

djcfp

join:2001-02-04
Atascadero, CA

 HJT Log - Winfixer 2005 will not stay away

Hello,

I have read the FAQs and have done everything there (and more). I simply cannot keep Winfixer 2005 off of this machine. I have run (with up-to-the-second updates and in this order) Ad-Aware SE, SPYBOT Search and Destroy, Pest Patrol Corporate, Spy Sweeper, McAfee Online Virus Scan and Hijack This (HJT log right after other scans and fixes and once again right after an immediate reboot). I first uninstalled Winfixer through the control panel, then scanned/fixed with the above process. I am including both HJT scans as well as the logs from some of the other software. By the way, I have tried other orders and safe mode as well.

Before Reboot:

Logfile of HijackThis v1.99.1
Scan saved at 7:24:14 PM, on 9/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\KEYBOA~1\keyexp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhgh.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Keyboard Express 3.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - »https://components.viewpoint.com/adobe/M···eam3.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - »bin.mcafee.com/molbin/Shared/Com···tl32.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - »download.mcafee.com/molbin/Share···wFld.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1540.g.akamai.net/7/1540/52/200···ller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {53F63B36-5DB3-4C19-A8AB-2CB9AE7D57F7} (CFM_AXFTP_MOD.UserControl1) - »www.racelm.com/rlm/cfmaxftp/cfmprojmod.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »update.microsoft.com/windowsupda···31258104
O16 - DPF: {6EA0A4DB-0B94-40E1-9165-54F5694C19EC} (CFM2004noruna.UserControl1) - »www.racelm.com/rlm/cfm2004/cfm2004noruna.CAB
O16 - DPF: {73989DDC-D9DE-47F7-B262-6FE39DC70BC2} (CFM2004Turbo.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2004turbo.CAB
O16 - DPF: {797FA1DD-30E7-4093-A892-E8C2A556A583} (CFM2005TurboDMCrs.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2···MCrs.CAB
O16 - DPF: {A49DFBB5-A3BB-45FE-BA2F-34890123C47F} (CFM2005TurboDMC.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2···oDMC.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - »download.mcafee.com/molbin/share···dmgr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - »photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DB1C1859-F90A-47DE-8934-FB8CECE8E6F3} (CFM_AXFTP_MOD.UserControl1) - »www.racelm.com/rlm/cfmaxftp/cfmp···orun.CAB
O16 - DPF: {DDC38B48-52B8-4FD6-BBB3-2FC2C136FD0D} (CFM2004a.UserControl1) - »www.racelm.com/rlm/cfm2004/cfm2004a.CAB
O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - »www.amiuptodate.com/vsc/mvt/bin/···mash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A551B11-F6EE-4A28-8E26-0BAB4D056B63}: NameServer = 64.166.172.8,206.13.29.12
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll
O20 - Winlogon Notify: jkhgh - C:\WINDOWS\SYSTEM32\jkhgh.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: GEARSecurity_BackUp - Unknown owner - C:\WINDOWS\SYSTEM32\GEARSEC.EXE (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

After reboot:

Logfile of HijackThis v1.99.1
Scan saved at 7:35:14 PM, on 9/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\KEYBOA~1\keyexp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhgh.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Keyboard Express 3.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - »https://components.viewpoint.com/adobe/M···eam3.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - »bin.mcafee.com/molbin/Shared/Com···tl32.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - »download.mcafee.com/molbin/Share···wFld.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1540.g.akamai.net/7/1540/52/200···ller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {53F63B36-5DB3-4C19-A8AB-2CB9AE7D57F7} (CFM_AXFTP_MOD.UserControl1) - »www.racelm.com/rlm/cfmaxftp/cfmprojmod.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »update.microsoft.com/windowsupda···31258104
O16 - DPF: {6EA0A4DB-0B94-40E1-9165-54F5694C19EC} (CFM2004noruna.UserControl1) - »www.racelm.com/rlm/cfm2004/cfm2004noruna.CAB
O16 - DPF: {73989DDC-D9DE-47F7-B262-6FE39DC70BC2} (CFM2004Turbo.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2004turbo.CAB
O16 - DPF: {797FA1DD-30E7-4093-A892-E8C2A556A583} (CFM2005TurboDMCrs.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2···MCrs.CAB
O16 - DPF: {A49DFBB5-A3BB-45FE-BA2F-34890123C47F} (CFM2005TurboDMC.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2···oDMC.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - »download.mcafee.com/molbin/share···dmgr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - »photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DB1C1859-F90A-47DE-8934-FB8CECE8E6F3} (CFM_AXFTP_MOD.UserControl1) - »www.racelm.com/rlm/cfmaxftp/cfmp···orun.CAB
O16 - DPF: {DDC38B48-52B8-4FD6-BBB3-2FC2C136FD0D} (CFM2004a.UserControl1) - »www.racelm.com/rlm/cfm2004/cfm2004a.CAB
O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - »www.amiuptodate.com/vsc/mvt/bin/···mash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A551B11-F6EE-4A28-8E26-0BAB4D056B63}: NameServer = 64.166.172.8,206.13.29.12
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll
O20 - Winlogon Notify: jkhgh - C:\WINDOWS\SYSTEM32\jkhgh.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: GEARSecurity_BackUp - Unknown owner - C:\WINDOWS\SYSTEM32\GEARSEC.EXE (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Adaware scan:

Ad-Aware SE Build 1.06r1
Logfile Created on:Tuesday, September 20, 2005 5:14:47 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R67 20.09.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Other(TAC index:5):1 total references
WinFixer(TAC index:3):38 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R67 20.09.2005
Internal build : 79
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 524443 Bytes
Total size : 1576182 Bytes
Signature data size : 1543004 Bytes
Reference data size : 32666 Bytes
Signatures total : 43850
CSI Fingerprints total : 1047
CSI data size : 37307 Bytes
Target categories : 15
Target families : 746

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:48 %
Total physical memory:523760 kb
Available physical memory:247692 kb
Total page file size:1279564 kb
Available on page file:1052256 kb
Total virtual memory:2097024 kb
Available virtual memory:2045144 kb
OS:Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

9-20-2005 5:14:47 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 588
ThreadCreationTime : 9-20-2005 11:50:27 PM
BasePriority : Normal

#:2 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : n/a
ProcessID : 672
ThreadCreationTime : 9-20-2005 11:50:34 PM
BasePriority : High

#:3 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : n/a
ProcessID : 716
ThreadCreationTime : 9-20-2005 11:50:35 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:4 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : n/a
ProcessID : 728
ThreadCreationTime : 9-20-2005 11:50:35 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:5 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : n/a
ProcessID : 884
ThreadCreationTime : 9-20-2005 11:50:36 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : n/a
ProcessID : 996
ThreadCreationTime : 9-20-2005 11:50:36 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : n/a
ProcessID : 1268
ThreadCreationTime : 9-20-2005 11:50:37 PM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:8 [cdac11ba.exe]
ModuleName : C:\WINDOWS\System32\drivers\CDAC11BA.EXE
Command Line : n/a
ProcessID : 1412
ThreadCreationTime : 9-20-2005 11:50:43 PM
BasePriority : Normal
FileVersion : 4.20.030
ProductVersion : 4.20.030 Windows NT 2002/01/29
ProductName : SafeCast Windows NT
CompanyName : Macrovision
FileDescription : Macrovision RTS Service
InternalName : CDANTSRV
LegalCopyright : Copyright (c) 1998-2003 Macrovision Corp.
OriginalFilename : CDANTSRV.EXE
Comments : StringFileInfo: U.S. English

#:9 [crypserv.exe]
ModuleName : C:\WINDOWS\system32\crypserv.exe
Command Line : n/a
ProcessID : 1432
ThreadCreationTime : 9-20-2005 11:50:43 PM
BasePriority : High
FileVersion : 5.4.0
ProductVersion : 5.4
ProductName : CrypKey Software Licensing System
CompanyName : Kenonic Controls Ltd.
FileDescription : CrypKey NT Service
InternalName : crypserv
LegalCopyright : Copyright © 2000
LegalTrademarks : CrypKey
OriginalFilename : crypserv.exe
Comments : Operates in all directories, not just configured ones. Directory configuration only used for fille clean up and uninstall. 0/3 fixed problem with other partitions. 0/6 fixed problem with short paths

#:10 [mcdetect.exe]
ModuleName : c:\program files\mcafee.com\agent\mcdetect.exe
Command Line : n/a
ProcessID : 1484
ThreadCreationTime : 9-20-2005 11:50:44 PM
BasePriority : Normal
FileVersion : 6, 0, 0, 7
ProductVersion : 6, 0, 0, 0
ProductName : McAfee SecurityCenter
CompanyName : McAfee, Inc
FileDescription : McAfee WSC Integration Service
InternalName : McDetect
LegalCopyright : Copyright © 2005 McAfee, Inc.
OriginalFilename : McDetect.exe
Comments : McAfee WSC Integration Service

#:11 [mcshield.exe]
ModuleName : c:\PROGRA~1\mcafee.com\vso\mcshield.exe
Command Line : n/a
ProcessID : 1512
ThreadCreationTime : 9-20-2005 11:50:44 PM
BasePriority : High

#:12 [mctskshd.exe]
ModuleName : c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
Command Line : n/a
ProcessID : 1584
ThreadCreationTime : 9-20-2005 11:50:45 PM
BasePriority : Normal
FileVersion : 6, 0, 0, 13
ProductVersion : 6, 0, 0, 0
ProductName : McAfee SecurityCenter
CompanyName : McAfee, Inc
FileDescription : McAfee Task Scheduler
InternalName : McTskshd
LegalCopyright : Copyright © 2005 McAfee, Inc.
OriginalFilename : McTskshd.exe

#:13 [mdm.exe]
ModuleName : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
Command Line : n/a
ProcessID : 1624
ThreadCreationTime : 9-20-2005 11:50:47 PM
BasePriority : Normal
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : mdm.exe

#:14 [nvsvc32.exe]
ModuleName : C:\WINDOWS\system32\nvsvc32.exe
Command Line : n/a
ProcessID : 1752
ThreadCreationTime : 9-20-2005 11:50:52 PM
BasePriority : Normal
FileVersion : 6.14.10.7189
ProductVersion : 6.14.10.7189
ProductName : NVIDIA Driver Helper Service, Version 71.89
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 71.89
InternalName : NVSVC
LegalCopyright : (C) NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:15 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : n/a
ProcessID : 1816
ThreadCreationTime : 9-20-2005 11:50:53 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:16 [wrsssdk.exe]
ModuleName : C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Command Line : n/a
ProcessID : 1896
ThreadCreationTime : 9-20-2005 11:50:56 PM
BasePriority : Normal
FileVersion : 1,0,4,289
ProductVersion : 1, 0
ProductName : Spy Sweeper SDK
CompanyName : Webroot Software, Inc.
FileDescription : Spy Sweeper SDK
LegalCopyright : Copyright (C) 2002 - 2004, All Rights Reserved.
LegalTrademarks : Spy Sweeper is a trademark of Webroot Software, Inc.
OriginalFilename : SpySweeper.exe

#:17 [mspmspsv.exe]
ModuleName : C:\WINDOWS\System32\MsPMSPSv.exe
Command Line : n/a
ProcessID : 176
ThreadCreationTime : 9-20-2005 11:50:59 PM
BasePriority : Normal
FileVersion : 7.01.00.3055
ProductVersion : 7.01.00.3055
ProductName : Microsoft (R) DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright (C) Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE

#:18 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 916
ThreadCreationTime : 9-21-2005 12:08:44 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:19 [swtrayv4.exe]
ModuleName : C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
Command Line : "C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe"
ProcessID : 792
ThreadCreationTime : 9-21-2005 12:08:49 AM
BasePriority : Normal
FileVersion : 4.02.145
ProductVersion : 4.02.145
ProductName : Microsoft Game Controller Software
CompanyName : Microsoft Corporation
FileDescription : MS SideWinder Tray Application
InternalName : MS SideWinder Tray Application
LegalCopyright : Copyright © 1995-1999 Microsoft Corporation
OriginalFilename : SWTRAYV4.EXE

#:20 [hplamp.exe]
ModuleName : C:\SCANJET\PrecisionScanPro\HPLamp.exe
Command Line : "C:\SCANJET\PrecisionScanPro\HPLamp.exe"
ProcessID : 200
ThreadCreationTime : 9-21-2005 12:08:49 AM
BasePriority : Normal

#:21 [em_exec.exe]
ModuleName : C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
Command Line : "C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE"
ProcessID : 1044
ThreadCreationTime : 9-21-2005 12:08:49 AM
BasePriority : Normal
FileVersion : 9.42.57
ProductVersion : 9.42.1
ProductName : MouseWare
CompanyName : Logitech Inc.
FileDescription : Control Center
InternalName : EM_EXEC
LegalCopyright : Copyright © Logitech Inc. 1987-2001.
LegalTrademarks : Logitech® and MouseWare® are registered trademarks of Logitech Inc.
OriginalFilename : EM_EXEC.CPP
Comments : Created by the MouseWare Team

#:22 [cthelper.exe]
ModuleName : C:\WINDOWS\system32\CTHELPER.EXE
Command Line : "C:\WINDOWS\system32\CTHELPER.EXE"
ProcessID : 1124
ThreadCreationTime : 9-21-2005 12:08:50 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
ProductName : CtHelper Application
CompanyName : Creative Technology Ltd
FileDescription : CtHelper Application
InternalName : CtHelper
LegalCopyright : Copyright (C) 2002
OriginalFilename : CtHelper.EXE

#:23 [mcagent.exe]
ModuleName : C:\PROGRA~1\mcafee.com\agent\mcagent.exe
Command Line : "C:\PROGRA~1\mcafee.com\agent\mcagent.exe"
ProcessID : 912
ThreadCreationTime : 9-21-2005 12:08:55 AM
BasePriority : Normal
FileVersion : 6, 0, 0, 3
ProductVersion : 6, 0, 0, 0
ProductName : McAfee SecurityCenter
CompanyName : McAfee, Inc
FileDescription : McAfee SecurityCenter Agent
InternalName : mcagent
LegalCopyright : Copyright © 2005 McAfee, Inc.
OriginalFilename : mcagent.exe

#:24 [mcvsshld.exe]
ModuleName : C:\Program Files\McAfee.com\VSO\mcvsshld.exe
Command Line : "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
ProcessID : 1528
ThreadCreationTime : 9-21-2005 12:08:55 AM
BasePriority : Normal
FileVersion : 10, 0, 0, 22
ProductVersion : 10, 0, 0, 0
ProductName : McAfee VirusScan
CompanyName : McAfee, Inc.
FileDescription : McAfee VirusScan ActiveShield Resource
InternalName : McVsShld
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : McVsShld.exe
Comments : McAfee VirusScan ActiveShield Resource

#:25 [oasclnt.exe]
ModuleName : C:\Program Files\McAfee.com\VSO\oasclnt.exe
Command Line : "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
ProcessID : 1848
ThreadCreationTime : 9-21-2005 12:08:56 AM
BasePriority : Normal
FileVersion : 10, 0, 0, 24
ProductVersion : 10, 0, 0, 0
ProductName : McAfee VirusScan
CompanyName : McAfee, Inc.
FileDescription : McAfee VirusScan OAS Client
InternalName : OasClnt
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : OasClnt.exe
Comments : McAfee VirusScan OAS Client

#:26 [ctfmon.exe]
ModuleName : C:\WINDOWS\system32\ctfmon.exe
Command Line : "C:\WINDOWS\system32\ctfmon.exe"
ProcessID : 1164
ThreadCreationTime : 9-21-2005 12:09:03 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:27 [mcvsescn.exe]
ModuleName : c:\progra~1\mcafee.com\vso\mcvsescn.exe
Command Line : "c:\progra~1\mcafee.com\vso\mcvsescn.exe" /disabled
ProcessID : 772
ThreadCreationTime : 9-21-2005 12:09:05 AM
BasePriority : Normal
FileVersion : 10, 0, 0, 20
ProductVersion : 10, 0, 0, 0
ProductName : McAfee VirusScan
CompanyName : McAfee, Inc.
FileDescription : McAfee VirusScan E-mail Scan Module
InternalName : mcvsescn
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : mcvsescn.EXE
Comments : McAfee VirusScan E-mail Scan Module

#:28 [keyexp.exe]
ModuleName : C:\PROGRA~1\KEYBOA~1\keyexp.exe
Command Line : "C:\PROGRA~1\KEYBOA~1\keyexp.exe"
ProcessID : 2060
ThreadCreationTime : 9-21-2005 12:09:07 AM
BasePriority : Normal
FileVersion : 3.0.5.1
ProductVersion : 3.0
ProductName : Keyboard Express
CompanyName : Insight Software Solutions
FileDescription : Keyboard Express, a Windows macro program
InternalName : keyexp.exe
LegalCopyright : (c) 1996-2002 Insight Software Solutions, Inc.
LegalTrademarks : Keyboard Express
OriginalFilename : keyexp.exe
Comments : Keyboard Express is a Windows macro utility designed to aid the user in automating repetitive tasks. Keyboard Express is a Trademark of Insight Software Solutions, Inc.

#:29 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : n/a
ProcessID : 2336
ThreadCreationTime : 9-21-2005 12:09:21 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:30 [msiexec.exe]
ModuleName : C:\WINDOWS\system32\msiexec.exe
Command Line : n/a
ProcessID : 3156
ThreadCreationTime : 9-21-2005 12:11:29 AM
BasePriority : Normal

#:31 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 3596
ThreadCreationTime : 9-21-2005 12:14:36 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : appid\{8c65aef6-e413-4314-815b-82717a3f1603}

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : appid\checkproduct2.dll

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{c427b3e3-28dc-4001-9590-d99b6776119b}

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{c427b3e3-28dc-4001-9590-d99b6776119b}
Value : AppID

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{4f79d1c5-24f9-4e59-8022-604d4b41d5ca}

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{30ed49a5-ca6c-4918-b5f3-5e6818c91d8b}

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : appid\{4d05a335-1a1c-46b3-bcff-7f25b326895c}

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{328ba26a-1619-47ee-a37d-7d7a6ab1b000}

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{328ba26a-1619-47ee-a37d-7d7a6ab1b000}
Value : AppID

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{27967fbc-694b-41a6-8cce-30e59292350e}

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c0a3779c-3345-4150-bd63-c399eb32661e}

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{4d05a335-1a1c-46b3-bcff-7f25b326895c}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 12
Objects found so far: 12

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment : ({C427B3E3-28DC-4001-9590-D99B6776119B})
Rootkey : HKEY_CLASSES_ROOT
Object : CheckProduct2.CheckProduct

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment : ({C427B3E3-28DC-4001-9590-D99B6776119B})
Rootkey : HKEY_CLASSES_ROOT
Object : CheckProduct2.CheckProduct.1

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 14

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 14

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinFixer Object Recognized!
Type : File
Data : PCheck.dll
TAC Rating : 3
Category : Misc
Comment :
Object : C:\Program Files\Common Files\WinSoftware\
FileVersion : 1.0.4.0
ProductVersion : 1.0.4.0
ProductName : Products Checker
CompanyName : WinSoftware, Ltd.
FileDescription : Products Checker
InternalName : PCheck.dll
LegalCopyright : 2005 (c) WinSoftware, Ltd. All rights reserved.
OriginalFilename : PCheck.dll

WinFixer Object Recognized!
Type : File
Data : WFF.exe
TAC Rating : 3
Category : Misc
Comment :
Object : C:\Program Files\Common Files\WinSoftware\
FileVersion : 1.0.1.0
ProductVersion : 1.0.1.0

WinFixer Object Recognized!
Type : File
Data : WFF.sys
TAC Rating : 3
Category : Misc
Comment :
Object : C:\WINDOWS\system32\drivers\
FileVersion : 1.0.2.0
ProductVersion : 1.0.2.0
CompanyName : WinSoftware Ltd
FileDescription : File Creation Filter Driver
LegalCopyright : Copyright (C) WinSoftware Ltd 2005
OriginalFilename : wff.sys

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 17

Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
0 entries scanned.
New critical objects:0
Objects found so far: 17

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : appid\filecreationfilter.dll

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : vapfm.creationnotifier

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : vapfm.creationnotifier.1

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\winsoftware

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\winsoftware

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001\enum\root\legacy_df_kmd

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001\services\wff

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001\services\wff
Value : Start

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001\services\wff
Value : ErrorControl

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001\services\wff
Value : Tag

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001\services\wff
Value : ImagePath

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001\services\wff
Value : DisplayName

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001\services\wff
Value : Group

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\enum\root\legacy_df_kmd

WinFixer Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\wff

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\wff
Value : Start

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\wff
Value : ErrorControl

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\wff
Value : Tag

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\wff
Value : ImagePath

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\wff
Value : DisplayName

WinFixer Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\wff
Value : Group

Other Object Recognized!
Type : File
Data : WFF.EXE-1D35F413.pf
TAC Rating : 7
Category : Malware
Comment :
Object : C:\WINDOWS\prefetch\

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 22
Objects found so far: 39

5:32:14 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:17:27.125
Objects scanned:185490
Objects identified:40
Objects ignored:0
New critical objects:40

Spysweeper Log:

********
6:44 PM: |··· Start of Session, Tuesday, September 20, 2005 ···|
6:44 PM: Spy Sweeper started
6:44 PM: Sweep initiated using definitions version 537
6:44 PM: Starting Memory Sweep
6:47 PM: Memory Sweep Complete, Elapsed Time: 00:02:44
6:47 PM: Starting Registry Sweep
6:47 PM: Found Adware: winantispyware 2005
6:47 PM: HKU\S-1-5-21-2000478354-1580436667-854245398-1009\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\winfixer 2005\ (1 subtraces) (ID = 543254)
6:47 PM: Found Adware: virtumonde
6:47 PM: HKCR\msevents.msevents\ (5 subtraces) (ID = 749130)
6:47 PM: HKCR\msevents.msevents.1\ (3 subtraces) (ID = 749136)
6:47 PM: HKLM\software\classes\msevents.msevents\ (5 subtraces) (ID = 749153)
6:47 PM: HKLM\software\classes\msevents.msevents.1\ (3 subtraces) (ID = 749157)
6:47 PM: HKLM\system\currentcontrolset\control\class\{29ae0e04-08b8-4d2f-bfbe-83fb0ec73bb7}\ (3 subtraces) (ID = 795420)
6:47 PM: HKU\WRSS_Profile_S-1-5-21-2000478354-1580436667-854245398-1006\software\winsoftware\winantispyware 2005\ (17 subtraces) (ID = 797676)
6:47 PM: HKCR\clsid\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (12 subtraces) (ID = 812324)
6:47 PM: HKLM\software\classes\clsid\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (12 subtraces) (ID = 812338)
6:47 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (ID = 812351)
6:47 PM: Registry Sweep Complete, Elapsed Time:00:00:14
6:47 PM: Starting Cookie Sweep
6:47 PM: Found Spy Cookie: reliablestats cookie
6:47 PM: chuck@stats1.reliablestats[2].txt (ID = 3254)
6:47 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
6:47 PM: Starting File Sweep
6:47 PM: c:\program files\common files\winsoftware (ID = -2147476682)
7:04 PM: setup.exe (ID = 150640)
7:08 PM: winantispyware2005setup.exe (ID = 150641)
7:09 PM: df_kmd.sys (ID = 146298)
7:09 PM: File Sweep Complete, Elapsed Time: 00:22:03
7:09 PM: Full Sweep has completed. Elapsed time 00:25:06
7:09 PM: Traces Found: 76
7:10 PM: Removal process initiated
7:10 PM: Quarantining All Traces: winantispyware 2005
7:10 PM: Quarantining All Traces: virtumonde
7:10 PM: Quarantining All Traces: reliablestats cookie
7:10 PM: Removal process completed. Elapsed time 00:00:23
********


John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England

This is a major problem.

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll

You will have to wait for one of the forum HJT helpers to show you how to use vundofix.
--
Better to remain silent and be thought a fool, than to speak and remove all doubt.


John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England

edit:
September 21st, @04:09AM

reply to djcfp
These will need to be fixed as well.

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhgh.dll
O20 - Winlogon Notify: jkhgh - C:\WINDOWS\SYSTEM32\jkhgh.dll


Rusty Dusty

join:2002-11-23
Littleton, NH
reply to djcfp
This topic may be of help...
»hijack this log...Winfixer, cws.qttask, Vx2.Look2m


djcfp

join:2001-02-04
Atascadero, CA


edit:
September 21st, @12:19PM

reply to John2g
Thank you for the reply. I will do as you suggest and wait for one of the HJT experts to instruct me on how to use vundofix.

I have downloaded and extracted VundoFix to my Desktop on the affected machine. I will hold here and wait for further instructions.


TheJoker
Premium,MVM
join:2001-04-26
Alexandria, VA

reply to djcfp
Fix for djcfp on DSLReports

Hi djcfp, we'll get you fixed up, but will have to do this twice; you seem to have items related to two separate vundo infections.

Please print these instructions out for use in Safe Mode.

Please download www.atribune.org/downloads/VundoFix.exe to your desktop.
1. Double-click VundoFix.exe to extract the files.
2. This will create a VundoFix folder on your desktop.
3. After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
4. Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat.
5. You will first be presented with a warning and a list of forums to seek help at. It should look like this:

VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk
Please seek assistance at one of the following forums:
http://www.atribune.org/forums
http://www.247fixes.com/forums
http://www.geekstogo.com/forum
http://forums.net-integration.net

6. At this point press Enter one time.
7. Next you will see:

Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

8. At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\SYSTEM32\jkhgh.dll

9. Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
10. Next you will see:

Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

11. At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\SYSTEM32\hghkj.*

12. Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
13. The fix will run, then HijackThis will open.
14. In HijackThis, please place a check next to the following items and click FIX CHECKED:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhgh.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - »»https://components.viewpoint.com/adobe/MTSInst..

15. After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
16. Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
17. Once your machine reboots, please continue with the instructions below.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.

--
Proud ASAP member since 2005


djcfp

join:2001-02-04
Atascadero, CA

Okay,

First of all, thank you for assisting me, it is much appreciated.

Now as far as my progress. You mentioned that I would have to do this twice. I assumed that you meant perform vundo fix once, reboot, post results, then do it or something like it again, so here are the results from the first run:

Activescan:
Incident Status Location

Adware:Adware/RazeSpyware No disinfected C:\Documents and Settings\Chuck\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-51cccb7c-27e64a25.class
Adware:Adware/StartPage.AIW No disinfected C:\HJT\backups\backup-20050921-181624-266.dll
Adware:adware/delfinmedia No disinfected C:\keys.ini
Virus:Eicar.Mod No disinfected C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
Adware:adware/dealhelper No disinfected C:\WINDOWS\dhdom1.bin
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\ddcax.dll
Adware:Adware/StartPage.AIW No disinfected C:\WINDOWS\system32\jkhgh.dll
Spyware:Spyware/Omi No disinfected C:\WINDOWS\system32\msfdje.gif
Spyware:Spyware/Omi No disinfected C:\WINDOWS\system32\mshpeb.dll
Spyware:Spyware/Omi No disinfected C:\WINDOWS\system32\msnapl.dll

Hijack This:
Logfile of HijackThis v1.99.1
Scan saved at 8:21:48 PM, on 9/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\KEYBOA~1\keyexp.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhgh.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Keyboard Express 3.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - »bin.mcafee.com/molbin/Shared/Com···tl32.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - »download.mcafee.com/molbin/Share···wFld.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1540.g.akamai.net/7/1540/52/200···ller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {53F63B36-5DB3-4C19-A8AB-2CB9AE7D57F7} (CFM_AXFTP_MOD.UserControl1) - »www.racelm.com/rlm/cfmaxftp/cfmprojmod.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »update.microsoft.com/windowsupda···31258104
O16 - DPF: {6EA0A4DB-0B94-40E1-9165-54F5694C19EC} (CFM2004noruna.UserControl1) - »www.racelm.com/rlm/cfm2004/cfm2004noruna.CAB
O16 - DPF: {73989DDC-D9DE-47F7-B262-6FE39DC70BC2} (CFM2004Turbo.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2004turbo.CAB
O16 - DPF: {797FA1DD-30E7-4093-A892-E8C2A556A583} (CFM2005TurboDMCrs.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2···MCrs.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »www.pandasoftware.com/activescan···inst.cab
O16 - DPF: {A49DFBB5-A3BB-45FE-BA2F-34890123C47F} (CFM2005TurboDMC.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2···oDMC.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - »download.mcafee.com/molbin/share···dmgr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - »photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DB1C1859-F90A-47DE-8934-FB8CECE8E6F3} (CFM_AXFTP_MOD.UserControl1) - »www.racelm.com/rlm/cfmaxftp/cfmp···orun.CAB
O16 - DPF: {DDC38B48-52B8-4FD6-BBB3-2FC2C136FD0D} (CFM2004a.UserControl1) - »www.racelm.com/rlm/cfm2004/cfm2004a.CAB
O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - »www.amiuptodate.com/vsc/mvt/bin/···mash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A551B11-F6EE-4A28-8E26-0BAB4D056B63}: NameServer = 64.166.172.8,206.13.29.12
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll
O20 - Winlogon Notify: jkhgh - C:\WINDOWS\SYSTEM32\jkhgh.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: GEARSecurity_BackUp - Unknown owner - C:\WINDOWS\SYSTEM32\GEARSEC.EXE (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

vundofix.txt:

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 200 'smss.exe'
Threads [204]Error 0x6 : The handle is invalid.

[208]Error 0x6 : The handle is invalid.

[212]Error 0x6 : The handle is invalid.

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1100 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 272 'winlogon.exe'
Error 0x6 : The handle is invalid.

Could not delete file.
Files Deleted sucessfully.


TheJoker
Premium,MVM
join:2001-04-26
Alexandria, VA

Let's take care of a few things there first, and then see if after running Vundofix you can get a clean scan.

One of the files the scan found was a test file (Eicar) for scanners, and not really a virus, so we will leave that alone. We will take care of the one listed as Virtumonde with the Vundofix.

The first file Panda found was in your Sun Java Runtime Environment (JRE) cache. Delete it by clearing the JRE cache directory:

1. From the Start button, click Settings -> Control Panel
2. In the Control Panel, open the "Java Plug-in Control Panel"
3. Select the Cache Tab
4. Click the Clear button inside the Cache Tab, which will clear your JRE cache directory

Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.

Using Windows Explorer, locate and delete the following files:

C:\HJT\backups\backup-20050921-181624-266.dll
C:\keys.ini
C:\WINDOWS\dhdom1.bin
C:\WINDOWS\system32\jkhgh.dll
C:\WINDOWS\system32\msfdje.gif
C:\WINDOWS\system32\mshpeb.dll
C:\WINDOWS\system32\msnapl.dll

Please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
1. Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat.
2. You will first be presented with a warning and a list of forums to seek help at. It should look like this:

VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk
Please seek assistance at one of the following forums:
http://www.atribune.org/forums
http://www.247fixes.com/forums
http://www.geekstogo.com/forum
http://forums.net-integration.net

3. At this point press Enter one time.
4. Next you will see:

Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

5. At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\SYSTEM32\ddcax.dll

6. Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
7. Next you will see:

Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

8. At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\SYSTEM32\xacdd.*

9. Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
10. The fix will run, then HijackThis will open.
11. In HijackThis, please place a check next to the following items and click FIX CHECKED:

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhgh.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll
O20 - Winlogon Notify: jkhgh - C:\WINDOWS\SYSTEM32\jkhgh.dll

12. After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
13. Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
14. Once your machine reboots, please continue with the instructions below.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.

--
Proud ASAP member since 2005
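
Added example, not part of any post in this thread and not code from HijackThis or VundoFix: the entries the helpers flag are DLLs registered both as an O2 BHO and as an O20 Winlogon Notify package. The Python below parses HijackThis lines, reports DLLs with that double registration, and derives the reversed-name wildcard the instructions pair with each one (jkhgh.dll with hghkj.*, ddcax.dll with xacdd.*). Treating the reversal as a general rule is an assumption drawn only from those two pairs, and the function names are hypothetical.

```python
import ntpath
import re
from collections import defaultdict

# Lines copied from the HijackThis log posted in this thread (9/21/2005 scan).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhgh.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll
O20 - Winlogon Notify: jkhgh - C:\WINDOWS\SYSTEM32\jkhgh.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
# O20 Notify lines: "O20 - Winlogon Notify: <key name> - <dll path>"
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.+)$")
# HijackThis appends this marker when the referenced file is gone.
MISSING_SUFFIX = " (file missing)"


def _normalize(path):
    """Lower-case the path and drop HijackThis's '(file missing)' marker."""
    path = path.strip()
    if path.endswith(MISSING_SUFFIX):
        path = path[: -len(MISSING_SUFFIX)]
    return path.lower()


def parse_hjt(log_text):
    """Map each DLL path to the BHO CLSIDs and Notify key names that load it."""
    found = defaultdict(lambda: {"bho": [], "notify": []})
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            found[_normalize(m["path"])]["bho"].append(m["clsid"].upper())
            continue
        m = NOTIFY_RE.match(line)
        if m:
            found[_normalize(m["path"])]["notify"].append(m["name"])
    return dict(found)


def dual_registered(log_text):
    """Return DLLs loaded both as a BHO and as a Winlogon Notify package."""
    hits = []
    for path, reg in sorted(parse_hjt(log_text).items()):
        if not (reg["bho"] and reg["notify"]):
            continue
        stem, _ext = ntpath.splitext(ntpath.basename(path))
        hits.append({
            "path": path,
            "clsids": reg["bho"],
            "notify_names": reg["notify"],
            # Assumption from this thread only: companion files use the
            # DLL's base name reversed (jkhgh -> hghkj, ddcax -> xacdd).
            "companion_glob": ntpath.join(ntpath.dirname(path), stem[::-1] + ".*"),
        })
    return hits


if __name__ == "__main__":
    for hit in dual_registered(SAMPLE_LOG):
        print(hit["path"], hit["clsids"], hit["notify_names"], hit["companion_glob"])
```

A BHO-only entry such as SDHelper.dll is not reported; only the double registration is treated as worth a helper's review.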


djcfp

join:2001-02-04
Atascadero, CA

Okay,

I performed the tasks that you requested. FYI, to delete C:\WINDOWS\system32\jkhgh.dll, I had to physically remove the HDD from this machine and install it as a slave in another XP machine. I tried all other methods to no avail due to the fact that it was "being used by another process". That includes trying to delete it from a command prompt in the safe mode. Bottom line is that I got it deleted.

Here are the results of the scans that you requested:

vundofix:

Could not delete file.
Files Deleted sucessfully.

Activescan:

Incident Status Location
Spyware:Spyware/Virtumonde No disinfected C:\HJT\backups\backup-20050922-091542-924.dll
Virus:Eicar.Mod No disinfected C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
Adware:adware/dealhelper No disinfected C:\WINDOWS\dhdomp1.bin
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\ddcax.dll

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 11:01:01 AM, on 9/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\KEYBOA~1\keyexp.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Keyboard Express 3.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - »bin.mcafee.com/molbin/Shared/Com···tl32.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - »download.mcafee.com/molbin/Share···wFld.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1540.g.akamai.net/7/1540/52/200···ller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {53F63B36-5DB3-4C19-A8AB-2CB9AE7D57F7} (CFM_AXFTP_MOD.UserControl1) - »www.racelm.com/rlm/cfmaxftp/cfmprojmod.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »update.microsoft.com/windowsupda···31258104
O16 - DPF: {6EA0A4DB-0B94-40E1-9165-54F5694C19EC} (CFM2004noruna.UserControl1) - »www.racelm.com/rlm/cfm2004/cfm2004noruna.CAB
O16 - DPF: {73989DDC-D9DE-47F7-B262-6FE39DC70BC2} (CFM2004Turbo.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2004turbo.CAB
O16 - DPF: {797FA1DD-30E7-4093-A892-E8C2A556A583} (CFM2005TurboDMCrs.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2···MCrs.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »www.pandasoftware.com/activescan···inst.cab
O16 - DPF: {A49DFBB5-A3BB-45FE-BA2F-34890123C47F} (CFM2005TurboDMC.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2···oDMC.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - »download.mcafee.com/molbin/share···dmgr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - »photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DB1C1859-F90A-47DE-8934-FB8CECE8E6F3} (CFM_AXFTP_MOD.UserControl1) - »www.racelm.com/rlm/cfmaxftp/cfmp···orun.CAB
O16 - DPF: {DDC38B48-52B8-4FD6-BBB3-2FC2C136FD0D} (CFM2004a.UserControl1) - »www.racelm.com/rlm/cfm2004/cfm2004a.CAB
O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - »www.amiuptodate.com/vsc/mvt/bin/···mash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A551B11-F6EE-4A28-8E26-0BAB4D056B63}: NameServer = 64.166.172.8,206.13.29.12
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: GEARSecurity_BackUp - Unknown owner - C:\WINDOWS\SYSTEM32\GEARSEC.EXE (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


TheJoker
Premium,MVM
join:2001-04-26
Alexandria, VA

reply to djcfp
Let's try one more time. If it doesn't work, we'll try another method. Now that there is only one set of entries for Vundo, it may work better.

Please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

* Once in Safe Mode, using Windows Explorer, locate and delete the following files:

C:\HJT\backups\backup-20050922-091542-924.dll
C:\WINDOWS\dhdomp1.bin

* Open the VundoFix folder and double-click on KillVundo.bat
* You will first be presented with a warning and a list of forums to seek help at.
It should look like this:
VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk
Please seek assistance at one of the following forums:
http://www.atribune.org/forums
http://www.247fixes.com/forums
http://www.geekstogo.com/forum
http://forums.net-integration.net
* At this point press enter one time.
* Next you will see:
Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
* At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\SYSTEM32\ddcax.dll

* Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
* Next you will see:
Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
* At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\SYSTEM32\xacdd.*

* Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
* The fix will run, then HijackThis will open.
* In HijackThis, please place a check next to the following items and click FIX CHECKED:

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll


* After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
* Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
* Once your machine reboots please continue with the instructions below.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.

--
Proud ASAP member since 2005
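
Added example, not part of either poster's message: the log above lists ddcax.dll under both O2 (BHO) and O20 (Winlogon Notify), and the second path given to VundoFix is that DLL's stem reversed. This Python sketch finds DLLs hooked in both sections of a HijackThis log and builds the reversed-stem pattern to check for; the function names are hypothetical and the sample is a handful of lines copied from the log in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the HijackThis log quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# An HJT entry line starts with a section code such as O2, O20 or O23.
ENTRY = re.compile(r"^(O\d+) - ")
# Entries that load a DLL end in " - <drive>:\...\name.dll".
DLL_PATH = re.compile(r" - ([A-Za-z]:\\[^\r\n]*\.dll)\s*$", re.IGNORECASE)


def dlls_by_section(log_text):
    """Map each lower-cased DLL path to the set of HJT sections that reference it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        path = DLL_PATH.search(line)
        if entry and path:
            seen[path.group(1).lower()].add(entry.group(1))
    return seen


def double_hooked(log_text, sections=("O2", "O20")):
    """Return, sorted, the DLLs registered under every section in `sections`."""
    need = set(sections)
    return sorted(p for p, s in dlls_by_section(log_text).items() if need <= s)


def reversed_companion_glob(dll_path):
    """Build '<dir>\\<reversed stem>.*' for a DLL path (the pairing seen in this thread)."""
    directory, _, name = dll_path.rpartition("\\")
    stem = name.rsplit(".", 1)[0]
    return directory + "\\" + stem[::-1] + ".*"


if __name__ == "__main__":
    for dll in double_hooked(SAMPLE_LOG):
        print(dll, "->", reversed_companion_glob(dll))
```
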


djcfp

join:2001-02-04
Atascadero, CA

Okay, I followed the steps in your last reply and here are the results of the scans:

Activescan:

Incident Status Location
Spyware:Spyware/Virtumonde No disinfected C:\HJT\backups\backup-20050922-134457-263.dll
Virus:Eicar.Mod No disinfected C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\ddcax.dll

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 3:03:41 PM, on 9/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\CTHELPE