Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

HJT Log help

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

HJT Log help

Unread postby whisperer » January 14th, 2006, 4:26 pm

My wife has been complaining that her computer is running peculiarly. Earlier I noticed that she had an empty 'Programmes' folder in her startup, this has now come back.
She had done a full ewido scan and found over 400 problems but before I could stop her she had removed all found (possible cause of the missing programmes). I have tried to boot into safe mode but can not currently get in there, similarly I have tried to do an online scan using ie with both Kaspersky and Panda - in neither case could I get started, the Panda window with the Scan Now button would not stay there closing within one second of opening. Please find below her HJT log. I could find nothing obvious. :(

Logfile of HijackThis v1.99.1
Scan saved at 20:25:36, on 14/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\LVCOMSX.EXE
I:\ewido\security suite\ewidoctrl.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
I:\Firewall\ZoneAlarm\zlclient.exe
I:\Ad-Aware SE Plus\Ad-Watch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
U:\asus\AsusProb.exe
F:\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
F:\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
I:\Bandwidthmeter\BandwidthMeter.exe
U:\PowerQuest\Datakeeper\DataKeeper.exe
I:\MailWasher Pro\MailWasher.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jennnifer\Desktop\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\SpyBot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [zSPGuard] \\gordons\i - gordon\spguard\spguard.exe /s
O4 - HKLM\..\Run: [Zone Labs Client] I:\Firewall\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AWMON] "I:\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ASUS Probe] u:\asus\AsusProb.exe
O4 - HKLM\..\Run: [WorkFlowTray] "F:\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Opware14] "F:\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Bandwidth Meter.lnk = I:\Bandwidthmeter\BandwidthMeter.exe
O4 - Startup: DataKeeper.lnk = U:\PowerQuest\Datakeeper\DataKeeper.exe
O4 - Startup: MailWasherPro.lnk = I:\MailWasher Pro\MailWasher.exe
O4 - Startup: OUTLOOK.EXE.lnk = P:\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = P:\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Watch.lnk = C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://P:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - P:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/defaul ... oader1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7000043031
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/ins ... utions.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b34246.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?325
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - I:\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
User avatar
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall
Advertisement
Register to Remove

Unread postby Susan528 » January 14th, 2006, 6:37 pm

Hello Whisperer,

I did not see anything wrong with your hijackthis log either. Let's try the MWAV scan.

STEP 1.
======
MWAV Scan
Please download MWAV to a convenient location.
This scan only produces a report, it doesn't clean your system. I will analyze the report and recommend a course of action depending on the results.
This scan might take around 3+ hours to finish when set to scan everything.

Double-click on mwav.exe.
Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
  • Registry
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files

Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

**NOTE*** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items", please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.
User avatar
Susan528
MRU Master
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby whisperer » January 15th, 2006, 6:18 am

Instructions noted, scan started at 10 GMT and will post the results when available

Thanks :)
User avatar
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

MWAV Scan

Unread postby whisperer » January 15th, 2006, 10:57 am

Susan528,
Please find below the results of the MWAV scan. A total of 237 errors with 6 critical objects found:

