Re: HJT Log - Winfixer 2005 will not stay away in Security http://www.dslreports.com/forum/r14418905 en Sun, 29 Nov 2009 00:05:42 EDT Sun, 29 Nov 2009 00:05:42 EDT Re: HJT Log - Winfixer 2005 will not stay away http://www.dslreports.com/forum/remark,14662484 TheJoker : jimh, in addition, you need to start your own topic if you still need help after that.
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,14662484 Wed, 26 Oct 2005 13:07:56 EDT Re: HJT Log - Winfixer 2005 will not stay away http://www.dslreports.com/forum/remark,14660570 John2g : This works for most people.

»Security »How Do I Remove Trojan Vundo/Winfixer/Virtumonde?]]> http://www.dslreports.com/forum/remark,14660570 Wed, 26 Oct 2005 07:01:01 EDT Re: HJT Log - Winfixer 2005 will not stay away http://www.dslreports.com/forum/remark,14660494 jimh6 : Hello to anyone that can help,

I have been searching google for an answer to the same problem DJCFP had, but I am unable to remove my hard drive to another computer to delete the files that are infected, and continue on with the repair. How do you delete the file (mine is C:\windows\system32\gebcy.dll.

I have tried everything mention by Joker (I think), and i ended up just like DJCFP, but I can go no further without deleting that file (I assume). Here is my HJT file:

Logfile of HijackThis v1.99.1
Scan saved at 5:22:34 AM, on 10/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »goggle.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »goggle.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\gebcy.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: @C:\Program Files\Messenger2\im2_ie_plugin.dll,-4 - {410C30C7-098A-4090-928E-F1D356D34C7F} - C:\Program Files\Messenger2\im2_ie_plugin.dll
O9 - Extra 'Tools' menuitem: Run IM2 Messenger - {410C30C7-098A-4090-928E-F1D356D34C7F} - C:\Program Files\Messenger2\im2_ie_plugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - »pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - »www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »update.microsoft.com/windowsupda···79588218
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »acs.pandasoftware.com/activescan···inst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - »photo.walmart.com/photo/uploads/···ient.cab
O20 - Winlogon Notify: gebcy - C:\WINDOWS\System32\gebcy.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

Thank you in advance for your help.]]> http://www.dslreports.com/forum/remark,14660494 Wed, 26 Oct 2005 06:25:31 EDT Re: HJT Log - Winfixer 2005 will not stay away http://www.dslreports.com/forum/remark,14430191 TheJoker : I recommend clearing all your TEMP files and Recycle Bin now:
Click on Start > Run
In the Run command line, type CLEANMGR
In the windows that opens, you can select a drive (C: is the default), Click OK
On the Disk Cleanup tab, check:
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin
Temporary Files
Click OK > Yes

Now let's turn off and then restart System Restore. This will delete all your restore points, but it will also prevent you from inadvertently restoring any of the fixes you have just implemented. When you enable the System Restore feature again, the System Restore feature will create a new restore point and then resume monitoring your computer.

To disable and re-enable System Restore:

Go to Start --> Settings --> Control Panel --> System --> System Restore, and check Turn off System Restore on all drives, and select Apply. Now uncheck Turn off System Restore on all drives, select OK, and restart your system.

Now you need to hide the files you un-hid earlier:

Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading unselect "Show hidden files and folders".
Check the "Hide protected operating system files (recommended)" option.
Click Yes to confirm. Click OK.

You need a software firewall. Unless one of those McAfee lines in your log is for a McAfee firewall, I didn't see one in your HijackThis log. Two free firewalls are Zone Alarm from zonelabs.com »www.zonelabs.com/store/content/c···load.jsp or Kerio Personal Firewall available from »www.kerio.com/us/kpf_home.html. There is a tutorial on understanding firewalls at »www.bleepingcomputer.com/forums/···l60.html.

There are several free utilities you can use to help keep malware off your system:

A HOSTS file will prevent Internet Explorer from communicating with sites associated with adware or spyware. A good regularly updated HOST file is MVPS HOSTS File, available at »www.mvps.org/winhelp2002/hosts.htm.

IE/SPYAD adds sites associated with ads and spyware to your Internet Restricted Zone and you can download that at »https://netfiles.uiuc.edu/ehowes/www/res···#IESPYAD.

A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster. For real-time protection, there is SpywareGuard. Both are available at »www.javacoolsoftware.com/products.html.

I recommend reading Tony Klein's article How did I get Infected? at »www.computercops.biz/postlite7736-.html
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,14430191 Fri, 23 Sep 2005 20:19:07 EDT Re: HJT Log - Winfixer 2005 will not stay away http://www.dslreports.com/forum/remark,14428642 djcfp : Joker,

I merged the file vundo.reg to my registry and performed Activescan. It appears as if I am good to go. I want to thank you so much for all of your help. I am not used to being on the receiving end of computer tech support, but I had no choice this time as it was so stubborn. This forum and it's members are the best! My hat is off to you Joker!

Here are the results of my Activescan:

Incident Status Location
Virus:Eicar.Mod No disinfected C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]]]> http://www.dslreports.com/forum/remark,14428642 Fri, 23 Sep 2005 16:20:09 EDT Re: HJT Log - Winfixer 2005 will not stay away http://www.dslreports.com/forum/remark,14427817 TheJoker : That got the file, and you also have successfully "fixed" the two lines in HijachThis. :)

Now you need to locate the vundo.reg file that you previously saved to your Desktop, double click it and allow it to merge with the registry.

I will be looking for the scan results. Good job.
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,14427817 Fri, 23 Sep 2005 14:06:40 EDT Re: HJT Log - Winfixer 2005 will not stay away http://www.dslreports.com/forum/remark,14427668 djcfp : Joker,

Thank you again for all of this help. I had already done the search when you posted this last post. I had also tryed many things to try to get rid of that file (ddcax.dll) to no avail. So with that in mind, this what I did. I once again removed this HDD from the affected machine and installed it in another XP machine as a slave drive. I then searched for ddcax & xacdd and found the following: D:\WINDOWS\SYSTEM32\ddcax.dll & D:\WINDOWS\SYSTEM32\xacdd.ini (which would have been C:\WINDOWS\SYSTEM32\ddcax.dll & C:\WINDOWS\SYSTEM32\xacdd.ini had the drive been in the affected machine as the primary drive)

I then deleted those files (I was able to do this because there was no process trying to use them) Then I reinstalled the HDD in it's machine, booted in the safe mode and ran HJT and checked and fixed the following entries:

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll (file missing)

O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll (file missing)

I then rebooted the machine and ran HJT. I am currently running activescan and will send you the results after it is through. Here is is the latest HJT log.

