# Blue screen, constant restart [Moved from XP; Security Help needed for Rootkit]



## IITMocker (Feb 6, 2004)

My computer has been crashing and restarting by itself. I got a couple of blue screens with this message:

Error 0x0000008E (OxC0000005 Ox8053ACF2 OxB7c2cc98 Ox000000)

Below is my Hijack log

---------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:26:33 PM, on 4/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Documents and Settings\HP_Administrator\Desktop\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\AGRSMMSG.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Documents and Settings\HP_Administrator\Desktop\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176836052390
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee Application Installer Cleanup (0140091177265585) (0140091177265585mcinstcleanup) - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\014009~1.EXE (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe


----------



## Rollin' Rog (Dec 9, 2000)

Scanlog's ok.

Run *sysdm.cpl* and select Advanced > startup and recovery. Take the check out of "automatically restart".

This will give you a blue screen for your reading displeasure.

Next -- follow these instructions and let me see what you have gotten already:

I can run a debugging utility on the dump files if you do this:

1 > create a new folder on the desktop and call it "dumpcheck" or whatever you like
2 > navigate to %systemroot%\minidump and copy the last few minidump files to that folder. %systemroot% is normally c:\windows. They are numbered by date. You can paste that address in the address bar to get there.
3 > close the folder and right click on it and select *Send to* _Compressed (zipped) Folder_. Please do NOT compress them in .rar
4 > use the "manage attachments" in the "advanced" reply window to upload that zip file here as an attachment.

This might point us to a 3rd party driver causing the error, if one exists for it.

Since almost all bugchecks can be caused by faulty RAM, I would recommend you perform memory tests.

Beginners Guides: Diagnosing Bad Memory

Memtest86 - A Stand-alone Memory


----------



## IITMocker (Feb 6, 2004)

Here are the ZIPs


----------



## Rollin' Rog (Dec 9, 2000)

I've just looked at the first two (you could have put them all in one folder, by the way).

You have a trojan/worm rootkit:

http://www.msisac.org/advisories/2007/01_23.cfm

The giveaway is this named, faulting driver:

BugCheck 10000050, {e3aa1000, 0, 8053abef, 1}

*Probably caused by : windev-6f27-2975.sys* ( windev_6f27_2975+9b3 )

I will move your thread to the Security forum. If you do not get a response there in 24 hours -- PM me and I will put the tap on someone personally.


----------



## Byteman (Jan 24, 2002)

Hi IITMocker

Rog has asked me to help you, please download and run the tool shown below, and post the log it makes.

Download this tool to your desktop:
http://www.uploads.ejvindh.net/rootchk.exe
Run the program. After a short time a logfile will turn up. Copy the contents of the log into the thread.


----------



## Rollin' Rog (Dec 9, 2000)

Thanks Bill!

Just thought I'd throw this in in case it's of any help. You may need to do some manual registry editing:

http://searchg.symantec.com/search?...US&proxystylesheet=symc_en_US&site=symc_en_US

http://www.symantec.com/security_response/writeup.jsp?docid=2007-041314-1900-99&tabid=3


----------



## IITMocker (Feb 6, 2004)

Thank you for your help. Here is the rootlog

--------------------------------------------------------

********************************* ROOTCHK-(25-04-07)-LOG, by ejvindh
Sat 04/28/2007 19:09:20.09

Driver nm (visible) is present. Run COMBOFIX by sUBs.

********************************* ROOTCHK-LOG-end

catchme 0.3.657 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-28 19:09:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

HKLM\SYSTEM\CurrentControlSet\Services\winmgmt6f27-2975

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\windev-6f27-2975.sys
C:\WINDOWS\system32\windev-peers.ini

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 2


----------



## IITMocker (Feb 6, 2004)

Bump


----------



## Byteman (Jan 24, 2002)

Hi, 
I need to see some further logs, so we will get the ComboScan tool as below:

This tool should not take long to run, something along the lines of about 5 minutes. It also does some temp file deleting, and is also supposed to create a System Restore Point for you....but, I need you to *first ensure that your System Restore is enabled- this is very important*

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab. ( If there is a check in "Turn Off System Restore...."= it is Off.) Turn Restore back On, by taking the checkmark OUT OF the box there....

*If System Restore is already on, you will see the word "Monitoring" so leave it that way if it is.*

Download ComboScan by Deckard from *Here* and save it to your Desktop. 

Double click *comboScan.exe * and follow the prompts.
When finished, it will produce a log for you. 
Post the contents of that log in your next reply.
Using Windows Explorer (to get there right-click your Start button and go to "Explore"), navigate to the *C:\ComboScan *folder. You will find two logs in the folder, *ComboScan.txt *and *Supplementary.txt*.
Open the *Supplementary.txt* log in Notepad
Also Copy and Paste its contents in a reply.


----------



## IITMocker (Feb 6, 2004)

Here is the log...thanks..

___________
ComboScan v20070306.20 run by HP_Administrator on 2007-05-01 at 23:12:25
Supplementary logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) D CPU 3.00GHz
CPU 1: Intel(R) Pentium(R) D CPU 3.00GHz
Percentage of Memory in Use: 50%
Physical Memory (total/avail): 1022.41 MiB / 510 MiB
Pagefile Memory (total/avail): 2459.41 MiB / 2105.82 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1994.96 MiB

C: is Fixed (NTFS) - 224.87 GiB total, 28.7 GiB free. 
D: is Fixed (FAT32) - 8 GiB total, 1.37 GiB free. 
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
K: is CDROM (UDF)
L: is Fixed (FAT32) - 232.83 GiB total, 49.23 GiB free.

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\HP_Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ROLYJP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\HP_Administrator
LOGONSERVER=\\ROLYJP
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\;C:\Program Files\ATI Technologies\ATI Control Panel;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0404
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=c:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp
USERDOMAIN=ROLYJP
USERNAME=HP_Administrator
USERPROFILE=C:\Documents and Settings\HP_Administrator
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

HP_Administrator _(admin)_
Administrator _(admin)_

-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat - Reader 6.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Advanced Registry Optimizer --> "C:\Program Files\Advanced Registry Optimizer\unins000.exe" /silent
Agere Systems PCI Soft Modem --> agrsmdel
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe" 
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_classISPLAY -clean
Blackhawk Striker 2 from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\758619C0-7C97-42BB-B1E9-775F72FDAD1E\Uninstall.exe"
Blasterball 2 from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\D2DACBCD-E1FE-4C32-A49B-1EB0743D1E79\Uninstall.exe"
Blasterball 2 Holidays from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\1B497FAA-E53E-420D-8408-FFDD3278CD50\Uninstall.exe"
Blasterball 2 Remix from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\0C84A7C5-2762-4932-96BF-44A77202DCC3\Uninstall.exe"
Bounce Symphony from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\5DAA9E44-1B31-41CD-88A8-228EDED6E36E\Uninstall.exe"
Crystal Maze from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\3D61540E-C88C-4358-B6A1-DC26648F2A3D\Uninstall.exe"
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
Easy Internet Sign-up --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{8105684D-8CA6-440D-8F58-7E5FD67A499D} /l1033 
Final Drive Nitro from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\31D6EDEF-1926-4267-A24E-077BFB360F72\Uninstall.exe"
GemMaster Mystic --> "C:\Program Files\GemMaster\uninstallgemmaster.exe"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
HP Boot Optimizer --> MsiExec.exe /I{3BA95526-6AE0-4B87-A62D-17187EF565FC}
HP Deskjet Printer Preload --> MsiExec.exe /I{2C5D07FB-31A2-4F2D-9FDA-0B24ACD42BD0}
HP Image Zone 4.8.6 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Image Zone for Media Center PC --> MsiExec.exe /X{8D0C57BC-4942-4960-BB6D-142456D6F233}
HP Image Zone Plus 4.8.6 --> C:\Program Files\HP\Digital Imaging\{32498B7B-E1F3-4ad5-A23B-F26414E94BE0}\setup\hpzscr01.exe -datfile hpdscr01.dat
HP Photosmart Cameras 4.5 --> C:\Program Files\HP\Digital Imaging\{ABA2B37F-AB88-486e-870A-52454A23FEE0}\setup\hpzscr01.exe -datfile hpiscr01.dat
HP PSC & OfficeJet 4.7 --> "C:\Program Files\HP\Digital Imaging\{342C7C88-D335-4bc2-8CF1-281857629CE2}\setup\hpzscr01.exe" -datfile hposcr05.dat
HP Software Update --> MsiExec.exe /X{64FC0C98-B035-4530-B15D-3D30610B6DF1}
HP Tunes --> MsiExec.exe /X{6512B303-F989-4C13-B9F6-A99989E4ED54}
HPIZplus450 --> MsiExec.exe /X{0E484A60-A429-49A8-982C-D6475F1E80A9}
Intel(R) PRO Network Connections Drivers --> Prounstl.exe
IntelliMover Data Transfer Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14589F05-C658-4594-9429-D437BA688686}\Setup.exe" -l0x9 
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
KBD --> C:\HP\KBD\KBD.EXE uninstalled
Lexibox Deluxe from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\9844050E-4CA4-4901-A53D-A5D14C63789B\Uninstall.exe"
Microsoft Office 2000 Small Business --> MsiExec.exe /I{00030409-78E1-11D2-B60F-006097C998E7}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Dancer LE --> MsiExec.exe /X{1A103D70-5C9B-4E1A-B306-5106C68F9914}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
muvee autoProducer 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC10C922-52E9-4739-ACD0-EB0FF035EE7E}\setup.exe" -l0x9 
muvee autoProducer unPlugged - HPD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D8E4A88B-E35A-4F3B-AB60-42E7DB0EC765}\setup.exe" -l0x9 
NewsLeecher v3.8 Final --> "C:\Program Files\NewsLeecher\unins000.exe"
Otto --> "C:\Program Files\EnglishOtto\uninstallotto.exe"
Overball from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\A8B63E91-BB8C-41FF-B530-5BB13C915612\Uninstall.exe"
Pando --> MsiExec.exe /I{C0B0FA55-D4E9-4374-9871-BBFBF2AEF0D1}
PC-Doctor for Windows --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{19C989C4-50AE-43A4-B06E-8C70FFFF852F} /l1033 
Phoenix Assault from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\4C838121-69EC-424A-8FB0-91C15306A758\Uninstall.exe"
Photosmart 320,370,7400,8100,8400 Series --> C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\setup\hpzscr01.exe -datfile hphscr01.dat
Picasa 2 --> "C:\Documents and Settings\HP_Administrator\My Documents\Picasa2\Uninstall.exe"
Polar Bowler from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\1FFA88DF-0AC3-4D9E-9139-5FF98813C12C\Uninstall.exe"
Polar Golfer from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\55275778-F7D9-4BA0-95F4-DEFD71ADDFD9\Uninstall.exe"
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
Python 2.2 pywin32 extensions (build 203) --> "C:\Python22\Removepywin32.exe" -u "C:\Python22\pywin32-wininst.log"
Python 2.2.3 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
QuickPar 0.9 --> C:\Program Files\QuickPar\uninst.exe
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Registry Mechanic 6.0 --> "C:\Program Files\Registry Mechanic\unins000.exe"
Remove Microsoft Money 2005 installer --> c:\\hp\\bin\\cloaker.exe commands /ww /lw:c:\\hp\\bin\\ifc\\Money\\lg.ini /c c:\\hp\\bin\\cloaker.exe c:\\hp\\bin\\ifc\\uninst.cmd ar
Remove Quicken New User Edition installer --> c:\\hp\\bin\\cloaker.exe commands /ww /lw:c:\\hp\\bin\\ifc\\Quicken_NUE\\lg.ini /c c:\\hp\\bin\\cloaker.exe c:\\hp\\bin\\ifc\\uninst.cmd ar
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shooting Stars Pool from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\B2AA88B1-4920-462B-9F7C-019782B3C4DB\Uninstall.exe"
Slyder from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\600C800C-5985-4E74-AFE7-571001AC3FA4\Uninstall.exe"
Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Super Granny from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\0C20CAB1-F8BC-4AC1-A796-535B005C1B83\Uninstall.exe"
Tradewinds from HP Media Center (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\B3FF79F4-CDA8-4845-A7C0-9CE017719F36\Uninstall.exe"
Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369) --> C:\WINDOWS\$NtUninstallMC05Upd1$\spuninst\spuninst.exe
Updates from HP --> C:\WINDOWS\BWUnin-6.3.2.62.exe -AppId 309731
VideoLAN VLC media player 0.8.6 --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Window Washer --> C:\WINDOWS\Unwash6.exe
Windows XP Media Center Edition 2005 KB888316 --> C:\WINDOWS\$NtUninstallKB888316$\spuninst\spuninst.exe
Windows XP Media Center Edition 2005 KB890629 --> 
Windows XP Media Center Edition 2005 KB895678 --> C:\WINDOWS\$NtUninstallKB895678$\spuninst\spuninst.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe

-- End of ComboScan: finished at 2007-05-01 at 23:13:15 ------------------------


----------



## IITMocker (Feb 6, 2004)

I am not sure if this is related...but I have been trying to install the McAfee anti-virus program several times and it fails every time. Also, I no longer have the search function for Windows...the screen comes up, but it's blank....


----------



## Byteman (Jan 24, 2002)

Hi, you posted only the Supplementary file; I need to see the file named *ComboScan.txt*.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), navigate to the C:\ComboScan folder. You will find two logs in the folder, ComboScan.txt and Supplementary.txt.

Post ComboScan.txt please. If you were in the process, just go ahead and post it....

Regarding your question: Malware can produce the oddest symptoms, most of these will clear up when we clean out the crap!


----------



## IITMocker (Feb 6, 2004)

-- HijackThis (run as HP_Administrator.exe) ------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:40:31 PM, on 5/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\tcpipmon.exe
C:\WINDOWS\system32\tcpipmon.exe
C:\Documents and Settings\HP_Administrator\Desktop\today\comboscan.exe
C:\PROGRA~1\HIJACK~1\HP_ADM~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {713A7346-6EE8-4C5C-BD80-D9BBF6786012} - C:\WINDOWS\system32\iiffcbx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Documents and Settings\HP_Administrator\Desktop\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu2000352.exe 61A847B5BBF72810329B385577FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176836052390
O20 - Winlogon Notify: iiffcbx - C:\WINDOWS\SYSTEM32\iiffcbx.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee Application Installer Cleanup (0140091177265585) (0140091177265585mcinstcleanup) - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\014009~1.EXE (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

-- Files created between 2007-04-01 and 2007-05-01 -----------------------------

2007-05-01 18:49:42 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Microsoft Web Folders<MICROS~2>
2007-05-01 00:21:58 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\InterVideo<INTERV~1>
2007-04-30 06:53:42 0 d-------- C:\Program Files\Registry Mechanic<REGIST~2>
2007-04-30 06:53:03 4991776 --a------ C:\Program Files\rminstall.exe<RMINST~1.EXE>
2007-04-30 00:49:35 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\NewsLeecher<NEWSLE~1>
2007-04-30 00:11:54 614191 --a------ C:\WINDOWS\system32\RegistryCleanerSetup.exe<REGIST~1.EXE>
2007-04-29 23:57:26 30720 --a------ C:\WINDOWS\system32\tcpipmon.exe
2007-04-29 23:57:25 13824 --a------ C:\WINDOWS\system32\max1d1641.exe<MAX1D1~1.EXE>
2007-04-29 23:57:25 48128 --a------ C:\stmjv.exe
2007-04-29 23:57:23 30720 --a------ C:\WINDOWS\system32\rpcc.dll
2007-04-29 23:57:23 7200 --a------ C:\rwswny.exe
2007-04-29 23:57:18 45056 --a------ C:\WINDOWS\retadpu2000352.exe<RETADP~1.EXE>
2007-04-29 23:57:15 26678 --a------ C:\WINDOWS\system32\iiffcbx.dll
2007-04-25 00:41:42 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Sammsoft
2007-04-25 00:41:34 0 d-------- C:\Program Files\Advanced Registry Optimizer<ADVANC~1>
2007-04-24 15:14:57 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\dvdcss
2007-04-22 14:21:59 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
2007-04-22 14:21:53 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Adobe
2007-04-22 12:35:00 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Lavasoft
2007-04-21 23:53:35 0 d-------- C:\SDFix
2007-04-21 11:04:21 21504 --a------ C:\WINDOWS\system32\encxfjm.dll
2007-04-20 18:48:53 439296 --a------ C:\Documents and Settings\HP_Administrator\GoToAssist_phone__317_en.exe<GOTOAS~1.EXE>
2007-04-20 18:48:32 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Sun
2007-04-20 18:46:11 21504 --a------ C:\WINDOWS\system32\g.dll
2007-04-18 23:09:58 91476 --a------ C:\WINDOWS\system32\cent.exe
2007-04-18 23:07:47 21504 --a------ C:\WINDOWS\system32\kbx.dll
2007-04-18 13:25:50 636502 -ra------ C:\WINDOWS\system32\drivers\PRISMUSB.sys
2007-04-18 06:57:50 21504 --a------ C:\WINDOWS\system32\hpikgcnwntwaz.dll<HPIKGC~1.DLL>
2007-04-18 06:57:22 48 --a------ C:\WINDOWS\system32\pfxzmtymsg.dll<PFXZMT~4.DLL>
2007-04-18 06:57:22 48 --a------ C:\WINDOWS\system32\pfxzmtwbmail.dll<PF9452~1.DLL>
2007-04-18 06:57:22 48 --a------ C:\WINDOWS\system32\pfxzmticq.dll<PFXZMT~1.DLL>
2007-04-18 06:57:22 48 --a------ C:\WINDOWS\system32\pfxzmtgtal.dll<PFXZMT~3.DLL>
2007-04-18 06:57:22 48 --a------ C:\WINDOWS\system32\pfxzmtforum.dll<PF5607~1.DLL>
2007-04-18 06:57:22 48 --a------ C:\WINDOWS\system32\pfxzmtaim.dll<PFXZMT~2.DLL>
2007-04-18 06:57:20 40758 --a------ C:\WINDOWS\pdp.exe
2007-04-18 06:57:17 91958 --a------ C:\WINDOWS\cent.exe
2007-04-18 06:57:06 8704 --a------ C:\WINDOWS\system32\sporder.dll
2007-04-17 19:26:32 0 d-------- C:\Program Files\McAfee.com
2007-04-17 18:57:55 25856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-04-17 18:57:46 15104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-04-17 18:57:42 31616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-04-17 18:53:22 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Template
2007-04-17 18:53:08 300 --a------ C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2007-04-17 16:53:48 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Webroot
2007-04-17 16:53:12 486400 --a------ C:\WINDOWS\system32\wwSecure.exe
2007-04-17 16:53:09 3213464 --a------ C:\Program Files\wwsetup4930_1918159813.exe<WWSETU~1.EXE>
2007-04-17 16:09:42 0 d-------- C:\WINDOWS\system32\appmgmt
2007-04-17 15:54:51 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\vlc
2007-04-17 15:17:23 2560 -----n--- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-04-17 15:17:23 2432 -----n--- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-04-17 15:16:50 0 d-------- C:\WINDOWS\nsyB7.tmp
2007-04-17 15:16:45 5355320 --a------ C:\Program Files\picasaweb-current-setup.exe<PICASA~1.EXE>
2007-04-17 15:16:20 0 d-------- C:\WINDOWS\nsrB3.tmp
2007-04-17 14:58:29 0 d-------- C:\WINDOWS\system32\PreInstall<PREINS~1>
2007-04-17 14:55:28 18200 --a------ C:\WINDOWS\system32\wups2.dll
2007-04-17 14:55:26 0 d-------- C:\WINDOWS\system32\SoftwareDistribution<SOFTWA~1>
2007-04-17 14:52:11 0 dr-hs---- C:\cmdcons
2007-04-17 14:51:44 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Yahoo!
2007-04-17 14:47:14 0 d--h----- C:\WINDOWS\msdownld.tmp
2007-04-17 14:47:00 0 d-------- C:\WINDOWS\system32\en-US
2007-04-17 14:43:54 121856 -----n--- C:\WINDOWS\system32\xmllite.dll
2007-04-17 13:48:00 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\InterMute<INTERM~1>
2007-04-17 13:48:00 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Apple Computer<APPLEC~1>
2007-04-17 13:47:59 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Symantec
2007-04-17 13:47:59 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\SampleView<SAMPLE~1>
2007-04-17 13:47:59 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Real
2007-04-17 13:47:58 0 d-------- C:\Documents and Settings\HP_Administrator\WINDOWS
2007-04-17 13:47:58 2621440 --ah----- C:\Documents and Settings\HP_Administrator\NTUSER.DAT
2007-04-17 13:39:47 21504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-04-17 13:39:43 12160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-04-17 13:39:37 9600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-04-17 13:08:37 0 dr-hs---- C:\WINDOWS\system32\dllcache
2007-04-17 13:07:53 0 d--hs---- C:\Documents and Settings\HP_Administrator\UserData
2007-04-17 13:05:31 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Google
2007-04-17 11:32:02 0 d-------- C:\Documents and Settings\HP_Administrator\Incomplete<INCOMP~1>
2007-04-17 11:31:51 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\LimeWire
2007-04-17 10:56:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-04-15 14:56:55 0 d-------- C:\Webroot
2007-04-15 14:56:47 0 d-------- C:\Plugins
2007-04-15 14:56:47 0 d-------- C:\Download
2007-04-15 14:56:47 0 d-------- C:\Backup
2007-04-15 14:56:31 58368 --a------ C:\WINDOWS\Unwash6.exe
2007-04-14 19:02:58 1156 --a------ C:\WINDOWS\mozver.dat
2007-04-14 18:44:51 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-04-04 23:24:08 0 d-------- C:\Program Files\High Quality Photo Resizer<HIGHQU~1>

-- Find3M Report ---------------------------------------------------------------

2007-05-28 14:02:49 0 d-------- C:\Program Files\Easy Internet signup<EASYIN~1>
2007-05-01 18:48:13 0 d-------- C:\Program Files\microsoft frontpage<MICROS~1>
2007-04-30 07:34:04 0 d-------- C:\Program Files\McAfee
2007-04-30 00:49:32 0 d-------- C:\Program Files\NewsLeecher<NEWSLE~1>
2007-04-30 00:17:13 0 d-------- C:\Program Files\Yahoo!
2007-04-18 13:41:58 0 d-------- C:\Program Files\Online Services<ONLINE~1>
2007-04-17 19:39:58 591400 --a------ C:\Program Files\DMSetup.exe
2007-04-17 18:53:22 0 d---s---- C:\Documents and Settings\HP_Administrator\Application Data\Microsoft<MICROS~1>
2007-04-17 16:53:53 0 d-------- C:\Program Files\Common Files\Webroot Shared<WEBROO~1>
2007-04-17 16:16:03 0 d-------- C:\Program Files\Symantec
2007-04-17 15:52:56 9451515 --a------ C:\Program Files\vlc-0.8.6-win32.exe<VLC-08~2.EXE>
2007-04-17 13:22:53 0 d-------- C:\Program Files\Windows NT<WINDOW~2>
2007-04-17 13:22:51 0 d-------- C:\Program Files\Movie Maker<MOVIEM~1>
2007-04-17 13:22:50 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-04-17 11:32:10 0 d-------- C:\Program Files\LimeWire
2007-04-17 11:21:54 0 d-------- C:\Program Files\hacha
2007-04-17 11:16:05 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla
2007-04-17 11:14:07 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-04-17 11:09:33 0 d-------- C:\Program Files\FLVPlayer<FLVPLA~1>
2007-04-17 11:08:50 0 d-------- C:\Program Files\Flying Fish<FLYING~1>
2007-04-17 11:01:33 0 d-------- C:\Program Files\Java
2007-04-17 10:56:11 0 d-------- C:\Program Files\Google
2007-04-17 10:56:08 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Macromedia<MACROM~1>
2007-04-15 14:56:45 0 d-------- C:\Program Files\Webroot
2007-04-06 07:05:56 0 d-------- C:\Program Files\Kazaa
2007-03-20 11:11:01 31 --ah----- C:\WINDOWS\uccspecc.sys
2007-03-20 11:11:01 0 d-------- C:\Program Files\Coupons
2007-03-20 10:54:21 0 d-------- C:\Program Files\Common Files\McAfee
2007-03-20 10:18:06 0 d-------- C:\Program Files\Veoh
2007-03-17 09:43:01 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 11:36:28 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36:28 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36:28 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47:48 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-15 16:22:20 2514784 --a------ C:\Program Files\wmpy_flv_player_pc.zip<WMPY_F~1.ZIP>
2007-02-05 16:17:02 185344 --a------ C:\WINDOWS\system32\upnphost.dll

-- Registry Dump ---------------------------------------------------------------

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Window Washer"="C:\\Program Files\\Webroot\\Washer\\wwDisp.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Pando"="\"C:\\Program Files\\Pando Networks\\Pando\\Pando.exe\" /Minimized"
"AROReminder"="C:\\Program Files\\Advanced Registry Optimizer\\aro.exe -rem"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"RTHDCPL"="RTHDCPL.EXE"
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Documents and Settings\\HP_Administrator\\Desktop\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"runner1"="C:\\WINDOWS\\retadpu2000352.exe 61A847B5BBF72810329B385577FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310"
"tcpipmon"="tcpipmon.exe"
"RegistryMechanic"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{713A7346-6EE8-4C5C-BD80-D9BBF6786012}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffcbx
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command	D:\setupSNK.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\AutoRun\command	E:\SWSETUP\APPINSTL\setup.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{15b00678-ed0a-11db-9a51-806d6172696f}]
Shell\AutoRun\command	D:\setupSNK.exe

-- End of ComboScan: finished at 2007-05-01 at 23:41:03 ------------------------


----------
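Added example (editor's code, not a tool from this thread or from the posters): every entry Byteman goes after later in the thread can be picked out of the HijackThis/ComboScan text above by a handful of mechanical checks: O20 Winlogon Notify DLLs that are not one of XP's own notification packages (iiffcbx.dll and rpcc.dll, versus WgaLogon.dll), an O23 service whose binary is missing, Run values that are a bare file name with no path (`tcpipmon.exe`, resolved through the search path at logon) or that point at an executable dropped straight into C:\WINDOWS with a long hex argument (`runner1`), and a burst of new .exe/.dll/.sys files created within a minute of each other (2007-04-29 23:57:15 to 23:57:26). The script below runs those checks over lines constructed from this log. The SYSTEM_ROOT value, the Winlogon allowlist, the burst thresholds and SAMPLE_LOG are the editor's assumptions; it needs Python 3.8 or later. Note that the burst rule also fires on the three USB driver files from 2007-04-17 18:57, which is an ordinary printer install, so the output is a list of candidates to verify, not a verdict.

```python
"""Triage heuristics over HijackThis / ComboScan log lines like the ones in this thread.

Editor's example, not a tool from the thread. SYSTEM_ROOT, the Winlogon allowlist,
the burst thresholds and SAMPLE_LOG are assumptions/constructed from the posted log.
Needs Python 3.8+ (assignment expressions).
"""
import re
from datetime import datetime, timedelta

SYSTEM_ROOT = r"C:\WINDOWS"                                  # assumption: poster's %SystemRoot%
ROOT_DIRS = {SYSTEM_ROOT.lower(), SYSTEM_ROOT[:2].lower()}   # C:\WINDOWS and the drive root
# Assumption: notification packages Windows XP itself registers under Winlogon\Notify.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
                     "wlnotify.dll", "termsrv.dll", "wgalogon.dll"}
BURST_WINDOW, BURST_MIN = timedelta(seconds=60), 3           # N binaries dropped inside a minute

O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+?)( \(file missing\))?$")
RUN_KEY_RE = re.compile(r"^\[hk\w+\\.*\\run\]$", re.IGNORECASE)
RUN_VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\d+\s+(\S{9})\s+(.+?)(?:<[^>]+>)?$")
HEX_ARG_RE = re.compile(r"\b[0-9A-Fa-f]{32,}\b")


def exe_of(run_value):
    """Executable named by a .reg-style Run value, where \\ and \" are escapes."""
    cmd = run_value.replace('\\"', '"').replace("\\\\", "\\").strip()
    if cmd.startswith('"'):                       # quoted path, arguments follow the quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """(rule, subject, detail) findings in log order; file-creation bursts appended last."""
    findings, drops, in_run = [], [], False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if line.startswith("["):                  # registry dump key header
            in_run = bool(RUN_KEY_RE.match(line))
        elif (m := O20_RE.match(line)):
            name, path = m.groups()
            if path.rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_DLLS:
                findings.append(("winlogon-notify", name, path))
        elif (m := O23_RE.match(line)) and m.group(4):
            findings.append(("service-file-missing", m.group(1), m.group(3)))
        elif in_run and (m := RUN_VAL_RE.match(line)):
            name, value = m.groups()
            exe = exe_of(value)
            if not exe:
                continue
            if "\\" not in exe:                   # resolved through the search path at logon
                findings.append(("run-bare-filename", name, exe))
            elif exe.rsplit("\\", 1)[0].lower() in ROOT_DIRS:
                findings.append(("run-from-root-dir", name, exe))
            if HEX_ARG_RE.search(value):          # opaque token handed to the binary
                findings.append(("run-hex-argument", name, value))
        elif (m := FILE_RE.match(line)) and not m.group(2).startswith("d"):
            ts, _, path = m.groups()
            if path.lower().rsplit(".", 1)[-1] in ("exe", "dll", "sys"):
                drops.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), path))
    cluster = []
    for ts, path in sorted(drops) + [(datetime.max, "")]:   # sentinel flushes the last cluster
        if cluster and ts - cluster[0][0] <= BURST_WINDOW:
            cluster.append((ts, path))
            continue
        if len(cluster) >= BURST_MIN:
            findings.append(("drop-burst", cluster[0][0].isoformat(sep=" "), [p for _, p in cluster]))
        cluster = [(ts, path)]
    return findings


# Constructed from the log posted in this thread (a subset of its lines).
SAMPLE_LOG = r"""
O20 - Winlogon Notify: iiffcbx - C:\WINDOWS\SYSTEM32\iiffcbx.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee Application Installer Cleanup (0140091177265585) (0140091177265585mcinstcleanup) - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\014009~1.EXE (file missing)
2007-04-29 23:57:26 30720 --a------ C:\WINDOWS\system32\tcpipmon.exe
2007-04-29 23:57:25 13824 --a------ C:\WINDOWS\system32\max1d1641.exe<MAX1D1~1.EXE>
2007-04-29 23:57:25 48128 --a------ C:\stmjv.exe
2007-04-29 23:57:23 30720 --a------ C:\WINDOWS\system32\rpcc.dll
2007-04-29 23:57:15 26678 --a------ C:\WINDOWS\system32\iiffcbx.dll
2007-04-25 00:41:34 0 d-------- C:\Program Files\Advanced Registry Optimizer<ADVANC~1>
2007-04-18 13:25:50 636502 -ra------ C:\WINDOWS\system32\drivers\PRISMUSB.sys
2007-04-17 18:57:55 25856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-04-17 18:57:46 15104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-04-17 18:57:42 31616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"RTHDCPL"="RTHDCPL.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"runner1"="C:\\WINDOWS\\retadpu2000352.exe 61A847B5BBF72810329B385577FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310"
"tcpipmon"="tcpipmon.exe"
"RegistryMechanic"=""
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Feed `triage()` a complete log instead of SAMPLE_LOG to get the same checks over a real post; the RTHDCPL hit (a bare file name that happens to be Realtek's) and the USB driver burst show why each finding still has to be confirmed against the file on disk before it goes into a fix.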



## Byteman (Jan 24, 2002)

Hi,

Download Combofix to your desktop:

* Double-click combofix.exe & follow the prompts.
* When finished, it shall produce a log for you. Post that log in your next reply.

Note:
*Do not mouseclick combofix's window while it's running. That may cause it to stall!*

Next: Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Reboot to safe mode by pressing F8 at boot time & select safe mode in the list on the black screen


Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.
In the *Processes * group click *Non-Microsoft* 
In the *Win32 Services * group click *Non-Microsoft* 
In the *Driver Services * group click *Non-Microsoft* 
In the *Registry * group click *Non-Microsoft* 
In the *Files Created Within* group click *30 days* Make sure Non-Microsoft only is *CHECKED*
In the *Files Modified Within* group select *30 days* Make sure Non-Microsoft only is *CHECKED*
In the *File String Search* group select *Non-Microsoft*
In the *Additional scans* section, please press *Select All* and *uncheck* Microsoft only

Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file 

reboot normally 
Use the * Reply* button and attach the notepad file here

I will look at the log and have to make a fix and I am not sure how long this will take.

ComboFix should find and remove some of the other malware files but will not fix the Peacomm trojan you have; that's what the WinPFind3u log will give me info about.


----------



## IITMocker (Feb 6, 2004)

You said to "uncheck microsoft only" but the choice was to check or uncheck "non-microsoft only" -- I left it checked... was that ok?

Anyway, here is the log... it's too big so I have to cut it in several posts


----------



## Byteman (Jan 24, 2002)

Hi, Please do this, from my last reply:



Byteman said:


> Download  Combofix to your desktop:
> 
> * Double-click combofix.exe & follow the prompts.
> * When finished, it shall produce a log for you. Post that log in your next reply.
> ...


ComboFix will find and delete some trojan files; it just makes things easier. You can also just delete the *ComboScan folder plus any log from it*.

As soon as I can take a look at the ComboFix log and reply back to you, and then see a new WinPFind3u log we will get you fixed up.

_ _ _ _

The instructions to get that *WinPFind3u* log were this:



Byteman said:


> Use the * Reply* button and attach the notepad file here


It meant you were to attach the log file to the Reply, not post it IN a Reply (like the .zip files you attached in your first post).

The vBulletin software the forum runs on does some odd things to some of the text, and puts spaces in Registry entries.

About the other question: I see there was a small typo in the directions. They did say to use "Select All" and UNcheck the Microsoft one (it should have been Non-Microsoft, yes), so I think that we will need you to redo the log. Please attach the log and for that last *Additional Scans item, press Select All, and UNcheck Non-Microsoft Only.*

Please put the old WinPFind3u log in the Recycle Bin so you don't get it mixed up.

Could you tell me if it is better for you to work on this, be at this forum etc during the daytime? I can arrange to be online tomorrow morning, or afternoon till 4 PM etc, but in the evening it's only after about 9-10PM. I will look for a reply from you in the morning and go from there.

I'm sorry things got slightly mixed up!


----------



## IITMocker (Feb 6, 2004)

yes, I will be able to check in the morning...


----------



## IITMocker (Feb 6, 2004)

winfind log


----------



## Byteman (Jan 24, 2002)

Hi, Before I post any fixing, I would like to ask you about the program or file or whatever it is called *hacha*. If you use it, know what it is, etc. then I will leave it alone. It seems suspicious but I also find somewhat OK info about it. It might be a program that does something with DVD files like a Zone Identifier.

One thing we can do is scan just that one file here to tell:

http://virusscan.jotti.org/

At the Jotti site, you see a "Browse" button, so navigate to the file shown below on your hard drive> using Windows Explorer to find this item:

*hacha.exe* (it looks to be on your Desktop, and also may be in the C:\Program Files\hacha folder). You can't scan a folder at Jotti, so find the file hacha.exe; when you highlight it once with the mouse cursor, the path to it will show on the Jotti submit line, then just click Submit to send the file up for a quick scan. Please *copy and paste the results it gives you about the file into a Reply*.


----------



## IITMocker (Feb 6, 2004)

HACHA is a file joiner program to join movie parts. I have been using it for years and have never had a problem. It has always been on the PC and is not new at all. It has always been trouble free.


----------



## Byteman (Jan 24, 2002)

OK, that clears that up for me about hacha.....

Also> I believe you may have missed one or more of the steps as the hidden driver/service the rootkit uses did not show in your newer WinPFind3u log so I have to ask you to re-do it again.

Here are the steps to use for the next use of WinPFind3u:


Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.
In the *Processes * group click *Non-Microsoft* 
In the *Win32 Services * group click *Non-Microsoft* 
In the *Driver Services * group click *Non-Microsoft* this one, make sure you get it included
In the *Registry * group click *Non-Microsoft* 
In the *Files Created Within* group click *30 days* Make sure Non-Microsoft only is *CHECKED*
In the *Files Modified Within* group select *30 days* Make sure Non-Microsoft only is *CHECKED*
In the *File String Search* group select *Non-Microsoft*
In the *Additional scans* section, please press *Select All* and *uncheck* Non-Microsoft only

Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file 

reboot normally 
Use the * Reply* button and *attach the notepad file to your post as you did last time*


----------



## IITMocker (Feb 6, 2004)

Let's try this again...I hope it works this time


----------



## Byteman (Jan 24, 2002)

Yes, that was better!

When you have read what to do, print it out or save the text directions if you wish. Then close any open programs like antivirus, antispyware, and any programs that you can spare, including some from the tray at bottom right: the less running the better. Though it doesn't give me any trouble at all, it may on an infected machine, so try to close what you know is not needed (not the volume button or things of that nature, but programs that operate in the background).

Start WinPFind3U. Look at the text items in the Code box; see how for that one entry you have to scroll sideways to the right to see it? What you are to do is highlight all that text inside the code box, EVERYTHING inside it, every letter, making sure you do get all of that one long line and down past it. It's re-doable, so if you make a mistake just delete the contents of the pasted-in fix and start again.

Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the *Run Fix* button.


```
[Kill Explorer]
[Unregister Dlls]
[Win32 Services - Non-Microsoft Only]
YY -> (0140091177265585mcinstcleanup) McAfee Application Installer Cleanup (0140091177265585) [Win32_Own | Auto | Stopped] -> %SystemDrive%\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\014009~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini
[Driver Services - Non-Microsoft Only]
YY -> (windev-6f27-2975) windev-6f27-2975 [Kernel | Auto | Stopped] -> %System32%\windev-6f27-2975.sys
[Registry - Non-Microsoft Only]
< Protocol Filters [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\
YN -> lzdhtml -> Reg Data - Key not found
[Files/Folders - Created Within 30 days]
NY -> rwswny.exe -> %SystemDrive%\rwswny.exe
NY -> stmjv.exe -> %SystemDrive%\stmjv.exe
NY -> cent.exe -> %SystemRoot%\cent.exe
NY -> nsrB3.tmp -> %SystemRoot%\nsrB3.tmp
NY -> nsyB7.tmp -> %SystemRoot%\nsyB7.tmp
NY -> pdp.exe -> %SystemRoot%\pdp.exe
NY -> retadpu2000352.exe -> %SystemRoot%\retadpu2000352.exe
NY -> cent.exe -> %System32%\cent.exe
NY -> encxfjm.dll -> %System32%\encxfjm.dll
NY -> g.dll -> %System32%\g.dll
NY -> hpikgcnwntwaz.dll -> %System32%\hpikgcnwntwaz.dll
NY -> windev-6f27-2975.sys -> %System32%\windev-6f27-2975.sys
NY -> windev-peers.ini -> %System32%\windev-peers.ini
[Files/Folders - Modified Within 30 days]
NY -> rwswny.exe -> %SystemDrive%\rwswny.exe
NY -> stmjv.exe -> %SystemDrive%\stmjv.exe
NY -> cent.exe -> %SystemRoot%\cent.exe
NY -> nsrB3.tmp -> %SystemRoot%\nsrB3.tmp
NY -> nsyB7.tmp -> %SystemRoot%\nsyB7.tmp
NY -> pdp.exe -> %SystemRoot%\pdp.exe
NY -> retadpu2000352.exe -> %SystemRoot%\retadpu2000352.exe
NY -> cent.exe -> %System32%\cent.exe
NY -> encxfjm.dll -> %System32%\encxfjm.dll
NY -> g.dll -> %System32%\g.dll
NY -> hpikgcnwntwaz.dll -> %System32%\hpikgcnwntwaz.dll
NY -> RegistryCleanerSetup.exe -> %System32%\RegistryCleanerSetup.exe
NY -> windev-6f27-2975.sys -> %System32%\windev-6f27-2975.sys
NY -> windev-peers.ini -> %System32%\windev-peers.ini
[File String Scan - Non-Microsoft Only]
NY -> UPX! , UPX0 , -> %SystemDrive%\stmjv.exe
NY -> UPX! , -> %SystemRoot%\retadpu2000352.exe
[ Extra Files ]
C:\WINDOWS\system32\tcpipmon.exe
C:\WINDOWS\system32\max1d1641.exe
C:\WINDOWS\system32\rpcc.dll
C:\WINDOWS\system32\iiffcbx.dll
C:\WINDOWS\system32\pfxzmtymsg.dll
C:\WINDOWS\system32\pfxzmtwbmail.dll
C:\WINDOWS\system32\pfxzmticq.dll
C:\WINDOWS\system32\pfxzmtgtal.dll
C:\WINDOWS\system32\pfxzmtforum.dll
C:\WINDOWS\system32\pfxzmtaim.dll
C:\WINDOWS\system32\sporder.dll
[ Extra Registry Entries ]
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\\"tcpipmon"="tcpipmon.exe"    -> 
HKLM\SYSTEM\CurrentControlSet\Services\winmgmt6f27-2975\    -> 
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\\"runner1"="C:\\WINDOWS\\retadpu2000352.exe"     -> 
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffcbx\   -> 
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc\    -> 
    -> 
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. *Post that information back here into the Reply & it should fit OK,* along with a new WinPFind3u scan log ((attach the .log please!))

I will review the information when it comes back in.

Next:

Run Hijackthis and *post a fresh log from that, and also, do this:*

Open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad. Copy and paste that list here.

* Run ActiveScan online virus scan *here*

- Once you are on the Panda site click the *Scan your PC* button
- A new window will open...click the *Check Now* button
- Enter your *Country*
- Enter your *State/Province*
- Enter your *e-mail address* and click *send*
- Select either *Home User* or *Company*
- Click the big *Scan Now* button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on *Local Disks* to start the scan
- When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post that log called activescan.txt please.

You can attach it or just post it if it will fit.

Thanks for your patience!


----------



## Byteman (Jan 24, 2002)

Hi, I have had to change some things in the fix, so if you did save it already, could you just redo it using what is now in the code box. I'm very sorry, but I did not have all the entries: I found several files that were listed twice in the WinPFind3u log, so I figured they could be listed in the fix just once; however, they all need to be in the fix, so just rerun it using the text in the code box in my last reply. Sorry that happened.

If you have not done the fix in my last reply with WinPFind3u, then go ahead when you are set.


----------



## IITMocker (Feb 6, 2004)

Oh good ! I just got it to run for 3 hrs. but it wasn't finished...I was going to ask you if it is normal to take that long.


----------



## Byteman (Jan 24, 2002)

Hi, No - it should not take very long at all. You absolutely have to turn off whatever large programs might be running; I turn off my Antivirus program and some others and have no problem.

I don't think you have any antivirus program, but if you have try exiting from the lower right tray, usually they have an icon there and you can right click up a menu, one option may be "Disable" or "Turn off AVG Control Center" (for example). 

Seems quite a few have this trouble. I don't know what to have you try except try again.

Not sure if you can do the fix from Safe Mode, but that is one thing to try. Let me look at some other threads first and I will post right back here.

There isn't anything new in the edited fix except more items so I doubt that it will make it work faster.

We may need to simply delete a bunch of files and run some scans, but it is best to get rid of the rootkit first. Using the WinPFind3u fix should remove the rootkit the best way, however we can use something else to delete some of the files.

If you try it again a few times and from Safe Mode and it will not work post back.
Let the fix run for no more than 15 minutes so you don't spend too much time on them.


----------



## Byteman (Jan 24, 2002)

Hi, Here is what to do in case the fix does not complete if you try a few times:

Avenger will run through the files etc. to delete, and then restart your computer *twice*; you don't have to do the restarts, it will do them for you.

1. Please *download* *The Avenger* by Swandog46 to your *Desktop*.
Click on Avenger.zip to open the file
Extract *avenger.exe* to your desktop

2. Copy *all the text* contained in the quote box below including the *" Files to delete:" *line, to your Clipboard by highlighting it and pressing (*Ctrl+C*):


```
Drivers to unload:
winmgmt6f27-2975
windev-6f27-2975.sys


Files to delete:
%SystemDrive%\stmjv.exe
%SystemDrive%\rwswny.exe
%System32%\g.dll
%System32%\encxfjm.dll
%SystemRoot%\pdp.exe
%SystemRoot%\retadpu2000352.exe
%System32%\hpikgcnwntwaz.dll
%System32%\cent.exe
%SystemRoot%\cent.exe
%SystemRoot%\nsrB3.tmp
%SystemRoot%\nsyB7.tmp
%System32%\windev-6f27-2975.sys
%System32%\windev-peers.ini
C:\WINDOWS\system32\tcpipmon.exe
C:\WINDOWS\system32\max1d1641.exe
C:\WINDOWS\system32\rpcc.dll
C:\WINDOWS\system32\iiffcbx.dll
C:\WINDOWS\system32\pfxzmtymsg.dll
C:\WINDOWS\system32\pfxzmtwbmail.dll
C:\WINDOWS\system32\pfxzmticq.dll
C:\WINDOWS\system32\pfxzmtgtal.dll
C:\WINDOWS\system32\pfxzmtforum.dll
C:\WINDOWS\system32\pfxzmtaim.dll
C:\WINDOWS\system32\sporder.dll

Registry values to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|"tcpipmon"="tcpipmon.exe"
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run|"runner1"="C:\\WINDOWS\\retadpu2000352.exe"  

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\winmgmt6f27-2975
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffcbx
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
```
_*Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, *start The Avenger program* by clicking on its icon on your desktop.
 Under "*Script file to execute*" choose "*Input Script Manually*".
Now click on the *Magnifying Glass icon* which will open a new window titled "*View/edit script*" 
 Paste the text copied to clipboard into this window by pressing (*Ctrl+V*).
 Click *Done* 
 Now click on the *Green Light* to begin execution of the script 
 Answer "*Yes*" twice when prompted.
4. *The Avenger will automatically do the following*:
It will *Restart your computer*. ( In cases where the code to execute contains "*Drivers to Unload*", The Avenger will actually *restart your system twice.*) 
On reboot, it will briefly *open a black command window* on your desktop, this is normal.
After the restart, it *creates a log file* that should open with the results of Avenger's actions. This log file will be located at *C:\avenger.txt*
 The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.
5. Please *copy/paste* the content of *c:\avenger.txt* into your reply.


----------
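Added example (editor's code, not part of Avenger or of this thread): reading an Avenger log by hand is tedious because every failed script line produces four messages. The log IITMocker posts further down shows two distinct failure shapes. `Status: 0xc0000034` is the standard NTSTATUS value STATUS_OBJECT_NAME_NOT_FOUND, reported for lines whose target simply was not there by the time Avenger ran (`C:\stmjv.exe`, the `winmgmt6f27-2975` service key). `Status: 0xc000003a` is STATUS_OBJECT_PATH_NOT_FOUND, and in that log it appears on every `%System32%\...` line together with the message `Could not open file %System32%\g.dll`, i.e. the variable was handed to the kernel literally, whereas the `%SystemDrive%` and `%SystemRoot%` lines show up expanded to `C:\` and `C:\WINDOWS`. The pre-processor also rejects the `runner1` registry line as not a valid registry path. The parser below turns such a log into one record per failed script line with the NTSTATUS name and a suggested next step. The NTSTATUS names are the standard Windows values; the diagnosis wording and SAMPLE_LOG (constructed from that post) are the editor's; it needs Python 3.8 or later.

```python
"""Summarise an Avenger (Swandog46) run log: which script lines failed and why.

Editor's example, not part of Avenger or of this thread. Assumptions: Avenger reports
raw NTSTATUS codes (as the thread's log suggests) and the standard names apply; the
diagnosis strings are the editor's; SAMPLE_LOG is constructed from the posted log.
Needs Python 3.8+.
"""
import re

NTSTATUS = {                                    # standard NTSTATUS values
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",  # final path component absent
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",  # a directory component absent
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000043: "STATUS_SHARING_VIOLATION",
}
LINE_RE = re.compile(r"^Line: (.+)$")              # pre-processor: the rejected script line
STATUS_RE = re.compile(r"^Status: (0x[0-9a-fA-F]{8})$")
VAR_RE = re.compile(r"%\w+%")                      # an environment-style variable left literal


def diagnose(code, detail):
    """Turn a status code plus Avenger's own preceding message into the next action."""
    if VAR_RE.search(detail):
        return "path variable was passed literally; rewrite the line with an explicit path"
    if code == 0xC0000034:
        return "object absent at run time: already removed, never there, or hidden by a rootkit"
    if code == 0xC000003A:
        return "a directory in the path does not exist; check the path"
    if code == 0xC0000022:
        return "access denied; the object is protected, retry from Safe Mode"
    return "unexpected status; inspect by hand"


def parse_avenger_log(text):
    """Return {'syntax': [script lines the pre-processor ignored],
               'failed': [(script_line, ntstatus_name, diagnosis), ...]}."""
    lines = [raw.strip() for raw in text.splitlines()]
    out, recent, pending = {"syntax": [], "failed": []}, [], None
    for i, line in enumerate(lines):
        if not line:
            continue
        if line.startswith("Syntax error"):
            # the rejected script line follows as "Line: ..." within the next few lines
            out["syntax"].extend(m.group(1) for m in map(LINE_RE.match, lines[i + 1:i + 4]) if m)
        elif line == "Could not process line:":
            # two lines up Avenger says what it saw ("... not found!" / "Could not open file ...")
            pending = {"detail": recent[-2] if len(recent) >= 2 else ""}
        elif pending is not None and "target" not in pending:
            pending["target"] = line               # the script line echoed back
        elif pending is not None and (m := STATUS_RE.match(line)):
            code = int(m.group(1), 16)
            out["failed"].append((pending["target"], NTSTATUS.get(code, f"0x{code:08X}"),
                                  diagnose(code, pending["detail"])))
            pending = None
        recent.append(line)
    return out


# Constructed from the Avenger log posted in this thread (a subset of its lines).
SAMPLE_LOG = r"""
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run|"runner1"="C:\\WINDOWS\\retadpu2000352.exe"

//////////////////////////////////////////

Beginning to process script file:

Registry key \Registry\Machine\System\CurrentControlSet\Services\winmgmt6f27-2975 not found!
Unload of driver winmgmt6f27-2975 failed!

Could not process line:
winmgmt6f27-2975
Status: 0xc0000034

File C:\stmjv.exe not found!
Deletion of file C:\stmjv.exe failed!

Could not process line:
C:\stmjv.exe
Status: 0xc0000034

Could not open file %System32%\g.dll for deletion
Deletion of file %System32%\g.dll failed!

Could not process line:
%System32%\g.dll
Status: 0xc000003a
"""

if __name__ == "__main__":
    report = parse_avenger_log(SAMPLE_LOG)
    for rejected in report["syntax"]:
        print("REJECTED BY PRE-PROCESSOR:", rejected)
    for target, status, advice in report["failed"]:
        print(f"{status:<30} {target:<40} {advice}")
```

Point it at `C:\avenger.txt` instead of SAMPLE_LOG: the lines tagged "passed literally" are the ones to rewrite with a full `C:\WINDOWS\system32\...` path before the script is run again, while NAME_NOT_FOUND lines need a fresh directory listing or a rootkit scan to tell "already gone" from "hidden".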



## IITMocker (Feb 6, 2004)

I tried the fix a couple of times, including in safe mode. The program seems to be running at first (or at least I assume so from the noise emitted from the computer). But then the screen becomes blank and the program stalls... I will let you know if Avenger works.

((The editing was done in an effort to make the text boxes less wide. I tried moving what you wrote back to normal but it did not seem to help; I also removed that long string of numbers from the fix, as you see, but that did not help either.))


----------



## Byteman (Jan 24, 2002)

OK, post back if you get a log from Avenger- usually that will work just fine. I will check this thread for your reply.


----------



## IITMocker (Feb 6, 2004)

Here is the log...but there was an error when it ran...the error is listed below...

-----------

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run|"runner1"="C:\\WINDOWS\\retadpu2000352.exe" 

//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tslcpmse

*******************

Script file located at: \??\C:\Documents and Settings\fvcgfoys.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Registry key \Registry\Machine\System\CurrentControlSet\Services\winmgmt6f27-2975 not found!
Unload of driver winmgmt6f27-2975 failed!

Could not process line:
winmgmt6f27-2975
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\windev-6f27-2975.sys not found!
Unload of driver windev-6f27-2975.sys failed!

Could not process line:
windev-6f27-2975.sys
Status: 0xc0000034



File C:\stmjv.exe not found!
Deletion of file C:\stmjv.exe failed!

Could not process line:
C:\stmjv.exe
Status: 0xc0000034



File C:\rwswny.exe not found!
Deletion of file C:\rwswny.exe failed!

Could not process line:
C:\rwswny.exe
Status: 0xc0000034



Could not open file %System32%\g.dll for deletion
Deletion of file %System32%\g.dll failed!

Could not process line:
%System32%\g.dll
Status: 0xc000003a



Could not open file %System32%\encxfjm.dll for deletion
Deletion of file %System32%\encxfjm.dll failed!

Could not process line:
%System32%\encxfjm.dll
Status: 0xc000003a



File C:\WINDOWS\pdp.exe not found!
Deletion of file C:\WINDOWS\pdp.exe failed!

Could not process line:
C:\WINDOWS\pdp.exe
Status: 0xc0000034



File C:\WINDOWS\retadpu2000352.exe not found!
Deletion of file C:\WINDOWS\retadpu2000352.exe failed!

Could not process line:
C:\WINDOWS\retadpu2000352.exe
Status: 0xc0000034



Could not open file %System32%\hpikgcnwntwaz.dll for deletion
Deletion of file %System32%\hpikgcnwntwaz.dll failed!

Could not process line:
%System32%\hpikgcnwntwaz.dll
Status: 0xc000003a



Could not open file %System32%\cent.exe for deletion
Deletion of file %System32%\cent.exe failed!

Could not process line:
%System32%\cent.exe
Status: 0xc000003a



File C:\WINDOWS\cent.exe not found!
Deletion of file C:\WINDOWS\cent.exe failed!

Could not process line:
C:\WINDOWS\cent.exe
Status: 0xc0000034



File C:\WINDOWS\nsrB3.tmp not found!
Deletion of file C:\WINDOWS\nsrB3.tmp failed!

Could not process line:
C:\WINDOWS\nsrB3.tmp
Status: 0xc0000034



File C:\WINDOWS\nsyB7.tmp not found!
Deletion of file C:\WINDOWS\nsyB7.tmp failed!

Could not process line:
C:\WINDOWS\nsyB7.tmp
Status: 0xc0000034



Could not open file %System32%\windev-6f27-2975.sys for deletion
Deletion of file %System32%\windev-6f27-2975.sys failed!

Could not process line:
%System32%\windev-6f27-2975.sys
Status: 0xc000003a



Could not open file %System32%\windev-peers.ini for deletion
Deletion of file %System32%\windev-peers.ini failed!

Could not process line:
%System32%\windev-peers.ini
Status: 0xc000003a



File C:\WINDOWS\system32\tcpipmon.exe not found!
Deletion of file C:\WINDOWS\system32\tcpipmon.exe failed!

Could not process line:
C:\WINDOWS\system32\tcpipmon.exe
Status: 0xc0000034



File C:\WINDOWS\system32\max1d1641.exe not found!
Deletion of file C:\WINDOWS\system32\max1d1641.exe failed!

Could not process line:
C:\WINDOWS\system32\max1d1641.exe
Status: 0xc0000034



File C:\WINDOWS\system32\rpcc.dll not found!
Deletion of file C:\WINDOWS\system32\rpcc.dll failed!

Could not process line:
C:\WINDOWS\system32\rpcc.dll
Status: 0xc0000034



File C:\WINDOWS\system32\iiffcbx.dll not found!
Deletion of file C:\WINDOWS\system32\iiffcbx.dll failed!

Could not process line:
C:\WINDOWS\system32\iiffcbx.dll
Status: 0xc0000034



File C:\WINDOWS\system32\pfxzmtymsg.dll not found!
Deletion of file C:\WINDOWS\system32\pfxzmtymsg.dll failed!

Could not process line:
C:\WINDOWS\system32\pfxzmtymsg.dll
Status: 0xc0000034



File C:\WINDOWS\system32\pfxzmtwbmail.dll not found!
Deletion of file C:\WINDOWS\system32\pfxzmtwbmail.dll failed!

Could not process line:
C:\WINDOWS\system32\pfxzmtwbmail.dll
Status: 0xc0000034



File C:\WINDOWS\system32\pfxzmticq.dll not found!
Deletion of file C:\WINDOWS\system32\pfxzmticq.dll failed!

Could not process line:
C:\WINDOWS\system32\pfxzmticq.dll
Status: 0xc0000034



File C:\WINDOWS\system32\pfxzmtgtal.dll not found!
Deletion of file C:\WINDOWS\system32\pfxzmtgtal.dll failed!

Could not process line:
C:\WINDOWS\system32\pfxzmtgtal.dll
Status: 0xc0000034



File C:\WINDOWS\system32\pfxzmtforum.dll not found!
Deletion of file C:\WINDOWS\system32\pfxzmtforum.dll failed!

Could not process line:
C:\WINDOWS\system32\pfxzmtforum.dll
Status: 0xc0000034



File C:\WINDOWS\system32\pfxzmtaim.dll not found!
Deletion of file C:\WINDOWS\system32\pfxzmtaim.dll failed!

Could not process line:
C:\WINDOWS\system32\pfxzmtaim.dll
Status: 0xc0000034



File C:\WINDOWS\system32\sporder.dll not found!
Deletion of file C:\WINDOWS\system32\sporder.dll failed!

Could not process line:
C:\WINDOWS\system32\sporder.dll
Status: 0xc0000034



Registry key HKLM\SYSTEM\CurrentControlSet\Services\winmgmt6f27-2975 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\winmgmt6f27-2975 failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\winmgmt6f27-2975
Status: 0xc0000034



Could not delete registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|tcpipmon"="tcpipmon.exe
Deletion of registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|tcpipmon"="tcpipmon.exe failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffcbx not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffcbx failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


----------



## IITMocker (Feb 6, 2004)

could I go in and delete these manually?


----------



## Byteman (Jan 24, 2002)

Hi, let's try once more with Avenger. I have fixed that one Registry item so you should not get the syntax error.
It also looks like most of the files in that list are not present, but some are; those, however, are
"in use" so cannot be deleted....we run into this quite often.

*Boot into Safe Mode* to try with Avenger this time, please.

Log onto your normal user account, *not the Admin one.*

Start up Avenger....

Copy *all the text* contained in the quote box below, including the *"Files to delete:"* line, to your Clipboard by highlighting it and pressing (*Ctrl+C*):


```
Registry values to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|"tcpipmon"
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run|"runner1"

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\winmgmt6f27-2975
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffcbx
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
  
Files to delete:
%SystemRoot%\retadpu2000352.exe
%System32%\hpikgcnwntwaz.dll
%System32%\cent.exe
%SystemRoot%\cent.exe
%System32%\windev-peers.ini 
%System32%\windev-6f27-2975.sys
```
_*Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, *start The Avenger program* by clicking on its icon on your desktop.
 Under "*Script file to execute*" choose "*Input Script Manually*".
Now click on the *Magnifying Glass icon* which will open a new window titled "*View/edit script*" 
 Paste the text copied to clipboard into this window by pressing (*Ctrl+V*).
 Click *Done* 
 Now click on the *Green Light* to begin execution of the script 
 Answer "*Yes*" twice when prompted.
4. *The Avenger will automatically do the following*:
It will *Restart your computer*. (In cases where the code to execute contains "*Drivers to Unload*", The Avenger will actually *restart your system twice.*)
On reboot, it will briefly *open a black command window* on your desktop, this is normal.
After the restart, it *creates a log file* that should open with the results of Avenger's actions. This log file will be located at *C:\avenger.txt*
 The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.
5. Please *copy/paste* the content of *c:\avenger.txt* into your reply.

About manually deleting the files:

You could possibly, but the files that are there will probably not let you have access, even in Safe Mode... but who can say? Anything is possible, so yes, try, but make sure you are in Safe Mode.

Quite often, files are "in use" whenever Windows is running; sometimes they can be deleted, though.

We might be able to use the command line to delete them, too.

Keep track of exactly what files do get deleted, use the list in the fix as a guide so we know where we stand.

Also, after you try deleting files, I would like to see a new WinPFind3u log please.
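As an added example (not part of the thread and not code from The Avenger), a small Python triage helper for logs in the format quoted above: it pairs each "failed!" line with the "Status:" code that follows it, names the NTSTATUS values seen in these logs (0xc0000034 is STATUS_OBJECT_NAME_NOT_FOUND, the object is absent; 0xc000003a is STATUS_OBJECT_PATH_NOT_FOUND, a component of the path did not resolve; a file that is genuinely open elsewhere would instead report 0xc0000043, STATUS_SHARING_VIOLATION), and lists the script lines the pre-processor ignored so they are not mistaken for attempted deletions. The sample log is a constructed excerpt mirroring the thread's entries, and only the line shapes seen in this thread are matched.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# NTSTATUS codes seen in the thread's logs, plus the one an "in use" file
# would normally raise. Names are from the public Windows NTSTATUS table.
NTSTATUS_NAMES = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",  # the object itself is absent
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",  # a path component did not resolve
    0xC0000043: "STATUS_SHARING_VIOLATION",      # opened elsewhere ("in use")
}

# Only the line shapes that appear in this thread's logs are matched.
FAILED_RE = re.compile(
    r"^(Deletion of (?:file|registry key|registry value)|Unload of driver) (.+) failed!$")
SUCCESS_RE = re.compile(r"^(Registry value|Registry key|File) (.+) deleted successfully\.$")
STATUS_RE = re.compile(r"^Status: (0x[0-9a-fA-F]+)$")


@dataclass
class Outcome:
    target: str                   # file path, registry key/value, or driver name
    removed: bool
    status: Optional[int] = None  # NTSTATUS attached to a failed entry

    @property
    def reason(self) -> str:
        if self.removed:
            return "removed"
        if self.status is None:
            return "failed (no status line)"
        return NTSTATUS_NAMES.get(self.status, "unknown 0x%08X" % self.status)


def parse_avenger_log(text: str) -> List[Outcome]:
    """Pair each 'failed!' line with the 'Status:' line that follows it."""
    outcomes: List[Outcome] = []
    pending: Optional[Outcome] = None  # failed entry still waiting for its status
    for raw in text.splitlines():
        line = raw.strip()
        if m := FAILED_RE.match(line):
            pending = Outcome(target=m.group(2), removed=False)
            outcomes.append(pending)
        elif m := SUCCESS_RE.match(line):
            outcomes.append(Outcome(target=m.group(2), removed=True))
            pending = None
        elif (m := STATUS_RE.match(line)) and pending is not None:
            pending.status = int(m.group(1), 16)
            pending = None
    return outcomes


def ignored_script_lines(text: str) -> List[str]:
    """Script lines the pre-processor rejected (they were never attempted)."""
    ignored, after_error = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Syntax error in line"):
            after_error = True
        elif after_error and line.startswith("Line: "):
            ignored.append(line[len("Line: "):])
            after_error = False
    return ignored


def unresolved(outcomes: List[Outcome]) -> List[str]:
    """Targets neither removed nor reported absent: still worth a manual look."""
    return [o.target for o in outcomes
            if not o.removed and o.status != 0xC0000034]


# Constructed excerpt that mirrors the log format quoted in the thread.
SAMPLE_LOG = r"""
Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run|"runner1"

Registry key \Registry\Machine\System\CurrentControlSet\Services\winmgmt6f27-2975 not found!
Unload of driver winmgmt6f27-2975 failed!

Could not process line:
winmgmt6f27-2975
Status: 0xc0000034

Could not open file %System32%\cent.exe for deletion
Deletion of file %System32%\cent.exe failed!

Could not process line:
%System32%\cent.exe
Status: 0xc000003a

Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|tcpipmon deleted successfully.
"""
```

Running `parse_avenger_log(SAMPLE_LOG)` yields one entry per attempted target with its reason, and `unresolved(...)` narrows that to the items that neither deleted nor came back "not found".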


----------



## IITMocker (Feb 6, 2004)

Hi, I still get the same problem... I will post the error below. After my computer crashed (probably due to trojan/virus), I could only log in as HP_Admin. My user account was somehow deleted... Should I create another user account and try Avenger from there?

========
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run|"runner1


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\usbsetkw

*******************

Script file located at: \??\C:\mduqtqon.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Registry key HKLM\SYSTEM\CurrentControlSet\Services\winmgmt6f27-2975 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\winmgmt6f27-2975 failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\winmgmt6f27-2975
Status: 0xc0000034



File C:\WINDOWS\retadpu2000352.exe not found!
Deletion of file C:\WINDOWS\retadpu2000352.exe failed!

Could not process line:
C:\WINDOWS\retadpu2000352.exe
Status: 0xc0000034



Could not open file %System32%\hpikgcnwntwaz.dll for deletion
Deletion of file %System32%\hpikgcnwntwaz.dll failed!

Could not process line:
%System32%\hpikgcnwntwaz.dll
Status: 0xc000003a



Could not open file %System32%\cent.exe for deletion
Deletion of file %System32%\cent.exe failed!

Could not process line:
%System32%\cent.exe
Status: 0xc000003a



File C:\WINDOWS\cent.exe not found!
Deletion of file C:\WINDOWS\cent.exe failed!

Could not process line:
C:\WINDOWS\cent.exe
Status: 0xc0000034



Could not open file %System32%\windev-peers.ini for deletion
Deletion of file %System32%\windev-peers.ini failed!

Could not process line:
%System32%\windev-peers.ini
Status: 0xc000003a



Could not open file %System32%\windev-6f27-2975.sys for deletion
Deletion of file %System32%\windev-6f27-2975.sys failed!

Could not process line:
%System32%\windev-6f27-2975.sys
Status: 0xc000003a

Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|tcpipmon deleted successfully.


Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffcbx not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffcbx failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


----------



## Byteman (Jan 24, 2002)

Were you using Safe Mode when you did that last Avenger fix?

I see at least one Registry entry was taken care of.

((Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|tcpipmon deleted successfully.))


Let's see a new WinPFind3u log please.

We will also be getting a deleting tool that can delete files between restarts, so it may work better than Avenger.


----------



## IITMocker (Feb 6, 2004)

Yeah, I used safe mode...but it also took a long time too...


----------



## Byteman (Jan 24, 2002)

Hi, Did you have any luck manually trying to delete any files?

I cannot find anything to fix now in this last WinPFind3u log. 

The best I can say is try things for a while, and perhaps tomorrow a couple of scans, maybe Panda online scan or Kaspersky, just to see if anything is still hanging around or comes back.

The problem with the Avenger fixes was the way the Registry value has to appear in the fix: I lacked one space before the | symbol and one after, is all. A friend here PMed me about what to try, but it appears we don't need to with your log....


----------



## IITMocker (Feb 6, 2004)

I could not find any of those files manually... and as I told you, my computer's search function is gone... I altered the fix for Avenger like you said, and it did go through pretty quickly... However, it indicated that it could not find the files that I wanted to delete.... So does that mean that the files are gone?

-----------------------------------------
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gwmcjlma

*******************

Script file located at: \??\C:\WINDOWS\cjwhheaq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Registry key HKLM\SYSTEM\CurrentControlSet\Services\winmgmt6f27-2975 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\winmgmt6f27-2975 failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\winmgmt6f27-2975
Status: 0xc0000034



File C:\WINDOWS\retadpu2000352.exe not found!
Deletion of file C:\WINDOWS\retadpu2000352.exe failed!

Could not process line:
C:\WINDOWS\retadpu2000352.exe
Status: 0xc0000034



Could not open file %System32%\hpikgcnwntwaz.dll for deletion
Deletion of file %System32%\hpikgcnwntwaz.dll failed!

Could not process line:
%System32%\hpikgcnwntwaz.dll
Status: 0xc000003a



Could not open file %System32%\cent.exe for deletion
Deletion of file %System32%\cent.exe failed!

Could not process line:
%System32%\cent.exe
Status: 0xc000003a



File C:\WINDOWS\cent.exe not found!
Deletion of file C:\WINDOWS\cent.exe failed!

Could not process line:
C:\WINDOWS\cent.exe
Status: 0xc0000034



Could not open file %System32%\windev-peers.ini for deletion
Deletion of file %System32%\windev-peers.ini failed!

Could not process line:
%System32%\windev-peers.ini
Status: 0xc000003a



Could not open file %System32%\windev-6f27-2975.sys for deletion
Deletion of file %System32%\windev-6f27-2975.sys failed!

Could not process line:
%System32%\windev-6f27-2975.sys
Status: 0xc000003a



Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffcbx not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffcbx failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


----------



## Byteman (Jan 24, 2002)

Hi, yes, that should mean those files are gone. I asked since you were mentioning manual deletion, so I wondered if you had successfully done that. I have no answer for why they are suddenly gone.

Unless... you were logged into a different user account at some point?


----------



## IITMocker (Feb 6, 2004)

Thank you very much for your help. (It must be frustrating at times!!!) I think the programs you asked me to download got rid of them even though I was not aware that they had worked. Anyway, I deleted IE 7.0 and it seems like everything works well now (the search function miraculously came back). I read somewhere that McAfee was having problems with IE 7.0 and Firefox; that's why McAfee could not be downloaded... So I am off to finding new security software or just deleting IE, I guess. Do you have any recommendation for any software? (Norton, other shields, etc...) Again, thanks for everything.


----------



## Byteman (Jan 24, 2002)

Hi, your last step, if you want to stop here, would be to clean up System Restore Points, as using one of them would simply put back any backed-up malware stored there... Here is what to do:

*Turn off System Restore:*

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab. (If there is a check in "Turn Off System Restore....", it is Off.)
Check Turn off System Restore.
Click Apply, and then click OK. Wait for the hourglass to stop and for it to say
"Turned Off".

Restart your computer, turn System Restore back on and create a restore point.
To turn System Restore back on, take the checkmark out of the box where you did.
Wait till you see "Monitoring" for the status.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

Next: I would do one online scan, so I can sleep nights.

*HERE* to run Panda's ActiveScan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report

If nothing found but Cookies then you should be good to go!

However you don't have any Antispyware program or firewall....

You can get this: The free trial is full featured but may not have all the protection as the reasonably priced full version...

Please download *WebRoot SpySweeper* from *HERE* (It's a 2 week trial):
Click the *Download Free Trial* link to download the program.
Install it. Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click *Yes*.
Once the definitions are installed, click *Options* on the left side.
Click the *Sweep Options* tab.
Under *What to Sweep* please put a check next to the following:
Sweep Memory Objects
Sweep Windows Registry
Sweep Cookies
Sweep All User Accounts
Enable Direct Disk Sweeping
Sweep Compressed Files
Sweep for Rootkits
Please *UNCHECK* Sweep System Restore Folder.

Click *Sweep Now* on the left side.
Click the *Start* button.
When it's done scanning, click the *Next* button.
Make sure everything has a check next to it, then click the *Next* button.
It will remove all of the items found.
Click *Session Log* in the upper right corner, copy everything in that window.
Click the *Summary* tab and click *Finish*.
Paste the contents of the session log you copied into your next reply.

If you get that, please post the results from it! We did not do much scanning for other malware.... which is why I would like to see the Panda online scan; there are others if that will not work...

Tools we used and what to do

You can remove any tools we downloaded, things like ComboFix should be discarded as they are very frequently updated by new versions (available at the same link as we used) so should be checked and replaced often if you do keep them around.....and, hide them well if you do, so someone without knowledge cannot play around with them, they can do damage without proper directions.

1. If we used Pocket Killbox during your cleanup, do the below:
Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
You can delete all files in the following folders. They are backups made during the process of removal.
C:\!KillBox
C:\VundoFix Backups
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine

You should delete: 
C:\Qoobox (from combofix, where the backups are present)

And, also any log files left over we used.

HijackThis of course you should keep, and any installed programs like AVG Antispyware or whatever we installed. Avenger is a handy thing to keep. Avenger has backups also, so if something is found in a scan, remember to look carefully at the location the file is in; these may be deleted too... The deleted files will be backed up and saved to C:\avenger\backup.zip.

_ _ _ _

I see what you mean...McAfee vs. IE7

http://ts.mcafeehelp.com/faq3.asp?docid=410052

But, if you follow that guide, after doing the nine Information Bar accepts, the product is supposed to work correctly, but the decision is of course, up to you!

I use AVG Antivirus Free Edition, AVG Antispyware Free Edition, both at v. 7.5 now....

McAfee Site Advisor <<--- this is great!
SpyBot Search and Destroy
Ad-Aware SE personal edition
Spywareblaster
IE_SpyAd

I have broadband Internet, and use a router, therefore I do not have a software firewall and I do not have any problems.

I'm not the best behaved Internet user, either, but don't seem to get infected these days.

It took some learning to get it right.

Watch what users download, try to educate kids and keep them safe, if they care about the computer and care for it, you may find they come to like the feel of responsibility. Investigate spyware together- maybe a family scanning time frame- with prizes for who has the least found...use your imagination.

Don't use too much protection; that is just as bad as poor browsing or download habits. Don't go for the free key cracks, hacks, and mostly, stay away from P2P filesharing programs, unless you can verify that they are spyware free. Some of these P2Ps are becoming "legitimate" in that they are allowing only legal stuff to be shared, but I have yet to determine just how they can.

Good luck! Was a pleasure helping you.

If you experience any problems feel free to post back in your thread here.

~~~~~~~Anyone else....please always start your own new thread for malware removal in the Security forum!~~~~~~


----------