Object "searchexe Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "downloader-ak Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "clientman Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "clipgenie Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "P:\Microsoft Office\Office10\GRAPH.EXE". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "P:\Microsoft Office\Office10\REFEDIT.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "P:\Microsoft Office\Office10\AW.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "P:\Microsoft Office\Office10\1033\MSOHELP.EXE". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "P:\Microsoft Office\Office10\MSACCESS.EXE". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "P:\Microsoft Office\Office10\MSCAL.OCX". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "P:\Microsoft Office\Office10\1033\MSOLANG.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "P:\Microsoft Office\Office10\MSACNV30.EXE". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "P:\Microsoft Office\Office10\HLP95EN.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "P:\Microsoft Office\Office10\MSRTEDIT.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "P:\Microsoft Office\Office10\1033\GRINTL32.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "P:\Microsoft Office\Office10\SIGNER.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "P:\Microsoft Office\Office10\MSOSTYLE.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "P:\Microsoft Office\Office10\SAEXT.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "P:\Microsoft Office\Office10\UNBIND.EXE". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "P:\Microsoft Office\Office10\1033\UNBIND10.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "P:\Microsoft Office\Office10\MSQRY32.EXE". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "P:\Microsoft Office\Office10\1033\QRYINT32.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "P:\Microsoft Office\Office10\PROFLWIZ.EXE". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "P:\Microsoft Office\Office10\MSCAL.CNT". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "P:\Microsoft Office\Office10\1033\OFMAIN10.CHM". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "P:\Microsoft Office\Office10\1033\VBAOF10.CHM". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Real\GToolbar\BarControl.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\ZoneLabs\html.tdr". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\unvise32qt.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\DIMM.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe" refers to invalid object "C:\WINDOWS\System32\cmmgr32.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ga_main.exe" refers to invalid object "". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\install.exe" refers to invalid object "C:\Program Files\APC\APC PowerChute Personal Edition\install.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\puzzle pack.exe" refers to invalid object "G:\puzzle pack.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\QuickCam.exe" refers to invalid object "C:\Program Files\Logitech\Video\QuickCam.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\yourapp.Exe" refers to invalid object "u:\asus\asusupdate\yourapp.Exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "P:\Microsoft Office\Office10\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "P:\Microsoft Office\Office10\1033\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\MSN Toolbar Suite\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\MSN Toolbar Suite\AU\". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".$$$". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".Brd". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".class". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".Dpp". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".mp1". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".mpga". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".pgs". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".sav". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".sdp". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ssm". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".STP". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".tmp". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".xpl". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object "OpenWithList". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Mozilla Firefox (1.0)". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Mozilla Firefox (1.0.1)". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Mozilla Firefox (1.0.3)". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "MSN Toolbar". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{0496D9E8-224B-4AFA-8F37-23B98D52F1EB}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{4E9C3F2D-C654-453E-B1AD-9F231905A50D}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{607EC8AE-B5AD-4240-A267-E8BA50AA16A4}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{73819BA2-2E8B-430B-A6C9-0D89657DC865}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{7BF7B688-4A95-4003-BA98-EA8A79DA0ABA}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{81CFF79E-04E6-41BC-B4FA-D2FF4DE58A15}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{91110409-6000-11D3-8CFE-0050048383C9}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{9C2EDC9C-EF3B-443A-BB2C-3488DAC7247E}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{A27F2A64-3D23-4449-B395-75335CED458E}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{ABEB838C-A1A7-4C5D-B7E1-8B4314600137}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{ABEB838C-A1A7-4C5D-B7E1-8B4314600205}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{ABEB838C-A1A7-4C5D-B7E1-8B4314600777}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{ABEB838C-A1A7-4C5D-B7E1-8B4314600813}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{ABEB838C-A1A7-4C5D-B7E1-8B4314600816}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{AC76BA86-0000-7EC8-7489-000000000702}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{AC76BA86-0000-7EC8-7489-000000000703}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{AC76BA86-0000-7EC8-7489-000000000704}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{AC76BA86-7AD7-1033-7B44-000000000001}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{B6F867E8-F092-4C5E-7D72-AC7057DBEF45}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{B901999B-27BF-46D1-8F53-5497FC957F29}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{BD23F73B-3A4A-43B4-BA66-B6FBA6C191AF}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{C6F1E87D-F3E1-4874-97EC-F87DAB6D6878}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{F804C9A8-B5F7-4855-9B8E-F4C036AF77F5}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{FA5C2EE8-4072-49DE-9DAA-C9363B18B623}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{FB015BB0-5518-4767-9DE4-F9A5C7C62E46}". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{15E87072-3276-4D71-8196-90506F8EC702}" refers to invalid object "P:\Microsoft Office\Office10\AW.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2716AF5F-0841-4C94-9C67-A186F45F277E}" refers to invalid object "C:\Program Files\Common Files\Microsoft Shared\MSPaper\MSPSCAN.EXE /StiDevice:%1 /StiEvent:%2". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{31E0DFD7-2621-11D2-AFD7-006097C9A284}" refers to invalid object "P:\MICROS~1\Office10\1033\msohelp.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7FBDAB78-8361-11D0-A19B-00A0C9084C89}" refers to invalid object "F:\Bin\WORDAC~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{83D4679F-B6D7-11D2-BF36-00C04FB90A03}" refers to invalid object "C:\PROGRA~1\MESSEN~1\rtcimsp.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A950EBB5-BFEC-11D0-A1E7-00A0C9084C89}" refers to invalid object "F:\Bin\EXCELA~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B58C2440-A1A3-11D2-B024-006097C9A284}" refers to invalid object "P:\MICROS~1\Office10\1033\msohelp.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B58C2441-A1A3-11D2-B024-006097C9A284}" refers to invalid object "P:\MICROS~1\Office10\1033\msohelp.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CC0B082D-A7FB-11D3-BC35-00C04F79E594}" refers to invalid object "P:\Microsoft Office\Office10\1033\MSOLANG.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D169983A-4EDD-4D58-A702-A594F3151725}" refers to invalid object "P:\Microsoft Office\Office10\WINWORD.EXE /IMG_WIA". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{364EA1A3-8100-11D0-A196-00A0C9084C89}" refers to invalid object "C:\WINDOWS\system32\WordAcc.tlb". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{5328A245-A8B6-11D3-BC35-00C04F79E594}" refers to invalid object "P:\MICROS~1\Office10\1033\MSOLANG.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{80CC9890-575B-4817-8F68-6A1D189FF537}" refers to invalid object "C:\DOCUME~1\JENNNI~1\LOCALS~1\Temp\Word8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{84676818-CF04-40D8-BA09-C8C60E6E8451}" refers to invalid object "C:\DOCUME~1\JENNNI~1\LOCALS~1\Temp\Word8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{B4D00D4D-79B6-11D2-88BE-00C04F8F5759}" refers to invalid object "C:\Program Files\Common Files\ScanSoft Shared\ScanWizComponent.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{D38659B2-BFD0-11D0-A1E6-00A0C9084C89}" refers to invalid object "C:\WINDOWS\system32\ExcelAcc.tlb". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{DCB43485-19FB-4D6D-BB3D-73C7F48D5F00}" refers to invalid object "C:\Program Files\Messenger\rtcimsp.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{E255C79C-D616-4D3A-A583-9B8A71339F43}" refers to invalid object "C:\DOCUME~1\JENNNI~1\LOCALS~1\Temp\Excel8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\Access.ADEFile.10\shell\open\command" refers to invalid object ""P:\Microsoft Office\Office10\MSACCESS.EXE" /NOSTARTUP "%1"". Action Taken: No Action Taken.
Entry "HKCR\Access.Application.10\shell\open\command" refers to invalid object ""P:\Microsoft Office\Office10\MSACCESS.EXE" /NOSTARTUP "%1"". Action Taken: No Action Taken.
Entry "HKCR\Access.BlankDatabaseTemplate.10\shell\open\command" refers to invalid object ""P:\Microsoft Office\Office10\MSACCESS.EXE" /NOSTARTUP /NEWDB "%1"". Action Taken: No Action Taken.
Entry "HKCR\Access.BlankProjectTemplate.10\shell\open\command" refers to invalid object ""P:\Microsoft Office\Office10\MSACCESS.EXE" /NOSTARTUP /NEWDB "%1"". Action Taken: No Action Taken.
Entry "HKCR\Access.DatabaseWizardTemplate.10\shell\open\command" refers to invalid object ""P:\Microsoft Office\Office10\MSACCESS.EXE" /NOSTARTUP /DBWIZ "%1"". Action Taken: No Action Taken.
Entry "HKCR\Access.Extension.10\shell\open\command" refers to invalid object "P:\MICROS~1\Office10\MSACCESS.EXE /NOSTARTUP "%1"". Action Taken: No Action Taken.
Entry "HKCR\Access.MDEFile.10\shell\open\command" refers to invalid object ""P:\Microsoft Office\Office10\MSACCESS.EXE" /NOSTARTUP "%1"". Action Taken: No Action Taken.
Entry "HKCR\Access.Project.10\shell\open\command" refers to invalid object ""P:\Microsoft Office\Office10\MSACCESS.EXE" /NOSTARTUP "%1"". Action Taken: No Action Taken.
Entry "HKCR\Access.WizardDataFile.10\shell\open\command" refers to invalid object ""P:\Microsoft Office\Office10\MSACCESS.EXE" /NOSTARTUP "%1"". Action Taken: No Action Taken.
Entry "HKCR\Access.Workgroup.10\shell\open\command" refers to invalid object ""P:\Microsoft Office\Office10\MSACCESS.EXE" /NOSTARTUP "%1"". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup.1" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Connection Manager Profile\shell\open\command" refers to invalid object "C:\WINDOWS\System32\CMMGR32.EXE "%1"". Action Taken: No Action Taken.
Entry "HKCR\grsfile\shell\open\command" refers to invalid object ""I:\GetRight\getright.exe" %1". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\Office.ProfileSettings.10\shell\open\command" refers to invalid object ""P:\Microsoft Office\Office10\PROFLWIZ.EXE" /p /u /r "%1"". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\ppifile\shell\open\command" refers to invalid object "%SystemRoot%\System32\msppcnfg.exe /Config %1". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient.1" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\popcaploader.dll tagged as not-a-virus:Downloader.Win32.PopCap.c. No Action Taken.
File K:\DataKeeper Backup Of C\Documents and Settings\Jennnifer\Local Settings\Temporary Internet Files\Content.IE5\IAB3VTOY\popcaploader1[1].cab.zvaa.dkb tagged as not-a-virus:Downloader.Win32.PopCap.c. No Action Taken.