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:24:48 AM, on 9/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft

Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EX

E
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\KEYBOA~1\keyexp.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) -

{53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan -

{BA52B914-B692-46c4-B683-905236F6F655} -

c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS

Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SideWinderTrayV4]

C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [HP Lamp]

C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [EM_EXEC]

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EX

E
O4 - HKLM\..\Run: [PinnacleDriverCheck]

C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program

Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MCUpdateExe]

C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe]

c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask]

"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program

Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program

Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Keyboard Express 3.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite -

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program

Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) -

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program

Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... -

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program

Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research -

{92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7}

(Microsoft ProgressBar Control, version 5.0 (SP2)) -

»bin.mcafee.com/molbin/Shared/Com···,22/ComC

tl32.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB}

(BrowseFolderPopup Class) -

»download.mcafee.com/molbin/Share···wFld.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -

»a1540.g.akamai.net/7/1540/52/200···nfo.appl

e.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}

(McAfee.com Operating System Class) -

»download.mcafee.com/molbin/share···0,0,99/m

cinsctl.cab
O16 - DPF: {53F63B36-5DB3-4C19-A8AB-2CB9AE7D57F7}

(CFM_AXFTP_MOD.UserControl1) -

»www.racelm.com/rlm/cfmaxftp/cfmprojmod.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}

(WUWebControl Class) -

»update.microsoft.com/windowsupda···ls/en/x8

6/client/wuweb_site.cab?1120431258104
O16 - DPF: {6EA0A4DB-0B94-40E1-9165-54F5694C19EC}

(CFM2004noruna.UserControl1) -

»www.racelm.com/rlm/cfm2004/cfm2004noruna.CAB
O16 - DPF: {73989DDC-D9DE-47F7-B262-6FE39DC70BC2}

(CFM2004Turbo.UserControl1) -

»www.racelm.com/rlm/cfmturbo/cfm2004turbo.CAB
O16 - DPF: {797FA1DD-30E7-4093-A892-E8C2A556A583}

(CFM2005TurboDMCrs.UserControl1) -

»www.racelm.com/rlm/cfmturbo/cfm2···MCrs.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}

(ActiveScan Installer Class) -

»www.pandasoftware.com/activescan···inst.cab
O16 - DPF: {A49DFBB5-A3BB-45FE-BA2F-34890123C47F}

(CFM2005TurboDMC.UserControl1) -

»www.racelm.com/rlm/cfmturbo/cfm2···oDMC.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}

(DwnldGroupMgr Class) -

»download.mcafee.com/molbin/share···0,0,26/m

cgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}

(Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}

(Java Runtime Environment 1.4.1) -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E}

(PhotosCtrl Class) -

»photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DB1C1859-F90A-47DE-8934-FB8CECE8E6F3}

(CFM_AXFTP_MOD.UserControl1) -

»www.racelm.com/rlm/cfmaxftp/cfmp···orun.CAB
O16 - DPF: {DDC38B48-52B8-4FD6-BBB3-2FC2C136FD0D}

(CFM2004a.UserControl1) -

»www.racelm.com/rlm/cfm2004/cfm2004a.CAB
O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E}

(MASHControl Class) -

»www.amiuptodate.com/vsc/mvt/bin/···mash.cab
O17 -

HKLM\System\CCS\Services\Tcpip\..\{6A551B11-F6EE-4A28-8

E26-0BAB4D056B63}: NameServer =

64.166.172.8,206.13.29.12
O23 - Service: Adobe LM Service - Unknown owner - C:\Program

Files\Common Files\Adobe Systems

Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision -

C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. -

C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: GEARSecurity_BackUp - Unknown owner -

C:\WINDOWS\SYSTEM32\GEARSEC.EXE (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc.

- C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner

- C:\Program Files\Common Files\Macromedia

Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) -

McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. -

c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) -

McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager

(mcupdmgr.exe) - McAfee, Inc -

C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA

Corporation - C:\WINDOWS\system32\nvsvc32.exe]]> http://www.dslreports.com/forum/remark,14427668 Fri, 23 Sep 2005 13:45:34 EDT Re: HJT Log - Winfixer 2005 will not stay away http://www.dslreports.com/forum/remark,14426805 TheJoker : This one is being stubborn.

Using Windows Search (Start > Search > For Files or Folders), please search for and locate all instances of the following files:

ddcax
xacdd

Don't use a file extension. This will also find any other files of the same name but with any file extension.

Please post the full file name (with extension) and path of any files found along with a new HijackThis log.

Please locate your original XP install CD and have it handy. If you computer's BIOS is not set to allow booting from the CD, do you know how to change that? We will try removing the file from the recovery console. Once the file is gone, we should be able to proceed.
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,14426805 Fri, 23 Sep 2005 11:30:25 EDT Re: HJT Log - Winfixer 2005 will not stay away http://www.dslreports.com/forum/remark,14423522 djcfp : Joker,

I followed those instructions and found only ddcax.dll threads in explorer.exe only (none in winlogon.exe) Also, I found no backwards or other iterrations of that file name.

I got an interesting message from Killbox when performing the delete on reboot operation, it said:

PendingFileRenameOperations Registry Data has been Removed by External Process!

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 6:08:01 PM, on 9/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft

Shared\VS7Debug\mdm.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EX

E
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\KEYBOA~1\keyexp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: MSEvents Object -

{52B1DFC7-AAFC-4362-B103-868B0683C697} -

C:\WINDOWS\system32\ddcax.dll
O2 - BHO: (no name) -

{53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan -

{BA52B914-B692-46c4-B683-905236F6F655} -

c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS

Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SideWinderTrayV4]

C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [HP Lamp]

C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [EM_EXEC]

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EX

E
O4 - HKLM\..\Run: [PinnacleDriverCheck]

C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program

Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MCUpdateExe]

C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe]

c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask]

"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program

Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program

Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Keyboard Express 3.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite -

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program

Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) -

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program

Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... -

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program

Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research -

{92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7}

(Microsoft ProgressBar Control, version 5.0 (SP2)) -

»bin.mcafee.com/molbin/Shared/Com···,22/ComC

tl32.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB}

(BrowseFolderPopup Class) -

»download.mcafee.com/molbin/Share···wFld.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -

»a1540.g.akamai.net/7/1540/52/200···nfo.appl

e.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}

(McAfee.com Operating System Class) -

»download.mcafee.com/molbin/share···0,0,99/m

cinsctl.cab
O16 - DPF: {53F63B36-5DB3-4C19-A8AB-2CB9AE7D57F7}

(CFM_AXFTP_MOD.UserControl1) -

»www.racelm.com/rlm/cfmaxftp/cfmprojmod.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}

(WUWebControl Class) -

»update.microsoft.com/windowsupda···ls/en/x8

6/client/wuweb_site.cab?1120431258104
O16 - DPF: {6EA0A4DB-0B94-40E1-9165-54F5694C19EC}

(CFM2004noruna.UserControl1) -

»www.racelm.com/rlm/cfm2004/cfm2004noruna.CAB
O16 - DPF: {73989DDC-D9DE-47F7-B262-6FE39DC70BC2}

(CFM2004Turbo.UserControl1) -

»www.racelm.com/rlm/cfmturbo/cfm2004turbo.CAB
O16 - DPF: {797FA1DD-30E7-4093-A892-E8C2A556A583}

(CFM2005TurboDMCrs.UserControl1) -

»www.racelm.com/rlm/cfmturbo/cfm2···MCrs.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}

(ActiveScan Installer Class) -

»www.pandasoftware.com/activescan···inst.cab
O16 - DPF: {A49DFBB5-A3BB-45FE-BA2F-34890123C47F}

(CFM2005TurboDMC.UserControl1) -

»www.racelm.com/rlm/cfmturbo/cfm2···oDMC.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}

(DwnldGroupMgr Class) -

»download.mcafee.com/molbin/share···0,0,26/m

cgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}

(Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}

(Java Runtime Environment 1.4.1) -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E}

(PhotosCtrl Class) -

»photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DB1C1859-F90A-47DE-8934-FB8CECE8E6F3}

(CFM_AXFTP_MOD.UserControl1) -

»www.racelm.com/rlm/cfmaxftp/cfmp···orun.CAB
O16 - DPF: {DDC38B48-52B8-4FD6-BBB3-2FC2C136FD0D}

(CFM2004a.UserControl1) -

»www.racelm.com/rlm/cfm2004/cfm2004a.CAB
O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E}

(MASHControl Class) -

»www.amiuptodate.com/vsc/mvt/bin/···mash.cab
O17 -

HKLM\System\CCS\Services\Tcpip\..\{6A551B11-F6EE-4A28-8

E26-0BAB4D056B63}: NameServer =

64.166.172.8,206.13.29.12
O20 - Winlogon Notify: ddcax -

C:\WINDOWS\system32\ddcax.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program

Files\Common Files\Adobe Systems

Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision -

C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. -

C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: GEARSecurity_BackUp - Unknown owner -

C:\WINDOWS\SYSTEM32\GEARSEC.EXE (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc.

