dat

Checking files in %USERPROFILE%\Startup folder...
8/10/2004 12:04:12 PM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
8/10/2004 11:57:42 AM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
= C:\Program Files\Trend Micro\Internet Security 12\Tmdshell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
= C:\Program Files\Trend Micro\Internet Security 12\Tmdshell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A}
ATLDistrib Object = C:\WINDOWS\system32\ssqrp.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}
= C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}
DriveLetterAccess = C:\WINDOWS\system32\dla\tfswshx.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\system32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SoundMAXPnP C:\Program Files\Analog Devices\Core\smax4pnp.exe
IgfxTray C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds C:\WINDOWS\system32\hkcmd.exe
Persistence C:\WINDOWS\system32\igfxpers.exe
SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
IntelMeM C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
RealTray C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
dla C:\WINDOWS\system32\dla\tfswctrl.exe
ISUSPM Startup C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
ISUSScheduler "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
DMXLauncher C:\Program Files\Dell\Media Experience\DMXLauncher.exe
pccguide.exe "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
EnvyHFCPL C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe
vptray C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup
OE_OEM "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
NeroHomeFirstStart C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxdev.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
= C:\WINDOWS\system32\NavLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqrp
= C:\WINDOWS\system32\ssqrp.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 12/1/2005 10:48:51 AM


----------------------------------

Any further help and assistance you can give me will be more than wonderful! Thank you again for your time and help!

smiles!

#4 Wizard (Retired Staff, 5,661 posts)
Ok, I'm gonna ask for several different favors, then begin what I hope will be the beginning of the end of your problems.

Make sure Windows is Showing Hidden Files
http://www.bleepingc...al62.html#winxp

1. BillsWay Reg Search --> We got the returns for the CLSID; I also need the returns for --> ATLDistrib
I think I asked for it in the wrong text last time.

2. Right-click the desktop and select New -> Folder -> name it VunUp.

3. Now I need you to navigate to these 2 locations:

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData

As you get to the contents of each of these folders -> go up and click Edit -> Select All -> Edit -> Copy.

Then go to the new folder on the desktop -> right-click inside it and select Paste. This will copy the contents of the 2 folders into the new folder on the desktop.

I need you to email me that new folder; I will PM you with my email address.

4. Last favor to ask -> Download this program:

Submit Files Packer
http://www.safer-net...g/files/sfp.zip

Highlight the entries listed below in bold and right-click, then select Copy.

C:\WINDOWS\setupapi.log
C:\WINDOWS\system32\prqss.bak1
C:\WINDOWS\system32\prqss.bak2
C:\WINDOWS\system32\prqss.ini
C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\vtuts.dll


Then start the file packer program, right-click in the white box and select Paste to paste the copied file names into the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example Monster.cab).

Then go to:
http://www.bleepingc...mit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.


Beginning of the hopeful end in the next reply. If you run into any problems with any of these requests, feel free to PM me or just disregard; I don't want you to spend any extreme overtime on these requests.

#5 Wizard (Retired Staff, 5,661 posts)
Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\ssqrp.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\prqss.*
    This will be the vundo filename spelt backwards. For example, if the vundo dll was vundo.dll you would enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run, then HijackThis will open; if it does not open automatically, please open it manually.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:

    O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\system32\ssqrp.dll

    O20 - Winlogon Notify: ssqrp - C:\WINDOWS\system32\ssqrp.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them into this topic, along with a new HijackThis log and the vundofix.txt file from the VundoFix folder.

#6 spaceyjane (Topic Starter, Member, 11 posts)
Thanks Cretemonster! I've sent both requests, and am now off to do Safe Mode and VundoFix.exe ..... crossing all my extremities, including toes and fingers, in hopes that this will be fruitful! : )

be back soon to give update.

#7 spaceyjane (Topic Starter, Member, 11 posts)
Whelp... ok. Here's the news.

The ActiveScan results are:
Incident Status Location
Virus:Eicar.Mod Not disinfected C:\Program Files\Trend Micro\Internet Security 12\tmhelp.chm[Test_virus.htm]

Next... my recent HJT log shows this:

Logfile of HijackThis v1.99.1
Scan saved at 7:33:56 PM, on 12/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.mywa...idebar.jsp?p=DE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\system32\ssqrp.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133368111156
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: ssqrp - C:\WINDOWS\system32\ssqrp.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

-----------------------------------

now, the other VundoFix.txt is this:
VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\ssqrp.dll

The second filepath entered was C:\WINDOWS\system32\prqss.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 136 'smss.exe'

Killing PID 752 'explorer.exe'
Killing PID 752 'explorer.exe'
Killing PID 752 'explorer.exe'


Killing PID 208 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\ssqrp.dll Deleted sucessfully.
C:\WINDOWS\system32\prqss.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------




So Cretemonster... how'd I do? What do you think about this virus? Guess I should run Norton?

Thanks again for all your help! You're the best!
smiles!

#8 spaceyjane (Topic Starter, Member, 11 posts)
Doh! It's a "test-virus"... got it.

Anyway, when you get time, let me know how everything else looks, then if it's all fine, I look forward to hearing how to button things back up. :tazz:

You rock Mike! Thank you so much for your help! You've been so generous!

#9 Wizard (Retired Staff, 5,661 posts)
Looks like Vundo has left the House!! :tazz:

Now lets finish cleaning you up.

Not sure if you already did it, but I need to see the results of the BillsWay Reg Search for this entry:

ATLDistrib

If you haven't done that yet, please do, so we can get the registry cleaned up.


Open HijackThis and put a check by these, but DO NOT hit the Fix Checked button yet:

O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\system32\ssqrp.dll (file missing)

O20 - Winlogon Notify: ssqrp - C:\WINDOWS\system32\ssqrp.dll (file missing)

Now make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked button.


Next, go back into Safe Mode and scan with WinPFind again.

Restart normally and post the results of the WinPFind scan and the Reg Search results.
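Added example, not from the thread and not code from the HijackThis, VundoFix or WinPFind authors: a small Python script that does the log reading behind the VundoFix steps in post #5 and the clean-up in post #9. It parses the O2 (BHO) and O20 (Winlogon Notify) lines of the HijackThis log format shown above, groups them by DLL, keeps the "(file missing)" flag so that the orphaned registry entries left behind after VundoFix deleted ssqrp.dll still end up on the Fix Checked list, and derives the second VundoFix path by spelling the DLL stem backwards (ssqrp.dll -> prqss.*). The rule that marks a DLL suspicious (loaded from system32 both as a BHO and as a Winlogon Notify package) is this example's own heuristic, modelled on the two entries the helper had fixed; it is not a general Vundo detector. The sample lines are copied from the HijackThis log posted above.

```python
"""Triage HijackThis O2/O20 lines for the Vundo shape discussed in this thread.

Added example; not part of the thread and not code from HijackThis or VundoFix.
SAMPLE_LOG is copied from the post-VundoFix log above; the "suspicious" rule is
this example's own heuristic.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# O20 - Winlogon Notify: <subkey> - <path>[ (file missing)]
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Entry:
    kind: str        # "O2" or "O20"
    name: str        # BHO display name or Winlogon\Notify subkey
    path: str        # DLL path as HijackThis printed it
    missing: bool    # HijackThis appended "(file missing)"
    raw: str         # original log line, reused for the Fix Checked list
    clsid: Optional[str] = None


@dataclass
class Finding:
    path: str
    companion: str   # reversed-stem glob, e.g. prqss.*
    kinds: List[str] = field(default_factory=list)
    lines: List[str] = field(default_factory=list)
    missing: bool = False
    suspicious: bool = False


def parse_hjt(text: str) -> List[Entry]:
    """Return the O2 and O20 entries found in a HijackThis log."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = O2_RE.match(line)
        if m:
            entries.append(Entry("O2", m["name"], m["path"], bool(m["missing"]), line, m["clsid"]))
            continue
        m = O20_RE.match(line)
        if m:
            entries.append(Entry("O20", m["name"], m["path"], bool(m["missing"]), line))
    return entries


def companion_glob(path: str) -> str:
    """Vundo's side files carry the DLL stem spelled backwards (ssqrp -> prqss.*),
    which is the second path VundoFix asks for."""
    stem, _ = ntpath.splitext(ntpath.basename(path))
    return stem[::-1] + ".*"


def triage(entries: List[Entry]) -> Dict[str, Finding]:
    """Group entries by DLL (case-insensitive path). Heuristic (this example's own):
    a DLL under system32 loaded both as a BHO and as a Winlogon Notify package is
    suspicious. "(file missing)" is kept: the registry entries outlive the deleted
    file and still need Fix Checked in HijackThis."""
    findings: Dict[str, Finding] = {}
    for e in entries:
        f = findings.setdefault(e.path.lower(), Finding(e.path, companion_glob(e.path)))
        f.kinds.append(e.kind)
        f.lines.append(e.raw)
        f.missing = f.missing or e.missing
    for f in findings.values():
        in_system32 = "\\system32\\" in f.path.lower()
        f.suspicious = in_system32 and {"O2", "O20"} <= set(f.kinds)
    return findings


def fix_list(findings: Dict[str, Finding]) -> List[str]:
    """The HijackThis lines to tick before pressing Fix Checked."""
    return [line for f in findings.values() if f.suspicious for line in f.lines]


# Constructed sample: lines copied from the post-VundoFix HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\system32\ssqrp.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: ssqrp - C:\WINDOWS\system32\ssqrp.dll (file missing)
"""

if __name__ == "__main__":
    results = triage(parse_hjt(SAMPLE_LOG))
    for f in results.values():
        if f.suspicious:
            state = "file missing, registry entries still present" if f.missing else "file present"
            print(f"{f.path}: {state}; VundoFix second path -> {f.companion}")
    print("Fix Checked:", *fix_list(results), sep="\n  ")
```

Run it as-is to print the Fix Checked list for the sample, or pass a saved log to parse_hjt to triage a real one. The companion glob is only a name; the script reads the log text and touches neither the file system nor the registry.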

#10 spaceyjane (Topic Starter, Member, 11 posts)
Great Mike! Thanks so much!! Riddance Vundo!

So... did the RegSrch, which resulted in:

"No instance of "ALTDistrib" found"

Next, ran HJT, checked the boxes, closed all other windows, and "Fixed Checked".

Then, went to Safe Mode, ran WinPFind again, which yielded this log:

----------------------------------------------------------------

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/4/2004 4:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 11/4/2005 4:27:24 PM 534280 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 11/10/2005 9:17:18 PM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 11/10/2005 9:17:18 PM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 4:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 4:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/4/2004 4:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 8/30/2005 3:30:38 PM 962672 C:\WINDOWS\SYSTEM32\drivers\VsapiNT.sys
aspack 8/30/2005 3:30:38 PM 962672 C:\WINDOWS\SYSTEM32\drivers\VsapiNT.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
12/2/2005 9:31:38 AM S 2048 C:\WINDOWS\bootstat.dat
11/18/2005 9:05:30 PM H 0 C:\WINDOWS\inf\oem10.inf
11/30/2005 9:51:04 AM H 0 C:\WINDOWS\inf\oem13.inf
11/6/2005 7:57:14 AM RHS 71564 C:\WINDOWS\pchealth\helpctr\PackageStore\package_10.cab
11/6/2005 7:54:02 AM RHS 7166 C:\WINDOWS\pchealth\helpctr\PackageStore\package_7.cab
11/6/2005 7:55:40 AM RHS 7351 C:\WINDOWS\pchealth\helpctr\PackageStore\package_8.cab
11/6/2005 7:56:40 AM RHS 21378 C:\WINDOWS\pchealth\helpctr\PackageStore\package_9.cab
11/29/2005 6:48:06 PM HS 27661 C:\WINDOWS\system32\vtuts.dll
10/5/2005 8:33:38 PM S 12849 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896424.cat
10/4/2005 6:17:40 PM S 21737 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
12/2/2005 9:31:30 AM H 8192 C:\WINDOWS\system32\config\default.LOG
12/2/2005 9:31:50 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
12/2/2005 9:31:40 AM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
12/2/2005 9:32:12 AM H 98304 C:\WINDOWS\system32\config\software.LOG
12/2/2005 9:31:44 AM H 905216 C:\WINDOWS\system32\config\system.LOG
11/18/2005 9:44:10 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
11/18/2005 9:05:40 PM S 1047 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC
11/18/2005 9:05:40 PM S 1370 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB
11/18/2005 9:05:40 PM S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC
11/18/2005 9:05:40 PM S 194 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB
11/6/2005 7:50:20 AM HS 2128 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt
11/6/2005 8:03:04 AM HS 24 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Protect\CREDHIST
11/6/2005 8:03:04 AM HS 388 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Protect\S-1-5-21-3019735459-1950715647-583337187-1003\3d573c0c-5291-41a9-8377-7beeaf7d7e1e
11/6/2005 8:03:04 AM HS 24 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Protect\S-1-5-21-3019735459-1950715647-583337187-1003\Preferred
11/6/2005 8:12:38 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
11/6/2005 8:14:12 AM H 3231804 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IconCache.db
11/6/2005 8:14:20 AM H 262144 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
11/6/2005 8:14:20 AM H 1024 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
11/18/2005 9:03:08 PM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
11/18/2005 9:03:08 PM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
11/18/2005 9:03:08 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
11/18/2005 9:03:08 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
11/18/2005 9:03:08 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8YVUS3XI\desktop.ini
11/18/2005 9:03:08 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ENKMOYX5\desktop.ini
11/18/2005 9:03:08 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SS26NO6K\desktop.ini
11/18/2005 9:03:08 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VQZ54DOG\desktop.ini
11/18/2005 9:03:06 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\0a7f2d05-0072-488c-bb75-5b3cb294d400
11/18/2005 9:03:06 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\26ddc2b5-de5b-4d5f-8b96-5b6afc77e24b
11/18/2005 9:03:06 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\76a78674-48ab-4541-97ef-65a61ff089a4
11/18/2005 9:03:06 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
12/2/2005 9:30:50 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 4:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Windows ® 2000 DDK provider 2/23/2004 2:16:08 PM 28160 C:\WINDOWS\SYSTEM32\EnHFCPL.CPL
Microsoft Corporation 8/4/2004 4:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 4/5/2005 6:22:04 PM 77824 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
InstallShield Software Corporation 7/27/2004 3:50:48 PM 73728 C:\WINDOWS\SYSTEM32\ISUSPM.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 11/19/2003 4:48:12 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Intel® Corporation 12/9/2004 12:44:58 PM 77824 C:\WINDOWS\SYSTEM32\PRApplet.cpl
RealNetworks, Inc. 11/6/2005 8:05:12 AM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 4:00:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/10/2004 12:04:12 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
11/20/2005 5:19:24 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/10/2004 11:57:42 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
11/6/2005 8:12:58 AM H 0 C:\Documents and Settings\All Users\Application Data\gwseh.dat

Checking files in %USERPROFILE%\Startup folder...
8/10/2004 12:04:12 PM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
8/10/2004 11:57:42 AM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
= C:\Program Files\Trend Micro\Internet Security 12\Tmdshell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
= C:\Program Files\Trend Micro\Internet Security 12\Tmdshell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}
= C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}
DriveLetterAccess = C:\WINDOWS\system32\dla\tfswshx.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\system32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SoundMAXPnP C:\Program Files\Analog Devices\Core\smax4pnp.exe
IgfxTray C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds C:\WINDOWS\system32\hkcmd.exe
Persistence C:\WINDOWS\system32\igfxpers.exe
SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
IntelMeM C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
RealTray C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
dla C:\WINDOWS\system32\dla\tfswctrl.exe
ISUSPM Startup C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
ISUSScheduler "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
DMXLauncher C:\Program Files\Dell\Media Experience\DMXLauncher.exe
pccguide.exe "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
EnvyHFCPL C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe
vptray C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup
OE_OEM "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
NeroHomeFirstStart C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxdev.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
= C:\WINDOWS\system32\NavLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 12/2/2005 9:37:23 AM


-------------------------------------------------------------
:tazz:

So... what's your opinion? Is Vundo definitely goners?

You've been so helpful, I appreciate you so much, especially knowing that in your real life you have many responsibilities and concerns, so the fact that you would share yourself with me while life goes on around you, I am touched and grateful!!!! More than words can express!

smiles,
m

#11
Wizard (Retired Staff, 5,661 posts)
Thank you for those kind words, that's exactly what motivates me to do this! :tazz:


Now let's finish getting this PC cleaned up and set you on a good path to safer surfing.


Go back to Safe Mode and be sure Windows is Showing Hidden Files
http://www.bleepingc...al62.html#winxp


Locate and Delete these 2 files

C:\WINDOWS\system32\vtuts.dll

C:\Documents and Settings\All Users\Application Data\gwseh.dat


Restart Normal and Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#12
spaceyjane (Topic Starter, Member, 11 posts)
alrighty Mike... I've done all on your latest request, deleted the two files in Safe Mode, then on restart, my scan using Kaspersky revealed that I have 4 viruses with 7 infected files (which appear to be in quarantine), here is the text file that I saved, it reads:

---------------------------------------------
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, December 02, 2005 17:42:23
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 2/12/2005
Kaspersky Anti-Virus database records: 162936
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 96368
Number of viruses found: 4
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 7749 sec

Infected Object Name - Virus Name
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9A.tmp/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9A.tmp/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9A.tmp Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9B.tmp/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9B.tmp/Counter.class Infected: Trojan.Java.ClassLoader.h
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9B.tmp/Parser.class Infected: Trojan.Java.ClassLoader.d
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9B.tmp Infected: Trojan.Java.ClassLoader.d

Scan process completed.
----------------------------------------------------------

What say you my friend?

smiles,
m
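Reading the scanner output above by machine rather than by eye, as an added example (it is not part of the thread and not Kaspersky's or Trend Micro's code): a small Python parser for the report layout quoted in the post. It extracts the statistics block and the detection table, cross-checks the row count and the number of distinct detection names against the scanner's own totals, and then sorts the detections by whether the file on disk lies inside a quarantine folder. The sample text is a constructed copy of the report above; the quarantine path is the one that appears in it, and reading a path containing '/' as `container/member` is an assumption about how the scanner names archive members.

```python
import re

# Constructed sample in the layout of the Kaspersky On-line Scanner report
# quoted in the post above: the statistics block and the seven detections are
# copied from it; this is not a live scan.
SAMPLE_REPORT = r"""
Scan Statistics:
Total number of scanned objects: 96368
Number of viruses found: 4
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 7749 sec

Infected Object Name - Virus Name
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9A.tmp/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9A.tmp/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9A.tmp Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9B.tmp/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9B.tmp/Counter.class Infected: Trojan.Java.ClassLoader.h
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9B.tmp/Parser.class Infected: Trojan.Java.ClassLoader.d
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\9B.tmp Infected: Trojan.Java.ClassLoader.d

Scan process completed.
"""

# Folders whose contents another product has already isolated.  The Trend Micro
# path is the one in the report; another scanner's quarantine would be added here.
QUARANTINE_DIRS = [r"C:\Program Files\Trend Micro\Internet Security 12\Quarantine"]

STAT_RE = re.compile(r"^(Total number of scanned objects|Number of viruses found|"
                     r"Number of infected objects|Number of suspicious objects): (\d+)$")


def parse_report(text):
    """Return (stats, findings).

    stats maps each 'Scan Statistics' label to its integer value; findings is a
    list of (object_name, detection_name) pairs from the 'Infected Object Name'
    table.  Object names contain spaces, so each row is split on the last
    ' Infected: ' marker rather than on whitespace.
    """
    stats, findings, in_table = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = STAT_RE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
        elif line.startswith("Infected Object Name"):
            in_table = True
        elif line.startswith("Scan process completed"):
            in_table = False
        elif in_table and " Infected: " in line:
            name, detection = line.rsplit(" Infected: ", 1)
            findings.append((name, detection))
    return stats, findings


def on_disk_file(object_name):
    """Assumption: archive members are written as 'container/member', so the
    part before the first '/' is the file that actually exists on disk."""
    return object_name.split("/", 1)[0]


def counts_consistent(stats, findings):
    """Cross-check the parsed table against the scanner's own totals."""
    distinct = {detection for _, detection in findings}
    return (len(findings) == stats.get("Number of infected objects")
            and len(distinct) == stats.get("Number of viruses found"))


def triage(findings, quarantine_dirs=QUARANTINE_DIRS):
    """Split the files behind the detections into those already inside a
    quarantine folder (inert copies kept by another product) and those that
    still need attention."""
    prefixes = [d.lower().rstrip("\\") + "\\" for d in quarantine_dirs]
    files = sorted({on_disk_file(name) for name, _ in findings})
    quarantined = [f for f in files if any(f.lower().startswith(p) for p in prefixes)]
    active = [f for f in files if f not in quarantined]
    return {"files": files, "quarantined": quarantined, "active": active}


if __name__ == "__main__":
    stats, findings = parse_report(SAMPLE_REPORT)
    print("totals consistent:", counts_consistent(stats, findings))
    result = triage(findings)
    print("files on disk:", len(result["files"]), "quarantined:", len(result["quarantined"]),
          "still active:", len(result["active"]))
```

The triage step is what makes the report readable: every row sits under Trend Micro's Quarantine folder, so the seven hits are isolated copies another product already removed from their original location, which is consistent with the next reply calling the machine clean. Anything that lands in the active list is what would still need attention.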

#13
Wizard (Retired Staff, 5,661 posts)
Looks like a clean machine to me.

Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacools...areblaster.html
Update immediately!

WinHelp2002 Hosts File
http://www.mvps.org/...2002/hosts2.htm

Disable System Restore
http://service1.syma...src=sec_doc_nam

Go ahead and Reconfigure Msconfig the way you like the PC to Startup!

Go ahead and remove any of the tools downloaded that are of no use anymore!

Post back and let me know how things are?

#14
spaceyjane (Topic Starter, Member, 11 posts)
Thanks Mike! K, now can you tell me what the WinHelp2002 Host files are? Also, do you mean to enable System Restore? Also, how exactly should I configure Msconfig?? I don't know what the settings are supposed to be at, or if I even changed them when we began all this :tazz:

Sorry to sound less than bright, but I think I need to get some more coffee and hope you'll explain. *insert cheesy lame grin here*

Thanks again Mike, YOU ROCK!
smiles,
m

#15
Wizard (Retired Staff, 5,661 posts)
Don't let the Hosts File bother ya, just download the Zip as you would any other folder.

Right Click the zip and select Extract All.

Now you should see a new folder, inside is a file labeled HOSTS

Right Click it and Select Copy.

Navigate to C:\Windows\System32\Drivers\ETC

Open the ETC folder and Right Click inside it, select Paste and when the small window pops up confirming you want to replace the existing Hosts File, click YES.

Basically, this will prevent the Browser from connecting to some very unwanted sites.

If system restore was already disabled, then you can leave it be for now.

Msconfig allows you to manipulate the programs that load at startup, basically my AV, Firewall and Keyboard are all that startup with my PC.

You have to use trial and error to find your own way, anything that can be disabled in Msconfig, can easily be re-enabled by reversing the procedure.

Say for instance you go to Start-> Run-> Type in Msconfig and click OK.

You're presented with a Window that has 4 or 5 tabs at the top.

One is labeled Startup.

Under that tab you will see a listing of programs that load at startup, the check in the box beside each entry means it's enabled and will load at startup, if it's unchecked it will not load at startup.

Here is one that is for sure not needed and you can experiment by disabling it

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
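To show what the Hosts File step above actually does, here is an added Python example (not part of the thread, and not the WinHelp2002/MVPS file or any tool's code). It parses a constructed hosts file in the Windows layout, answers lookups the way the resolver does (names are case-insensitive and the first matching entry wins), and classifies every entry: names pointed at 0.0.0.0 or 127.0.0.1 are the blocklist entries the reply describes, since a request for them never leaves the machine; a name pointed anywhere else is listed separately for review, because a hosts file can redirect a name just as easily as it can block one. The hostnames and the 203.0.113.9 address are constructed placeholders.

```python
import ipaddress

# Constructed sample in the layout of C:\Windows\System32\Drivers\ETC\hosts.
# It is NOT the MVPS file: the hostnames are placeholders, and the last entry
# is planted to show what a redirect (rather than a block) looks like.
SAMPLE_HOSTS = """\
# Sample HOSTS file in the Windows layout (constructed for this example).
127.0.0.1       localhost

# Blocklist-style entries: the name resolves to this machine, so the browser's
# request for it never goes out to the network.
0.0.0.0         ads.example.invalid
127.0.0.1       tracker.example.invalid    # older lists use loopback instead

# Planted example: a name pointed at some other machine entirely.
203.0.113.9     update.antivirus.example.invalid
"""

# Addresses that make an entry a block rather than a redirect.
BLOCK_ADDRESSES = {"0.0.0.0", "127.0.0.1"}


def parse_hosts(text):
    """Return a list of (address, hostname) pairs in file order.

    Comments (everything after '#') and blank lines are dropped; one line may
    name several hosts after a single address; a line whose first field is not
    an IP address is skipped instead of aborting the whole parse.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for hostname in fields[1:]:
            entries.append((fields[0], hostname.lower()))
    return entries


def resolve(entries, hostname):
    """Look a name up the way the resolver consults the hosts file: names are
    case-insensitive and the first matching entry wins.  Returns None when the
    name is absent, meaning DNS would be asked instead."""
    hostname = hostname.lower()
    for address, name in entries:
        if name == hostname:
            return address
    return None


def classify(entries):
    """Split entries into blocks (pointed at this machine) and redirects
    (pointed anywhere else).  'localhost' is the stock Windows line and is
    left out of both lists."""
    blocked, redirected = [], []
    for address, name in entries:
        if name == "localhost":
            continue
        if address in BLOCK_ADDRESSES:
            blocked.append(name)
        else:
            redirected.append((name, address))
    return {"blocked": blocked, "redirected": redirected}


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("ads.example.invalid ->", resolve(hosts, "ads.example.invalid"))
    summary = classify(hosts)
    print(len(summary["blocked"]), "blocked;",
          len(summary["redirected"]), "redirected, worth a second look")
```

Run against the real file after the copy-and-paste step, the blocked list is what the downloaded hosts file gives you; the redirected list should normally be empty, and any entry in it deserves a look before trusting the machine again.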





