
Win.Fixer trojan just won't disappear!

Discussion in 'Virus & Other Malware Removal' started by StevieA1079, Aug 6, 2006.

  1. StevieA1079

    StevieA1079 Thread Starter

    Joined:
    Aug 6, 2006
    Messages:
    13
    Hi,

    I am having problems with getting rid of the Win.Fixer trojan. Luckily for me it's more of an annoyance than anything, and it's not being much more than that right now.

    However I would like to rid my new computer of this trojan before it becomes dangerous.

    I have a Dell Dimension 9150, 1 GB RAM, 250 GB HD, 250 MB Nvidia 7300LE, and am running Windows XP Pro.

    I have started running explorer through Firefox, and so far the system is a lot more stable and not locking up so often. The Win.Fixer trojan in IE was giving me pop-ups telling me that I had problems with my computer and that I should download the software. Of course I didn't, but it still somehow found its way onto my computer.

    I have run SUPERAntiSpyware and various other anti-virus software, including Windows Defender.

    Tried to run

    I've also managed to download HijackThis and have the results below:

    Logfile of HijackThis v1.99.1
    Scan saved at 16:58:01, on 06/08/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton Ghost\Agent\GhostTray.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\AOL 9.0\aoltray.exe
    C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
    C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    O4 - HKLM\..\Run: [HPWQTOOLBOX] C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe "-i"
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [01a4371.exe] C:\Documents and Settings\Stephen Ashworth\Local Settings\Application Data\01a4371.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
    O4 - Global Startup: Dell Network Assistant.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154556645843
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154556636281
    O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    Any help would be appreciated. THANKS!
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,012
    Hi and welcome to TSG,

    It is likely that you have a variant of the Vundo trojan that hides itself from HijackThis.exe, so if we rename HijackThis, the entries should become visible.

    Go to the C:\Program Files\HijackThis folder. Right click on the HijackThis.exe file and select "Rename". Rename it puppy.exe. Make sure it has the .exe extension or it will not work.

    Then run HijackThis again and post a new log please.
     
  3. StevieA1079

    StevieA1079 Thread Starter

    Joined:
    Aug 6, 2006
    Messages:
    13
    Thanks! OK, I've renamed it. Here's the log that you asked for:

    Logfile of HijackThis v1.99.1
    Scan saved at 17:26:51, on 06/08/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton Ghost\Agent\GhostTray.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\AOL 9.0\aoltray.exe
    C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
    C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\puppy.exe.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk
    O2 - BHO: (no name) - {14EF68AB-02A4-4848-864D-B5594FE13E53} - C:\WINDOWS\system32\awtss.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    O4 - HKLM\..\Run: [HPWQTOOLBOX] C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe "-i"
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [01a4371.exe] C:\Documents and Settings\Stephen Ashworth\Local Settings\Application Data\01a4371.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
    O4 - Global Startup: Dell Network Assistant.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154556645843
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154556636281
    O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
    O20 - Winlogon Notify: awtss - C:\WINDOWS\system32\awtss.dll
    O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
     
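The two logs above are the interesting part of this thread: the first scan, run as HijackThis.exe, shows no O2 or O20 entries at all, while the second scan, run as puppy.exe, shows a nameless BHO and a Winlogon Notify package both loading C:\WINDOWS\system32\awtss.dll, plus a Notify entry for a DLL that is no longer on disk. The following is an added example, not code from the thread, from HijackThis or from Cookiegal: a small Python triage script that diffs the two runs (anything that only appears once the scanner is renamed was being hidden from it) and then applies the by-eye checks an analyst uses on these sections. The sample lines are copied from the two logs posted above, trimmed to the entries relevant to the comparison; the heuristics (nameless BHO, one DLL in two load points, Notify entry with a missing file, per-user Run entry launching from the profile directory, random-looking entry name) are my own assumptions about what merits a look, not rules from any tool.

```python
"""Triage helper for HijackThis v1.99.1 logs (added example, not part of the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    kind: str   # HijackThis section code, e.g. "O2", "O4", "O20"
    body: str   # everything after "Oxx - "
    raw: str    # the full log line


# Sample input: lines copied from the two logs posted in this thread, reduced to the
# entries that matter for the comparison. First run was made as HijackThis.exe ...
LOG_AS_HIJACKTHIS_EXE = r"""
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [01a4371.exe] C:\Documents and Settings\Stephen Ashworth\Local Settings\Application Data\01a4371.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
"""

# ... second run was made after renaming the scanner to puppy.exe.
LOG_AS_PUPPY_EXE = r"""
O2 - BHO: (no name) - {14EF68AB-02A4-4848-864D-B5594FE13E53} - C:\WINDOWS\system32\awtss.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [01a4371.exe] C:\Documents and Settings\Stephen Ashworth\Local Settings\Application Data\01a4371.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: awtss - C:\WINDOWS\system32\awtss.dll
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
"""

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Assumed heuristic: an executable named like a short hex blob is worth a look.
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{6,}\.exe$")
# Assumed heuristic: Run entries launching from these per-user locations are unusual
# for installed software on an XP box (lower-cased for comparison).
USER_PROFILE_DIRS = ("\\local settings\\application data\\", "\\local settings\\temp\\",
                     "\\application data\\")


def parse_log(text: str) -> list[Entry]:
    """Keep only HijackThis item lines (R0/O2/O4/O20/...); skip headers and process lists."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(kind=m.group(1), body=m.group(2), raw=line))
    return entries


def diff_logs(before: str, after: str) -> list[Entry]:
    """Entries present in the second scan but absent from the first.

    When the only thing that changed between runs is the scanner's file name, these
    are the entries that were being hidden from a process called HijackThis.exe."""
    seen = {e.raw for e in parse_log(before)}
    return [e for e in parse_log(after) if e.raw not in seen]


def triage(entries: list[Entry]) -> list[tuple[str, str]]:
    """Apply the by-eye checks to O2/O4/O20 entries; returns (reason, raw line) pairs."""
    bho_dlls = set()
    for e in entries:
        if e.kind == "O2":
            m = BHO_RE.match(e.body)
            if m:
                bho_dlls.add(m["path"].lower())

    findings = []
    for e in entries:
        if e.kind == "O2":
            m = BHO_RE.match(e.body)
            if m and m["name"] == "(no name)":
                findings.append(("BHO registered without a name", e.raw))
        elif e.kind == "O20":
            m = NOTIFY_RE.match(e.body)
            if not m:
                continue
            if m["path"].endswith("(file missing)"):
                findings.append(("Winlogon Notify package points at a DLL that is not on disk", e.raw))
            elif m["path"].lower() in bho_dlls:
                findings.append(("Winlogon Notify DLL is also loaded as a BHO", e.raw))
        elif e.kind == "O4":
            m = RUN_RE.match(e.body)
            if not m:
                continue
            cmd = m["cmd"].lower()
            if m["hive"] == "HKCU" and any(d in cmd for d in USER_PROFILE_DIRS):
                findings.append(("per-user Run entry launching from the user profile", e.raw))
            if RANDOM_NAME_RE.match(m["name"]):
                findings.append(("Run entry named like a random hex string", e.raw))
    return findings


if __name__ == "__main__":
    print("Entries visible only after renaming the scanner:")
    for e in diff_logs(LOG_AS_HIJACKTHIS_EXE, LOG_AS_PUPPY_EXE):
        print("  ", e.raw)
    print("Triage findings on the renamed-scanner log:")
    for reason, raw in triage(parse_log(LOG_AS_PUPPY_EXE)):
        print(f"  [{reason}] {raw}")
```

The diff is the more reliable of the two signals: a load point that appears only when the scanner's process name changes is, by itself, evidence of something filtering what that scanner sees, regardless of what the entry looks like. The heuristics are there to rank what the diff surfaces; note that SASWinLogon and WgaLogon are also new in the second log and are not flagged, because they belong to SUPERAntiSpyware and Windows Genuine Advantage, both of which are visible elsewhere in the same log.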
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,012
    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Put a check next to Run VundoFix as a task.
    • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    • When VundoFix re-opens, click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HijackThis log.
     
  5. StevieA1079

    StevieA1079 Thread Starter

    Joined:
    Aug 6, 2006
    Messages:
    13
    Hi,

    Again, thanks for your help. I have just installed ewido and done a check, so I will post those results below:

    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 18:58:31 06/08/2006

    + Scan result:



    HKLM\SOFTWARE\Classes\Interface\{60D3A642-0B03-46AD-B8B0-8D45989A0055} -> Adware.Generic : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Interface\{81CDDAE8-3B92-4F0D-86C1-8DD5DB6A8471} -> Adware.Generic : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Interface\{8C88AAE2-A341-4DE8-B064-062194307E5F} -> Adware.Generic : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Interface\{C28EB22A-6966-4E4B-8592-E84C28D38402} -> Adware.Generic : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\TypeLib\{506146FD-9499-49A8-AEDE-692C173B2AA4} -> Adware.Generic : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\TypeLib\{B1C54189-72F0-4353-987B-18FA221BEF09} -> Adware.Generic : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\TypeLib\{EFA1EC0F-8359-41B7-A178-7DD6805A0C79} -> Adware.Generic : Cleaned with backup (quarantined).
    C:\i386\ismon.exe -> Downloader.Zlob.abu : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\5X4E3FT1\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\955ANNHE\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\955ANNHE\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\955ANNHE\popup[3].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\955ANNHE\popup[4].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\955ANNHE\popup[5].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\AVC3IDON\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\JPLF2EU9\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\JPLF2EU9\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\JPLF2EU9\popup[3].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\KZEZALA5\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\KZEZALA5\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\KZEZALA5\popup[3].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\KZEZALA5\popup[4].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\KZEZALA5\popup[5].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\MAJZ9CBV\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\MLKRMLWD\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\MZ0NE5UJ\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\MZ0NE5UJ\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\MZ0NE5UJ\popup[3].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\OTEFEV4X\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\OTEFEV4X\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\OTEFEV4X\popup[3].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\OTEFEV4X\popup[4].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\OTEFEV4X\popup[5].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\OTEFEV4X\popup[6].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\OTEFEV4X\popup[7].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\OTEFEV4X\popup[8].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\OTEFEV4X\popup[9].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Stephen Ashworth\Local Settings\Temporary Internet Files\Content.IE5\QP2ZMFCL\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    :mozilla.53:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.54:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.74:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
    :mozilla.75:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
    :mozilla.13:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
    :mozilla.20:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Bfast : Cleaned.
    :mozilla.28:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
    C:\Documents and Settings\Stephen Ashworth\Cookies\stephen [email protected][2].txt -> TrackingCookie.Clickbank : Cleaned.
    :mozilla.34:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
    C:\Documents and Settings\Stephen Ashworth\Cookies\stephen [email protected][1].txt -> TrackingCookie.Clickhype : Cleaned.
    :mozilla.42:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Com : Cleaned.
    C:\Documents and Settings\Stephen Ashworth\Cookies\stephen [email protected][1].txt -> TrackingCookie.Com : Cleaned.
    :mozilla.39:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\Documents and Settings\Stephen Ashworth\Cookies\stephen [email protected][2].txt -> TrackingCookie.Euroclick : Cleaned.
    :mozilla.15:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
    :mozilla.16:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
    :mozilla.17:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
    :mozilla.18:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
    :mozilla.19:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
    :mozilla.85:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
    C:\Documents and Settings\Stephen Ashworth\Cookies\stephen [email protected][2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
    C:\Documents and Settings\Stephen Ashworth\Cookies\stephen [email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned.
    :mozilla.38:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
    :mozilla.76:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.77:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.78:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.79:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.6:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
    :mozilla.66:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
    :mozilla.67:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
    :mozilla.29:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.30:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.31:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.32:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.33:C:\Documents and Settings\Stephen Ashworth\Application Data\Mozilla\Firefox\Profiles\09qlc8gh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\Stephen Ashworth\Cookies\stephen [email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.


    ::Report end



    And now I will post the VundoFix information for you below:



    VundoFix V5.1.6

    Running as SYSTEM
    from c:\windows\system32\VundoFix.exe

    Checking Java version...

    Java version is 1.4.2.3

    Scan started at 13:23:06 06/08/2006

    Listing files found while scanning....

    No infected files were found.


    VundoFix V5.1.6

    Running as SYSTEM
    from c:\windows\system32\VundoFix.exe

    Checking Java version...

    Java version is 1.4.2.3

    Scan started at 19:06:04 06/08/2006

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...




    And the most recent HijackThis log below: *EDIT 19.14 UK time: RESTARTED THIS TIME, RESULTS BELOW*

    Logfile of HijackThis v1.99.1
    Scan saved at 19:15:16, on 06/08/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton Ghost\Agent\GhostTray.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\AOL 9.0\aoltray.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
    C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\puppy.exe.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk
    O2 - BHO: (no name) - {F738EA16-1516-43BD-AA34-4817E764CEFF} - C:\WINDOWS\system32\awtss.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    O4 - HKLM\..\Run: [HPWQTOOLBOX] C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe "-i"
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [01a4371.exe] C:\Documents and Settings\Stephen Ashworth\Local Settings\Application Data\01a4371.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
    O4 - Global Startup: Dell Network Assistant.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154556645843
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154556636281
    O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
    O20 - Winlogon Notify: awtss - C:\WINDOWS\system32\awtss.dll
    O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe






    Again thanks for all your help! It seems that ewido found a lot but the others didn't.
     
  6. StevieA1079

    StevieA1079 Thread Starter

    Still having the problems, however, and am getting DEP errors when using the computer and surfing the Internet in both Explorer and Firefox.

    Windows Explorer errors (DEP) are becoming quite constant now and are becoming annoying.
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Please do the following:

    Go to Start > Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK".


    Go to the following link, fill in your username and the link to this thread, then click on browse and locate this file on your computer, then click on "send file".

    http://www.uploadmalware.com/


    C:\WINDOWS\system32\awtss.dll


    Please let us know if you were able to do this.

    Start Add more files fix:

    • Double-click VundoFix.exe to run it.
    • Put a check next to Run VundoFix as a task.
    • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    • When VundoFix re-opens, click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • In case it says that nothing has been found, Right click the list box (white box) in the main VundoFix window.
    • Select Add More Files? from the menu that comes up. This will open a new VundoFix window.
    • In the Window: copy and paste the following in the first field: C:\WINDOWS\system32\awtss.dll
    • Copy and paste the following in the second field: C:\WINDOWS\System32\sstwa.*
    • Click the Add Files button.
    • Click the Close Window button.
    • Click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • A log will be created, C:\vundofix.txt which you will need to include in your next reply along with a new HijackThis log.
     
  8. StevieA1079

    StevieA1079 Thread Starter

    I have managed to select all the options that you stated. I also managed to upload the file you requested :)

    I will now use Vundo.exe and follow your instructions and get back to you as soon as possible. Thanks again!
     
  9. StevieA1079

    StevieA1079 Thread Starter

    Copy and paste the following in the second field: C:\WINDOWS\System32\sstwa.*

    I'm up to this part, adding the files to VundoFix, and this won't add. Only C:\WINDOWS\system32\awtss.dll will add to it.
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    There should be a second field to enter that one.
     
  11. StevieA1079

    StevieA1079 Thread Starter

    There was a second field but only the first file would add. When I tried to add two files at once only C:\WINDOWS\system32\awtss.dll added successfully. The other file just would not add no matter what.
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Run it with only the one then and post the results.


    Then please do this, which should show if there are any of the reverse-named files.

    Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don’t do anything with it yet!


    Click here for info on how to boot to safe mode if you don't already know how.


    Reboot into Safe Mode.


    Double click WinPFind.exe
    • Click "Start Scan"
    • It will scan the entire System, so please be patient and let it complete.


    Reboot back to Normal Mode!


    • Go to the WinPFind folder
    • Locate WinPFind.txt
    • Copy and paste WinPFind.txt in your next post here please.
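    The two checks Cookiegal asks for above (the `sstwa.*` second field for VundoFix's "Add More Files" dialog in post 7, and the WinPFind look for reverse-named files in post 12) can be cross-checked from the logs already in this thread. The script below is an added example written for this thread, not code from HijackThis, VundoFix or WinPFind; its sample inputs are constructed from log lines posted above, and the function names are assumptions of the example.

```python
"""Cross-check a HijackThis log against a WinPFind file listing for Vundo-style
reverse-named companion files (awtss.dll <-> sstwa.*).

Added example for this thread; not code from HijackThis, VundoFix or WinPFind.
The sample inputs below are constructed from log lines posted in the thread.
"""
import re
from pathlib import PureWindowsPath

# Constructed excerpt of the HijackThis log posted above: the O2 BHO and the
# O20 Winlogon Notify entries for awtss.dll, plus legitimate entries as noise.
HJT_LOG = r"""
O2 - BHO: (no name) - {F738EA16-1516-43BD-AA34-4817E764CEFF} - C:\WINDOWS\system32\awtss.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: awtss - C:\WINDOWS\system32\awtss.dll
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
"""

# Constructed excerpt of the WinPFind "system and hidden files" section posted
# above.  Row format: date time attributes size path.
WINPFIND_LISTING = r"""
01/08/2006 14:20:46 HS 141243 C:\WINDOWS\system32\sstwa.bak1
06/08/2006 20:35:58 HS 268982 C:\WINDOWS\system32\sstwa.bak2
03/08/2006 00:16:40 HS 187973 C:\WINDOWS\system32\sstwa.ini
06/08/2006 20:59:44 HS 270097 C:\WINDOWS\system32\sstwa.ini2
03/08/2006 00:16:46 HS 187717 C:\WINDOWS\system32\sstwa.tmp
22/06/2006 12:18:30 S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
06/08/2006 21:09:52 H 12288 C:\WINDOWS\system32\config\default.LOG
"""

# A drive-letter path ending in .dll; spaces are allowed, a quote ends the match.
DLL_PATH = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.dll)\b', re.IGNORECASE)

# One WinPFind listing row: dd/mm/yyyy hh:mm:ss ATTRS size path
LISTING_ROW = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<attrs>[A-Z]*) (?P<size>\d+) (?P<path>.+)$"
)


def hijackthis_dlls(log):
    """Return {lower-case stem: path} for DLLs loaded via O2 (BHO) and O20
    (Winlogon Notify) entries.  Entries without a full path, such as the
    'winpsa32.dll (file missing)' line, carry no location and are skipped."""
    found = {}
    for line in log.splitlines():
        if not line.startswith(("O2 - ", "O20 - ")):
            continue
        match = DLL_PATH.search(line)
        if match:
            path = match.group(1)
            found[PureWindowsPath(path).stem.lower()] = path
    return found


def parse_winpfind(listing):
    """Parse WinPFind rows into dicts; lines that are not rows are ignored."""
    rows = []
    for line in listing.splitlines():
        match = LISTING_ROW.match(line.strip())
        if match:
            rows.append(match.groupdict())
    return rows


def reverse_named_companions(log, listing):
    """Map each DLL path from the HijackThis log to the listed files whose
    name is the DLL's name spelled backwards (awtss -> sstwa), which is the
    pattern the thread is looking for."""
    rows = parse_winpfind(listing)
    hits = {}
    for stem, dll_path in hijackthis_dlls(log).items():
        mirrored = stem[::-1]
        if mirrored == stem:  # a palindromic name would match itself
            continue
        matches = [row["path"] for row in rows
                   if PureWindowsPath(row["path"]).stem.lower() == mirrored]
        if matches:
            hits[dll_path] = matches
    return hits


def add_more_files_entries(hits):
    """Turn hits into (first field, second field) pairs in the form VundoFix's
    'Add More Files' dialog takes: the DLL path and a <reversed name>.* glob
    in the same directory."""
    entries = []
    for dll_path in hits:
        p = PureWindowsPath(dll_path)
        entries.append((dll_path, f"{p.parent}\\{p.stem[::-1].lower()}.*"))
    return entries


if __name__ == "__main__":
    found = reverse_named_companions(HJT_LOG, WINPFIND_LISTING)
    for dll, companions in found.items():
        print(dll)
        for companion in companions:
            print("   ", companion)
    for first, second in add_more_files_entries(found):
        print("Add More Files:", first, "|", second)
```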
     
  13. StevieA1079

    StevieA1079 Thread Starter

    Ok I think it worked this time :)

    Here is the VundoFix log below:


    VundoFix V5.1.6

    Running as SYSTEM
    from c:\windows\system32\VundoFix.exe

    Checking Java version...

    Java version is 1.4.2.3

    Scan started at 13:23:06 06/08/2006

    Listing files found while scanning....

    No infected files were found.


    VundoFix V5.1.6

    Running as SYSTEM
    from c:\windows\system32\VundoFix.exe

    Checking Java version...

    Java version is 1.4.2.3

    Scan started at 19:06:04 06/08/2006

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    VundoFix V5.1.6

    Running as SYSTEM
    from c:\windows\system32\VundoFix.exe

    Checking Java version...

    Java version is 1.4.2.3

    Scan started at 20:50:16 06/08/2006

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    The process smss.exe was successfully stopped

    The process winlogon.exe was successfully stopped

    The process explorer.exe was successfully stopped

    The process iexplore.exe was successfully stopped

    The process rundll32.exe was successfully stopped

    Attempting to delete C:\WINDOWS\system32\awtss.dll
    C:\WINDOWS\system32\awtss.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!



    And below is the HijackThis log file:

    Logfile of HijackThis v1.99.1
    Scan saved at 21:04:16, on 06/08/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton Ghost\Agent\GhostTray.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\AOL 9.0\aoltray.exe
    C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
    C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\puppy.exe.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    O4 - HKLM\..\Run: [HPWQTOOLBOX] C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe "-i"
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [01a4371.exe] C:\Documents and Settings\Stephen Ashworth\Local Settings\Application Data\01a4371.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
    O4 - Global Startup: Dell Network Assistant.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154556645843
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154556636281
    O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


    You're a star by the way :) I appreciate your help!

    *EDIT* I just noticed you replied the same time as me so I will do what you said above and post that information for you as soon as possible. :)
     
  14. StevieA1079

    StevieA1079 Thread Starter

    Ok, here are the WinPFind results below. Didn't take too long... one of the benefits of a week-old PC I suppose :)

    Here you go:


    WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

    If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

    »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
    Internet Explorer Version: 6.0.2900.2180

    »»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

    Checking %SystemDrive% folder...

    Checking %ProgramFilesDir% folder...

    Checking %WinDir% folder...

    Checking %System% folder...
    aspack 22/07/2005 19:59:04 2319568 C:\WINDOWS\SYSTEM32\d3dx9_27.dll
    PEC2 04/08/2004 05:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
    PTech 19/06/2006 16:19:42 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
    aspack 06/07/2006 18:21:48 6757792 C:\WINDOWS\SYSTEM32\MRT.exe
    aspack 04/08/2004 05:00:00 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
    Umonitor 04/08/2004 05:00:00 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
    winsync 04/08/2004 05:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
    PTech 19/06/2006 16:19:26 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe

    Checking %System%\Drivers folder and sub-folders...

    Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
    06/08/2006 21:09:50 S 2048 C:\WINDOWS\bootstat.dat
    02/08/2006 23:11:00 H 0 C:\WINDOWS\inf\oem15.inf
    01/08/2006 12:15:18 H 77595 C:\WINDOWS\Minidump\Mini080106-02.dmp
    25/07/2006 15:49:04 RHS 21378 C:\WINDOWS\pchealth\helpctr\PackageStore\package_10.cab
    25/07/2006 15:49:38 RHS 152621 C:\WINDOWS\pchealth\helpctr\PackageStore\package_11.cab
    25/07/2006 15:50:14 RHS 271353 C:\WINDOWS\pchealth\helpctr\PackageStore\package_12.cab
    25/07/2006 15:48:18 RHS 7166 C:\WINDOWS\pchealth\helpctr\PackageStore\package_8.cab
    25/07/2006 15:48:34 RHS 7888 C:\WINDOWS\pchealth\helpctr\PackageStore\package_9.cab
    01/08/2006 14:20:46 HS 141243 C:\WINDOWS\system32\sstwa.bak1
    06/08/2006 20:35:58 HS 268982 C:\WINDOWS\system32\sstwa.bak2
    03/08/2006 00:16:40 HS 187973 C:\WINDOWS\system32\sstwa.ini
    06/08/2006 20:59:44 HS 270097 C:\WINDOWS\system32\sstwa.ini2
    03/08/2006 00:16:46 HS 187717 C:\WINDOWS\system32\sstwa.tmp
    22/06/2006 12:18:30 S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
    19/06/2006 16:20:58 S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
    06/08/2006 21:09:52 H 12288 C:\WINDOWS\system32\config\default.LOG
    06/08/2006 21:10:02 H 1024 C:\WINDOWS\system32\config\SAM.LOG
    06/08/2006 21:09:52 H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
    06/08/2006 21:10:48 H 163840 C:\WINDOWS\system32\config\software.LOG
    06/08/2006 21:10:04 H 864256 C:\WINDOWS\system32\config\system.LOG
    02/08/2006 22:41:04 H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
    04/08/2006 12:44:40 S 688 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
    04/08/2006 12:44:42 S 70226 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\F482C95F83F1B59228F1B1E720F2EDF1
    04/08/2006 12:44:40 S 94 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
    04/08/2006 12:44:42 S 128 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\F482C95F83F1B59228F1B1E720F2EDF1
    25/07/2006 15:44:10 HS 2128 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt
    25/07/2006 16:00:00 HS 24 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Protect\CREDHIST
    25/07/2006 16:00:00 HS 388 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Protect\S-1-5-21-880026405-987626788-2466577560-500\66a9eae9-07a0-40ca-9e48-fdfc1adb46f6
    25/07/2006 16:00:00 HS 24 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Protect\S-1-5-21-880026405-987626788-2466577560-500\Preferred
    25/07/2006 16:09:14 HS 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
    25/07/2006 16:10:18 H 3734952 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IconCache.db
    25/07/2006 16:10:44 H 262144 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    06/08/2006 16:13:14 H 1024 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
    31/07/2006 09:36:06 HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
    31/07/2006 09:36:06 HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
    31/07/2006 09:36:06 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
    31/07/2006 09:36:06 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
    31/07/2006 09:36:06 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2XGH0J2L\desktop.ini
    31/07/2006 09:36:06 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6P8RM56V\desktop.ini
    31/07/2006 09:36:06 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GZODQXSH\desktop.ini
    31/07/2006 09:36:06 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O1WRSNO7\desktop.ini
    02/08/2006 23:25:08 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\57b22f58-2331-4522-b16b-4ada613ddc75
    02/08/2006 23:25:08 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
    31/07/2006 09:36:06 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\81e8d8cf-58f0-4636-8c65-b9976f8f571f
    31/07/2006 09:36:06 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\8df3f830-7915-4c9f-b67a-1b14c9f1c008
    31/07/2006 09:36:06 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\ef583787-f66e-4878-b421-79f03e060f33
    31/07/2006 09:36:06 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
    06/08/2006 21:12:56 H 330 C:\WINDOWS\Tasks\MP Scheduled Scan.job
    06/08/2006 21:09:08 H 6 C:\WINDOWS\Tasks\SA.DAT
    31/07/2006 09:37:26 HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
    31/07/2006 09:37:26 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
    31/07/2006 09:37:26 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\89YBO1QF\desktop.ini
    31/07/2006 09:37:26 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C1QFSHIV\desktop.ini
    31/07/2006 09:37:26 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\OD23SHIJ\desktop.ini
    31/07/2006 09:37:26 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\SHUJWLYN\desktop.ini

    Checking for CPL files...
    Microsoft Corporation 04/08/2004 05:00:00 68608 C:\WINDOWS\SYSTEM32\access.cpl
    Microsoft Corporation 04/08/2004 05:00:00 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
    Microsoft Corporation 04/08/2004 05:00:00 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
    Sonic Solutions 03/05/2006 14:31:56 1019904 C:\WINDOWS\SYSTEM32\cmdvdpak.cpl
    Microsoft Corporation 04/08/2004 05:00:00 135168 C:\WINDOWS\SYSTEM32\desk.cpl
    Microsoft Corporation 04/08/2004 05:00:00 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
    Microsoft Corporation 04/08/2004 05:00:00 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
    Microsoft Corporation 04/08/2004 05:00:00 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
    Microsoft Corporation 04/08/2004 05:00:00 129536 C:\WINDOWS\SYSTEM32\intl.cpl
    Microsoft Corporation 04/08/2004 05:00:00 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
    InstallShield Software Corporation10/06/2005 10:43:18 73728 C:\WINDOWS\SYSTEM32\ISUSPM.cpl
    Microsoft Corporation 04/08/2004 05:00:00 68608 C:\WINDOWS\SYSTEM32\joy.cpl
    Sun Microsystems 19/11/2003 17:48:12 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
    Microsoft Corporation 04/08/2004 05:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
    Microsoft Corporation 04/08/2004 05:00:00 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
    Microsoft Corporation 04/08/2004 05:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
    Microsoft Corporation 04/08/2004 05:00:00 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
    Microsoft Corporation 04/08/2004 05:00:00 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
    Microsoft Corporation 04/08/2004 05:00:00 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
    Microsoft Corporation 04/08/2004 05:00:00 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
    Microsoft Corporation 04/08/2004 05:00:00 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
    Intel(R) Corporation 18/11/2004 10:02:36 77824 C:\WINDOWS\SYSTEM32\PRApplet.cpl
    RealNetworks, Inc. 25/07/2006 16:01:20 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
    Apple Computer, Inc. 06/01/2004 16:02:36 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
    SigmaTel, Inc. 16/11/2005 14:35:44 159825 C:\WINDOWS\SYSTEM32\stac97.cpl
    Microsoft Corporation 04/08/2004 05:00:00 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
    Microsoft Corporation 04/08/2004 05:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
    Microsoft Corporation 04/08/2004 05:00:00 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
    Microsoft Corporation 04/08/2004 05:00:00 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
    Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
    Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

    »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

    Checking files in %ALLUSERSPROFILE%\Startup folder...
    31/07/2006 12:56:36 1918 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    25/07/2006 16:01:56 730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
    06/08/2006 21:01:10 2333 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
    11/08/2004 17:15:06 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

    Checking files in %ALLUSERSPROFILE%\Application Data folder...
    11/08/2004 17:07:12 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

    Checking files in %USERPROFILE%\Startup folder...
    11/08/2004 17:15:06 HS 84 C:\Documents and Settings\Stephen Ashworth\Start Menu\Programs\Startup\desktop.ini

    Checking files in %USERPROFILE%\Application Data folder...
    11/08/2004 17:07:12 HS 62 C:\Documents and Settings\Stephen Ashworth\Application Data\desktop.ini

    »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    SV1 =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
    {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
    {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7D4D6379-F301-4311-BEBA-E26EB0561882}
    = C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\system32\shdocvw.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
    Real.com = C:\WINDOWS\system32\Shdocvw.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    MenuText = Sun Java Console :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    ButtonText = Real.com :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
    ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
    {2318C2B1-4965-11D4-9B18-009027A5CD4F} = :

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    SigmatelSysTrayApp stsystra.exe
    IAAnotif C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    DMXLauncher C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    Norton Ghost 10.0 "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
    ISUSPM Startup "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    ISUSScheduler "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

    AOLDialer C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    RealTray C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    AOL Spyware Protection "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    DLA C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    Corel Photo Downloader C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    HPWQTOOLBOX C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe "-i"
    MSKDetectorExe C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    Windows Defender "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    !ewido "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
    01a4371.exe C:\Documents and Settings\Stephen Ashworth\Local Settings\Application Data\01a4371.exe

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
    system.ini 0
    win.ini 0
    bootini 2
    services 0
    startup 0


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments
    ScanWithAntiVirus 2


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption
    legalnoticetext
    shutdownwithoutlogon 1
    undockwithoutlogon 1


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun 145

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    {480CEE99-0AE9-1033-0530-06022306002c} "C:\Program Files\Common Files\{480CEE99-0AE9-1033-0530-06022306002c}\Update.exe" mc-110-12-0000272

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
    DisableRegistryTools 0


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
    SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,
    Shell = Explorer.exe
    System =

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
    = WgaLogon.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winpsa32
    = winpsa32.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs


    »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
    Scan completed on 06/08/2006 21:16:59



    If you need anything else please let me know and I'll get it asap :)
     
  15. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,012
    Go to Control Panel – Add/Remove programs and remove the following, if there:

    Java 2 Runtime Environment, SE v1.4.2 (We will replace it with a newer version as this one has more vulnerabilities and is how you got infected with vundo)


    Now go here and install the latest version of Java.


    I'm attaching a FixPoliciesRun.zip file to this post. Save it to your desktop but don't do anything with it yet. We will use it later in safe mode. This will remove the policies set by this variant that keeps reloading it.


    Click Here and download Killbox and save it to your desktop but don’t run it yet.


    Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.


    O4 - HKCU\..\Run: [01a4371.exe] C:\Documents and Settings\Stephen Ashworth\Local Settings\Application Data\01a4371.exe

    O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)


    Then boot to safe mode:


    How to restart to safe mode


    Double-click on Killbox.exe to run it.
    • Put a tick by Standard File Kill.
    • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

      C:\WINDOWS\system32\awtss.dll

      C:\WINDOWS\system32\sstwa.bak1

      C:\WINDOWS\system32\sstwa.bak2

      C:\WINDOWS\system32\sstwa.ini

      C:\WINDOWS\system32\sstwa.ini2

      C:\WINDOWS\system32\sstwa.tmp

      C:\Documents and Settings\Stephen Ashworth\Local Settings\Application Data\01a4371.exe

      C:\Program Files\Common Files\{480CEE99-0AE9-1033-0530-06022306002c}


    • Click on the button that has the red circle with the X in the middle after you enter each file.
    • It will ask for confirmation to delete the file.
    • Click Yes.
    • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
    • Killbox may tell you that one or more files do not exist.
    • If that happens, just continue on with all the files. Be sure you don't miss any.
    • Next in Killbox go to Tools > Delete Temp Files
    • In the window that pops up, put a check by ALL the options there except these three:
      • XP Prefetch
      • Recent
      • History
    • Now click the Delete Selected Temp Files button.
    • Exit the Killbox.


    Unzip the FixPoliciesRun.zip file that you saved to your desktop earlier. Double-click the Fix PoliciesRun.reg file and allow it to enter into the registry.

    Boot back to Windows normally and post another HijackThis log along with a new WinpFind log please.
     

    Attached Files:
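Added worked example (not part of the thread, and not the attachment or any of the tools mentioned in the reply above): a small Python triage script that parses the Run-key sections of a WinPFind log of the kind pasted earlier and flags autorun entries by the signals a malware helper looks for in such a log: an executable launched from a user profile's Local Settings\Application Data or Temp folder, a random hex-looking file name, a GUID-named directory, and registration under the policies\Explorer\Run key. The sample log is a constructed subset of the log above; the WinPFind line format, the heuristics and the function names are my assumptions, not WinPFind's or HijackThis's own.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of the Run-key sections from the WinPFind log
# pasted in this thread (same line format; other sections omitted).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
SigmatelSysTrayApp stsystra.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Norton Ghost 10.0 "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
Windows Defender "C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
01a4371.exe C:\Documents and Settings\Stephen Ashworth\Local Settings\Application Data\01a4371.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
{480CEE99-0AE9-1033-0530-06022306002c} "C:\Program Files\Common Files\{480CEE99-0AE9-1033-0530-06022306002c}\Update.exe" mc-110-12-0000272
"""

# Assumed WinPFind conventions: a registry key is printed on its own line,
# with or without surrounding brackets; the value lines follow it.
KEY_RE = re.compile(r"^\[?(HK[A-Z_]+\\[^\]]+)\]?$")
# First drive-letter path ending in an executable-type extension on the line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|scr|com|bat|cmd|pif)\b', re.I)
GUID_DIR_RE = re.compile(r"\\\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}\\", re.I)
PROFILE_DATA_RE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\Local Settings\\(?:Application Data|Temp)\\", re.I)


def is_autorun_key(key):
    """Run, RunOnce, RunServices... keys are the ones we triage."""
    return key.rsplit("\\", 1)[-1].lower().startswith("run")


def looks_random(stem):
    """Heuristic: a hex-only name with several digits, like 01a4371."""
    return bool(re.fullmatch(r"[0-9a-f]{6,}", stem, re.I)) and \
        sum(c.isdigit() for c in stem) >= 2


def reasons_for(key, path):
    """Return the list of triage reasons that apply to one autorun entry."""
    reasons = []
    if PROFILE_DATA_RE.search(path):
        reasons.append("runs from a user-writable profile data folder")
    if GUID_DIR_RE.search(path):
        reasons.append("lives in a GUID-named directory")
    if looks_random(PureWindowsPath(path).stem):
        reasons.append("random-looking file name")
    if "\\policies\\explorer\\run" in key.lower():
        reasons.append("registered under policies\\Explorer\\Run, which installers seldom use")
    return reasons


def parse_autorun_entries(log_text):
    """Yield {key, entry, path} for every value line under a Run-type key."""
    entries, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None or not is_autorun_key(key):
            continue
        pm = PATH_RE.search(line)
        entries.append({"key": key, "entry": line, "path": pm.group(0) if pm else None})
    return entries


def find_suspicious_autoruns(log_text):
    """Entries with at least one triage reason, in log order."""
    flagged = []
    for e in parse_autorun_entries(log_text):
        if e["path"] is None:  # bare file names (e.g. stsystra.exe) cannot be judged here
            continue
        reasons = reasons_for(e["key"], e["path"])
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in find_suspicious_autoruns(SAMPLE_LOG):
        print(hit["key"])
        print("  " + hit["entry"])
        for r in hit["reasons"]:
            print("    - " + r)
```

Run against the constructed sample, the script flags exactly the two entries the reply above targets for removal (the 01a4371.exe value in HKCU\...\Run and the GUID-named Common Files folder launched from policies\Explorer\Run) and leaves the vendor entries alone. Entries with only a bare file name, such as stsystra.exe, are skipped rather than judged; confirming those still means checking the file on disk.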

Short URL to this thread: https://techguy.org/489887