- C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner

- C:\Program Files\Common Files\Macromedia

Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) -

McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. -

c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) -

McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager

(mcupdmgr.exe) - McAfee, Inc -

C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA

Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) -

Webroot Software, Inc. - C:\Program Files\Webroot\Spy

Sweeper\WRSSSDK.exe]]> http://www.dslreports.com/forum/remark,14423522 Thu, 22 Sep 2005 21:15:07 EDT Re: HJT Log - Winfixer 2005 will not stay away http://www.dslreports.com/forum/remark,14423168 djcfp : Oh man, and I was doing so good at following your instructions to this point, I read on in your last post, and it addressed me looking for it in explorer.exe, sorry, I am continuing on.]]> http://www.dslreports.com/forum/remark,14423168 Thu, 22 Sep 2005 20:21:09 EDT Re: HJT Log - Winfixer 2005 will not stay away http://www.dslreports.com/forum/remark,14423115 djcfp : Joker,

I am in process explorer in the safe mode on the affected machine. When following your instructions by double clicking on winlogin.exe, then selecting the threads tab, there are no instances of ddcax.dll at all, for that matter, all of the threads in winlogin.exe are somewhat generic in nature. A few examples are: 0x103d353, !CreateThread+0x27, etc......... However, I took it upon myself to use the find function in the main menu of process explorer to find ddcax.dll and found it in threads of explorer.exe. Some examples of those threads are: ddcax.dll+0x233ad, ddcax.dll+0x2047c, etc...

I have not got any further than simply finding those threads, so please advise.

Thank you Joker]]> http://www.dslreports.com/forum/remark,14423115 Thu, 22 Sep 2005 20:10:53 EDT Re: HJT Log - Winfixer 2005 will not stay away http://www.dslreports.com/forum/remark,14422748 TheJoker : Ok, since the automated method isn't working, lets try an older manual method.

Please download Process Explorer by Systernals from HERE

Also download KillBox by Option^Explicit from www.thespykiller.co.uk/files/killbox.exe

Then boot up in SAFE MODE

the rest of this fix must be done in safe mode.

Unzip Process Explorer and double click on procexp.exe

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of ddcax.dll once and then click the kill button.

After you have killed all of the ddcax.dll's under winlogon click OK.

also look for any .ini or bak files or other dll's with either the same name or the file name in reverse & kill them as well

Example:

ddcax.bak
ddcax.ini
ddcax.reg etc

or

xacdd.dll
xacdd.bak
xacdd.ini etc

Next double click on explorer.exe and again click once on each instance of ddcax.dll then click the kill button.

also look for any .ini or bak files or reverse named dll's with either the same name or the file name in reverse & kill them as well. See above for examples, and write down the names and full path of files you find, you will need those file paths for Killbox.

Click on the Threads tab at the top.

Once you have done that click OK again.

Next run HijackThis and place a check beside each of the following.

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll

Now click fix checked and close HijackThis.

Please copy the text in the box below, and paste it into a blank notepad window.
Save it as vundo.reg and in the save as type box choose all files.

Once you have saved it double click it and allow it to merge with the registry.

quote:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\CLSID\{581F22DA-7202-4F21-AEF3-114787156016}]

[-HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_CLASSES_ROOT\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]


Now run killbox and paste The line below in bold into the box, select delete on reboot then press the red X button, say yes to the prompt but no to reboot now

Then continue to paste the lines in turn and follow the above procedure every time, If it says file is missing, or if it says unable to delete then make a note of the file name and let us know when you reply

C:\WINDOWS\system32\ddcax.dll

Then repeat by typing in the full name of any of the reverse named .bak or .ini or other files that you discovered in step 1 if there were any.

When you enter the last file, select yes to Reboot now. If you system does not restart, reboot it manually

After your computer has rebooted please run Hijackthis again and post a new HijackThis log.
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,14422748 Thu, 22 Sep 2005 19:17:00 EDT Re: HJT Log - Winfixer 2005 will not stay away http://www.dslreports.com/forum/remark,14422329 djcfp : Okay, I followed the steps in your last reply and here are the results of the scans:

Activescan:

Incident Status Location
Spyware:Spyware/Virtumonde No disinfected C:\HJT\backups\backup-20050922-134457-263.dll
Virus:Eicar.Mod No disinfected C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\ddcax.dll

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 3:03:41 PM, on 9/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft

Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EX

E
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\KEYBOA~1\keyexp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

O2 - BHO: MSEvents Object -

{52B1DFC7-AAFC-4362-B103-868B0683C697} -

C:\WINDOWS\system32\ddcax.dll
O2 - BHO: (no name) -

{53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan -

{BA52B914-B692-46c4-B683-905236F6F655} -

c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS

Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SideWinderTrayV4]

C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [HP Lamp]

C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [EM_EXEC]

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EX

E
O4 - HKLM\..\Run: [PinnacleDriverCheck]

C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program

Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MCUpdateExe]

C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe]

c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask]

"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program

Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program

Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Keyboard Express 3.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite -

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program

Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) -

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program

Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... -

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program

Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research -

{92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7}

(Microsoft ProgressBar Control, version 5.0 (SP2)) -

»bin.mcafee.com/molbin/Shared/Com···,22/ComC

tl32.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB}

(BrowseFolderPopup Class) -

»download.mcafee.com/molbin/Share···wFld.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -

»a1540.g.akamai.net/7/1540/52/200···nfo.appl

e.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}

(McAfee.com Operating System Class) -

»download.mcafee.com/molbin/share···0,0,99/m

cinsctl.cab
O16 - DPF: {53F63B36-5DB3-4C19-A8AB-2CB9AE7D57F7}

(CFM_AXFTP_MOD.UserControl1) -

»www.racelm.com/rlm/cfmaxftp/cfmprojmod.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}

(WUWebControl Class) -

»update.microsoft.com/windowsupda···ls/en/x8

6/client/wuweb_site.cab?1120431258104
O16 - DPF: {6EA0A4DB-0B94-40E1-9165-54F5694C19EC}

(CFM2004noruna.UserControl1) -

»www.racelm.com/rlm/cfm2004/cfm2004noruna.CAB
O16 - DPF: {73989DDC-D9DE-47F7-B262-6FE39DC70BC2}

(CFM2004Turbo.UserControl1) -

»www.racelm.com/rlm/cfmturbo/cfm2004turbo.CAB
O16 - DPF: {797FA1DD-30E7-4093-A892-E8C2A556A583}

(CFM2005TurboDMCrs.UserControl1) -

»www.racelm.com/rlm/cfmturbo/cfm2···MCrs.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}

(ActiveScan Installer Class) -

»www.pandasoftware.com/activescan···inst.cab
O16 - DPF: {A49DFBB5-A3BB-45FE-BA2F-34890123C47F}

(CFM2005TurboDMC.UserControl1) -

»www.racelm.com/rlm/cfmturbo/cfm2···oDMC.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}

(DwnldGroupMgr Class) -

»download.mcafee.com/molbin/share···0,0,26/m

cgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}

(Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}

(Java Runtime Environment 1.4.1) -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E}

(PhotosCtrl Class) -

»photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DB1C1859-F90A-47DE-8934-FB8CECE8E6F3}

(CFM_AXFTP_MOD.UserControl1) -

»www.racelm.com/rlm/cfmaxftp/cfmp···orun.CAB
O16 - DPF: {DDC38B48-52B8-4FD6-BBB3-2FC2C136FD0D}

(CFM2004a.UserControl1) -

»www.racelm.com/rlm/cfm2004/cfm2004a.CAB
O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E}

(MASHControl Class) -

»www.amiuptodate.com/vsc/mvt/bin/···mash.cab
O17 -

HKLM\System\CCS\Services\Tcpip\..\{6A551B11-F6EE-4A28-8

E26-0BAB4D056B63}: NameServer =

64.166.172.8,206.13.29.12
O20 - Winlogon Notify: ddcax -

C:\WINDOWS\system32\ddcax.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program

Files\Common Files\Adobe Systems

Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision -

C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. -

C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: GEARSecurity_BackUp - Unknown owner -

C:\WINDOWS\SYSTEM32\GEARSEC.EXE (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc.