Glad I did not get the HJT log wrong! Looking forward to your next advice.

Whisperer :)
User avatar
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Further info:

Unread postby whisperer » January 15th, 2006, 11:34 am

Further to the last, a warning had appeared on the desktop. On investigation of its properties it was found to be a picture linked to

http://adopt.euroclick.com/contents/2506/300x250v2.gif

My wife had clicked the depicted No button that took her to a site offering to sell her the antivirus programme - there ought to be a law about these type of scammers, if there is how do I take steps against them.

It is obviously a popup type of advert and in its defense the word 'Advertisement' appeared in grey text in the bottom right corner of the pseudo-window

I have done a search for the picture which was in th temporary internt files and have removed it. I have also done a tidy up of her cache, retaining only known cookies
Last edited by whisperer on January 15th, 2006, 11:42 am, edited 1 time in total.
User avatar
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Unread postby Susan528 » January 15th, 2006, 11:36 am

Hello Wisperer,

Other than not being able to use safe mode and run Panda and Kapersky, anything else that you notice being wrong?

STEP 1.
======
Cleaning Files

Navigate to C:\Windows\Prefetch
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, click to select the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see an checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

Please delete the following files
C:\WINDOWS\Downloaded Program Files\popcaploader.dll
The steps above should have deleted the Temporary Internet files but double-check and make sure you cannot find the following:
K:\DataKeeper Backup Of C\Documents and Settings\Jennnifer\Local Settings\Temporary Internet Files\Content.IE5\IAB3VTOY\popcaploader1

STEP 2.
======
WinPFind
Please Download the following tools to assist us in removing this infection! Download WinPFind

  1. Right Click the Zip Folder and Select Extract All
  2. Extract it somewhere you will remember like the Desktop
  3. Don’t do anything with it yet!
Reboot.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode



  1. Doubleclick WinPFind.exe
  2. Click on Configure Scan Options.
  3. Remove all the checkmarks under Folder Options on the left side by clicking the button Remove All, uncheck Run Addon's and click Apply.
  4. Click Start Scan
    It will scan the entire System, so please be patient! This scan may take awhile
Once the Scan is Complete

  1. Reboot your computer into normal mode.
  2. Go to the WinPFind folder
  3. Locate WinPFind.txt
  4. Copy the results from the WinPFind.txt file and post the results in your next reply.


Blacklight

Download Blacklight Beta from here:
http://www.f-secure.com/blacklight/try.shtml
  • Hit I accept. It will take you to download page.
  • Download blbeta.exe and save it to the Desktop.
  • Once saved... double click blbeta.exe to install the program.
  • Click accept agreement and Click scan
    This app too may fire off a warning from antivirus. Let the driver load.
    Wait for it to finish.
  • If it displays any items...don't do anything with them yet. Just hit exit (close)
  • It will drop a log on Desktop that starts with fsbl....big number

Please post contents of log.
User avatar
Susan528
MRU Master
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

WinPFind

Unread postby whisperer » January 15th, 2006, 12:45 pm

The WinpFind programme will not operate in safe mode. Both Scan and Configure buttons are shown when run but as soon as 'Configure' is selected the 'Scan' greys out. There are no extra buttons below the options as there are in Normal mode, similarly the right side of the window is chopped off.

I will continue with the BLBeta, and is it OK to run WinPFind in Normal mode where all options appear to be available?
User avatar
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

BlackLight

Unread postby whisperer » January 15th, 2006, 12:52 pm

The BlackLight shows clean - log below:

01/15/06 16:47:39 [Info]: BlackLight Engine 1.0.30 initialized
01/15/06 16:47:39 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/15/06 16:47:39 [Note]: 7019 4
01/15/06 16:47:39 [Note]: 7005 0
01/15/06 16:47:48 [Note]: 7006 0
01/15/06 16:47:48 [Note]: 7011 1668
01/15/06 16:47:48 [Note]: FSRAW library version 1.7.1014
01/15/06 16:48:39 [Note]: 7006 0
01/15/06 16:48:39 [Note]: 7011 1668
01/15/06 16:48:39 [Note]: FSRAW library version 1.7.1014
01/15/06 16:49:52 [Note]: 7007 0

Awaiting instructions re WinPFind :D All other instructions completed
User avatar
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Unread postby Susan528 » January 15th, 2006, 10:54 pm

Hello Whisperer,

Let's try this instead.

STEP 1.
======
Silent Runners

Download Silentrunners.zip from here and unzip it a new folder on your desktop.
  • Run the SilentRunners.vbs file.
  • You will receive a prompt: "Do you want to skip supplementary searches?" - click NO
  • If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run.
  • This script is not malicious so please allow it.
  • A text file will appear in the folder - it's not done, let it run (it won't appear to be doing anything!)
  • Once the "All Done!" prompt flashes up, open the text file and copy & paste it in your next reply.
User avatar
Susan528
MRU Master
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby whisperer » January 16th, 2006, 5:51 am

Hi Susan528,

Please find below the results of the Silent Runner :)

