
  djcfp
join:2001-02-04 Atascadero, CA
HJT Log - Winfixer 2005 will not stay away
Hello,
I have read the FAQs and have done everything there (and more). I simply cannot keep Winfixer 2005 off of this machine. I have run (with up to the second updates and in this order) Ad-Aware SE, SPYBOT Search and Destroy, Pest Patrol Corporate, Spy Sweeper, McAfee Online Virus Scan and HijackThis (HJT log right after other scans and fixes and once again right after an immediate reboot). I first uninstalled Winfixer through the control panel, then scanned/fixed with the above process. I am including both HJT scans as well as the logs from some of the other software. By the way, I have tried other orders and safe mode as well.
Before Reboot:
Logfile of HijackThis v1.99.1
Scan saved at 7:24:14 PM, on 9/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\KEYBOA~1\keyexp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhgh.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Keyboard Express 3.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/adobe/M···eam3.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - bin.mcafee.com/molbin/Shared/Com···tl32.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - download.mcafee.com/molbin/Share···wFld.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - a1540.g.akamai.net/7/1540/52/200···ller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {53F63B36-5DB3-4C19-A8AB-2CB9AE7D57F7} (CFM_AXFTP_MOD.UserControl1) - www.racelm.com/rlm/cfmaxftp/cfmprojmod.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com/windowsupda···31258104
O16 - DPF: {6EA0A4DB-0B94-40E1-9165-54F5694C19EC} (CFM2004noruna.UserControl1) - www.racelm.com/rlm/cfm2004/cfm2004noruna.CAB
O16 - DPF: {73989DDC-D9DE-47F7-B262-6FE39DC70BC2} (CFM2004Turbo.UserControl1) - www.racelm.com/rlm/cfmturbo/cfm2004turbo.CAB
O16 - DPF: {797FA1DD-30E7-4093-A892-E8C2A556A583} (CFM2005TurboDMCrs.UserControl1) - www.racelm.com/rlm/cfmturbo/cfm2···MCrs.CAB
O16 - DPF: {A49DFBB5-A3BB-45FE-BA2F-34890123C47F} (CFM2005TurboDMC.UserControl1) - www.racelm.com/rlm/cfmturbo/cfm2···oDMC.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - download.mcafee.com/molbin/share···dmgr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DB1C1859-F90A-47DE-8934-FB8CECE8E6F3} (CFM_AXFTP_MOD.UserControl1) - www.racelm.com/rlm/cfmaxftp/cfmp···orun.CAB
O16 - DPF: {DDC38B48-52B8-4FD6-BBB3-2FC2C136FD0D} (CFM2004a.UserControl1) - www.racelm.com/rlm/cfm2004/cfm2004a.CAB
O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - www.amiuptodate.com/vsc/mvt/bin/···mash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A551B11-F6EE-4A28-8E26-0BAB4D056B63}: NameServer = 64.166.172.8,206.13.29.12
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll
O20 - Winlogon Notify: jkhgh - C:\WINDOWS\SYSTEM32\jkhgh.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: GEARSecurity_BackUp - Unknown owner - C:\WINDOWS\SYSTEM32\GEARSEC.EXE (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
After reboot:
Logfile of HijackThis v1.99.1
Scan saved at 7:35:14 PM, on 9/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\KEYBOA~1\keyexp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhgh.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Keyboard Express 3.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/adobe/M···eam3.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - bin.mcafee.com/molbin/Shared/Com···tl32.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - download.mcafee.com/molbin/Share···wFld.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - a1540.g.akamai.net/7/1540/52/200···ller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {53F63B36-5DB3-4C19-A8AB-2CB9AE7D57F7} (CFM_AXFTP_MOD.UserControl1) - www.racelm.com/rlm/cfmaxftp/cfmprojmod.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com/windowsupda···31258104
O16 - DPF: {6EA0A4DB-0B94-40E1-9165-54F5694C19EC} (CFM2004noruna.UserControl1) - www.racelm.com/rlm/cfm2004/cfm2004noruna.CAB
O16 - DPF: {73989DDC-D9DE-47F7-B262-6FE39DC70BC2} (CFM2004Turbo.UserControl1) - www.racelm.com/rlm/cfmturbo/cfm2004turbo.CAB
O16 - DPF: {797FA1DD-30E7-4093-A892-E8C2A556A583} (CFM2005TurboDMCrs.UserControl1) - www.racelm.com/rlm/cfmturbo/cfm2···MCrs.CAB
O16 - DPF: {A49DFBB5-A3BB-45FE-BA2F-34890123C47F} (CFM2005TurboDMC.UserControl1) - www.racelm.com/rlm/cfmturbo/cfm2···oDMC.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - download.mcafee.com/molbin/share···dmgr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DB1C1859-F90A-47DE-8934-FB8CECE8E6F3} (CFM_AXFTP_MOD.UserControl1) - www.racelm.com/rlm/cfmaxftp/cfmp···orun.CAB
O16 - DPF: {DDC38B48-52B8-4FD6-BBB3-2FC2C136FD0D} (CFM2004a.UserControl1) - www.racelm.com/rlm/cfm2004/cfm2004a.CAB
O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - www.amiuptodate.com/vsc/mvt/bin/···mash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A551B11-F6EE-4A28-8E26-0BAB4D056B63}: NameServer = 64.166.172.8,206.13.29.12
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll
O20 - Winlogon Notify: jkhgh - C:\WINDOWS\SYSTEM32\jkhgh.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: GEARSecurity_BackUp - Unknown owner - C:\WINDOWS\SYSTEM32\GEARSEC.EXE (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Adaware scan:
Ad-Aware SE Build 1.06r1
Logfile Created on:Tuesday, September 20, 2005 5:14:47 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R67 20.09.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Other(TAC index:5):1 total references
WinFixer(TAC index:3):38 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R67 20.09.2005
Internal build : 79
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 524443 Bytes
Total size : 1576182 Bytes
Signature data size : 1543004 Bytes
Reference data size : 32666 Bytes
Signatures total : 43850
CSI Fingerprints total : 1047
CSI data size : 37307 Bytes
Target categories : 15
Target families : 746

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:48 %
Total physical memory:523760 kb
Available physical memory:247692 kb
Total page file size:1279564 kb
Available on page file:1052256 kb
Total virtual memory:2097024 kb
Available virtual memory:2045144 kb
OS:Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

9-20-2005 5:14:47 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe] ModuleName : \SystemRoot\System32\smss.exe Command Line : n/a ProcessID : 588 ThreadCreationTime : 9-20-2005 11:50:27 PM BasePriority : Normal
#:2 [winlogon.exe] ModuleName : \??\C:\WINDOWS\system32\winlogon.exe Command Line : n/a ProcessID : 672 ThreadCreationTime : 9-20-2005 11:50:34 PM BasePriority : High
#:3 [services.exe] ModuleName : C:\WINDOWS\system32\services.exe Command Line : n/a ProcessID : 716 ThreadCreationTime : 9-20-2005 11:50:35 PM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Services and Controller app InternalName : services.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : services.exe
#:4 [lsass.exe] ModuleName : C:\WINDOWS\system32\lsass.exe Command Line : n/a ProcessID : 728 ThreadCreationTime : 9-20-2005 11:50:35 PM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : LSA Shell (Export Version) InternalName : lsass.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : lsass.exe
#:5 [svchost.exe] ModuleName : C:\WINDOWS\system32\svchost.exe Command Line : n/a ProcessID : 884 ThreadCreationTime : 9-20-2005 11:50:36 PM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe
#:6 [svchost.exe] ModuleName : C:\WINDOWS\System32\svchost.exe Command Line : n/a ProcessID : 996 ThreadCreationTime : 9-20-2005 11:50:36 PM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe
#:7 [spoolsv.exe] ModuleName : C:\WINDOWS\system32\spoolsv.exe Command Line : n/a ProcessID : 1268 ThreadCreationTime : 9-20-2005 11:50:37 PM BasePriority : Normal FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519) ProductVersion : 5.1.2600.2696 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Spooler SubSystem App InternalName : spoolsv.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : spoolsv.exe
#:8 [cdac11ba.exe] ModuleName : C:\WINDOWS\System32\drivers\CDAC11BA.EXE Command Line : n/a ProcessID : 1412 ThreadCreationTime : 9-20-2005 11:50:43 PM BasePriority : Normal FileVersion : 4.20.030 ProductVersion : 4.20.030 Windows NT 2002/01/29 ProductName : SafeCast Windows NT CompanyName : Macrovision FileDescription : Macrovision RTS Service InternalName : CDANTSRV LegalCopyright : Copyright (c) 1998-2003 Macrovision Corp. OriginalFilename : CDANTSRV.EXE Comments : StringFileInfo: U.S. English
#:9 [crypserv.exe] ModuleName : C:\WINDOWS\system32\crypserv.exe Command Line : n/a ProcessID : 1432 ThreadCreationTime : 9-20-2005 11:50:43 PM BasePriority : High FileVersion : 5.4.0 ProductVersion : 5.4 ProductName : CrypKey Software Licensing System CompanyName : Kenonic Controls Ltd. FileDescription : CrypKey NT Service InternalName : crypserv LegalCopyright : Copyright © 2000 LegalTrademarks : CrypKey OriginalFilename : crypserv.exe Comments : Operates in all directories, not just configured ones. Directory configuration only used for fille clean up and uninstall. 0/3 fixed problem with other partitions. 0/6 fixed problem with short paths
#:10 [mcdetect.exe] ModuleName : c:\program files\mcafee.com\agent\mcdetect.exe Command Line : n/a ProcessID : 1484 ThreadCreationTime : 9-20-2005 11:50:44 PM BasePriority : Normal FileVersion : 6, 0, 0, 7 ProductVersion : 6, 0, 0, 0 ProductName : McAfee SecurityCenter CompanyName : McAfee, Inc FileDescription : McAfee WSC Integration Service InternalName : McDetect LegalCopyright : Copyright © 2005 McAfee, Inc. OriginalFilename : McDetect.exe Comments : McAfee WSC Integration Service
#:11 [mcshield.exe] ModuleName : c:\PROGRA~1\mcafee.com\vso\mcshield.exe Command Line : n/a ProcessID : 1512 ThreadCreationTime : 9-20-2005 11:50:44 PM BasePriority : High
#:12 [mctskshd.exe] ModuleName : c:\PROGRA~1\mcafee.com\agent\mctskshd.exe Command Line : n/a ProcessID : 1584 ThreadCreationTime : 9-20-2005 11:50:45 PM BasePriority : Normal FileVersion : 6, 0, 0, 13 ProductVersion : 6, 0, 0, 0 ProductName : McAfee SecurityCenter CompanyName : McAfee, Inc FileDescription : McAfee Task Scheduler InternalName : McTskshd LegalCopyright : Copyright © 2005 McAfee, Inc. OriginalFilename : McTskshd.exe
#:13 [mdm.exe] ModuleName : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe Command Line : n/a ProcessID : 1624 ThreadCreationTime : 9-20-2005 11:50:47 PM BasePriority : Normal FileVersion : 7.00.9466 ProductVersion : 7.00.9466 ProductName : Microsoft® Visual Studio .NET CompanyName : Microsoft Corporation FileDescription : Machine Debug Manager InternalName : mdm.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : mdm.exe
#:14 [nvsvc32.exe] ModuleName : C:\WINDOWS\system32\nvsvc32.exe Command Line : n/a ProcessID : 1752 ThreadCreationTime : 9-20-2005 11:50:52 PM BasePriority : Normal FileVersion : 6.14.10.7189 ProductVersion : 6.14.10.7189 ProductName : NVIDIA Driver Helper Service, Version 71.89 CompanyName : NVIDIA Corporation FileDescription : NVIDIA Driver Helper Service, Version 71.89 InternalName : NVSVC LegalCopyright : (C) NVIDIA Corporation. All rights reserved. OriginalFilename : nvsvc32.exe
#:15 [svchost.exe] ModuleName : C:\WINDOWS\System32\svchost.exe Command Line : n/a ProcessID : 1816 ThreadCreationTime : 9-20-2005 11:50:53 PM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe
#:16 [wrsssdk.exe] ModuleName : C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe Command Line : n/a ProcessID : 1896 ThreadCreationTime : 9-20-2005 11:50:56 PM BasePriority : Normal FileVersion : 1,0,4,289 ProductVersion : 1, 0 ProductName : Spy Sweeper SDK CompanyName : Webroot Software, Inc. FileDescription : Spy Sweeper SDK LegalCopyright : Copyright (C) 2002 - 2004, All Rights Reserved. LegalTrademarks : Spy Sweeper is a trademark of Webroot Software, Inc. OriginalFilename : SpySweeper.exe
#:17 [mspmspsv.exe] ModuleName : C:\WINDOWS\System32\MsPMSPSv.exe Command Line : n/a ProcessID : 176 ThreadCreationTime : 9-20-2005 11:50:59 PM BasePriority : Normal FileVersion : 7.01.00.3055 ProductVersion : 7.01.00.3055 ProductName : Microsoft (R) DRM CompanyName : Microsoft Corporation FileDescription : WMDM PMSP Service InternalName : MSPMSPSV.EXE LegalCopyright : Copyright (C) Microsoft Corp. 1981-2000 OriginalFilename : MSPMSPSV.EXE
#:18 [explorer.exe] ModuleName : C:\WINDOWS\Explorer.EXE Command Line : C:\WINDOWS\Explorer.EXE ProcessID : 916 ThreadCreationTime : 9-21-2005 12:08:44 AM BasePriority : Normal FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 6.00.2900.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Windows Explorer InternalName : explorer LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : EXPLORER.EXE
#:19 [swtrayv4.exe] ModuleName : C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe Command Line : "C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe" ProcessID : 792 ThreadCreationTime : 9-21-2005 12:08:49 AM BasePriority : Normal FileVersion : 4.02.145 ProductVersion : 4.02.145 ProductName : Microsoft Game Controller Software CompanyName : Microsoft Corporation FileDescription : MS SideWinder Tray Application InternalName : MS SideWinder Tray Application LegalCopyright : Copyright © 1995-1999 Microsoft Corporation OriginalFilename : SWTRAYV4.EXE
#:20 [hplamp.exe] ModuleName : C:\SCANJET\PrecisionScanPro\HPLamp.exe Command Line : "C:\SCANJET\PrecisionScanPro\HPLamp.exe" ProcessID : 200 ThreadCreationTime : 9-21-2005 12:08:49 AM BasePriority : Normal
#:21 [em_exec.exe] ModuleName : C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE Command Line : "C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" ProcessID : 1044 ThreadCreationTime : 9-21-2005 12:08:49 AM BasePriority : Normal FileVersion : 9.42.57 ProductVersion : 9.42.1 ProductName : MouseWare CompanyName : Logitech Inc. FileDescription : Control Center InternalName : EM_EXEC LegalCopyright : Copyright © Logitech Inc. 1987-2001. LegalTrademarks : Logitech® and MouseWare® are registered trademarks of Logitech Inc. OriginalFilename : EM_EXEC.CPP Comments : Created by the MouseWare Team
#:22 [cthelper.exe] ModuleName : C:\WINDOWS\system32\CTHELPER.EXE Command Line : "C:\WINDOWS\system32\CTHELPER.EXE" ProcessID : 1124 ThreadCreationTime : 9-21-2005 12:08:50 AM BasePriority : Normal FileVersion : 1, 0, 0, 2 ProductVersion : 1, 0, 0, 2 ProductName : CtHelper Application CompanyName : Creative Technology Ltd FileDescription : CtHelper Application InternalName : CtHelper LegalCopyright : Copyright (C) 2002 OriginalFilename : CtHelper.EXE
#:23 [mcagent.exe] ModuleName : C:\PROGRA~1\mcafee.com\agent\mcagent.exe Command Line : "C:\PROGRA~1\mcafee.com\agent\mcagent.exe" ProcessID : 912 ThreadCreationTime : 9-21-2005 12:08:55 AM BasePriority : Normal FileVersion : 6, 0, 0, 3 ProductVersion : 6, 0, 0, 0 ProductName : McAfee SecurityCenter CompanyName : McAfee, Inc FileDescription : McAfee SecurityCenter Agent InternalName : mcagent LegalCopyright : Copyright © 2005 McAfee, Inc. OriginalFilename : mcagent.exe
#:24 [mcvsshld.exe] ModuleName : C:\Program Files\McAfee.com\VSO\mcvsshld.exe Command Line : "C:\Program Files\McAfee.com\VSO\mcvsshld.exe" ProcessID : 1528 ThreadCreationTime : 9-21-2005 12:08:55 AM BasePriority : Normal FileVersion : 10, 0, 0, 22 ProductVersion : 10, 0, 0, 0 ProductName : McAfee VirusScan CompanyName : McAfee, Inc. FileDescription : McAfee VirusScan ActiveShield Resource InternalName : McVsShld LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved. OriginalFilename : McVsShld.exe Comments : McAfee VirusScan ActiveShield Resource
#:25 [oasclnt.exe] ModuleName : C:\Program Files\McAfee.com\VSO\oasclnt.exe Command Line : "C:\Program Files\McAfee.com\VSO\oasclnt.exe" ProcessID : 1848 ThreadCreationTime : 9-21-2005 12:08:56 AM BasePriority : Normal FileVersion : 10, 0, 0, 24 ProductVersion : 10, 0, 0, 0 ProductName : McAfee VirusScan CompanyName : McAfee, Inc. FileDescription : McAfee VirusScan OAS Client InternalName : OasClnt LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved. OriginalFilename : OasClnt.exe Comments : McAfee VirusScan OAS Client
#:26 [ctfmon.exe] ModuleName : C:\WINDOWS\system32\ctfmon.exe Command Line : "C:\WINDOWS\system32\ctfmon.exe" ProcessID : 1164 ThreadCreationTime : 9-21-2005 12:09:03 AM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : CTF Loader InternalName : CTFMON LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : CTFMON.EXE
#:27 [mcvsescn.exe] ModuleName : c:\progra~1\mcafee.com\vso\mcvsescn.exe Command Line : "c:\progra~1\mcafee.com\vso\mcvsescn.exe" /disabled ProcessID : 772 ThreadCreationTime : 9-21-2005 12:09:05 AM BasePriority : Normal FileVersion : 10, 0, 0, 20 ProductVersion : 10, 0, 0, 0 ProductName : McAfee VirusScan CompanyName : McAfee, Inc. FileDescription : McAfee VirusScan E-mail Scan Module InternalName : mcvsescn LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved. OriginalFilename : mcvsescn.EXE Comments : McAfee VirusScan E-mail Scan Module
#:28 [keyexp.exe] ModuleName : C:\PROGRA~1\KEYBOA~1\keyexp.exe Command Line : "C:\PROGRA~1\KEYBOA~1\keyexp.exe" ProcessID : 2060 ThreadCreationTime : 9-21-2005 12:09:07 AM BasePriority : Normal FileVersion : 3.0.5.1 ProductVersion : 3.0 ProductName : Keyboard Express CompanyName : Insight Software Solutions FileDescription : Keyboard Express, a Windows macro program InternalName : keyexp.exe LegalCopyright : (c) 1996-2002 Insight Software Solutions, Inc. LegalTrademarks : Keyboard Express OriginalFilename : keyexp.exe Comments : Keyboard Express is a Windows macro utility designed to aid the user in automating repetitive tasks. Keyboard Express is a Trademark of Insight Software Solutions, Inc.
#:29 [svchost.exe] ModuleName : C:\WINDOWS\System32\svchost.exe Command Line : n/a ProcessID : 2336 ThreadCreationTime : 9-21-2005 12:09:21 AM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe
#:30 [msiexec.exe] ModuleName : C:\WINDOWS\system32\msiexec.exe Command Line : n/a ProcessID : 3156 ThreadCreationTime : 9-21-2005 12:11:29 AM BasePriority : Normal
#:31 [ad-aware.exe] ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" ProcessID : 3596 ThreadCreationTime : 9-21-2005 12:14:36 AM BasePriority : Normal FileVersion : 6.2.0.236 ProductVersion : SE 106 ProductName : Lavasoft Ad-Aware SE CompanyName : Lavasoft Sweden FileDescription : Ad-Aware SE Core application InternalName : Ad-Aware.exe LegalCopyright : Copyright © Lavasoft AB Sweden OriginalFilename : Ad-Aware.exe Comments : All Rights Reserved
Memory scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 0
Started registry scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinFixer Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : appid\{8c65aef6-e413-4314-815b-82717a3f1603}
WinFixer Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : appid\checkproduct2.dll
WinFixer Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : clsid\{c427b3e3-28dc-4001-9590-d99b6776119b}
WinFixer Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : clsid\{c427b3e3-28dc-4001-9590-d99b6776119b} Value : AppID
WinFixer Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{4f79d1c5-24f9-4e59-8022-604d4b41d5ca}
WinFixer Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : typelib\{30ed49a5-ca6c-4918-b5f3-5e6818c91d8b}
WinFixer Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : appid\{4d05a335-1a1c-46b3-bcff-7f25b326895c}
WinFixer Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : clsid\{328ba26a-1619-47ee-a37d-7d7a6ab1b000}
WinFixer Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : clsid\{328ba26a-1619-47ee-a37d-7d7a6ab1b000} Value : AppID
WinFixer Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{27967fbc-694b-41a6-8cce-30e59292350e}
WinFixer Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{c0a3779c-3345-4150-bd63-c399eb32661e}
WinFixer Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : typelib\{4d05a335-1a1c-46b3-bcff-7f25b326895c}
Registry Scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 12 Objects found so far: 12
Started deep registry scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinFixer Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Misc Comment : ({C427B3E3-28DC-4001-9590-D99B6776119B}) Rootkey : HKEY_CLASSES_ROOT Object : CheckProduct2.CheckProduct
WinFixer Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Misc Comment : ({C427B3E3-28DC-4001-9590-D99B6776119B}) Rootkey : HKEY_CLASSES_ROOT Object : CheckProduct2.CheckProduct.1
Deep registry scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 2 Objects found so far: 14
Started Tracking Cookie scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking cookie scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 14
Deep scanning and examining files (C:) »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinFixer Object Recognized! Type : File Data : PCheck.dll TAC Rating : 3 Category : Misc Comment : Object : C:\Program Files\Common Files\WinSoftware\ FileVersion : 1.0.4.0 ProductVersion : 1.0.4.0 ProductName : Products Checker CompanyName : WinSoftware, Ltd. FileDescription : Products Checker InternalName : PCheck.dll LegalCopyright : 2005 (c) WinSoftware, Ltd. All rights reserved. OriginalFilename : PCheck.dll
WinFixer Object Recognized! Type : File Data : WFF.exe TAC Rating : 3 Category : Misc Comment : Object : C:\Program Files\Common Files\WinSoftware\ FileVersion : 1.0.1.0 ProductVersion : 1.0.1.0
WinFixer Object Recognized! Type : File Data : WFF.sys TAC Rating : 3 Category : Misc Comment : Object : C:\WINDOWS\system32\drivers\ FileVersion : 1.0.2.0 ProductVersion : 1.0.2.0 CompanyName : WinSoftware Ltd FileDescription : File Creation Filter Driver LegalCopyright : Copyright (C) WinSoftware Ltd 2005 OriginalFilename : wff.sys
Disk Scan Result for C:\ »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 17
Scanning Hosts file...... Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts". »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Hosts file scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» 0 entries scanned. New critical objects:0 Objects found so far: 17
Performing conditional scans... »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinFixer Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : appid\filecreationfilter.dll
WinFixer Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : vapfm.creationnotifier
WinFixer Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : vapfm.creationnotifier.1
WinFixer Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_CURRENT_USER Object : software\winsoftware
WinFixer Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\winsoftware
WinFixer Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : system\controlset001\enum\root\legacy_df_kmd
WinFixer Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : system\controlset001\services\wff
WinFixer Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : system\controlset001\services\wff Value : Start
WinFixer Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : system\controlset001\services\wff Value : ErrorControl
WinFixer Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : system\controlset001\services\wff Value : Tag
WinFixer Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : system\controlset001\services\wff Value : ImagePath
WinFixer Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : system\controlset001\services\wff Value : DisplayName
WinFixer Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : system\controlset001\services\wff Value : Group
WinFixer Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : system\currentcontrolset\enum\root\legacy_df_kmd
WinFixer Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : system\currentcontrolset\services\wff
WinFixer Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : system\currentcontrolset\services\wff Value : Start
WinFixer Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : system\currentcontrolset\services\wff Value : ErrorControl
WinFixer Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : system\currentcontrolset\services\wff Value : Tag
WinFixer Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : system\currentcontrolset\services\wff Value : ImagePath
WinFixer Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : system\currentcontrolset\services\wff Value : DisplayName
WinFixer Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : system\currentcontrolset\services\wff Value : Group
Other Object Recognized! Type : File Data : WFF.EXE-1D35F413.pf TAC Rating : 7 Category : Malware Comment : Object : C:\WINDOWS\prefetch\
Conditional scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 22 Objects found so far: 39
5:32:14 PM Scan Complete
Summary Of This Scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Total scanning time:00:17:27.125 Objects scanned:185490 Objects identified:40 Objects ignored:0 New critical objects:40
Spysweeper Log:
********
6:44 PM: |··· Start of Session, Tuesday, September 20, 2005 ···|
6:44 PM: Spy Sweeper started
6:44 PM: Sweep initiated using definitions version 537
6:44 PM: Starting Memory Sweep
6:47 PM: Memory Sweep Complete, Elapsed Time: 00:02:44
6:47 PM: Starting Registry Sweep
6:47 PM: Found Adware: winantispyware 2005
6:47 PM: HKU\S-1-5-21-2000478354-1580436667-854245398-1009\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\winfixer 2005\ (1 subtraces) (ID = 543254)
6:47 PM: Found Adware: virtumonde
6:47 PM: HKCR\msevents.msevents\ (5 subtraces) (ID = 749130)
6:47 PM: HKCR\msevents.msevents.1\ (3 subtraces) (ID = 749136)
6:47 PM: HKLM\software\classes\msevents.msevents\ (5 subtraces) (ID = 749153)
6:47 PM: HKLM\software\classes\msevents.msevents.1\ (3 subtraces) (ID = 749157)
6:47 PM: HKLM\system\currentcontrolset\control\class\{29ae0e04-08b8-4d2f-bfbe-83fb0ec73bb7}\ (3 subtraces) (ID = 795420)
6:47 PM: HKU\WRSS_Profile_S-1-5-21-2000478354-1580436667-854245398-1006\software\winsoftware\winantispyware 2005\ (17 subtraces) (ID = 797676)
6:47 PM: HKCR\clsid\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (12 subtraces) (ID = 812324)
6:47 PM: HKLM\software\classes\clsid\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (12 subtraces) (ID = 812338)
6:47 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (ID = 812351)
6:47 PM: Registry Sweep Complete, Elapsed Time:00:00:14
6:47 PM: Starting Cookie Sweep
6:47 PM: Found Spy Cookie: reliablestats cookie
6:47 PM: chuck@stats1.reliablestats[2].txt (ID = 3254)
6:47 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
6:47 PM: Starting File Sweep
6:47 PM: c:\program files\common files\winsoftware (ID = -2147476682)
7:04 PM: setup.exe (ID = 150640)
7:08 PM: winantispyware2005setup.exe (ID = 150641)
7:09 PM: df_kmd.sys (ID = 146298)
7:09 PM: File Sweep Complete, Elapsed Time: 00:22:03
7:09 PM: Full Sweep has completed. Elapsed time 00:25:06
7:09 PM: Traces Found: 76
7:10 PM: Removal process initiated
7:10 PM: Quarantining All Traces: winantispyware 2005
7:10 PM: Quarantining All Traces: virtumonde
7:10 PM: Quarantining All Traces: reliablestats cookie
7:10 PM: Removal process completed. Elapsed time 00:00:23
********
| |   John2g Qui Tacet Consentit Premium join:2001-08-10 England
| This is a major problem.
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll
You will have to wait for one of the forum HJT helpers to show you how you use vundofix.
-- Better to remain silent and be thought a fool, than to speak and remove all doubt.
| |   John2g Qui Tacet Consentit Premium join:2001-08-10 England edit: September 21st, @04:09AM
| reply to djcfp These will need to be fixed as well.
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhgh.dll
O20 - Winlogon Notify: jkhgh - C:\WINDOWS\SYSTEM32\jkhgh.dll
| |   Rusty Dusty
join:2002-11-23 Littleton, NH
| reply to djcfp This topic may be of help... »hijack this log...Winfixer, cws.qttask, Vx2.Look2m
| |   djcfp
join:2001-02-04 Atascadero, CA
edit: September 21st, @12:19PM
| reply to John2g Thank you for the reply. I will do as you suggest and wait for one of the HJT experts to instruct me on how to use vundofix.
I have downloaded and extracted VundoFix to my Desktop on the affected machine. I will hold here and wait for further instructions.
| |   TheJoker Premium,MVM join:2001-04-26 Alexandria, VA
| reply to djcfp Fix for djcfp on DSLReports
Hi djcfp, we'll get you fixed up, but we will have to do this twice; you seem to have items related to two separate Vundo infections.
Please print these instructions out for use in Safe Mode.
Please download www.atribune.org/downloads/VundoFix.exe to your desktop.
1. Double-click VundoFix.exe to extract the files.
2. This will create a VundoFix folder on your desktop.
3. After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
4. Once in safe mode, open the VundoFix folder and double-click on KillVundo.bat.
5. You will first be presented with a warning and a list of forums to seek help at. It should look like this:

VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk
Please seek assistance at one of the following forums:
http://www.atribune.org/forums
http://www.247fixes.com/forums
http://www.geekstogo.com/forum
http://forums.net-integration.net

6. At this point press enter one time.
7. Next you will see:

Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

8. At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\SYSTEM32\jkhgh.dll

9. Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
10. Next you will see:

Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

11. At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\SYSTEM32\hghkj.*

12. Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
13. The fix will run, then HijackThis will open.
14. In HijackThis, please place a check next to the following items and click FIX CHECKED:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhgh.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - »»https://components.viewpoint.com/adobe/MTSInst..

15. After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
16. Pressing any key will cause a "Blue Screen of Death". This is normal, do not worry!
17. Once your machine reboots, please continue with the instructions below.
Then, please run this online virus scan: ActiveScan
Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
-- Proud ASAP member since 2005
| |   djcfp
join:2001-02-04 Atascadero, CA
| Okay,
First of all, thank you for assisting me, it is much appreciated.
Now, as far as my progress: you mentioned that I would have to do this twice. I assumed that you meant perform VundoFix once, reboot, post results, then do it or something like it again, so here are the results from the first run:
Activescan:

Incident Status Location
Adware:Adware/RazeSpyware No disinfected C:\Documents and Settings\Chuck\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-51cccb7c-27e64a25.class
Adware:Adware/StartPage.AIW No disinfected C:\HJT\backups\backup-20050921-181624-266.dll
Adware:adware/delfinmedia No disinfected C:\keys.ini
Virus:Eicar.Mod No disinfected C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
Adware:adware/dealhelper No disinfected C:\WINDOWS\dhdom1.bin
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\ddcax.dll
Adware:Adware/StartPage.AIW No disinfected C:\WINDOWS\system32\jkhgh.dll
Spyware:Spyware/Omi No disinfected C:\WINDOWS\system32\msfdje.gif
Spyware:Spyware/Omi No disinfected C:\WINDOWS\system32\mshpeb.dll
Spyware:Spyware/Omi No disinfected C:\WINDOWS\system32\msnapl.dll
Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 8:21:48 PM, on 9/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\KEYBOA~1\keyexp.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhgh.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Keyboard Express 3.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - »bin.mcafee.com/molbin/Shared/Com···tl32.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - »download.mcafee.com/molbin/Share···wFld.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1540.g.akamai.net/7/1540/52/200···ller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {53F63B36-5DB3-4C19-A8AB-2CB9AE7D57F7} (CFM_AXFTP_MOD.UserControl1) - »www.racelm.com/rlm/cfmaxftp/cfmprojmod.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »update.microsoft.com/windowsupda···31258104
O16 - DPF: {6EA0A4DB-0B94-40E1-9165-54F5694C19EC} (CFM2004noruna.UserControl1) - »www.racelm.com/rlm/cfm2004/cfm2004noruna.CAB
O16 - DPF: {73989DDC-D9DE-47F7-B262-6FE39DC70BC2} (CFM2004Turbo.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2004turbo.CAB
O16 - DPF: {797FA1DD-30E7-4093-A892-E8C2A556A583} (CFM2005TurboDMCrs.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2···MCrs.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »www.pandasoftware.com/activescan···inst.cab
O16 - DPF: {A49DFBB5-A3BB-45FE-BA2F-34890123C47F} (CFM2005TurboDMC.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2···oDMC.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - »download.mcafee.com/molbin/share···dmgr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - »photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DB1C1859-F90A-47DE-8934-FB8CECE8E6F3} (CFM_AXFTP_MOD.UserControl1) - »www.racelm.com/rlm/cfmaxftp/cfmp···orun.CAB
O16 - DPF: {DDC38B48-52B8-4FD6-BBB3-2FC2C136FD0D} (CFM2004a.UserControl1) - »www.racelm.com/rlm/cfm2004/cfm2004a.CAB
O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - »www.amiuptodate.com/vsc/mvt/bin/···mash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A551B11-F6EE-4A28-8E26-0BAB4D056B63}: NameServer = 64.166.172.8,206.13.29.12
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll
O20 - Winlogon Notify: jkhgh - C:\WINDOWS\SYSTEM32\jkhgh.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: GEARSecurity_BackUp - Unknown owner - C:\WINDOWS\SYSTEM32\GEARSEC.EXE (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
vundofix.txt:
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 200 'smss.exe' Threads
[204]Error 0x6 : The handle is invalid.
[208]Error 0x6 : The handle is invalid.
[212]Error 0x6 : The handle is invalid.

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1100 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 272 'winlogon.exe'
Error 0x6 : The handle is invalid.

Could not delete file.
Files Deleted sucessfully.
| |   TheJoker Premium,MVM join:2001-04-26 Alexandria, VA
| Let's take care of a few things there first, and then see if after running Vundofix you can get a clean scan.
One of the files the scan found was a test file (Eicar) for scanners, and not really a virus, so we will leave that alone. We will take care of the one listed as Virtumonde with the Vundofix.
The first file Panda found was in your Sun Java Runtime Environment (JRE) cache. Delete it by clearing the JRE cache directory:
1. From the Start button, click Settings -> Control Panel
2. In the Control Panel, open the "Java Plug-in Control Panel"
3. Select the Cache Tab
4. Click the Clear button inside the Cache Tab, which will clear your JRE cache directory

Reconfigure Windows XP to show hidden files:
1. Click Start.
2. Open My Computer.
3. Select the Tools menu and click Folder Options.
4. Select the View Tab.
5. Under the Hidden files and folders heading select "Show hidden files and folders".
6. Uncheck the "Hide protected operating system files (recommended)" option.
7. Uncheck the "Hide file extensions for known file types" option.

Using Windows Explorer, locate and delete the following files:

C:\HJT\backups\backup-20050921-181624-266.dll
C:\keys.ini
C:\WINDOWS\dhdom1.bin
C:\WINDOWS\system32\jkhgh.dll
C:\WINDOWS\system32\msfdje.gif
C:\WINDOWS\system32\mshpeb.dll
C:\WINDOWS\system32\msnapl.dll
Please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
1. Once in safe mode, open the VundoFix folder and double-click on KillVundo.bat.
2. You will first be presented with a warning and a list of forums to seek help at. It should look like this:

VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk
Please seek assistance at one of the following forums:
http://www.atribune.org/forums
http://www.247fixes.com/forums
http://www.geekstogo.com/forum
http://forums.net-integration.net

3. At this point press enter one time.
4. Next you will see:

Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

5. At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\SYSTEM32\ddcax.dll

6. Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
7. Next you will see:

Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

8. At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\SYSTEM32\xacdd.*

9. Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
10. The fix will run, then HijackThis will open.
11. In HijackThis, please place a check next to the following items and click FIX CHECKED:

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhgh.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll
O20 - Winlogon Notify: jkhgh - C:\WINDOWS\SYSTEM32\jkhgh.dll

12. After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
13. Pressing any key will cause a "Blue Screen of Death". This is normal, do not worry!
14. Once your machine reboots, please continue with the instructions below.
Then, please run this online virus scan: ActiveScan
Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
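The pattern John2g spotted and that both VundoFix runs above are built around (one DLL registered as an O2 BHO and again as an O20 Winlogon Notify package, with VundoFix then given that DLL and its reversed-name companion) can be checked mechanically against a HijackThis log. The Python script below is an added example, not part of this thread, of HijackThis or of VundoFix; it parses O2/O20 lines in the HijackThis format, flags any DLL that appears in both roles, and derives the reversed-name wildcard. The sample lines are copied from the log djcfp posted earlier, plus one benign Spybot BHO and one O4 line as controls.

```python
import re
from collections import defaultdict

# Constructed sample: O2/O20 lines copied from the HijackThis log posted in
# this thread, plus one benign O2 (Spybot's SDHelper) and one O4 line as controls.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhgh.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll
O20 - Winlogon Notify: jkhgh - C:\WINDOWS\SYSTEM32\jkhgh.dll
"""

# HijackThis line formats for Browser Helper Objects (O2) and Winlogon Notify packages (O20).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<guid>[0-9A-Fa-f-]+)\} - (?P<path>\S.*?)\s*$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>\S.*?)\s*$")


def parse_hjt(text):
    """Return (bhos, notifies): O2 and O20 entries as dicts, each keeping its raw line."""
    bhos, notifies = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append({"name": m["name"], "guid": m["guid"].upper(),
                         "path": m["path"], "line": line})
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notifies.append({"key": m["key"], "path": m["path"], "line": line})
    return bhos, notifies


def companion_glob(path):
    """Second path the helper gives VundoFix in this thread: same folder, base
    name reversed, any extension (jkhgh.dll -> hghkj.*, ddcax.dll -> xacdd.*)."""
    folder, _, filename = path.rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    return f"{folder}\\{stem[::-1]}.*" if folder else f"{stem[::-1]}.*"


def find_vundo_pairs(text):
    """DLLs registered both as a BHO (O2) and as a Winlogon Notify package (O20).

    A DLL loaded by winlogon.exe through the Notify key stays in use for the
    whole session, which is why djcfp could not delete it from a normal or
    Safe Mode session. Keys are lower-cased paths so system32/SYSTEM32 match.
    """
    bhos, notifies = parse_hjt(text)
    roles = defaultdict(lambda: {"guids": [], "notify_keys": []})
    for b in bhos:
        roles[b["path"].lower()]["guids"].append(b["guid"])
    for n in notifies:
        roles[n["path"].lower()]["notify_keys"].append(n["key"])
    return {
        path: {**r, "companion": companion_glob(path)}
        for path, r in roles.items()
        if r["guids"] and r["notify_keys"]
    }


def hjt_lines_to_fix(text):
    """The O2 and O20 log lines a helper would tell the user to tick in HijackThis."""
    hits = find_vundo_pairs(text)
    bhos, notifies = parse_hjt(text)
    return [e["line"] for e in bhos + notifies if e["path"].lower() in hits]


if __name__ == "__main__":
    for path, info in sorted(find_vundo_pairs(SAMPLE_LOG).items()):
        print(f"{path}: BHO {info['guids']}, Winlogon Notify {info['notify_keys']}")
        print(f"  reversed-name companion to look for: {info['companion']}")
    print("\nHijackThis entries to fix:")
    for line in hjt_lines_to_fix(SAMPLE_LOG):
        print(" ", line)
```

On the sample, the Spybot SDHelper BHO is not reported because it has no O20 counterpart, while jkhgh.dll and ddcax.dll are, together with the hghkj.* and xacdd.* paths used in the two VundoFix runs.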
-- Proud ASAP member since 2005
| |   djcfp
join:2001-02-04 Atascadero, CA
| Okay,
I performed the tasks that you requested. FYI, to delete C:\WINDOWS\system32\jkhgh.dll, I had to physically remove the HDD from this machine and install it as a slave in another XP machine. I tried all other methods to no avail due to the fact that it was "being used by another process". That includes trying to delete it from a command prompt in Safe Mode. Bottom line is that I got it deleted.
Here are the results of the scans that you requested:
vundofix:
Could not delete file.
Files Deleted sucessfully.
Activescan:

Incident Status Location
Spyware:Spyware/Virtumonde No disinfected C:\HJT\backups\backup-20050922-091542-924.dll
Virus:Eicar.Mod No disinfected C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
Adware:adware/dealhelper No disinfected C:\WINDOWS\dhdomp1.bin
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\ddcax.dll
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 11:01:01 AM, on 9/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\KEYBOA~1\keyexp.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Keyboard Express 3.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - »bin.mcafee.com/molbin/Shared/Com···tl32.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - »download.mcafee.com/molbin/Share···wFld.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1540.g.akamai.net/7/1540/52/200···ller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {53F63B36-5DB3-4C19-A8AB-2CB9AE7D57F7} (CFM_AXFTP_MOD.UserControl1) - »www.racelm.com/rlm/cfmaxftp/cfmprojmod.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »update.microsoft.com/windowsupda···31258104
O16 - DPF: {6EA0A4DB-0B94-40E1-9165-54F5694C19EC} (CFM2004noruna.UserControl1) - »www.racelm.com/rlm/cfm2004/cfm2004noruna.CAB
O16 - DPF: {73989DDC-D9DE-47F7-B262-6FE39DC70BC2} (CFM2004Turbo.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2004turbo.CAB
O16 - DPF: {797FA1DD-30E7-4093-A892-E8C2A556A583} (CFM2005TurboDMCrs.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2···MCrs.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »www.pandasoftware.com/activescan···inst.cab
O16 - DPF: {A49DFBB5-A3BB-45FE-BA2F-34890123C47F} (CFM2005TurboDMC.UserControl1) - »www.racelm.com/rlm/cfmturbo/cfm2···oDMC.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - »download.mcafee.com/molbin/share···dmgr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - »photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - 
DPF: {DB1C1859-F90A-47DE-8934-FB8CECE8E6F3} (CFM_AXFTP_MOD.UserControl1) - »www.racelm.com/rlm/cfmaxftp/cfmp···orun.CAB O16 - DPF: {DDC38B48-52B8-4FD6-BBB3-2FC2C136FD0D} (CFM2004a.UserControl1) - »www.racelm.com/rlm/cfm2004/cfm2004a.CAB O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - »www.amiuptodate.com/vsc/mvt/bin/···mash.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{6A551B11-F6EE-4A28-8E26-0BAB4D056B63}: NameServer = 64.166.172.8,206.13.29.12 O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe O23 - Service: GEARSecurity_BackUp - Unknown owner - C:\WINDOWS\SYSTEM32\GEARSEC.EXE (file missing) O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe | |   TheJoker Premium,MVM join:2001-04-26 Alexandria, VA
reply to djcfp
Let's try one more time. If it doesn't work, we'll try another method. Now that there is only one set of entries for Vundo, it may work better.
Please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
[*] Once in Safe Mode, using Windows Explorer, locate and delete the following files:
C:\HJT\backups\backup-20050922-091542-924.dll
C:\WINDOWS\dhdomp1.bin
[*] Open the VundoFix folder and double-click on KillVundo.bat.
[*] You will first be presented with a warning and a list of forums to seek help at. It should look like this:
VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk
Please seek assistance at one of the following forums:
http://www.atribune.org/forums
http://www.247fixes.com/forums
http://www.geekstogo.com/forum
http://forums.net-integration.net
[*] At this point press Enter one time.
[*] Next you will see:
Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
[*] At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\SYSTEM32\ddcax.dll
[*] Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
[*] Next you will see:
Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
[*] At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\SYSTEM32\xacdd.*
[*] Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
[*] The fix will run, then HijackThis will open.
[*] In HijackThis, please place a check next to the following items and click FIX CHECKED:
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll
[*] After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
[*] Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
[*] Once your machine reboots please continue with the instructions below.
Then, please run this online virus scan: ActiveScan
Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
-- Proud ASAP member since 2005

djcfp
join:2001-02-04 Atascadero, CA
Okay, I followed the steps in your last reply and here are the results of the scans:
Activescan:
Incident                    Status          Location
Spyware:Spyware/Virtumonde  No disinfected  C:\HJT\backups\backup-20050922-134457-263.dll
Virus:Eicar.Mod             No disinfected  C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
Spyware:Spyware/Virtumonde  No disinfected  C:\WINDOWS\system32\ddcax.dll
HJT:
Logfile of HijackThis v1.99.1 Scan saved at 3:03:41 PM, on 9/22/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\drivers\CDAC11BA.EXE C:\WINDOWS\system32\crypserv.exe c:\program files\mcafee.com\agent\mcdetect.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe c:\PROGRA~1\mcafee.com\agent\mctskshd.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\MsPMSPSv.exe C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe C:\SCANJET\PrecisionScanPro\HPLamp.exe C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE C:\WINDOWS\system32\CTHELPE
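An added example to go with TheJoker's procedure above (my own Python, not code from the thread, HijackThis or VundoFix): it parses HijackThis O2/O20 lines, flags a DLL registered both as a BHO and as a Winlogon Notify handler (the ddcax.dll pair listed for FIX CHECKED), and derives the reversed-name companion path (xacdd.*) that the second VundoFix step removes. The sample lines are constructed from the entries quoted in this thread; the function names are hypothetical.

```python
"""Added example, not from the thread: cross-check HijackThis O2 (BHO) and O20
(Winlogon Notify) entries for a DLL registered in both, the pair TheJoker's fix
targets above. Function names are hypothetical; sample lines are constructed."""
import ntpath
import re
from collections import defaultdict

# Constructed sample: the two Vundo entries quoted in the thread plus benign ones.
SAMPLE_LOG = r"""
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddcax.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - Winlogon Notify: ddcax - C:\WINDOWS\system32\ddcax.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""
ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")

def parse_hjt(text):
    """Return (section, description, path) per entry; path is the last ' - ' field."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, process list, blanks
        section, rest = m.groups()
        *desc, path = rest.split(" - ")
        entries.append((section, " - ".join(desc), path.strip()))
    return entries

def find_bho_notify_pairs(entries):
    """Paths (original case) that appear under both O2 and O20."""
    by_section = defaultdict(dict)  # section -> {lower path: first-seen path}
    for section, _desc, path in entries:
        by_section[section].setdefault(path.lower(), path)
    shared = by_section["O2"].keys() & by_section["O20"].keys()
    return sorted(by_section["O2"][k] for k in shared)

def companion_pattern(dll_path):
    """Reversed base name plus wildcard (ddcax.dll -> xacdd.*), the second path
    VundoFix is given in the procedure above."""
    folder, name = ntpath.split(dll_path)
    return ntpath.join(folder, name.rsplit(".", 1)[0][::-1] + ".*")

def fix_targets(text):
    """HJT lines to check under FIX CHECKED plus the companion pattern per pair."""
    entries = parse_hjt(text)
    pairs = {p.lower(): p for p in find_bho_notify_pairs(entries)}
    lines = [f"{s} - {d} - {p}" for s, d, p in entries
             if s in ("O2", "O20") and p.lower() in pairs]
    return {"lines": lines, "companions": [companion_pattern(p) for p in pairs.values()]}
```

fix_targets(SAMPLE_LOG) returns the two ddcax.dll lines from the fix list and C:\WINDOWS\system32\xacdd.* as the companion pattern; the benign SDHelper.dll BHO has no O20 counterpart and is left alone.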