- C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner

- C:\Program Files\Common Files\Macromedia

Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) -

McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. -

c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) -

McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager

(mcupdmgr.exe) - McAfee, Inc -

C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA

Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) -

Webroot Software, Inc. - C:\Program Files\Webroot\Spy

Sweeper\WRSSSDK.exe

Vundofix:

Could not delete file.
Files Deleted sucessfully.]]> http://www.dslreports.com/forum/remark,14422329 Thu, 22 Sep 2005 18:08:35 EDT Re: HJT Log - Winfixer 2005 will not stay away http://www.dslreports.com/forum/remark,14421075 TheJoker : Lets try one more time. If it doesn’t work, we'll try another method. Now that there is only one set of entries for Vundo, it may work better.

Please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

[*]Once in Safe mode, Using Windows Explorer, locate and delete the following Files:

C:\HJT\backups\backup-20050922-091542-924.dll
C:\WINDOWS\dhdomp1.bin

[*]Open the VundoFix folder and doubleclick on KillVundo.bat
[*]You will first be presented with a warning and a list of forums to seek help at.
it should look like this
VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk
Please seek assistance at one of the following forums:
http://www.atribune.org/forums
http://www.247fixes.com/forums
http://www.geekstogo.com/forum
http://forums.net-integration.net
[*] At this point press enter one time.
[*] Next you will see:
Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
[*]At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\SYSTEM32\ddcax.dll

[*]Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
[*] Next you will see:
 Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
[*]At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\SYSTEM32\xacdd.*

[*]Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
[*]The fix will run then HijackThis will open.
[*]In HijackThis, please place a check next to the following items and click FIX CHECKED:

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll

[*]After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
[*]Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
[*]Once your machine reboots please continue with the instructions below.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.

--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,14421075 Thu, 22 Sep 2005 15:08:59 EDT Re: HJT Log - Winfixer 2005 will not stay away http://www.dslreports.com/forum/remark,14420785 djcfp : Okay,

I performed the tasks that you requested. FYI, to delete C:\WINDOWS\system32\jkhgh.dll, I had to physically remove the HDD from this machine and install it as a slave in another XP machine. I tryed all other methods to no avail due to the fact that it was "being used by another process". That includes trying to delete it from a command prompt in the safe mode. Bottom line is that I got it deleted.

Here are the results of the scans that you requested:

vundofix:

Could not delete file.
Files Deleted sucessfully.

Activescan:

Incident Status Location
Spyware:Spyware/Virtumonde No disinfected C:\HJT\backups\backup-20050922-091542-924.dll
Virus:Eicar.Mod No disinfected C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
Adware:adware/dealhelper No disinfected C:\WINDOWS\dhdomp1.bin
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\ddcax.dll

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 11:01:01 AM, on 9/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\KEYBOA~1\keyexp.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Keyboard Express 3.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - »bin.mcafee.com/molbin/Shared/Com···tl32.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - »download.mcafee.com/molbin/Share···wFld.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1540.g.akamai.net/7/1540/52/200···ller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {53F63B36-5DB3-4C19-A8AB-2CB9AE7D57F7} (CFM_AXFTP_MOD.UserControl1) - »www.racelm.com/rlm/cfmaxftp/cfmprojmod.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »update.microsoft.com/windowsupda···31258104
O16 - DPF: {6EA0A4DB-0B94-40E1-9165-54F5694C19EC} (CFM2004noruna.UserControl1) - »www.racelm.com/rlm/cfm2004/cfm2004noruna.CAB
O16 - DPF: {73989DDC-D9DE-47F7-B262-6FE39DC70BC2} (CFM2004Turbo.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2004turbo.CAB
O16 - DPF: {797FA1DD-30E7-4093-A892-E8C2A556A583} (CFM2005TurboDMCrs.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2···MCrs.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »www.pandasoftware.com/activescan···inst.cab
O16 - DPF: {A49DFBB5-A3BB-45FE-BA2F-34890123C47F} (CFM2005TurboDMC.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2···oDMC.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - »download.mcafee.com/molbin/share···dmgr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - »photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DB1C1859-F90A-47DE-8934-FB8CECE8E6F3} (CFM_AXFTP_MOD.UserControl1) - »www.racelm.com/rlm/cfmaxftp/cfmp···orun.CAB
O16 - DPF: {DDC38B48-52B8-4FD6-BBB3-2FC2C136FD0D} (CFM2004a.UserControl1) - »www.racelm.com/rlm/cfm2004/cfm2004a.CAB
O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - »www.amiuptodate.com/vsc/mvt/bin/···mash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A551B11-F6EE-4A28-8E26-0BAB4D056B63}: NameServer = 64.166.172.8,206.13.29.12
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: GEARSecurity_BackUp - Unknown owner - C:\WINDOWS\SYSTEM32\GEARSEC.EXE (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe]]> http://www.dslreports.com/forum/remark,14420785 Thu, 22 Sep 2005 14:20:52 EDT Re: HJT Log - Winfixer 2005 will not stay away http://www.dslreports.com/forum/remark,14418905 TheJoker : Let's take care of a few things there first, and then see if after running Vundofix you can get a clean scan.

One of the files the scan found was a test file (Eicar) for scanners, and not really a virus, so we will leave that alone. We will take care of the one listed as virtumondo with the Vundofix.

The first file Panda found was in your Sun Java Runtime Environment (JRE) cache. Delete it by clearing the JRE cache directory:

1. From the Start button, click Settings -> Control Panel
2. In the Control Panel, open the "Java Plug-in Control Panel"
3. Select the Cache Tab
4. Click the Clear button inside the Cache Tab, which will clear your JRE cache directory

Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.

Using Windows Explorer, locate and delete the following files:

C:\HJT\backups\backup-20050921-181624-266.dll
C:\ keys.ini
C:\WINDOWS\dhdom1.bin
C:\WINDOWS\system32\jkhgh.dll
C:\WINDOWS\system32\msfdje.gif
C:\WINDOWS\system32\mshpeb.dll
C:\WINDOWS\system32\msnapl.dll

Please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
[*]Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
[*]You will first be presented with a warning and a list of forums to seek help at.
it should look like this
VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk
Please seek assistance at one of the following forums:
http://www.atribune.org/forums
http://www.247fixes.com/forums
http://www.geekstogo.com/forum
http://forums.net-integration.net
[*] At this point press enter one time.
[*] Next you will see:
Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
[*]At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\SYSTEM32\ddcax.dll

[*]Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
[*] Next you will see:
 Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
[*]At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\SYSTEM32\xacdd.*

[*]Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
[*]The fix will run then HijackThis will open.
[*]In HijackThis, please place a check next to the following items and click FIX CHECKED:

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhgh.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll
O20 - Winlogon Notify: jkhgh - C:\WINDOWS\SYSTEM32\jkhgh.dll

[*]After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
[*]Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
[*]Once your machine reboots please continue with the instructions below.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.

--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,14418905 Thu, 22 Sep 2005 09:02:58 EDT Re: HJT Log - Winfixer 2005 will not stay away http://www.dslreports.com/forum/remark,14417238 djcfp : Okay,

First of all, thank you for assisting me, it is much appreciated.