"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"LogitechSoftwareUpdate" = ""C:\Program Files\Logitech\Video\ManifestEngine.exe" boot" ["Logitech Inc."]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"LVCOMSX" = "C:\WINDOWS\system32\LVCOMSX.EXE" ["Logitech Inc."]
"LogitechVideoRepair" = "C:\Program Files\Logitech\Video\ISStart.exe" ["Logitech Inc."]
"LogitechVideoTray" = "C:\Program Files\Logitech\Video\LogiTray.exe" ["Logitech Inc."]
"zSPGuard" = "\\gordons\i - gordon\spguard\spguard.exe /s" [** WMI GetObject error **]
"Zone Labs Client" = "I:\Firewall\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"AWMON" = ""I:\Ad-Aware SE Plus\Ad-Watch.exe"" ["Lavasoft Sweden"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"ASUS Probe" = "u:\asus\AsusProb.exe" [null data]
"WorkFlowTray" = ""F:\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"" ["ScanSoft, Inc."]
"Opware14" = ""F:\ScanSoft\OmniPagePro14.0\Opware14.exe"" ["ScanSoft, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "I:\SpyBot\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "U:\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "U:\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "U:\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "U:\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro Anti-Spyware Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "I:\Trend Spyware\sshook.dll" ["Trend Micro Incorporated"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "P:\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "P:\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "P:\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Logitech Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "I:\Microsoft\Microsoft AntiSpyware\shellextension.dll" [MS]
INFECTION WARNING! "{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro Anti-Spyware Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "I:\Trend Spyware\sshook.dll" ["Trend Micro Incorporated"]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "I:\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "I:\ewido\security suite\context.dll" ["ewido networks"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "U:\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "I:\ewido\security suite\context.dll" ["ewido networks"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "U:\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "U:\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Blue Lace 16.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\sspipes.scr" [MS]


Startup items in "Jennnifer" & "All Users" startup folders:
-----------------------------------------------------------

C:\Documents and Settings\Jennnifer\Start Menu\Programs\Startup
"Bandwidth Meter" -> shortcut to: "I:\Bandwidthmeter\BandwidthMeter.exe" [null data]
"DataKeeper" -> shortcut to: "U:\PowerQuest\Datakeeper\DataKeeper.exe -c "C:\Documents and Settings\Jennnifer\Local Settings\Application Data\DataKeeper\March05.dks"" ["PowerQuest Corporation"]
"MailWasherPro" -> shortcut to: "I:\MailWasher Pro\MailWasher.exe I:\MailWasher Pro\MailWasher.exe" ["Firetrust Ltd"]
"OUTLOOK.EXE" -> shortcut to: "P:\Microsoft Office\OFFICE11\OUTLOOK.EXE" [MS]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"APC UPS Status" -> shortcut to: "C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe" ["American Power Conversion Corporation"]
"Microsoft Office" -> shortcut to: "P:\Microsoft Office\Office10\OSA.EXE -b -l" [file not found]
"Watch" -> shortcut to: "C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe" ["Common Group"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "P:\MICROS~1\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

APC UPS Service, APC UPS Service, "C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe" ["American Power Conversion Corporation"]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "I:\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 33 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 18 seconds.
---------- (total run time: 101 seconds)
User avatar
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Unread postby Susan528 » January 16th, 2006, 6:24 pm

Hello Whisperer,

Let's try the following:

start > Run > copy and paste in:
sfc /scannow
Click 'OK'
You will need your XP/2000/ME disk. If you don't have it and instead only have a recovery CD, there is a work around. View the following link for a tutorial:

http://www.updatexp.com/scannow-sfc.html

sfc - system file checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

If you want to see what was replaced, right click My Computer > manage, expand event viewer > system.
User avatar
Susan528
MRU Master
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

sfc check

Unread postby whisperer » January 17th, 2006, 2:58 pm

Hi Susan528,

I have carried out a full sfc /scannow check in spite of the fact that my Wife had stated that all previous symptoms appear to have gone.

So I think it is time to close this thread off with a thank you for your expertise. I must now get back to PL4.... to refresh my own knowledge.

Again thanks for your help

Whisperer :wav:
User avatar
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Unread postby Susan528 » January 17th, 2006, 4:56 pm

You are welcome. Glad the previous symptoms are gone and you have joined us! :)
User avatar
Susan528
MRU Master
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby Nick-YF19 » February 5th, 2006, 11:23 am

Glad we could be of assistance.

This topic is now closed. If you wish it
reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: random/random and 39 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware