
I can not download the ActiveX control for Panda ActiveScan!

This is a discussion on I can not download the ActiveX control for Panda ActiveScan! within the Inactive Malware Help Topics forums, part of the Tech Support Forum category.


Old 02-07-2008, 11:23 PM   #1
Registered Member
 
Join Date: Feb 2008
Posts: 34
OS: XP



Hello,

My computer is infected with some type of malicious software. I followed the "IMPORTANT - Read This Before Posting For Malware Removal Help".

1.) I removed Viewpoint Manager and Viewpoint Media Player from the add/remove list.

2.) This is where I ran into problems: my computer would not download the ActiveX control from the Panda ActiveScan website. All pop-up blockers were disabled. My current spyware programs were disabled. There was no download bar or security pop-up that I could click on.

I really am frustrated; Internet Options settings keep resetting even though the internet is impossible to use. I cannot install Java (from the actual site) or some desktop programs (WMP). Sometimes I cannot copy/paste/delete files from folders or even preview images in folders. The computer settings won't stick (e.g. performance settings in My Computer properties). I have run spyware scans/defragged/disk cleanup/different users. I am getting very worried because I have some sensitive programs that I have to use this weekend for a client, and I may just have to go out and purchase another computer if I cannot fix this in time.

I want to add the Panda log and give you the proper information to diagnose my situation. I look forward to your replies.

(accidental double post)

cerebro is offline  
Old 02-07-2008, 11:45 PM   #2
TSF Team, Emeritus
 
 
Join Date: Sep 2007
Posts: 289
OS: ARCH Linux



If you can't do the Panda, go ahead and skip it and move to the next step.

Make SURE to at least get us a DSS log (Step 5)

jwbirdsong is offline  
Old 02-07-2008, 11:46 PM   #3
Registered Member
 
Join Date: Feb 2008
Posts: 34
OS: XP



I will do that right now, and post shortly...

Thank you!
cerebro is offline  
Old 02-08-2008, 12:06 AM   #4
Registered Member
 
Join Date: Feb 2008
Posts: 34
OS: XP



I just ran DSS, here are the results:






Deckard's System Scanner v20071014.68
Run by Owner on 2008-02-08 01:56:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
18: 2008-02-08 06:56:59 UTC - RP723 - Deckard's System Scanner Restore Point
17: 2008-02-07 07:22:06 UTC - RP722 - Installed Ad-Aware 2007
16: 2008-02-06 20:15:31 UTC - RP721 - System Checkpoint
15: 2008-02-05 08:11:06 UTC - RP720 - System Checkpoint
14: 2008-02-03 17:40:53 UTC - RP719 - Encore (might be fixed with blue screen)


-- First Restore Point --
1: 2008-02-03 17:21:38 UTC - RP706 - Removed PHM Registry Editor


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:59:17 AM, on 2/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Application Data\U3\0D818A60B0F379A1\LaunchPad.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Metamail IEPlugin - {C09C9904-FD44-11D6-A711-00105AC8F168} - (no file)
O2 - BHO: (no name) - {FC31AA3F-F567-4525-967B-6952116B1A60} - C:\WINDOWS\system32\jkklk.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [MXOBG] "C:\Documents and Settings\Thortex\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] "C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe"
O4 - HKLM\..\Run: [b4bda793] "rundll32.exe" "C:\WINDOWS\system32\vyshvesb.dll",b
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DVD@ccess.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb...LStreaming.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5BDBA960-6534-11D3-97C7-00500422B550} (LotusDRSControl Class) - http://gigbuilder.com/download/dolcontrol.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {82B56B47-90DC-4F58-9A7D-D27BA46D3C0F} (MyPhotoAlbum Easy Upload Tool Combo Control) - http://encorepartydjs.myphotoalbum.c...eUploader4.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - http://mvnet.xlontech.net/qm/fox/061...ie06101001.cab
O16 - DPF: {F9F3920B-2F24-437A-A224-D49F0004A172} - http://www.net-viewer.com/dls/AutoInstall.exe
O20 - Winlogon Notify: ddcccaw - ddcccaw.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9561 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - "regedit.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >
R1 SerTVOutCtlr (TOSHIBA Controls Driver -EPIOMngr) - c:\windows\system32\drivers\epiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R1 SrvcEKIOMngr - c:\windows\system32\drivers\ekiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R1 SrvcSSIOMngr - c:\windows\system32\drivers\ssiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R1 tmtdi (Trend Micro TDI Driver) - c:\windows\system32\drivers\tmtdi.sys <Not Verified; Trend Micro Inc.; Trend Micro TDI Driver>
R1 TPwSav (Common Driver) - c:\windows\system32\drivers\tpwsav.sys <Not Verified; TOSHIBA; >
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.6.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.6.0>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 DLPortIO (DriverLINX Port I/O Driver) - c:\windows\system32\drivers\dlportio.sys
R2 DVDAccss - c:\windows\system32\drivers\dvdaccss.sys <Not Verified; Apple Computer, Inc.; DVDAccss Driver>
R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Network Device Usermode I/O protocol>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R2 TBiosDrv - c:\windows\system32\drivers\tbiosdrv.sys
R3 AgereSoftModem (TOSHIBA V92 Software Modem) - c:\windows\system32\drivers\agrsm.sys <Not Verified; Agere Systems; Agere SoftModem Driver>
R3 ApfiltrService (Alps Pointing-device Filter Driver) - c:\windows\system32\drivers\apfiltr.sys <Not Verified; Alps Electric Co., Ltd.; Alps Pointing-device Driver for Windows 2000/XP>
R3 ialm - c:\windows\system32\drivers\ialmnt5.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 IWCA (Intel Wireless Connection Agent Miniport for Win XP) - c:\windows\system32\drivers\iwca.sys <Not Verified; Intel Corporation; Intel Wireless Connection Agent>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 sdbus - c:\windows\system32\drivers\sdbus.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 Tvs (Toshiba Virtual Sound with SRS technologies) - c:\windows\system32\drivers\tvs.sys <Not Verified; TOSHIBA Corporation; Audio Filter>
R3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys <Not Verified; America Online, Inc.; Wan Miniport (ATW)>

S3 bfastfao - c:\docume~1\owner\locals~1\temp\bfastfao.sys (file missing)
S3 MXOFX (USB Storage Adapter FX (MXO)) - c:\windows\system32\drivers\mxofx.sys <Not Verified; Cypress Semiconductor; Cypress USB Mass Storage Adapter>
S3 MXOPSWD (Maxtor OneTouch Security Driver) - c:\windows\system32\drivers\mxopswd.sys <Not Verified; Maxtor Corp.; Maxtor Corp. 1394/USB Onetouch Storage>
S3 WpdUsb - c:\windows\system32\drivers\wpdusb.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree(TM)>
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsushita Electric Industrial Co., Ltd.; >
R2 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R2 RetroExpLauncher (Retrospect Express HD Launcher) - "c:\program files\dantz\retrospect express hd\retrorun.exe" <Not Verified; Dantz Development Corporation; Retrospect>
R2 Swupdtmr - c:\toshiba\ivp\swupdate\swupdtmr.exe
R2 Tmntsrv (Trend NT Realtime Service) - "c:\program files\trend micro\antivirus\tmntsrv.exe" <Not Verified; Trend Micro Incorporated.; Trend Pc-cillin 11>
R2 tmproxy (Trend Micro Proxy Service) - c:\program files\trend micro\antivirus\tmproxy.exe <Not Verified; Trend Micro Incorporated.; Trend Pc-cillin 11>
R2 UPSentry_Smart (UPS - UPSentry Service) - "c:\program files\belkin bulldog plus\upsd.exe" <Not Verified; Delta; UPSentry Smart 2000>

S2 RetroExp Helper (Retrospect Express HD Restore Helper) - "c:\program files\dantz\retrospect express hd\rthlpsvc.exe" <Not Verified; Dantz Development Corporation; Retrospect>
S3 QBFCService (Intuit QuickBooks FCS) - "c:\program files\common files\intuit\quickbooks\fcs\intuit.quickbooks.fcs.exe" <Not Verified; Intuit Inc.; QuickBooks 2007>
S4 navapsvc (Norton AntiVirus Auto-Protect Service) - "c:\program files\norton antivirus\navapsvc.exe" (file missing)
S4 QBCFMonitorService - "c:\program files\common files\intuit\quickbooks\qbcfmonitorservice.exe"


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/Wireless 2200BG Network Connection
Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_27418086&REV_05\4&AD1B67F&0&10F0
Manufacturer: Intel(R) Corporation
Name: Intel(R) PRO/Wireless 2200BG Network Connection
PNP Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_27418086&REV_05\4&AD1B67F&0&10F0
Service: w29n51


-- Scheduled Tasks -------------------------------------------------------------

2008-02-07 18:03:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-01-22 23:05:00 436 --a------ C:\WINDOWS\Tasks\EasyShare Registration Task.job


-- Files created between 2008-01-08 and 2008-02-08 -----------------------------

2008-02-07 02:22:10 0 d-------- C:\Program Files\Lavasoft
2008-02-07 02:21:37 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-07 00:58:24 0 d-------- C:\TEMP
2008-02-02 21:55:55 327168 --a------ C:\WINDOWS\system32\jkklk.dll
2008-02-02 18:53:57 0 d-------- C:\Program Files\PCDJ.CO.UK EasyASPI
2008-02-02 13:53:12 88128 --a------ C:\WINDOWS\system32\vyshvesb.dll
2008-02-02 13:51:17 88128 --a------ C:\WINDOWS\system32\ruvvkfaf.dll
2008-02-02 13:48:17 96832 --a------ C:\WINDOWS\system32\jtuloclk.dll
2008-02-02 13:45:28 96832 --a------ C:\WINDOWS\system32\xnpihgux.dll
2008-02-01 12:28:19 92224 --a------ C:\WINDOWS\system32\wrrsuhqo.dll
2008-02-01 12:25:18 92224 --a------ C:\WINDOWS\system32\xtislsyb.dll
2008-02-01 12:22:47 92736 --a------ C:\WINDOWS\system32\jedcxllq.dll
2008-01-30 22:21:14 92736 --a------ C:\WINDOWS\system32\puamtoxb.dll
2008-01-30 22:20:57 92736 --a------ C:\WINDOWS\system32\vaxlbxqr.dll
2008-01-30 22:20:51 74304 --a------ C:\WINDOWS\system32\pdwbjiko.exe <Not Verified; ; DDC>
2008-01-28 10:53:59 153 --a------ C:\DelUS.bat
2008-01-27 19:42:13 15360 --a------ C:\WINDOWS\system32\ctfmon .exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-01-27 19:19:43 330752 --a------ C:\WINDOWS\system32\jkklk.exe
2008-01-27 19:19:15 362758 --ahs---- C:\WINDOWS\system32\klkkj.ini2
2008-01-27 19:14:22 0 d-------- C:\Program Files\QdrModule
2008-01-27 19:13:59 0 d-------- C:\Program Files\?asks
2008-01-27 19:13:59 0 d-------- C:\Program Files\QdrDrive
2008-01-26 02:16:07 0 d-------- C:\Retrospect Restore Points
2008-01-18 14:46:06 140288 ---hs---- C:\Program Files\Common Files\Yazzle1552OinAdmin.exe


-- Find3M Report ---------------------------------------------------------------

2008-02-08 01:58:57 642 --a------ \HijackThis.lnk
2008-02-08 01:58:56 0 d-------- C:\Program Files\Trend Micro
2008-02-08 01:56:59 0 d-------- \WINDOWS
2008-02-08 01:56:40 0 d-------- \Deckard
2008-02-08 00:29:58 0 d-------- \Program Files
2008-02-07 19:55:56 0 d-------- C:\Program Files\iTunes
2008-02-07 19:55:55 0 d-------- C:\Program Files\QuickTime
2008-02-07 14:49:37 1598029824 --ahs---- \pagefile.sys
2008-02-07 02:22:46 0 d--hs---- \Config.Msi
2008-02-07 02:21:37 0 d-------- C:\Program Files\Common Files
2008-02-07 01:18:52 0 d-------- C:\Program Files\MWSnap
2008-02-07 00:58:24 0 d-------- \TEMP
2008-02-02 18:53:14 720896 --a----c- C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-02-02 18:48:50 0 d-------- C:\Program Files\TagRename
2008-02-02 18:47:52 0 d-------- C:\Program Files\SmartDraw 7
2008-02-02 18:43:02 0 d-------- C:\Program Files\MP3Gain
2008-02-02 18:38:49 0 d-------- C:\Program Files\FreeStyler
2008-02-02 18:35:19 0 d-------- \audiograbber
2008-02-02 14:32:06 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-02-02 03:11:50 0 d-------- C:\Program Files\?asks
2008-01-29 16:49:05 0 d-------- C:\Program Files\Bonjour
2008-01-29 13:18:52 0 d-------- \Retrospect Restore Points
2008-01-28 10:53:59 153 --a------ \DelUS.bat
2008-01-13 16:54:57 0 d-------- C:\Program Files\Lotus iNotes
2008-01-02 20:37:04 0 d-------- C:\Program Files\Belkin Bulldog Plus
2007-12-26 12:00:09 147230 --a------ C:\logfile
2007-12-26 12:00:09 147230 --a------ \logfile
2007-11-23 15:57:05 115200 --a------ C:\outsound.bin
2007-11-23 15:57:05 115200 --a------ \outsound.bin


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC31AA3F-F567-4525-967B-6952116B1A60}]
02/02/2008 09:55 PM 327168 --a------ C:\WINDOWS\system32\jkklk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MXOBG"="C:\Documents and Settings\Thortex\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE" [02/07/2008 07:55 PM]
"pccguide.exe"="C:\Program Files\Trend Micro\Antivirus\pccguide.exe" [02/07/2008 07:55 PM]
"PCClient.exe"="C:\Program Files\Trend Micro\Antivirus\PCClient.exe" [02/07/2008 07:55 PM]
"TM Outbreak Agent"="C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" [02/07/2008 07:55 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [02/07/2008 07:55 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/07/2008 07:55 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [02/07/2008 07:55 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/07/2008 07:55 PM]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [02/07/2008 07:55 PM]
"b4bda793"="rundll32.exe" [08/04/2004 07:00 AM C:\WINDOWS\system32\rundll32.exe]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [02/07/2008 02:50 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcccaw]
ddcccaw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 10/15/2004 01:27 PM 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkklk

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MUPS.lnk]
backup=C:\WINDOWS\pss\MUPS.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
backup=C:\WINDOWS\pss\RAMASST.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1137814586\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]
C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
"C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
c:\toshiba\ivp\ism\pinger.exe /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RetroExpress]
"C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe" /h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVPWUTIL]
C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSHIBA Accessibility]
C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
C:\Program Files\Toshiba\Tvs\TvsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoomingHook]
ZoomingHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"navapsvc"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-02-08 02:01:38 ------------
Attached Files
File Type: txt extra.txt (27.2 KB, 8 views)
cerebro is offline  
Old 02-08-2008, 12:36 AM   #5
TSF Team, Emeritus
 
 
Join Date: Sep 2007
Posts: 289
OS: ARCH Linux



Well now we know where to go/what to remove to fix you up.
You got a Vundo/Purity combo infection at the very least.
It will take a few steps to get you cleaned up.

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

NEXT please visit the webpage HERE for instructions for downloading and running ComboFix.

Post the log from ComboFix when you've accomplished that, along with C:\vundofix.txt from above.
jwbirdsong is offline  
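An added triage script, not from this thread or from any of the tools it names, that scans HijackThis lines for the Vundo-style indicators visible in the DSS log above: an unnamed BHO and a rundll32 Run entry backed by random-named system32 DLLs, tampered protocol zone defaults, a Winlogon Notify entry whose DLL is missing, and the space-before-extension lookalike in "qttask .exe"; it also pairs mirror-image names such as jkklk/klkkj from the file-creation list. Sample lines are copied from the posted log, and the "5-8 lowercase letters" naming heuristic is an assumption.

```python
"""Triage of HijackThis log lines for the Vundo-style indicators in this thread."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: lines copied from the DSS/HijackThis log posted above,
# with benign entries mixed in so the triage has something to pass over.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FC31AA3F-F567-4525-967B-6952116B1A60} - C:\WINDOWS\system32\jkklk.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [b4bda793] "rundll32.exe" "C:\WINDOWS\system32\vyshvesb.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O20 - Winlogon Notify: ddcccaw - ddcccaw.dll (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Constructed sample: file names from the "Files created" section of the same log.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\jkklk.dll",
    r"C:\WINDOWS\system32\vyshvesb.dll",
    r"C:\WINDOWS\system32\ctfmon .exe",
    r"C:\WINDOWS\system32\jkklk.exe",
    r"C:\WINDOWS\system32\klkkj.ini2",
]

# Assumed heuristic: a module in system32 whose base name is 5-8 lowercase
# letters and nothing else, the pattern the droppers in this log used.
RANDOM_SYS32 = re.compile(r"\\(?i:system32)\\([a-z]{5,8})\.(?:dll|exe)\b")
# Whitespace immediately before the extension, as in "qttask .exe": a lookalike
# that sits beside the legitimate qttask.exe and is easy to misread in a log.
SPACED_EXT = re.compile(r"\s\.(?:exe|dll)\b", re.IGNORECASE)


@dataclass
class Finding:
    section: str  # HijackThis section code such as "O2" or "O20"
    reason: str
    line: str


def triage_line(line: str) -> List[Finding]:
    """Return the findings for one HijackThis line; an empty list means nothing flagged."""
    line = line.strip()
    m = re.match(r"(O\d+|R\d)\s+-\s+(.*)", line)
    if not m:
        return []
    section, body = m.groups()
    found: List[Finding] = []
    if section == "O2" and "(no name)" in body:
        found.append(Finding(section, "unnamed Browser Helper Object", line))
    if section in ("O2", "O3") and RANDOM_SYS32.search(body):
        found.append(Finding(section, "browser add-on backed by random-named system32 module", line))
    if section == "O4" and "rundll32.exe" in body.lower() and RANDOM_SYS32.search(body):
        found.append(Finding(section, "Run entry loads random-named system32 DLL via rundll32", line))
    if section == "O15" and "should be" in body:
        found.append(Finding(section, "URL protocol zone default has been changed", line))
    if section == "O20" and "(file missing)" in body:
        found.append(Finding(section, "Winlogon Notify entry points at a missing DLL", line))
    if SPACED_EXT.search(body):
        found.append(Finding(section, "executable name has whitespace before its extension (lookalike)", line))
    return found


def triage(log: str) -> List[Finding]:
    """Run triage_line over every line of a log and collect the findings in order."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        findings.extend(triage_line(raw))
    return findings


def mirrored_names(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (stem, reversed stem) pairs that both occur as file names, the
    mirror-image naming seen in jkklk.dll / klkkj.ini2 above."""
    stems = set()
    for p in paths:
        base = p.rsplit("\\", 1)[-1]
        stems.add(base.split(".", 1)[0].lower())
    pairs = []
    for stem in stems:
        rev = stem[::-1]
        if rev != stem and rev in stems and stem < rev:
            pairs.append((stem, rev))
    return sorted(pairs)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    for stem, rev in mirrored_names(SAMPLE_FILES):
        print(f"mirror-image names: {stem} / {rev}")
```

Against the sample, the script flags six entries (two on the jkklk BHO line) and pairs jkklk with klkkj; the legitimate Adobe, iTunes and Bonjour lines pass through untouched.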
Old 02-08-2008, 12:42 AM   #6
Registered Member
 
Join Date: Feb 2008
Posts: 34
OS: XP



That is funny, because my spyware keeps quarantining that file. I will run the .exe and post shortly. You have no idea how much I appreciate this; I will definitely donate when this is all done!
cerebro is offline  
Old 02-08-2008, 03:07 AM   #7
Registered Member
 
Join Date: Feb 2008
Posts: 34
OS: XP



I have installed and run VundoFix.exe, Windows XP Recovery Console, and ComboFix.

Below is the log for VundoFix. However, a log could not be created by ComboFix. Windows would automatically reboot with an error message on the blue screen showing the directory where spysweeperui.exe was located. Right before this reboot, ComboFix would perform all 41 or 43 stages and say that the report would pop up (even though it was not located in the directory after the reboot). All programs were disabled/not running. I also made sure not to touch my computer or move the mouse. I have also attached other files that were found in C:\. There is one file that I could not attach, named logfile, because it had an invalid file extension. Next recommendation?







Beginning removal...

VundoFix V6.7.8

Checking Java version...

Scan started at 2:44:21 AM 2/8/2008

Listing files found while scanning....

C:\WINDOWS\Easy CD-DA Extractor\uninstall.exe
C:\WINDOWS\system32\jedcxllq.dll
C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\jkklk.exe
C:\WINDOWS\system32\jtuloclk.dll
C:\WINDOWS\system32\klkkj.ini
C:\WINDOWS\system32\klkkj.ini2
C:\WINDOWS\system32\pdwbjiko.exe
C:\WINDOWS\system32\puamtoxb.dll
C:\WINDOWS\system32\ruvvkfaf.dll
C:\WINDOWS\system32\vaxlbxqr.dll
C:\WINDOWS\system32\vyshvesb.dll
C:\WINDOWS\system32\wrrsuhqo.dll
C:\WINDOWS\system32\xnpihgux.dll
C:\WINDOWS\system32\xtislsyb.dll

Beginning removal...

Beginning removal...

Attempting to delete C:\WINDOWS\Easy CD-DA Extractor\uninstall.exe
C:\WINDOWS\Easy CD-DA Extractor\uninstall.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\jedcxllq.dll
C:\WINDOWS\system32\jedcxllq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\jkklk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkklk.exe
C:\WINDOWS\system32\jkklk.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\jtuloclk.dll
C:\WINDOWS\system32\jtuloclk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\klkkj.ini
C:\WINDOWS\system32\klkkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\klkkj.ini2
C:\WINDOWS\system32\klkkj.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\pdwbjiko.exe
C:\WINDOWS\system32\pdwbjiko.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\puamtoxb.dll
C:\WINDOWS\system32\puamtoxb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ruvvkfaf.dll
C:\WINDOWS\system32\ruvvkfaf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vaxlbxqr.dll
C:\WINDOWS\system32\vaxlbxqr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyshvesb.dll
C:\WINDOWS\system32\vyshvesb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wrrsuhqo.dll
C:\WINDOWS\system32\wrrsuhqo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xnpihgux.dll
C:\WINDOWS\system32\xnpihgux.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xtislsyb.dll
C:\WINDOWS\system32\xtislsyb.dll Has been deleted!

Performing Repairs to the registry.
Done!
Attached Files
File Type: txt CF-RC.txt (327 Bytes, 6 views)
File Type: txt logdll.txt (2.5 KB, 5 views)
__________________
cerebro is offline  
Old 02-08-2008, 03:30 AM   #8
Registered Member
 
Join Date: Feb 2008
Posts: 34
OS: XP



I ran ComboFix well, but it doesn't show any log file on C:\. I have attached files that I found in c:\ComboFix\. ComboDel looks similar to what I saw on the blue screen in ComboFix before it rebooted my computer. Does this indicate that the process hasn't finished well?


I think it has removed some of the infected files from my notebook. I have also noticed that a zipped file named 'catchme' is now located on my desktop; is that expected?
Attached Files
File Type: txt ComboDel.txt (2.4 KB, 2 views)
File Type: txt ComboFix.txt (134 Bytes, 2 views)
File Type: txt pend.txt (583 Bytes, 10 views)
__________________
cerebro is offline  
Old 02-08-2008, 03:54 AM   #9
TSF Team, Emeritus
 
jwbirdsong's Avatar
 
Join Date: Sep 2007
Posts: 289
OS: ARCH Linux



Correct, CF has NOT finished properly.
Let's try one more time running it a little differently.
  • Make SURE that Combofix is saved to your Desktop
  • Physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.

    Quote:
    "%userprofile%\desktop\ComboFix.exe" /KillAll

  • Click OK and this will start ComboFix in a special way.
  • When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

* After you have saved the logs, restart your system to re-enable all the programs that were disabled during the running of ComboFix.

* Reconnect to the internet

* Post the following logs/Reports:
  • ComboFix.txt

If that doesn't work, we'll try something different.
__________________


Please donate to the site to help us help you DONATE


PROUD member Since 2004
jwbirdsong is offline  
Old 02-08-2008, 03:59 AM   #10
Registered Member
 
Join Date: Feb 2008
Posts: 34
OS: XP



Quote:
Originally Posted by jwbirdsong View Post
Correct, CF has NOT finished properly.
Let's try one more time running it a little differently.
  • Make SURE that Combofix is saved to your Desktop
  • Physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.

  • Click OK and this will start ComboFix in a special way.
  • When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

* After you have saved the logs, restart your system to re-enable all the programs that were disabled during the running of ComboFix.

* Reconnect to the internet

* Post the following logs/Reports:
  • ComboFix.txt

If that doesn't work, we'll try something different.
ComboFix is currently saved to the desktop and I am physically disconnected from the internet. I will double check to make sure these programs are not running. I will now run ComboFix from the run command and post shortly.
__________________
cerebro is offline  
Old 02-08-2008, 04:09 AM   #11
Registered Member
 
Join Date: Feb 2008
Posts: 34
OS: XP



The system restarted again after the 41 or 43 steps completed. The last thing I saw on the blue screen was

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

There were no mouse clicks or ComboFix.txt file. I was unable to save any file as well.
__________________
cerebro is offline  
Old 02-08-2008, 04:35 AM   #12
TSF Team, Emeritus
 
jwbirdsong's Avatar
 
Join Date: Sep 2007
Posts: 289
OS: ARCH Linux



I see you are still online... Just as a 'trial', if you will, while I am getting our next step together, would you try ComboFix in Safe Mode to see if it will complete a run. I'll be back in 15 minutes or so with further directions.
Thanks.
__________________
jwbirdsong is offline  
Old 02-08-2008, 04:35 AM   #13
Registered Member
 
Join Date: Feb 2008
Posts: 34
OS: XP



How do I run ComboFix in Safe Mode?
__________________
cerebro is offline  
Old 02-08-2008, 04:44 AM   #14
Registered Member
 
Join Date: Feb 2008
Posts: 34
OS: XP



I just Googled it; I will run it in Safe Mode and try to get the log for you.
__________________
cerebro is offline  
Old 02-08-2008, 04:52 AM   #15
Registered Member
 
Join Date: Feb 2008
Posts: 34
OS: XP



I just got an error when attempting to launch ComboFix in safe mode:

Windows can not find "C:\Windows\System32\Kmd.exe", make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click search.

Would you like me to keep the computer in safe mode or reboot and have it return to normal?
__________________
cerebro is offline  
Old 02-08-2008, 04:55 AM   #16
TSF Team, Emeritus
 
jwbirdsong's Avatar
 
Join Date: Sep 2007
Posts: 289
OS: ARCH Linux



Return to normal mode.
Almost ready to post.
__________________
jwbirdsong is offline  
Old 02-08-2008, 05:20 AM   #17
TSF Team, Emeritus
 
jwbirdsong's Avatar
 
Join Date: Sep 2007
Posts: 289
OS: ARCH Linux



Download WinPFind35U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
  • Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
  • Under Additional Scans check the box beside Reg - Disabled MS Config Items and Bot scan.
  • Under Rootkit Search change that to Yes.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.

Make sure you attach the report in your reply instead of pasting it in.
__________________
jwbirdsong is offline  
Old 02-08-2008, 05:26 AM   #18
Registered Member
 
Join Date: Feb 2008
Posts: 34
OS: XP



I will follow these steps and post shortly.
__________________
cerebro is offline  
Old 02-08-2008, 05:44 AM   #19
Registered Member
 
Join Date: Feb 2008
Posts: 34
OS: XP



The last line in the report is [code] followed by a line break. I did not know if you wanted me to delete this portion of the file. I have attached the .txt; I couldn't find the "botscan" button, but there was a "Disabled MS Config Items" button.
Attached Files
File Type: txt WinPFind35.Txt (156.0 KB, 8 views)
__________________
cerebro is offline  
Old 02-08-2008, 06:27 AM   #20
TSF Team, Emeritus
 
jwbirdsong's Avatar
 
Join Date: Sep 2007
Posts: 289
OS: ARCH Linux



Actually it's BotCheck... typo on my end, no big deal. It looks like, even though it didn't finish, CF and/or VundoFix has done most of the work for me.

Start WinPFind3U. Copy/Paste the information in the Codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> b4bda793 -> %System32%\vyshvesb.DLL
YN -> combofix -> %System32%\kmd
< RunOnce [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
YN -> combofix -> %System32%\home:=\Combobatch.bat
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {FC31AA3F-F567-4525-967B-6952116B1A60} [HKEY_LOCAL_MACHINE] -> %System32%\jkklk.dll [Reg Error: Value  does not exist or could not be read.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> {BA52B914-B692-46c4-B683-905236F6F655} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
[Files/Folders - Created Within 30 days]
NY -> justafix -> %SystemDrive%\justafix
YN -> bsevhsyv.ini -> %System32%\bsevhsyv.ini
YN -> fafkvvur.ini -> %System32%\fafkvvur.ini
YN -> skpqgadr.ini -> %System32%\skpqgadr.ini
[Files/Folders - Modified Within 30 days]
YN -> bsevhsyv.ini -> %System32%\bsevhsyv.ini
NY -> 6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> fafkvvur.ini -> %System32%\fafkvvur.ini
YN -> skpqgadr.ini -> %System32%\skpqgadr.ini
[Empty Temp Folders]
[Start Explorer]
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan and a HijackThis log, separately (the HijackThis log can be pasted into the reply).

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above.

__________________
jwbirdsong is offline  
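For anyone reviewing a fix script like the one above after the fact, the lines it contains follow a small, regular shape: `[Section]` headers, `< key > -> path` registry headers, and `XX -> name -> target` entries. The parser below is an added example, not WinPFind3U's own code or anything from this thread; it reads a constructed sample taken from the quoted script and groups the entries by section and registry key so the Run/RunOnce persistence points can be listed. The `%System32%`/`%SystemDrive%` expansions are an assumption (stock XP layout), and the two-letter flag pairs are kept verbatim because their meaning is not stated on the page.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the fix script quoted in the post above (not the whole script).
SAMPLE = r"""[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> b4bda793 -> %System32%\vyshvesb.DLL
YN -> combofix -> %System32%\kmd
< RunOnce [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
YN -> combofix -> %System32%\home:=\Combobatch.bat
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {FC31AA3F-F567-4525-967B-6952116B1A60} [HKEY_LOCAL_MACHINE] -> %System32%\jkklk.dll [Reg Error: Value  does not exist or could not be read.]
[Files/Folders - Created Within 30 days]
NY -> justafix -> %SystemDrive%\justafix
YN -> bsevhsyv.ini -> %System32%\bsevhsyv.ini
"""
# Assumed expansions for the tool's path placeholders (a stock XP layout; not stated on the page).
PLACEHOLDERS = {"%System32%": r"C:\WINDOWS\system32", "%SystemDrive%": "C:"}
SECTION_RE = re.compile(r"^\[(?P<section>.+)\]$")                 # [Registry - Non-Microsoft Only]
KEY_RE = re.compile(r"^< (?P<label>.+?) > -> (?P<path>.+)$")      # < Run [HKLM\] > -> HKLM\...\Run
ENTRY_RE = re.compile(r"^(?P<flags>[YN]{2}) -> (?P<name>.+?) -> (?P<target>.+?)(?: \[(?P<note>[^\]]*)\])?$")

@dataclass
class Entry:
    section: str   # enclosing [Section]
    key: str       # registry key from the last "< ... > ->" header ("" for file sections)
    flags: str     # two-letter flag pair exactly as the tool prints it (meaning not given on the page)
    name: str      # value name, GUID or file name
    target: str    # path or data the entry points at
    note: str      # trailing "[Reg Error: ...]" annotation, "" if absent

def parse_fix(text: str) -> list:
    """Parse fix/scan lines into Entry records, tracking section and registry-key context."""
    entries, section, key = [], "", ""
    for line in (l.strip() for l in text.splitlines()):
        if m := SECTION_RE.match(line):
            section, key = m["section"], ""          # a new section resets the key context
        elif m := KEY_RE.match(line):
            key = m["path"]
        elif m := ENTRY_RE.match(line):
            entries.append(Entry(section, key, m["flags"], m["name"], m["target"], m["note"] or ""))
    return entries

def expand(target: str) -> str:  # resolve %System32%/%SystemDrive% via the assumed mapping
    for placeholder, real in PLACEHOLDERS.items():
        target = target.replace(placeholder, real)
    return target

def autostart_entries(entries: list) -> list:
    """Entries under a Run or RunOnce key: the persistence points the fix script removes."""
    return [e for e in entries if e.key.lower().rstrip("\\").rsplit("\\", 1)[-1] in ("run", "runonce")]
```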