Now as far my progress. You mentioned that I would have to this twice. I assumed that you meant perform vundo fix once, reboot, post results, then do it or something like it again, so here are the results from the first run:

Activescan:
Incident Status Location

Adware:Adware/RazeSpyware No disinfected C:\Documents and Settings\Chuck\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-51cccb7c-27e64a25.class
Adware:Adware/StartPage.AIW No disinfected C:\HJT\backups\backup-20050921-181624-266.dll
Adware:adware/delfinmedia No disinfected C:\keys.ini
Virus:Eicar.Mod No disinfected C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
Adware:adware/dealhelper No disinfected C:\WINDOWS\dhdom1.bin
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\ddcax.dll
Adware:Adware/StartPage.AIW No disinfected C:\WINDOWS\system32\jkhgh.dll
Spyware:Spyware/Omi No disinfected C:\WINDOWS\system32\msfdje.gif
Spyware:Spyware/Omi No disinfected C:\WINDOWS\system32\mshpeb.dll
Spyware:Spyware/Omi No disinfected C:\WINDOWS\system32\msnapl.dll

Hijack This:
Logfile of HijackThis v1.99.1
Scan saved at 8:21:48 PM, on 9/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\KEYBOA~1\keyexp.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhgh.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Keyboard Express 3.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - »bin.mcafee.com/molbin/Shared/Com···tl32.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - »download.mcafee.com/molbin/Share···wFld.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1540.g.akamai.net/7/1540/52/200···ller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {53F63B36-5DB3-4C19-A8AB-2CB9AE7D57F7} (CFM_AXFTP_MOD.UserControl1) - »www.racelm.com/rlm/cfmaxftp/cfmprojmod.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »update.microsoft.com/windowsupda···31258104
O16 - DPF: {6EA0A4DB-0B94-40E1-9165-54F5694C19EC} (CFM2004noruna.UserControl1) - »www.racelm.com/rlm/cfm2004/cfm2004noruna.CAB
O16 - DPF: {73989DDC-D9DE-47F7-B262-6FE39DC70BC2} (CFM2004Turbo.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2004turbo.CAB
O16 - DPF: {797FA1DD-30E7-4093-A892-E8C2A556A583} (CFM2005TurboDMCrs.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2···MCrs.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »www.pandasoftware.com/activescan···inst.cab
O16 - DPF: {A49DFBB5-A3BB-45FE-BA2F-34890123C47F} (CFM2005TurboDMC.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2···oDMC.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - »download.mcafee.com/molbin/share···dmgr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - »photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DB1C1859-F90A-47DE-8934-FB8CECE8E6F3} (CFM_AXFTP_MOD.UserControl1) - »www.racelm.com/rlm/cfmaxftp/cfmp···orun.CAB
O16 - DPF: {DDC38B48-52B8-4FD6-BBB3-2FC2C136FD0D} (CFM2004a.UserControl1) - »www.racelm.com/rlm/cfm2004/cfm2004a.CAB
O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - »www.amiuptodate.com/vsc/mvt/bin/···mash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A551B11-F6EE-4A28-8E26-0BAB4D056B63}: NameServer = 64.166.172.8,206.13.29.12
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll
O20 - Winlogon Notify: jkhgh - C:\WINDOWS\SYSTEM32\jkhgh.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: GEARSecurity_BackUp - Unknown owner - C:\WINDOWS\SYSTEM32\GEARSEC.EXE (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

vundofix.txt:

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 200 'smss.exe'
Threads [204]Error 0x6 : The handle is invalid.

[208]Error 0x6 : The handle is invalid.

[212]Error 0x6 : The handle is invalid.

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1100 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 272 'winlogon.exe'
Error 0x6 : The handle is invalid.

Could not delete file.
Files Deleted sucessfully.]]> http://www.dslreports.com/forum/remark,14417238 Wed, 21 Sep 2005 23:39:07 EDT Re: HJT Log - Winfixer 2005 will not stay away http://www.dslreports.com/forum/remark,14414945 TheJoker : Fix for djcfp on DSLReports

Hi djcfp, we'll get you fixed up, but will have to do this twice, you seem to have items related to two separate vundo infections.

Please print these instructions out for use in Safe Mode.

Please download www.atribune.org/downloads/VundoFix.exe to your desktop.
[*]Double-click VundoFix.exe to extract the files
[*]This will create a VundoFix folder on your desktop.
[*]After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
[*]Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
[*]You will first be presented with a warning and a list of forums to seek help at.
it should look like this
VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk
Please seek assistance at one of the following forums:
http://www.atribune.org/forums
http://www.247fixes.com/forums
http://www.geekstogo.com/forum
http://forums.net-integration.net
[*] At this point press enter one time.
[*] Next you will see:
Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
[*]At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\SYSTEM32\jkhgh.dll

[*]Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
[*] Next you will see:
 Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
[*]At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\SYSTEM32\hghkj.*

[*]Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
[*]The fix will run then HijackThis will open.
[*]In HijackThis, please place a check next to the following items and click FIX CHECKED:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhgh.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - »»https://components.viewpoint.com/adobe/MTSInst..

[*]After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
[*]Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
[*]Once your machine reboots please continue with the instructions below.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.

--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,14414945 Wed, 21 Sep 2005 18:55:15 EDT Re: HJT Log - Winfixer 2005 will not stay away http://www.dslreports.com/forum/remark,14411814 djcfp : Thank you for the reply. I will do as you suggest and wait for one of the HJT experts to instruct me on how to use vundofix.

I have downloaded and extracted VundoFix to my Desktop on the affected machine. I will hold here and wait for further instructions.]]> http://www.dslreports.com/forum/remark,14411814 Wed, 21 Sep 2005 11:35:16 EDT Re: HJT Log - Winfixer 2005 will not stay away http://www.dslreports.com/forum/remark,14410978 Rusty Dusty : This topic may be of help...
»hijack this log...Winfixer, cws.qttask, Vx2.Look2m]]> http://www.dslreports.com/forum/remark,14410978 Wed, 21 Sep 2005 09:30:43 EDT Re: HJT Log - Winfixer 2005 will not stay away http://www.dslreports.com/forum/remark,14410147 John2g : These will need to be fixed as well.

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhgh.dll
O20 - Winlogon Notify: jkhgh - C:\WINDOWS\SYSTEM32\jkhgh.dll]]> http://www.dslreports.com/forum/remark,14410147 Wed, 21 Sep 2005 04:06:33 EDT Re: HJT Log - Winfixer 2005 will not stay away http://www.dslreports.com/forum/remark,14410057 John2g : This is a major problem.

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll

You will have to wait for one of the forum HJT helpers to show you how you use vundofix.
--
Better to remain silent and be thought a fool, than to speak and remove all doubt. ]]> http://www.dslreports.com/forum/remark,14410057 Wed, 21 Sep 2005 03:11:07 EDT HJT Log - Winfixer 2005 will not stay away http://www.dslreports.com/forum/remark,14408854 djcfp : Hello,

I have read the FAQs and have done everthing there (and more) I simply cannot keep Winfixer 2005 off of this machine. I have run (with up to the second updates and in this order) Awaware SE, SPYBOT Search and Destroy, Pest Patrol Corporate, Spy Sweeper, McAfee Online Virus Scan and Hijack This (HJT Log right after other scans and fixes and once again right after an immediate reboot)I first uninstalled Winfixer through the control panel, then scanned/fixed with the above process. I am including both HJT scans as well as the logs from some of the other software. By the way, I have tryed other orders and safe mode as well.

Before Reboot:

Logfile of HijackThis v1.99.1
Scan saved at 7:24:14 PM, on 9/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\KEYBOA~1\keyexp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhgh.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Keyboard Express 3.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - »https://components.viewpoint.com/adobe/M···eam3.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - »bin.mcafee.com/molbin/Shared/Com···tl32.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - »download.mcafee.com/molbin/Share···wFld.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1540.g.akamai.net/7/1540/52/200···ller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {53F63B36-5DB3-4C19-A8AB-2CB9AE7D57F7} (CFM_AXFTP_MOD.UserControl1) - »www.racelm.com/rlm/cfmaxftp/cfmprojmod.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »update.microsoft.com/windowsupda···31258104
O16 - DPF: {6EA0A4DB-0B94-40E1-9165-54F5694C19EC} (CFM2004noruna.UserControl1) - »www.racelm.com/rlm/cfm2004/cfm2004noruna.CAB
O16 - DPF: {73989DDC-D9DE-47F7-B262-6FE39DC70BC2} (CFM2004Turbo.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2004turbo.CAB
O16 - DPF: {797FA1DD-30E7-4093-A892-E8C2A556A583} (CFM2005TurboDMCrs.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2···MCrs.CAB
O16 - DPF: {A49DFBB5-A3BB-45FE-BA2F-34890123C47F} (CFM2005TurboDMC.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2···oDMC.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - »download.mcafee.com/molbin/share···dmgr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - »photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DB1C1859-F90A-47DE-8934-FB8CECE8E6F3} (CFM_AXFTP_MOD.UserControl1) - »www.racelm.com/rlm/cfmaxftp/cfmp···orun.CAB
O16 - DPF: {DDC38B48-52B8-4FD6-BBB3-2FC2C136FD0D} (CFM2004a.UserControl1) - »www.racelm.com/rlm/cfm2004/cfm2004a.CAB
O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - »www.amiuptodate.com/vsc/mvt/bin/···mash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A551B11-F6EE-4A28-8E26-0BAB4D056B63}: NameServer = 64.166.172.8,206.13.29.12
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll
O20 - Winlogon Notify: jkhgh - C:\WINDOWS\SYSTEM32\jkhgh.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: GEARSecurity_BackUp - Unknown owner - C:\WINDOWS\SYSTEM32\GEARSEC.EXE (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

After reboot:

Logfile of HijackThis v1.99.1
Scan saved at 7:35:14 PM, on 9/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\KEYBOA~1\keyexp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhgh.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Keyboard Express 3.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - »https://components.viewpoint.com/adobe/M···eam3.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - »bin.mcafee.com/molbin/Shared/Com···tl32.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - »download.mcafee.com/molbin/Share···wFld.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1540.g.akamai.net/7/1540/52/200···ller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {53F63B36-5DB3-4C19-A8AB-2CB9AE7D57F7} (CFM_AXFTP_MOD.UserControl1) - »www.racelm.com/rlm/cfmaxftp/cfmprojmod.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »update.microsoft.com/windowsupda···31258104
O16 - DPF: {6EA0A4DB-0B94-40E1-9165-54F5694C19EC} (CFM2004noruna.UserControl1) - »www.racelm.com/rlm/cfm2004/cfm2004noruna.CAB
O16 - DPF: {73989DDC-D9DE-47F7-B262-6FE39DC70BC2} (CFM2004Turbo.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2004turbo.CAB
O16 - DPF: {797FA1DD-30E7-4093-A892-E8C2A556A583} (CFM2005TurboDMCrs.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2···MCrs.CAB
O16 - DPF: {A49DFBB5-A3BB-45FE-BA2F-34890123C47F} (CFM2005TurboDMC.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2···oDMC.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - »download.mcafee.com/molbin/share···dmgr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - »photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DB1C1859-F90A-47DE-8934-FB8CECE8E6F3} (CFM_AXFTP_MOD.UserControl1) - »www.racelm.com/rlm/cfmaxftp/cfmp···orun.CAB
O16 - DPF: {DDC38B48-52B8-4FD6-BBB3-2FC2C136FD0D} (CFM2004a.UserControl1) - »www.racelm.com/rlm/cfm2004/cfm2004a.CAB
O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - »www.amiuptodate.com/vsc/mvt/bin/···mash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A551B11-F6EE-4A28-8E26-0BAB4D056B63}: NameServer = 64.166.172.8,206.13.29.12
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll
O20 - Winlogon Notify: jkhgh - C:\WINDOWS\SYSTEM32\jkhgh.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: GEARSecurity_BackUp - Unknown owner - C:\WINDOWS\SYSTEM32\GEARSEC.EXE (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Adaware scan:

Ad-Aware SE Build 1.06r1
Logfile Created on:Tuesday, September 20, 2005 5:14:47 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R67 20.09.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Other(TAC index:5):1 total references
WinFixer(TAC index:3):38 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R67 20.09.2005
Internal build : 79
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 524443 Bytes
Total size : 1576182 Bytes
Signature data size : 1543004 Bytes
Reference data size : 32666 Bytes
Signatures total : 43850
CSI Fingerprints total : 1047
CSI data size : 37307 Bytes
Target categories : 15
Target families : 746

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:48 %
Total physical memory:523760 kb
Available physical memory:247692 kb
Total page file size:1279564 kb
Available on page file:1052256 kb
Total virtual memory:2097024 kb
Available virtual memory:2045144 kb
OS:Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

9-20-2005 5:14:47 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 588
ThreadCreationTime : 9-20-2005 11:50:27 PM
BasePriority : Normal

#:2 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : n/a
ProcessID : 672
ThreadCreationTime : 9-20-2005 11:50:34 PM
BasePriority : High

#:3 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : n/a
ProcessID : 716
ThreadCreationTime : 9-20-2005 11:50:35 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:4 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : n/a
ProcessID : 728
ThreadCreationTime : 9-20-2005 11:50:35 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:5 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : n/a
ProcessID : 884
ThreadCreationTime : 9-20-2005 11:50:36 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : n/a
ProcessID : 996
ThreadCreationTime : 9-20-2005 11:50:36 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : n/a
ProcessID : 1268
ThreadCreationTime : 9-20-2005 11:50:37 PM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:8 [cdac11ba.exe]
ModuleName : C:\WINDOWS\System32\drivers\CDAC11BA.EXE
Command Line : n/a
ProcessID : 1412
ThreadCreationTime : 9-20-2005 11:50:43 PM
BasePriority : Normal
FileVersion : 4.20.030
ProductVersion : 4.20.030 Windows NT 2002/01/29
ProductName : SafeCast Windows NT
CompanyName : Macrovision
FileDescription : Macrovision RTS Service
InternalName : CDANTSRV
LegalCopyright : Copyright (c) 1998-2003 Macrovision Corp.
OriginalFilename : CDANTSRV.EXE
Comments : StringFileInfo: U.S. English

#:9 [crypserv.exe]
ModuleName : C:\WINDOWS\system32\crypserv.exe
Command Line : n/a
ProcessID : 1432
ThreadCreationTime : 9-20-2005 11:50:43 PM
BasePriority : High
FileVersion : 5.4.0
ProductVersion : 5.4
ProductName : CrypKey Software Licensing System
CompanyName : Kenonic Controls Ltd.
FileDescription : CrypKey NT Service
InternalName : crypserv
LegalCopyright : Copyright © 2000
LegalTrademarks : CrypKey
OriginalFilename : crypserv.exe
Comments : Operates in all directories, not just configured ones. Directory configuration only used for fille clean up and uninstall. 0/3 fixed problem with other partitions. 0/6 fixed problem with short paths

#:10 [mcdetect.exe]
ModuleName : c:\program files\mcafee.com\agent\mcdetect.exe
Command Line : n/a
ProcessID : 1484
ThreadCreationTime : 9-20-2005 11:50:44 PM
BasePriority : Normal
FileVersion : 6, 0, 0, 7
ProductVersion : 6, 0, 0, 0
ProductName : McAfee SecurityCenter
CompanyName : McAfee, Inc
FileDescription : McAfee WSC Integration Service
InternalName : McDetect
LegalCopyright : Copyright © 2005 McAfee, Inc.
OriginalFilename : McDetect.exe
Comments : McAfee WSC Integration Service

#:11 [mcshield.exe]
ModuleName : c:\PROGRA~1\mcafee.com\vso\mcshield.exe
Command Line : n/a
ProcessID : 1512
ThreadCreationTime : 9-20-2005 11:50:44 PM
BasePriority : High

#:12 [mctskshd.exe]
ModuleName : c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
Command Line : n/a
ProcessID : 1584
ThreadCreationTime : 9-20-2005 11:50:45 PM
BasePriority : Normal
FileVersion : 6, 0, 0, 13
ProductVersion : 6, 0, 0, 0
ProductName : McAfee SecurityCenter
CompanyName : McAfee, Inc
FileDescription : McAfee Task Scheduler
InternalName : McTskshd
LegalCopyright : Copyright © 2005 McAfee, Inc.
OriginalFilename : McTskshd.exe

#:13 [mdm.exe]
ModuleName : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
Command Line : n/a
ProcessID : 1624
ThreadCreationTime : 9-20-2005 11:50:47 PM
BasePriority : Normal
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : mdm.exe

#:14 [nvsvc32.exe]
ModuleName : C:\WINDOWS\system32\nvsvc32.exe
Command Line : n/a
ProcessID : 1752
ThreadCreationTime : 9-20-2005 11:50:52 PM
BasePriority : Normal
FileVersion : 6.14.10.7189
ProductVersion : 6.14.10.7189
ProductName : NVIDIA Driver Helper Service, Version 71.89
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 71.89
InternalName : NVSVC
LegalCopyright : (C) NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:15 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : n/a
ProcessID : 1816
ThreadCreationTime : 9-20-2005 11:50:53 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:16 [wrsssdk.exe]
ModuleName : C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Command Line : n/a
ProcessID : 1896
ThreadCreationTime : 9-20-2005 11:50:56 PM
BasePriority : Normal
FileVersion : 1,0,4,289
ProductVersion : 1, 0
ProductName : Spy Sweeper SDK
CompanyName : Webroot Software, Inc.
FileDescription : Spy Sweeper SDK
LegalCopyright : Copyright (C) 2002 - 2004, All Rights Reserved.
LegalTrademarks : Spy Sweeper is a trademark of Webroot Software, Inc.
OriginalFilename : SpySweeper.exe

#:17 [mspmspsv.exe]
ModuleName : C:\WINDOWS\System32\MsPMSPSv.exe
Command Line : n/a
ProcessID : 176
ThreadCreationTime : 9-20-2005 11:50:59 PM
BasePriority : Normal
FileVersion : 7.01.00.3055
ProductVersion : 7.01.00.3055
ProductName : Microsoft (R) DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright (C) Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE

#:18 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 916
ThreadCreationTime : 9-21-2005 12:08:44 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:19 [swtrayv4.exe]
ModuleName : C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
Command Line : "C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe"
ProcessID : 792
ThreadCreationTime : 9-21-2005 12:08:49 AM
BasePriority : Normal
FileVersion : 4.02.145
ProductVersion : 4.02.145
ProductName : Microsoft Game Controller Software
CompanyName : Microsoft Corporation
FileDescription : MS SideWinder Tray Application
InternalName : MS SideWinder Tray Application
LegalCopyright : Copyright © 1995-1999 Microsoft Corporation
OriginalFilename : SWTRAYV4.EXE

#:20 [hplamp.exe]
ModuleName : C:\SCANJET\PrecisionScanPro\HPLamp.exe
Command Line : "C:\SCANJET\PrecisionScanPro\HPLamp.exe"
ProcessID : 200
ThreadCreationTime : 9-21-2005 12:08:49 AM
BasePriority : Normal

#:21 [em_exec.exe]
ModuleName : C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
Command Line : "C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE"
ProcessID : 1044
ThreadCreationTime : 9-21-2005 12:08:49 AM
BasePriority : Normal
FileVersion : 9.42.57
ProductVersion : 9.42.1
ProductName : MouseWare
CompanyName : Logitech Inc.
FileDescription : Control Center
InternalName : EM_EXEC
LegalCopyright : Copyright © Logitech Inc. 1987-2001.
LegalTrademarks : Logitech® and MouseWare® are registered trademarks of Logitech Inc.
OriginalFilename : EM_EXEC.CPP
Comments : Created by the MouseWare Team

#:22 [cthelper.exe]
ModuleName : C:\WINDOWS\system32\CTHELPER.EXE
Command Line : "C:\WINDOWS\system32\CTHELPER.EXE"
ProcessID : 1124
ThreadCreationTime : 9-21-2005 12:08:50 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
ProductName : CtHelper Application
CompanyName : Creative Technology Ltd
FileDescription : CtHelper Application
InternalName : CtHelper
LegalCopyright : Copyright (C) 2002
OriginalFilename : CtHelper.EXE

#:23 [mcagent.exe]
ModuleName : C:\PROGRA~1\mcafee.com\agent\mcagent.exe
Command Line : "C:\PROGRA~1\mcafee.com\agent\mcagent.exe"
ProcessID : 912
ThreadCreationTime : 9-21-2005 12:08:55 AM
BasePriority : Normal
FileVersion : 6, 0, 0, 3
ProductVersion : 6, 0, 0, 0
ProductName : McAfee SecurityCenter
CompanyName : McAfee, Inc
FileDescription : McAfee SecurityCenter Agent
InternalName : mcagent
LegalCopyright : Copyright © 2005 McAfee, Inc.
OriginalFilename : mcagent.exe

#:24 [mcvsshld.exe]
ModuleName : C:\Program Files\McAfee.com\VSO\mcvsshld.exe
Command Line : "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
ProcessID : 1528
ThreadCreationTime : 9-21-2005 12:08:55 AM
BasePriority : Normal
FileVersion : 10, 0, 0, 22
ProductVersion : 10, 0, 0, 0
ProductName : McAfee VirusScan
CompanyName : McAfee, Inc.
FileDescription : McAfee VirusScan ActiveShield Resource
InternalName : McVsShld
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : McVsShld.exe
Comments : McAfee VirusScan ActiveShield Resource

#:25 [oasclnt.exe]
ModuleName : C:\Program Files\McAfee.com\VSO\oasclnt.exe
Command Line : "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
ProcessID : 1848
ThreadCreationTime : 9-21-2005 12:08:56 AM
BasePriority : Normal
FileVersion : 10, 0, 0, 24
ProductVersion : 10, 0, 0, 0
ProductName : McAfee VirusScan
CompanyName : McAfee, Inc.
FileDescription : McAfee VirusScan OAS Client
InternalName : OasClnt
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : OasClnt.exe
Comments : McAfee VirusScan OAS Client

#:26 [ctfmon.exe]
ModuleName : C:\WINDOWS\system32\ctfmon.exe
Command Line : "C:\WINDOWS\system32\ctfmon.exe"
ProcessID : 1164
ThreadCreationTime : 9-21-2005 12:09:03 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:27 [mcvsescn.exe]
ModuleName : c:\progra~1\mcafee.com\vso\mcvsescn.exe
Command Line : "c:\progra~1\mcafee.com\vso\mcvsescn.exe" /disabled
ProcessID : 772
ThreadCreationTime : 9-21-2005 12:09:05 AM
BasePriority : Normal
FileVersion : 10, 0, 0, 20
ProductVersion : 10, 0, 0, 0
ProductName : McAfee VirusScan
CompanyName : McAfee, Inc.
FileDescription : McAfee VirusScan E-mail Scan Module
InternalName : mcvsescn
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : mcvsescn.EXE
Comments : McAfee VirusScan E-mail Scan Module

#:28 [keyexp.exe]
ModuleName : C:\PROGRA~1\KEYBOA~1\keyexp.exe
Command Line : "C:\PROGRA~1\KEYBOA~1\keyexp.exe"
ProcessID : 2060
ThreadCreationTime : 9-21-2005 12:09:07 AM
BasePriority : Normal
FileVersion : 3.0.5.1
ProductVersion : 3.0
ProductName : Keyboard Express
CompanyName : Insight Software Solutions
FileDescription : Keyboard Express, a Windows macro program
InternalName : keyexp.exe
LegalCopyright : (c) 1996-2002 Insight Software Solutions, Inc.
LegalTrademarks : Keyboard Express
OriginalFilename : keyexp.exe
Comments : Keyboard Express is a Windows macro utility designed to aid the user in automating repetitive tasks. Keyboard Express is a Trademark of Insight Software Solutions, Inc.

#:29 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : n/a
ProcessID : 2336
ThreadCreationTime : 9-21-2005 12:09:21 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:30 [msiexec.exe]
ModuleName : C:\WINDOWS\system32\msiexec.exe
Command Line : n/a
ProcessID : 3156
ThreadCreationTime : 9-21-2005 12:11:29 AM
BasePriority : Normal

#:31 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 3596
ThreadCreationTime : 9-21-2005 12:14:36 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : appid\{8c65aef6-e413-4314-815b-82717a3f1603}

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : appid\checkproduct2.dll

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{c427b3e3-28dc-4001-9590-d99b6776119b}

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{c427b3e3-28dc-4001-9590-d99b6776119b}
Value : AppID

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{4f79d1c5-24f9-4e59-8022-604d4b41d5ca}

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{30ed49a5-ca6c-4918-b5f3-5e6818c91d8b}

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : appid\{4d05a335-1a1c-46b3-bcff-7f25b326895c}

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{328ba26a-1619-47ee-a37d-7d7a6ab1b000}

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{328ba26a-1619-47ee-a37d-7d7a6ab1b000}
Value : AppID

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{27967fbc-694b-41a6-8cce-30e59292350e}

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c0a3779c-3345-4150-bd63-c399eb32661e}

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{4d05a335-1a1c-46b3-bcff-7f25b326895c}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 12
Objects found so far: 12

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment : ({C427B3E3-28DC-4001-9590-D99B6776119B})
Rootkey : HKEY_CLASSES_ROOT
Object : CheckProduct2.CheckProduct

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment : ({C427B3E3-28DC-4001-9590-D99B6776119B})
Rootkey : HKEY_CLASSES_ROOT
Object : CheckProduct2.CheckProduct.1

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 14

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 14

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinFixer Object Recognized!
Type : File
Data : PCheck.dll
TAC Rating : 3
Category : Misc
Comment :
Object : C:\Program Files\Common Files\WinSoftware\
FileVersion : 1.0.4.0
ProductVersion : 1.0.4.0
ProductName : Products Checker
CompanyName : WinSoftware, Ltd.
FileDescription : Products Checker
InternalName : PCheck.dll
LegalCopyright : 2005 (c) WinSoftware, Ltd. All rights reserved.
OriginalFilename : PCheck.dll

WinFixer Object Recognized!
Type : File
Data : WFF.exe
TAC Rating : 3
Category : Misc
Comment :
Object : C:\Program Files\Common Files\WinSoftware\
FileVersion : 1.0.1.0
ProductVersion : 1.0.1.0

WinFixer Object Recognized!
Type : File
Data : WFF.sys
TAC Rating : 3
Category : Misc
Comment :
Object : C:\WINDOWS\system32\drivers\
FileVersion : 1.0.2.0
ProductVersion : 1.0.2.0
CompanyName : WinSoftware Ltd
FileDescription : File Creation Filter Driver
LegalCopyright : Copyright (C) WinSoftware Ltd 2005
OriginalFilename : wff.sys

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 17

Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
0 entries scanned.
New critical objects:0
Objects found so far: 17

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : appid\filecreationfilter.dll

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : vapfm.creationnotifier

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : vapfm.creationnotifier.1

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\winsoftware

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\winsoftware

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001\enum\root\legacy_df_kmd

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001\services\wff

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001\services\wff
Value : Start

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001\services\wff
Value : ErrorControl

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001\services\wff
Value : Tag

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001\services\wff
Value : ImagePath

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001\services\wff
Value : DisplayName

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001\services\wff
Value : Group

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\enum\root\legacy_df_kmd

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\wff

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\wff
Value : Start

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\wff
Value : ErrorControl

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\wff
Value : Tag

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\wff
Value : ImagePath

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\wff
Value : DisplayName

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\wff
Value : Group

Other Object Recognized!
Type : File
Data : WFF.EXE-1D35F413.pf
TAC Rating : 7
Category : Malware
Comment :
Object : C:\WINDOWS\prefetch\

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 22
Objects found so far: 39

5:32:14 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:17:27.125
Objects scanned:185490
Objects identified:40
Objects ignored:0
New critical objects:40

Spysweeper Log:

********
6:44 PM: |··· Start of Session, Tuesday, September 20, 2005 ···|
6:44 PM: Spy Sweeper started
6:44 PM: Sweep initiated using definitions version 537
6:44 PM: Starting Memory Sweep
6:47 PM: Memory Sweep Complete, Elapsed Time: 00:02:44
6:47 PM: Starting Registry Sweep
6:47 PM: Found Adware: winantispyware 2005
6:47 PM: HKU\S-1-5-21-2000478354-1580436667-854245398-1009\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\winfixer 2005\ (1 subtraces) (ID = 543254)
6:47 PM: Found Adware: virtumonde
6:47 PM: HKCR\msevents.msevents\ (5 subtraces) (ID = 749130)
6:47 PM: HKCR\msevents.msevents.1\ (3 subtraces) (ID = 749136)
6:47 PM: HKLM\software\classes\msevents.msevents\ (5 subtraces) (ID = 749153)
6:47 PM: HKLM\software\classes\msevents.msevents.1\ (3 subtraces) (ID = 749157)
6:47 PM: HKLM\system\currentcontrolset\control\class\{29ae0e04-08b8-4d2f-bfbe-83fb0ec73bb7}\ (3 subtraces) (ID = 795420)
6:47 PM: HKU\WRSS_Profile_S-1-5-21-2000478354-1580436667-854245398-1006\software\winsoftware\winantispyware 2005\ (17 subtraces) (ID = 797676)
6:47 PM: HKCR\clsid\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (12 subtraces) (ID = 812324)
6:47 PM: HKLM\software\classes\clsid\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (12 subtraces) (ID = 812338)
6:47 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (ID = 812351)
6:47 PM: Registry Sweep Complete, Elapsed Time:00:00:14
6:47 PM: Starting Cookie Sweep
6:47 PM: Found Spy Cookie: reliablestats cookie
6:47 PM: chuck@stats1.reliablestats[2].txt (ID = 3254)
6:47 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
6:47 PM: Starting File Sweep
6:47 PM: c:\program files\common files\winsoftware (ID = -2147476682)
7:04 PM: setup.exe (ID = 150640)
7:08 PM: winantispyware2005setup.exe (ID = 150641)
7:09 PM: df_kmd.sys (ID = 146298)
7:09 PM: File Sweep Complete, Elapsed Time: 00:22:03
7:09 PM: Full Sweep has completed. Elapsed time 00:25:06
7:09 PM: Traces Found: 76
7:10 PM: Removal process initiated
7:10 PM: Quarantining All Traces: winantispyware 2005
7:10 PM: Quarantining All Traces: virtumonde
7:10 PM: Quarantining All Traces: reliablestats cookie
7:10 PM: Removal process completed. Elapsed time 00:00:23
********]]> http://www.dslreports.com/forum/remark,14408854 Tue, 20 Sep 2005 22:54:27 EDT