Full Version: Please help: winfixer popup problem
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
Delboy56
Hello,
I'm hoping someone can tell me what needs to be done to clean up this computer (my teen daughter's). She said she's run all her security scans, and is still having problems with pop-ups. Thank you very much for your help!

Logfile of HijackThis v1.99.1
Scan saved at 12:03:35 AM, on 12/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLHostManager.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Sam\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\gebcc.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O20 - Winlogon Notify: gebcc - C:\WINDOWS\system32\gebcc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
LoPhatPhuud
First:
You are currently using hijackthis from a temporary directory, or from the Desktop.
This can cause problems and will leave backups scattered.

Please create a directory on your c: drive called c:\hijackthis and download and unzip hijackthis into that directory.
Run the program from that directory from now on.

It is essential that you follow these steps or certain important features of the program will not function correctly.


Second:
Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this
    QUOTE
    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:
    QUOTE
    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
      C:\WINDOWS\system32\gebcc.dll

  • Press Enter to continue with the fix.
  • Next you will see:
    QUOTE
    Please type in the second filepath as instructed by the forum
    staff then press enter:
  • At this point please type the following file path (make sure to enter it exactly as below!):
      C:\WINDOWS\system32\ccbeg.*
      This will be the Vundo filename spelt backwards. For example, if the Vundo DLL was vundo.dll, you would have the user enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run, then HijackThis will open; if it does not open automatically, please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
      O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\gebcc.dll

      O15 - Trusted Zone: *.musicmatch.com (HKLM)

      O20 - Winlogon Notify: gebcc - C:\WINDOWS\system32\gebcc.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them into this topic, along with a new HiJackThis log and the vundofix.txt file from the vundofix folder.
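As an added example (not part of the thread, and not code from VundoFix or HijackThis), here is a Python script that applies the logic of the instructions above to a HijackThis log: it flags a DLL registered both as an O2 BHO and as an O20 Winlogon Notify entry, lists the lines to tick in HijackThis, and derives the reversed-name glob that VundoFix asks for as the second path. The sample log is constructed from the O2/O20 lines posted in this thread plus a few benign lines.

```python
"""Flag the Vundo persistence pattern in a HijackThis log.

Vundo registers one randomly named DLL under system32 twice: as a Browser
Helper Object (HJT section O2) so it loads into Internet Explorer, and as a
Winlogon Notify package (HJT section O20) so it loads into winlogon.exe.
VundoFix then wants the same base name spelt backwards (gebcc -> ccbeg.*)
because the companion file uses the reversed name with a varying extension.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample log: O2/O20 lines as posted in the thread, the rest benign.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\gebcc.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: gebcc - C:\WINDOWS\system32\gebcc.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "O2 - BHO: <name> - {CLSID} - <path>" and "O20 - Winlogon Notify: <key> - <path>"
O2_RE = re.compile(r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: \S+ - (?P<path>.+)$")


@dataclass(frozen=True)
class VundoHit:
    dll: str          # DLL path exactly as it appears in the log
    companion: str    # reversed-name glob for VundoFix's second prompt
    lines: tuple      # raw HJT lines to check and "Fix checked"


def companion_glob(dll_path):
    """C:\\WINDOWS\\system32\\gebcc.dll -> C:\\WINDOWS\\system32\\ccbeg.*"""
    folder, filename = ntpath.split(dll_path)
    stem, _ext = ntpath.splitext(filename)
    return ntpath.join(folder, stem[::-1] + ".*")


def in_system32(path):
    """True when the DLL's directory is a system32 folder (case-insensitive)."""
    return ntpath.dirname(path).lower().endswith("\\system32")


def find_vundo(log_text):
    """Return one VundoHit per DLL referenced by both an O2 and an O20 entry."""
    refs = {}  # lower-cased path -> {"path", "sections", "lines"}
    for raw in log_text.splitlines():
        line = raw.strip()
        for section, pattern in (("O2", O2_RE), ("O20", O20_RE)):
            m = pattern.match(line)
            if not m:
                continue
            path = m.group("path").strip().strip('"')
            entry = refs.setdefault(path.lower(),
                                    {"path": path, "sections": set(), "lines": []})
            entry["sections"].add(section)
            entry["lines"].append(line)
    hits = []
    for entry in refs.values():
        # Both hooks on the same random-named system32 DLL is the Vundo signature
        if {"O2", "O20"} <= entry["sections"] and in_system32(entry["path"]):
            hits.append(VundoHit(entry["path"],
                                 companion_glob(entry["path"]),
                                 tuple(entry["lines"])))
    return hits


if __name__ == "__main__":
    for hit in find_vundo(SAMPLE_LOG):
        print("Vundo DLL      :", hit.dll)
        print("Second filepath:", hit.companion)
        print("Fix in HJT     :")
        for line in hit.lines:
            print("   ", line)
```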
Delboy56
Thank you for your reply. I am having difficulty trying to get the desktop open in safe mode, and therefore cannot run KillVundo.bat as indicated. All I get is a blank screen with safe mode in the corners. I tried this multiple times, and the last time I tried I got a blue screen warning, with a message that filled the entire page, which I can't even begin to duplicate here. No cut & paste available at that point. Something to the effect that the computer was being shut down as a file error was detected that may cause damage to the computer, and then something about a physical dump at the bottom???? Help!
LoPhatPhuud
Was there any indication of the file that caused the error? We need Safe Mode to correctly remove the infection.
Delboy56
I went ahead and took the chance to run the VundoFix in regular mode, as there was no success getting into safe mode. Here are the requested results:
VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\gebcc.dll

The second filepath entered was C:\WINDOWS\system32\ccbeg.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 560 'smss.exe'
Error 0x6 : The handle is invalid.


Killing PID 1508 'explorer.exe'


Killing PID 648 'winlogon.exe'
Error 0x6 : The handle is invalid.

--------------------------------------------------------------------------------------

C:\WINDOWS\system32\gebcc.dll Deleted sucessfully.
C:\WINDOWS\system32\ccbeg.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------



Logfile of HijackThis v1.99.1
Scan saved at 7:17:07 PM, on 12/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLHostManager.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

ActiveScan report:


Incident Status Location

Adware:adware/delfinmedia Not disinfected C:\PROGRAM FILES\COMMON FILES\remove_tools.html
Adware:adware/browseraid Not disinfected C:\WINDOWS\SYSTEM32\inetp60.dll
Spyware:spyware/whazit Not disinfected C:\WINDOWS\SYSTEM32\kyf.dat
Adware:adware/keenvalue Not disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Sam\Application Data\tvmcwrd.dll
Adware:adware/ipinsight Not disinfected C:\WINDOWS\INF\conscorr.inf
Adware:adware/twain-tech Not disinfected C:\WINDOWS\INF\multimpp.inf
Adware:adware/ncase Not disinfected C:\WINDOWS\180ax.log
Adware:adware/effectivebrandtoolbarNot disinfected C:\WINDOWS\games.exe
Adware:adware/topconvert Not disinfected C:\PROGRAM FILES\TopConverting
Adware:adware/wupd Not disinfected C:\PROGRAM FILES\Windows SyncroAd
Adware:adware/sidesearch Not disinfected C:\Documents and Settings\Sam\Application Data\Lycos
Adware:adware/sqwire Not disinfected Windows Registry
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-24659d1d-748615b1.zip[A.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-24659d1d-748615b1.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3e7298f0-796badb3.zip[A.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3e7298f0-796badb3.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-6cd4c48c.zip[GetAccess.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-6cd4c48c.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-6cd4c48c.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-6cd4c48c.zip[Installer.class]
Adware:Adware/Comet Not disinfected C:\Documents and Settings\Sam\My Documents\sinstaller.exe
Adware:Adware/nCase Not disinfected C:\Program Files\backups\backup-20051216-163636-611.dll
Adware:Adware/nCase Not disinfected C:\Program Files\backups\backup-20051216-163638-413.dll
Adware:Adware/DelFinMedia Not disinfected C:\Program Files\Common Files\remove_tools.html
Adware:Adware/Comet Not disinfected C:\Program Files\Screensavers.com\Installer\bin\ScreensaversInst.dll
Adware:Adware/Ucmore Not disinfected C:\WINDOWS\games.exe[IUCMORE.DLL]
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\INF\conscorr.inf
Adware:Adware/MultiMPP Not disinfected C:\WINDOWS\INF\multimpp.inf
Virus:Trj/Qhost.Y Not disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
Adware:Adware/BrowserAid Not disinfected C:\WINDOWS\SYSTEM32\inetp60.dll
Adware:Adware/nCase Not disinfected C:\WINDOWS\SYSTEM32\mscjjn.dll
Adware:Adware/eZula Not disinfected C:\WINDOWS\SYSTEM32\msefoi.dll
Spyware:Spyware/ClientMan Not disinfected C:\WINDOWS\SYSTEM32\msiaih.dll
Adware:Adware/Ipend Not disinfected C:\WINDOWS\SYSTEM32\mskplb.dll
Virus:W32/Sdbot.ftp Not disinfected C:\WINDOWS\SYSTEM32\O
Virus:Trojan Horse Not disinfected C:\WINDOWS\SYSTEM32\O.BAT
LoPhatPhuud
Some progress seems to have been made, but the ActiveScan report shows a lot of infections still there...

Please download, install, and update the free version of Ewido Security Suite:
http://www.ewido.net/en/download/

[1]From the main ewido screen, click on update in the left menu, then click the Start update button.

[2]After the update finishes (the status bar at the bottom will display "Update successful")


Copy the following instructions to have handy as you will need to be offline, in SAFE MODE and with IE closed so you will not be able to view this page during the process.

Next, run a scan with Ewido.

[3]Click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so please be patient.

[4]If Ewido finds anything, it will pop up a notification. You can select "remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.

[5]When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Copy and paste the results from that scan back here please for review :)

*Note: Ewido is a free trial product for 14 days. After that you can purchase it for full features OR you can also keep the free version to use as an on-demand scanner (recommended).
You will still be able to manually update Ewido using the *update* button :)
Delboy56
Hi,
Once again, no luck getting the computer into Safe Mode, so I ran it in regular mode with IE closed. Here are the ewido scan results:


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:01:36 PM, 12/23/2005
+ Report-Checksum: A2E5D65A

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{0F2A4ADC-DABF-4980-8DB4-19F67D7B1F95} -> Spyware.ClearSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Dsi -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\ToolBar -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-112418592-3028830273-206835668-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-112418592-3028830273-206835668-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKU\S-1-5-21-112418592-3028830273-206835668-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} -> Spyware.MoneyTree : Cleaned with backup
HKU\S-1-5-21-112418592-3028830273-206835668-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{99410CDE-6F16-42CE-9D49-3807F78F0287} -> Spyware.Zango : Cleaned with backup
HKU\S-1-5-21-112418592-3028830273-206835668-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-112418592-3028830273-206835668-1007\Software\ToolBar -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\Sam\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\backups\backup-20051216-163636-611.dll -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\backups\backup-20051216-163638-413.dll -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\Screensavers.com\Installer\bin\ScreensaversInst.dll -> Spyware.Comet : Cleaned with backup
C:\setup304.exe -> Downloader.Agent.ac : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP582\A0057633.exe -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP582\A0057635.exe -> Spyware.WinShow : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP582\A0057636.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP583\A0057643.dll -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP583\snapshot\MFEX-21.DAT -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP589\A0058831.dll -> Spyware.Comet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP589\A0058998.dll -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP589\A0059004.dll -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP590\A0059047.dll -> Spyware.Comet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP590\A0059207.dll -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP590\A0059213.dll -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP591\A0062383.dll -> Spyware.Comet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP591\A0062539.dll -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP591\A0062545.dll -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP592\A0062653.dll -> Spyware.Comet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP592\A0062809.dll -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP592\A0062815.dll -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\SYSTEM32\mscjjn.dll -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\SYSTEM32\msiaih.dll -> Spyware.Ipend : Cleaned with backup
C:\WINDOWS\SYSTEM32\mskplb.dll -> Spyware.Ipend : Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup


::Report End
LoPhatPhuud
OK, please run HiJackThis again and post a new log in this thread.
Delboy56
Thanks for replying so quickly. I just got a 'winfixer' pop-up so not sure everything is clean. Here's the log you requested:


Logfile of HijackThis v1.99.1
Scan saved at 11:48:37 PM, on 12/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLHostManager.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [\\OFFICE\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "\\OFFICE\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
LoPhatPhuud
Before we go any further, we need to resolve the Safe Mode issue. If we cannot fix the problem, then trying to remove the more difficult infections is like putting a bandaid on a severed artery.

See if you can reboot in Safe Mode with Command Prompt or Safe Mode with Networking and let me know.

I am checking MS to see if I can find any more information. Final stop is to do restore installation.
Delboy56
I managed to get into safe mode with networking! What is the next step?
LoPhatPhuud
Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this
    QUOTE
    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....


  • At this point press enter one time.

  • Next you will see:
    QUOTE
    Please Type in the filepath as instructed by the forum staff
    and then press enter:


  • At this point please type the following file path (make sure to enter it exactly as below!):
      C:\WINDOWS\system32\gebcc.dll


  • Press Enter to continue with the fix.

  • Next you will see:
    QUOTE
    Please type in the second filepath as instructed by the forum
    staff then press enter:
  • At this point please type the following file path (make sure to enter it exactly as below!):
      C:\WINDOWS\system32\ccbeg.*
      This will be the Vundo filename spelt backwards. For example, if the Vundo DLL was vundo.dll, you would have the user enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run, then HijackThis will open; if it does not open automatically, please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
      (There are no items to remove in HJT at this time.)
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them into this topic, along with a new HiJackThis log and the vundofix.txt file from the vundofix folder.
Delboy56
Greetings of the Season!


Here are the results after running VundoFix in Safe Mode:


ActiveScan results:


Incident Status Location

Adware:adware/delfinmedia Not disinfected C:\PROGRAM FILES\COMMON FILES\remove_tools.html
Adware:adware/browseraid Not disinfected C:\WINDOWS\SYSTEM32\inetp60.dll
Spyware:spyware/whazit Not disinfected C:\WINDOWS\SYSTEM32\kyf.dat
Adware:adware/keenvalue Not disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Sam\Application Data\tvmcwrd.dll
Adware:adware/ipinsight Not disinfected C:\WINDOWS\INF\conscorr.inf
Adware:adware/twain-tech Not disinfected C:\WINDOWS\INF\multimpp.inf
Adware:adware/ncase Not disinfected C:\WINDOWS\180ax.log
Adware:adware/effectivebrandtoolbarNot disinfected C:\WINDOWS\games.exe
Adware:adware/topconvert Not disinfected C:\PROGRAM FILES\TopConverting
Adware:adware/wupd Not disinfected C:\PROGRAM FILES\Windows SyncroAd
Adware:adware/sidesearch Not disinfected C:\Documents and Settings\Sam\Application Data\Lycos
Adware:adware/sqwire Not disinfected Windows Registry
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-24659d1d-748615b1.zip[A.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-24659d1d-748615b1.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3e7298f0-796badb3.zip[A.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3e7298f0-796badb3.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-6cd4c48c.zip[GetAccess.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-6cd4c48c.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-6cd4c48c.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Sam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-6cd4c48c.zip[Installer.class]
Adware:Adware/Comet Not disinfected C:\Documents and Settings\Sam\My Documents\sinstaller.exe
Adware:Adware/DelFinMedia Not disinfected C:\Program Files\Common Files\remove_tools.html
Adware:Adware/Ucmore Not disinfected C:\WINDOWS\games.exe[IUCMORE.DLL]
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\INF\conscorr.inf
Adware:Adware/MultiMPP Not disinfected C:\WINDOWS\INF\multimpp.inf
Virus:Trj/Qhost.Y Not disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
Adware:Adware/BrowserAid Not disinfected C:\WINDOWS\SYSTEM32\inetp60.dll
Adware:Adware/eZula Not disinfected C:\WINDOWS\SYSTEM32\msefoi.dll
Virus:W32/Sdbot.ftp Not disinfected C:\WINDOWS\SYSTEM32\O
Virus:Trojan Horse Not disinfected C:\WINDOWS\SYSTEM32\O.BAT



Logfile of HijackThis v1.99.1
Scan saved at 11:40:21 AM, on 12/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: (no name) - Software - (no file)
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [\\OFFICE\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "\\OFFICE\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe




VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\gebcc.dll

The second filepath entered was C:\WINDOWS\system32\ccbeg*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 500 'smss.exe'
Error 0x6 : The handle is invalid.


Killing PID 1408 'explorer.exe'
Killing PID 1408 'explorer.exe'


Killing PID 576 'winlogon.exe'
Error 0x6 : The handle is invalid.

--------------------------------------------------------------------------------------

Could not delete C:\WINDOWS\system32\gebcc.dll.
C:\WINDOWS\system32\ccbeg* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------
Delboy56
(message edited in error, and deleted)
LoPhatPhuud
That is looking much better! Just a few more things to do.

First:
1. Download the Hoster from here: www.funkytoad.com/download/hoster.zip
2. Install the program and run it.
3. Press 'Restore Original Hosts' and press 'OK'
4. Exit Program.

Note: This program also has a Hosts file backup facility that you may want to use if you have added custom entries to the Hosts file.


Second:
Run AVG and do a full system scan, letting it remove all it finds.


Last:
Run HiJackThis again and post a new log in this thread.
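Hoster restores a stock hosts file, which fixes the Trj/Qhost.Y detection Panda reported. As an added example (not code from this thread, from Hoster or from any other tool named here), the following Python script shows what a defender looks for when auditing a hosts file by hand: vendor and update hosts pinned to loopback or 0.0.0.0, and names steered to some other address. The vendor watchlist and the sample hosts text are constructed for the example.

```python
"""Audit a Windows hosts file for tampering of the kind Panda labelled
Trj/Qhost.Y above. Added example for this thread; not code from the thread,
from Hoster or from any other tool named here. The watchlist and the sample
hosts text are constructed for the example."""
import ipaddress

# The only entry a stock Windows XP hosts file needs.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}

# Domains a hosts-file trojan typically pins to loopback so the machine can no
# longer fetch antivirus updates or reach vendor sites. Constructed watchlist;
# extend it with the update hosts of the products actually installed.
PROTECTED_SUFFIXES = (
    "grisoft.com", "pandasoftware.com", "ewido.net", "windowsupdate.com",
    "microsoft.com", "symantec.com", "mcafee.com",
)


def parse_hosts(text):
    """Return (line_number, address, [hostnames]) for each effective entry.
    Comments after '#' and blank lines are dropped, as the resolver does."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if line:
            fields = line.split()
            entries.append((lineno, fields[0], fields[1:]))
    return entries


def is_protected(host):
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def classify(ip_str, host):
    """Describe why one address/hostname pair is suspicious, or None if benign."""
    host = host.lower()
    if (ip_str, host) in DEFAULT_ENTRIES:
        return None
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return f"unparseable address {ip_str!r} for {host}"
    pinned_local = ip.is_loopback or ip.is_unspecified
    if pinned_local and is_protected(host):
        return f"security/update host {host} blocked via {ip_str}"
    if not pinned_local:
        # Steering a name to a real address is how phishing/ad hijacks work;
        # legitimate admin entries also land here, so report them for review.
        return f"{host} redirected to {ip_str}"
    return None  # other names pinned to loopback: ordinary ad-blocking entries


def audit_hosts(text):
    """Return [(line_number, finding), ...] for a hosts file's text."""
    findings = []
    for lineno, ip_str, names in parse_hosts(text):
        if not names:
            findings.append((lineno, "malformed entry: no hostname"))
            continue
        for name in names:
            finding = classify(ip_str, name)
            if finding:
                findings.append((lineno, finding))
    return findings


# Constructed sample: stock header, three blocked vendor hosts, two redirects.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.grisoft.com          # AV update site pinned to loopback
127.0.0.1       acs.pandasoftware.com
0.0.0.0         update.microsoft.com
192.0.2.10      www.comcast.net          # start page steered to another host
10.0.0.5        intranet.example         # legitimate admin entry, still reported
"""

if __name__ == "__main__":
    for lineno, finding in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {finding}")
```

Run it against a copy of `C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts` by reading the file and passing its text to `audit_hosts`. Every redirect is reported, including legitimate ones, because the script cannot know which non-loopback entries an administrator added; the point is that a stock XP hosts file contains nothing beyond `127.0.0.1 localhost`, so any finding at all deserves a look.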
Delboy56
Had a very difficult time getting through the AVG scan. I'd check on the progress only to find this blue screen error message on several occasions.

PAGE_FAULT_IN_NONPAGED-AREA

If this is the first time you've seen this stop error screen, restart your computer.............

The directions continued for a few paragraphs, then at the bottom:

Technical Information
***Stop: 0X00000050 (0XE260D000, 0X00000000, 0X804E7410, 0X0000000)

Beginning dump of physical memory
Physical memory dump complete


Also still getting winfixer popups.

Here's the Hijack This results:

Logfile of HijackThis v1.99.1
Scan saved at 11:36:22 PM, on 12/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLHostManager.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: (no name) - Software - (no file)
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [\\OFFICE\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "\\OFFICE\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
LoPhatPhuud
The AVG failure and your inability to enter plain Safe Mode bother me. Perhaps we should be looking for other rootkits, but I want to see if I can resolve this Winfixer issue first.

Your log shows no sign of Winfixer. The fact you get popups is strange. Try this.

Download this program: http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

Install and run it.

Then run HiJackThis again and finally, Silent Runners.


Please download SilentRunners from here:
http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the desktop and double-click on it.
If you get any kind of warning message about scripts, please choose to allow the script to run.
When the scan is finished, a message will pop up and a logfile will have been created on the desktop.
Please post the entire contents of this logfile for me to see.
Delboy56
Hello again,

Here are the requested logs:


[12/26/2005, 20:08:06] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\GHUBWXIN\VirtumundoBeGone[1].exe" )
[12/26/2005, 20:08:09] - Detected System Information:
[12/26/2005, 20:08:09] - Windows Version: 5.1.2600, Service Pack 2
[12/26/2005, 20:08:09] - Current Username: Sam (Admin)
[12/26/2005, 20:08:09] - Windows is in NORMAL mode.
[12/26/2005, 20:08:09] - Searching for Browser Helper Objects:
[12/26/2005, 20:08:09] - BHO 1: Software ()
[12/26/2005, 20:08:09] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/26/2005, 20:08:09] - No filename found. Continuing.
[12/26/2005, 20:08:09] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[12/26/2005, 20:08:09] - Finished Searching Browser Helper Objects
[12/26/2005, 20:08:09] - Finishing up...
[12/26/2005, 20:08:09] - Nothing found! Exiting...



Logfile of HijackThis v1.99.1
Scan saved at 8:10:34 PM, on 12/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLHostManager.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: (no name) - Software - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [\\OFFICE\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "\\OFFICE\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Sonic RecordNow!" = (empty string)
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]
"DellSupport" = ""C:\Program Files\Dell Support\DSAgnt.exe" /startup" ["Gteko Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MMTray" = "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" ["Musicmatch, Inc."]
"Dell AIO Printer A920" = ""C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"" ["Dell Computer Corporation"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"\\OFFICE\EPSON Stylus Photo R300 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "\\OFFICE\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"" ["SEIKO EPSON CORPORATION"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" ["Sonic Solutions"]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}" = "6 Months of AOL Included"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll" ["America Online, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshellext.dll" ["RealNetworks"]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a² Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
QuickFinderMenu\(Default) = "{C0E10002-0028-0004-C0E1-C0E1C0E1C0E1}"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL" ["Novell, Inc., c/o Corel Corporation Limited"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Sam\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssflwbox.scr" [MS]


Startup items in "Sam" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\Sam\Start Menu\Programs\Startup
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll" ["Yahoo! Inc."]

"{4D46ED77-1429-4CF6-8F63-C84B5D710BAF}" = "SpoofStick" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\CoreStreet\SpoofStick\SpoofStick.dll" ["CoreStreet, Ltd."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido anti-malware\ewidoguard.exe" ["ewido networks"]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Dell Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 120 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 11 seconds.
---------- (total run time: 152 seconds)
LoPhatPhuud
Puzzling. There is nothing to show Winfixer at all. A little cleanup and that is all.

Use HiJackThis (normal mode is fine) to remove this entry:
O2 - BHO: (no name) - Software - (no file)

If you can attach or post a copy of the pop-up window, it would help.
Delboy56
Hello,

I did a scan disk, and managed to get the safe mode working. Not sure if that was why, but at least I can get into safe mode now.

I updated and ran Spyware Blaster, and get an entry, that I am unable to check and enable protection against, that reads as follows:

Vundo.B {B313D637-F405-4052-AC37-E2119AB3C8F8}

I have a screen shot of the winfixer pop-up, and will post a link to it as soon as I can figure out how to upload it.
Delboy56
Here is the winfixer popup I told you about. I am also getting this amaena popup. Thanks for your help!
LoPhatPhuud
What I find strange about those pop-ups is the Window Title. They are both in Internet Explorer yet show Add Remove Programs and Windows Security Center.

Is your copy of explorer not working? Why are those titles showing? Are the actual Control Panels valid???

Something seems drastically wrong on your system.

Check both of the control panels and then check for a rootkit. I doubt there is one, but it needs to be eliminated.


Please download RootKitRevealer from here:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire contents of the log file here for me to see.
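RootkitRevealer reports discrepancies between the registry and file system as seen through the Windows API and the raw hive and disk data. An autostart entry that is "Hidden from Windows API" is exactly what an API-based scanner such as HijackThis cannot list, which is how a HijackThis log can look clean while a BHO still loads. As an added example (not code from this thread, from RootkitRevealer or from HijackThis), the Python script below parses RootkitRevealer's text export, keeps the discrepancies that sit under autostart registry locations, and checks whether each one is visible in a HijackThis log. The sample log text is constructed in each tool's line format; it reuses the BHO CLSID and the DLL name that appear in this thread, and the autostart location list is an assumption of the example.

```python
"""Cross-check RootkitRevealer discrepancies against a HijackThis log.
Added example for this thread, not code from either tool. Sample log text is
constructed in each tool's line format, reusing the CLSID and DLL name seen in
this thread; the autostart location list is this example's own assumption."""
import re

# Registry locations where a BHO / Winlogon hook persists (no trailing
# backslash so the raw strings stay valid; compared case-insensitively).
AUTOSTART_PREFIXES = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Classes\CLSID",
)

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# RootkitRevealer export line: <path> <m/d/yyyy> <h:mm AM|PM> <size> <reason>.
RKR_LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}\s+[AP]M\s+"
    r"(?P<size>[\d.]+\s+(?:bytes|KB|MB))\s+(?P<reason>.+?)\.?$"
)
HJT_ITEM_RE = re.compile(r"^[RFON]\d{1,2} - ")   # R0/O2/O4/... item lines
DLL_RE = re.compile(r"[\w~.-]+\.dll", re.IGNORECASE)


def parse_rkr(text):
    """Return one dict per RootkitRevealer discrepancy line (others ignored)."""
    entries = []
    for raw in text.splitlines():
        m = RKR_LINE_RE.match(raw.strip())
        if m:
            entries.append({"path": m.group("path"), "size": m.group("size"),
                            "reason": m.group("reason")})
    return entries


def parse_hjt(text):
    """Collect every CLSID (upper-cased) and DLL file name (lower-cased)
    that HijackThis listed."""
    clsids, dlls = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if HJT_ITEM_RE.match(line):
            clsids.update(c.upper() for c in CLSID_RE.findall(line))
            dlls.update(d.lower() for d in DLL_RE.findall(line))
    return clsids, dlls


def autostart_location(path):
    upper = path.upper()
    for prefix in AUTOSTART_PREFIXES:
        if upper.startswith(prefix.upper() + "\\"):
            return prefix
    return None


def triage(rkr_text, hjt_text):
    """Flag registry autostart discrepancies; severity is 'high' when the
    entry is hidden from the API and absent from the HijackThis log."""
    hjt_clsids, hjt_dlls = parse_hjt(hjt_text)
    findings = []
    for entry in parse_rkr(rkr_text):
        path = entry["path"]
        location = autostart_location(path)
        if location is None:      # file-system lines and other keys: out of scope
            continue
        leaf = path.rsplit("\\", 1)[-1]
        clsid = CLSID_RE.search(leaf)
        if clsid:
            ident = clsid.group(0).upper()
            seen = ident in hjt_clsids
        else:
            # Winlogon\Notify and Run entries are keyed by a short name that the
            # loaded DLL is usually named after (gebcc -> gebcc.dll).
            ident = leaf
            seen = any(d.startswith(leaf.lower() + ".") for d in hjt_dlls)
        hidden = "hidden from windows api" in entry["reason"].lower()
        findings.append({
            "key": path, "location": location, "ident": ident,
            "reason": entry["reason"], "visible_to_hijackthis": seen,
            "severity": "high" if hidden and not seen else "medium",
        })
    return findings


# Constructed sample in RootkitRevealer's export format.
SAMPLE_RKR = r"""
HKLM\SOFTWARE\Classes\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8} 12/22/2005 11:50 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B313D637-F405-4052-AC37-E2119AB3C8F8} 12/22/2005 11:50 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebcc 11/10/2005 3:23 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\IMT20.xml 12/27/2005 8:46 PM 1.95 KB Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleValue 12/27/2005 9:00 PM 12 bytes Data mismatch between Windows API and raw hive data.
"""

# Constructed HijackThis excerpt that looks clean: the hidden BHO is not listed.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - Software - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_RKR, SAMPLE_HJT):
        print(f["severity"].upper(), f["ident"], "-", f["reason"], "-", f["key"])
```

The three "high" findings in the sample are the same CLSID registered twice (the COM class and the BHO hook) plus a Winlogon Notify package, none of which the HijackThis excerpt shows. A mismatch that HijackThis does list drops to "medium": still worth reading, but not evidence that anything is being hidden from user-mode tools. Temp-file discrepancies are left out on purpose; they are common noise from files created while the scan was running.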
Delboy56
Sorry, check what control panels? Am I missing something here? From what I can see, the pop-ups are intended to mislead the user of the computer, ME, into thinking there is something wrong with their computer so they will click on the link. Aren't these the winfixer popups everyone is referring to in respect to the Vundo Trojan??? I will download and run the RootKitRevealer, as suggested, but you'll have to be a bit more specific about what control panels I need to check.

Thanks!
LoPhatPhuud
If you check the Title Bars in the two screen prints you posted, you will see the first part is either Add Remove Programs or Windows Security Center. The title usually shows the name of the page, etc. followed by the program name (Internet Explorer). I was wondering if the two control panels on your system had been compromised. Check Add/Remove Programs and Security Center to make sure they function correctly.

Also, if you do not go to the web, do these windows show up? Do you have IE pop-up blocker or another pop-up blocker set up?

From the two screen shots you posted, it would appear that these are web sites displaying them, and not necessarily anything on your system. As far as I can tell, your system is clean.

You should clean all the old temp files and folders as well as the Internet Cache. The best way is via Crap Cleaner. Here are instructions:

Download: Clear the Cache (freeware) http://www.ccleaner.com/
Once installed, run CCleaner, click the Windows [tab] and select the following options: (not all are available for Win98/ME)
Next: click Options, click Advanced.
Uncheck: "Only delete files older than 48 hrs", click OK. Then click Run Cleaner (bottom right), then Exit.

CCleaner should be run with the above settings for each user!
Delboy56
My Add/Remove Programs works fine. I removed all old versions of Java RTE and updated to the most recent version today, as well as uninstalled and reinstalled A-Squared, which didn't seem to be functioning correctly. I will check the Security Center when I go back to the compromised computer.


I thought I did have a pop-up blocker enabled on that computer (if not, could you suggest one?), but I still think these popups are related to winfixer.com.

Could you reply to my earlier post re: "I updated and ran Spyware Blaster and get an entry that I am unable to check and enable protection against that reads as follows:

Vundo.B {B313D637-F405-4052-AC37-E2119AB3C8F8}"
Delboy56
I just went to check the progress of the RootKitRevealer but it froze and there was an IE error message. I disconnected from the internet and am running again.

I will post the log as soon as that finishes, and then run the cache cleaner as suggested.

While checking, I also opened the Windows Security Center, and the Firewall, Automatic Updates & Virus Protection are all on. Is there a diagnostic check you wanted me to do?

Thanks again
Delboy56
Here is the root kit revealer result log you requested. Sorry it's so long, but I don't know how to post this as an attachment.


HKLM\SOFTWARE\Classes\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8} 12/22/2005 11:50 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B313D637-F405-4052-AC37-E2119AB3C8F8} 12/22/2005 11:50 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebcc 11/10/2005 3:23 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\IMT20.xml 12/27/2005 8:46 PM 1.95 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\IMT21.xml 12/27/2005 8:46 PM 1.95 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\IMT22.xml 12/27/2005 8:46 PM 1.95 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\IMT23.xml 12/27/2005 8:46 PM 1.95 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\IMT24.xml 12/27/2005 8:46 PM 1.95 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\IMT25.xml 12/27/2005 8:46 PM 1.95 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\IMT26.xml 12/27/2005 8:46 PM 426 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\IMT27.xml 12/27/2005 8:46 PM 426 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\IMT28.xml 12/27/2005 8:46 PM 426 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\IMT29.xml 12/27/2005 8:46 PM 426 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\IMT2A.xml 12/27/2005 8:46 PM 426 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\IMT2B.xml 12/27/2005 8:46 PM 426 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\IMT2C.xml 12/27/2005 8:46 PM 690.76 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\IMT2D.xml 12/27/2005 8:46 PM 690.76 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\IMT2E.xml 12/27/2005 8:46 PM 690.76 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\IMT2F.xml 12/27/2005 8:46 PM 690.76 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\IMT30.xml 12/27/2005 8:46 PM 690.76 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\IMT31.xml 12/27/2005 8:46 PM 690.76 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\MPC10.tmp 12/26/2005 1:03 PM 8.93 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\MPCA.tmp 12/26/2005 1:03 PM 8.93 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\MPCB.tmp 12/26/2005 1:03 PM 8.93 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\MPCC.tmp 12/26/2005 1:03 PM 8.93 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\MPCD.tmp 12/26/2005 1:03 PM 8.93 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\MPCE.tmp 12/26/2005 1:03 PM 8.93 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\MPCF.tmp 12/26/2005 1:03 PM 8.93 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\~DFA6E7.tmp 12/27/2005 8:46 PM 16.00 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\~DFA70B.tmp 12/27/2005 8:46 PM 16.00 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\~DFA710.tmp 12/27/2005 8:46 PM 16.00 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\~DFA712.tmp 12/27/2005 8:46 PM 16.00 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\~DFA714.tmp 12/27/2005 8:46 PM 16.00 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\~DFA718.tmp 12/27/2005 8:46 PM 16.00 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\~DFA733.tmp 12/27/2005 8:46 PM 16.00 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\~DFA73D.tmp 12/27/2005 8:46 PM 512 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\~DFA771.tmp 12/27/2005 8:46 PM 512 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\~DFA791.tmp 12/27/2005 8:46 PM 512 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\~DFA80A.tmp 12/27/2005 8:46 PM 512 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\~DFA880.tmp 12/27/2005 8:46 PM 512 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\~DFAA72.tmp 12/27/2005 8:46 PM 512 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temp\~DFAAEE.tmp 12/27/2005 8:46 PM 512 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\Common[1].js 12/27/2005 8:45 PM 3.08 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\Common[2].js 12/27/2005 8:45 PM 3.08 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\Common[3].js 12/27/2005 8:45 PM 3.08 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\Common[4].js 12/27/2005 8:45 PM 3.08 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\Common[5].js 12/27/2005 8:45 PM 3.08 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\Common[6].js 12/27/2005 8:45 PM 3.08 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\Common[7].js 12/27/2005 8:45 PM 3.08 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\Common[8].js 12/27/2005 8:45 PM 3.08 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\ebutton[1].bmp 12/27/2005 8:45 PM 2.30 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\ebutton[2].bmp 12/27/2005 8:45 PM 2.30 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\ebutton[5].bmp 12/27/2005 8:45 PM 2.30 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\HHWRAPPER[5].htm 12/27/2005 8:46 PM 713 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\locale[1].js 12/27/2005 8:45 PM 8.00 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\MiniNavBar[1].xml 12/27/2005 8:46 PM 1.94 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\MiniNavBar[2].xml 12/27/2005 8:46 PM 1.94 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\MiniNavBar[5].htm 12/27/2005 8:45 PM 4.65 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\NavBar[1].xml 12/27/2005 8:45 PM 2.77 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\NavBar[3].htm 12/27/2005 8:45 PM 22.38 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\shared[10].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\shared[11].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\shared[12].css 12/27/2005 8:46 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\shared[13].css 12/27/2005 8:46 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\shared[14].css 12/27/2005 8:46 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\shared[15].css 12/27/2005 8:46 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\shared[1].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\shared[2].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\shared[3].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\shared[4].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\shared[5].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\shared[6].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\shared[7].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\shared[8].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\01E34TUJ\shared[9].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\Common[1].js 12/27/2005 8:45 PM 3.08 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\Common[2].js 12/27/2005 8:45 PM 3.08 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\coUAprint[1].css 12/27/2005 8:46 PM 2.03 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\ebutton[1].bmp 12/27/2005 8:45 PM 2.30 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\ebutton[2].bmp 12/27/2005 8:45 PM 2.30 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\ebutton[3].bmp 12/27/2005 8:45 PM 2.30 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\firstpage[5].htm 12/27/2005 8:45 PM 714 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\locale[1].js 12/27/2005 8:45 PM 8.00 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\MiniNavBar[1].xml 12/27/2005 8:46 PM 1.94 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\MiniNavBar[2].xml 12/27/2005 8:46 PM 1.94 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\NavBar[1].xml 12/27/2005 8:45 PM 2.77 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\NavBar[2].xml 12/27/2005 8:45 PM 2.77 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[10].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[11].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[12].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[13].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[14].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[15].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[16].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[17].css 12/27/2005 8:46 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[18].css 12/27/2005 8:46 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[19].css 12/27/2005 8:46 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[1].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[1].xml 12/27/2005 8:45 PM 8.00 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[20].css 12/27/2005 8:46 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[21].css 12/27/2005 8:46 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[2].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[2].xml 12/27/2005 8:45 PM 8.00 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[3].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[3].xml 12/27/2005 8:45 PM 8.00 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[4].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[4].xml 12/27/2005 8:45 PM 8.00 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[5].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[5].xml 12/27/2005 8:45 PM 8.00 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[6].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[6].xml 12/27/2005 8:45 PM 8.00 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[7].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[7].xml 12/27/2005 8:45 PM 8.00 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[8].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0J94CS9Q\shared[9].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\8RATUVWX\blank[1].htm 12/27/2005 8:46 PM 608 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\8RATUVWX\Common[1].js 12/27/2005 8:45 PM 3.08 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\8RATUVWX\Common[2].js 12/27/2005 8:45 PM 3.08 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\8RATUVWX\Common[3].js 12/27/2005 8:45 PM 3.08 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\8RATUVWX\Context[2].htm 12/27/2005 8:45 PM 8.96 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\8RATUVWX\NavBar[1].xml 12/27/2005 8:45 PM 2.77 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\8RATUVWX\NavBar[2].xml 12/27/2005 8:45 PM 2.77 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\8RATUVWX\NavBar[3].xml 12/27/2005 8:45 PM 2.77 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\8RATUVWX\NavBar[4].xml 12/27/2005 8:45 PM 2.77 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\8RATUVWX\NavBar[5].xml 12/27/2005 8:45 PM 2.77 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\8RATUVWX\note[1].gif 12/27/2005 8:46 PM 123 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\8RATUVWX\shared[1].css 12/27/2005 8:45 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\8RATUVWX\shared[2].css 12/27/2005 8:46 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\8RATUVWX\shared[3].css 12/27/2005 8:46 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\8RATUVWX\shared[4].css 12/27/2005 8:46 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\8RATUVWX\shared[5].css 12/27/2005 8:46 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\8RATUVWX\shared[5].js 12/27/2005 8:46 PM 70.60 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\8RATUVWX\shared[6].css 12/27/2005 8:46 PM 5.37 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\8RATUVWX\Uabrand[1].gif 12/27/2005 8:46 PM 1.49 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\GHI1K3MN\Behaviors[2].css 12/27/2005 8:46 PM 1.15 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\GHI1K3MN\Common[1].js 12/27/2005 8:45 PM 3.08 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\GHI1K3MN\coUA[1].css 12/27/2005 8:46 PM 10.99 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\GHI1K3MN\ebutton[1].bmp 12/27/2005 8:45 PM 2.30 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\GHI1K3MN\ebutton[2].bmp 12/27/2005 8:45 PM 2.30 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\GHI1K3MN\ebutton[3].bmp 12/27/2005 8:45 PM 2.30 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\GHI1K3MN\ebutton[4].bmp 12/27/2005 8:45 PM 2.30 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\GHI1K3MN\index[1].php 12/27/2005 8:01 PM 18.52 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\GHI1K3MN\locale[1].js 12/27/2005 8:45 PM 8.00 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\GHI1K3MN\locale[2].js 12/27/2005 8:45 PM 8.00 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\GHI1K3MN\locale[3].js 12/27/2005 8:45 PM 8.00 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\GHI1K3MN\locale[4].js 12/27/2005 8:45 PM 8.00 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\GHI1K3MN\locale[5].js 12/27/2005 8:45 PM 8.00 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\GHI1K3MN\NavBar[1].xml 12/27/2005 8:45 PM 2.77 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\GHI1K3MN\NavBar[5].xml 12/27/2005 8:45 PM 2.77 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\GHI1K3MN\shared[1].js 12/27/2005 8:46 PM 70.60 KB Hidden from Windows API.
C:\WINDOWS\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat 12/26/2005 1:03 PM 10.11 KB Hidden from Windows API.
C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\tmp.edb 12/27/2005 8:45 PM 1.01 MB Hidden from Windows API.
C:\WINDOWS\Prefetch\HELPCTR.EXE-0BD5B31B.pf 12/27/2005 8:45 PM 33.09 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\HELPSVC.EXE-1C192440.pf 12/27/2005 8:45 PM 12.68 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-527366BD.pf 12/27/2005 8:43 PM 23.49 KB Hidden from Windows API.
C:\WINDOWS\qaz4.txt 12/27/2005 2:43 PM 3.56 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\ccbeg.bak1 12/24/2005 11:27 PM 394.00 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\ccbeg.bak2 12/26/2005 11:35 PM 395.42 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\gebcc.dll 12/27/2005 10:18 AM 532.02 KB Hidden from Windows API.
LoPhatPhuud
Crap Cleaner should take care of a lot of "garbage" on your system.

To be safer, this will remove a few more potential problems:

Download KILLBOX, extract it to your desktop.

Open killbox.exe.

First

Click on Tools>Delete Temp Files

A box will open with a list of all user profiles.

Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.

Temporary Internet Files
Temp Files
XP Prefetch

If you want to clean your cookies, history, and list of recent files run you may check those boxes as well.

Then,

Click the button titled "Delete Selected Temp Files".

Exit by clicking the button titled "Exit(Save Settings)".

Once back in the main Killbox program, check the following boxes:

Delete on Reboot

Highlight all the entries in the quote box below and then Copy them.
QUOTE
C:\WINDOWS\qaz4.txt
C:\WINDOWS\SYSTEM32\ccbeg.bak1
C:\WINDOWS\SYSTEM32\ccbeg.bak2
C:\WINDOWS\SYSTEM32\gebcc.dll

Then in killbox click File>>Paste from Clipboard

At this point the "All Files" button should be enabled so you can click it.

Click the "All Files" button.

Then click the Red X, and for the confirmation message that will appear, you will need to click Yes.

A second message will ask "Reboot now?"; you will need to click Yes to allow the reboot.

Note: Killbox will let you know if a file does not exist.

If you have any issues with this method, you can copy and paste the lines one at a time into the Killbox top box. Then click the "Single File" button. Then click the Red X, and for the confirmation message that will appear, you will need to click Yes. A second message will ask "Reboot now?"; you will need to click No until the last one, at which time you click Yes to allow the reboot.


Finally, post a new HijackThis log in this thread.
Delboy56
Well, I had to do the files singly, and after the last one, selected the reboot option. I got this message:

Pending File Rename Operations Registry Data has been removed by External Process!

The computer did not automatically reboot, I needed to shut down manually.

Here is a new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:02:29 PM, on 12/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\a-squared\a2guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLHostManager.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [\\OFFICE\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "\\OFFICE\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LCOHIVVCJIFH - Unknown owner - C:\DOCUME~1\Sam\LOCALS~1\Temp\LCOHIVVCJIFH.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


I appreciate your help!
LoPhatPhuud
The file that would not delete is part of Vundo (Winfixer). Let's try this again.

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this
    QUOTE
    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:
    QUOTE
    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
      C:\WINDOWS\SYSTEM32\gebcc.dll

  • Press Enter to continue with the fix.
  • Next you will see:
    QUOTE
    Please type in the second filepath as instructed by the forum
    staff then press enter:
  • At this point please type the following file path (make sure to enter it exactly as below!):
      C:\WINDOWS\SYSTEM32\ccbeg.*
      This will be the Vundo filename spelt backwards. For example, if the Vundo DLL was vundo.dll you would have the user enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:
      O23 - Service: LCOHIVVCJIFH - Unknown owner - C:\DOCUME~1\Sam\LOCALS~1\Temp\LCOHIVVCJIFH.exe (file missing)
  • After you have fixed these items, close HijackThis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here, along with a new HijackThis log and the vundofix.txt file from the VundoFix folder, into this topic.
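The pattern the helper is acting on in this thread (one DLL registered as both an O2 BHO and an O20 Winlogon Notify handler, hidden from the Windows API by RootkitRevealer's reckoning, with backup copies named with the DLL name spelled backwards, plus an O23 service whose file is missing) can be checked mechanically against the two log formats posted above. This is an added example, not code from the thread or from HijackThis, RootkitRevealer or VundoFix; the sample log lines are constructed to match the formats above, and `triage`, `reversed_wildcard` and the finding labels are names chosen here.

```python
"""Log triage for the Vundo indicators acted on in this thread (added example, not tool code)."""
import re
from collections import defaultdict

# Constructed samples in the same line formats as the HijackThis and RootkitRevealer logs above.
HJT_SAMPLE = r"""
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\gebcc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O20 - Winlogon Notify: gebcc - C:\WINDOWS\system32\gebcc.dll
O23 - Service: LCOHIVVCJIFH - Unknown owner - C:\DOCUME~1\Sam\LOCALS~1\Temp\LCOHIVVCJIFH.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""
RKR_SAMPLE = r"""
C:\Documents and Settings\Sam\Local Settings\Temp\IMT20.xml 12/27/2005 8:46 PM 1.95 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\ccbeg.bak1 12/24/2005 11:27 PM 394.00 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\ccbeg.bak2 12/26/2005 11:35 PM 395.42 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\gebcc.dll 12/27/2005 10:18 AM 532.02 KB Hidden from Windows API.
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
RKR_LINE = re.compile(
    r"^(?P<path>.+?) \d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M "
    r"(?P<size>[\d.]+ (?:bytes|KB|MB)) (?P<status>.+?)\.?$"
)
MISSING = " (file missing)"


def stem(path):
    """File name without its extension, lower-cased: gebcc.dll -> gebcc, ccbeg.bak1 -> ccbeg."""
    name = re.split(r"[\\/]", path)[-1]
    return name.rsplit(".", 1)[0].lower()


def reversed_wildcard(dll_path):
    """The second VundoFix input used above: same directory, stem spelled backwards, any extension."""
    directory = dll_path[: len(dll_path) - len(re.split(r"[\\/]", dll_path)[-1])]
    return directory + stem(dll_path)[::-1] + ".*"


def hjt_entries(text):
    """Parse O2/O20/O23 lines; the path is the last ' - ' field, minus any '(file missing)' tag."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m or m.group(1) not in ("O2", "O20", "O23"):
            continue
        section, rest = m.groups()
        missing = rest.endswith(MISSING)
        if missing:
            rest = rest[: -len(MISSING)]
        entries.append({"section": section, "path": rest.rsplit(" - ", 1)[-1].strip(), "missing": missing})
    return entries


def rkr_entries(text):
    """Parse RootkitRevealer lines into path and status (the text after the size)."""
    out = []
    for raw in text.splitlines():
        m = RKR_LINE.match(raw.strip())
        if m:
            out.append({"path": m.group("path"), "status": m.group("status")})
    return out


def triage(hjt_text, rkr_text):
    """Return sorted (finding, lower-cased path) pairs matching the pattern the helper fixed."""
    entries = hjt_entries(hjt_text)
    sections = defaultdict(set)  # DLL path -> {"O2", "O20"}
    for e in entries:
        if e["section"] in ("O2", "O20"):
            sections[e["path"].lower()].add(e["section"])
    findings = set()
    # One DLL loaded both as a BHO and as a Winlogon Notify handler (gebcc.dll above).
    for path, secs in sections.items():
        if {"O2", "O20"} <= secs:
            findings.add(("bho_and_winlogon_notify", path))
    # A service whose binary is gone: the O23 line HijackThis was told to fix above.
    for e in entries:
        if e["section"] == "O23" and e["missing"]:
            findings.add(("service_file_missing", e["path"].lower()))
    # Cross-check with RootkitRevealer: the loaded DLL itself hidden from the API, and backup
    # copies whose stem is the DLL stem reversed (ccbeg.bak1/.bak2 for gebcc.dll).
    reversed_stems = {stem(p)[::-1] for p in sections}
    for h in rkr_entries(rkr_text):
        if not h["status"].startswith("Hidden from Windows API"):
            continue
        p = h["path"].lower()
        if p in sections:
            findings.add(("hidden_loaded_dll", p))
        elif stem(p) in reversed_stems:
            findings.add(("reversed_name_backup", p))
    return sorted(findings)


if __name__ == "__main__":
    for finding, path in triage(HJT_SAMPLE, RKR_SAMPLE):
        print(f"{finding:24} {path}")
    print("VundoFix second input:", reversed_wildcard(r"C:\WINDOWS\SYSTEM32\gebcc.dll"))
```

The Temp cache entries in the RootkitRevealer log are ignored because neither their path nor their reversed stem ties back to anything HijackThis shows loaded, which is the same reason the helper only sent the system32 entries to Killbox.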
Delboy56
You sure must be getting tired of me ; )

Here are the log files after VundoFix, CleanUp & ActiveScan.


VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\gebcc.dll

The second filepath entered was C:\WINDOWS\system32\ccbeg.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 132 'smss.exe'
Error 0x6 : The handle is invalid.


Killing PID 740 'explorer.exe'
Killing PID 740 'explorer.exe'


Killing PID 204 'winlogon.exe'
Error 0x6 : The handle is invalid.

--------------------------------------------------------------------------------------

Could not delete C:\WINDOWS\system32\gebcc.dll.
C:\WINDOWS\system32\ccbeg.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------



After running Vundofix, you had indicated selecting the following to remove with HijackThis:

O23 - Service: LCOHIVVCJIFH - Unknown owner - C:\DOCUME~1\Sam\LOCALS~1\Temp\LCOHIVVCJIFH.exe (file missing)

I also noticed & checked the following two items:

O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\gebcc.dll

O20 - Winlogon Notify: gebcc - C:\WINDOWS\system32\gebcc.dll




Logfile of HijackThis v1.99.1
Scan saved at 12:33:15 AM, on 12/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLHostManager.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [\\OFFICE\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "\\OFFICE\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


(I'll post an Active Scan shortly)
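Reading entries like the O2/O20 pair above by hand is what this thread turns on, so here is an added example (my own code, not the thread's or HijackThis's) that does the same triage over a constructed excerpt of this log: it flags a DLL registered both as an O2 BHO and as an O20 Winlogon Notify handler, and any O23 service that is "(file missing)" or runs from a Temp directory. The parsing helpers and the sample excerpt are my assumptions about the log layout.

```python
"""Added example: triage of HijackThis v1.99 log entries (not the thread's own tool).

Two patterns from this thread are checked:
  * one DLL registered both as an O2 BHO and as an O20 Winlogon Notify
    handler (the Vundo/Virtumonde layout seen here with gebcc.dll);
  * an O23 service that is "(file missing)" or runs from a Temp directory.
"""
import re

# Constructed excerpt modelled on the logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\gebcc.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: gebcc - C:\WINDOWS\system32\gebcc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: LCOHIVVCJIFH - Unknown owner - C:\DOCUME~1\Sam\LOCALS~1\Temp\LCOHIVVCJIFH.exe (file missing)
"""

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
FILE_MISSING = " (file missing)"
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)   # matches ...\LOCALS~1\Temp\...


def parse_hjt(text):
    """Return [(section, body)] for every R*/O* line of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def _path_of(body):
    """HijackThis puts the file path in the last ' - ' separated field."""
    return body.rsplit(" - ", 1)[-1].strip()


def _norm(path):
    """Lower-case the path and drop HijackThis's '(file missing)' marker."""
    p = path.strip()
    if p.lower().endswith(FILE_MISSING):
        p = p[: -len(FILE_MISSING)]
    return p.lower()


def bho_notify_overlap(entries):
    """DLLs that appear both as an O2 BHO and as an O20 Winlogon Notify DLL."""
    bhos = {_norm(_path_of(b)) for s, b in entries if s == "O2"}
    notify = {_norm(_path_of(b)) for s, b in entries if s == "O20"}
    return sorted(bhos & notify)


def suspicious_services(entries):
    """O23 services whose binary is missing or lives under a Temp directory."""
    hits = []
    for sec, body in entries:
        if sec != "O23":
            continue
        path = _path_of(body)
        if path.lower().endswith(FILE_MISSING) or TEMP_DIR.search(path):
            hits.append(body)
    return hits


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    for dll in bho_notify_overlap(entries):
        print("BHO + Winlogon Notify on the same DLL:", dll)
    for svc in suspicious_services(entries):
        print("Review service:", svc)
```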
Delboy56
Good morning,

Just wanted to let you know I turned the computer on this morning to do the Active Scan, and got those same popups. I started the scan, and then got a series of popups, all looking like system messages, prompting me to install and run winfix, and the scan shut down. I'm going to try going back to square one, and do the VundoFix and CleanUp before trying the scan again.


I also had tried and was unable to do a system restore on this computer prior to coming here for help, which brings me to my next question. Many of the other online solutions for the Vundo.Trojan require that the system restore be turned off before going ahead with the fixes. Is this something I should have done?


They also say the compromised computer can infect other network users, which concerns me, because we have three home computers networked. Is there something I should be doing to prevent this from spreading to them? I'm only connecting this computer to the Router/Cable Modem when I have to do the diagnostic scans you suggest and post logs.

Thanks for any suggestions!
Delboy56
Ran VundoFix again, here is the log:

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\gebcc.dll

The second filepath entered was C:\WINDOWS\system32\ccbeg.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 132 'smss.exe'
Error 0x6 : The handle is invalid.


Killing PID 736 'explorer.exe'
Killing PID 736 'explorer.exe'


Killing PID 204 'winlogon.exe'
Error 0x6 : The handle is invalid.

--------------------------------------------------------------------------------------

Could not delete C:\WINDOWS\system32\gebcc.dll.
C:\WINDOWS\system32\ccbeg.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------


Then when HijackThis did its autoscan, I once again noticed & checked the following two items:

O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\gebcc.dll

O20 - Winlogon Notify: gebcc - C:\WINDOWS\system32\gebcc.dll



Logfile of HijackThis v1.99.1
Scan saved at 10:28:29 AM, on 12/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [\\OFFICE\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "\\OFFICE\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


ActiveScan report:


Incident Status Location

Adware:adware/delfinmedia Not disinfected C:\PROGRAM FILES\COMMON FILES\remove_tools.html
Adware:adware/browseraid Not disinfected C:\WINDOWS\SYSTEM32\inetp60.dll
Spyware:spyware/whazit Not disinfected C:\WINDOWS\SYSTEM32\kyf.dat
Adware:adware/keenvalue Not disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Sam\Application Data\tvmcwrd.dll
Adware:adware/ipinsight Not disinfected C:\WINDOWS\INF\conscorr.inf
Adware:adware/twain-tech Not disinfected C:\WINDOWS\INF\multimpp.inf
Adware:adware/ncase Not disinfected C:\WINDOWS\180ax.log
Adware:adware/effectivebrandtoolbar Not disinfected C:\WINDOWS\games.exe
Adware:adware/topconvert Not disinfected C:\PROGRAM FILES\TopConverting
Adware:adware/wupd Not disinfected C:\PROGRAM FILES\Windows SyncroAd
Adware:adware/sidesearch Not disinfected C:\Documents and Settings\Sam\Application Data\Lycos
Adware:adware/sqwire Not disinfected Windows Registry
Adware:Adware/DelFinMedia Not disinfected C:\Program Files\Common Files\remove_tools.html
Adware:Adware/Ucmore Not disinfected C:\WINDOWS\games.exe[IUCMORE.DLL]
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\INF\conscorr.inf
Adware:Adware/MultiMPP Not disinfected C:\WINDOWS\INF\multimpp.inf
Adware:Adware/BrowserAid Not disinfected C:\WINDOWS\SYSTEM32\inetp60.dll
Adware:Adware/eZula Not disinfected C:\WINDOWS\SYSTEM32\msefoi.dll
Virus:W32/Sdbot.ftp Not disinfected C:\WINDOWS\SYSTEM32\O
Virus:Trojan Horse Not disinfected C:\WINDOWS\SYSTEM32\O.BAT
LoPhatPhuud
That seems to have it.

The Active scan listed several files that it caught but apparently did not remove. I suggest you delete each one in Safe Mode.

Reboot, and wait a day or two, then run HiJackThis again and post back in this thread.
Delboy56
Hi and thanks for your reply.

Just so I'm clear on this, which files need to be removed, and how do I remove them? Using an application, or by going into the C: drive and deleting them?

Thanks again!
Pam
LoPhatPhuud
Delete all the files listed below. You will have to find each one, then right-click on it and select Delete. The other way is to drag each file to the Recycle Bin and then empty the Recycle Bin when all the files are there. You are free to choose whichever method is the easiest for you. There is no program to do this.


C:\PROGRAM FILES\COMMON FILES\remove_tools.html
C:\WINDOWS\SYSTEM32\inetp60.dll
C:\WINDOWS\SYSTEM32\kyf.dat
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
C:\Documents and Settings\Sam\Application Data\tvmcwrd.dll
C:\WINDOWS\INF\conscorr.inf
C:\WINDOWS\INF\multimpp.inf
C:\WINDOWS\180ax.log
C:\WINDOWS\games.exe
C:\PROGRAM FILES\TopConverting
C:\PROGRAM FILES\Windows SyncroAd
C:\Program Files\Common Files\remove_tools.html
C:\WINDOWS\games.exe
C:\WINDOWS\INF\conscorr.inf
C:\WINDOWS\INF\multimpp.inf
C:\WINDOWS\SYSTEM32\inetp60.dll
C:\WINDOWS\SYSTEM32\msefoi.dll
C:\WINDOWS\SYSTEM32\O
C:\WINDOWS\SYSTEM32\O.BAT
Delboy56
Still having problems with winfixer popups.


Logfile of HijackThis v1.99.1
Scan saved at 8:29:54 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLHostManager.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\dwwin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [\\OFFICE\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "\\OFFICE\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
LoPhatPhuud
Update Ewido, run it in Safe Mode and post its log in this thread.
Delboy56
Sorry it's taken me so long to post this. Had a problem updating Ewido, then ran it, and couldn't find the report. The first scan removed 9 items, but I think the latest report saved over it, as there was only one file when I did locate the report folder. Can't seem to permanently delete this gebcc.dll file.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:31:48 AM, 1/11/2006
+ Report-Checksum: F38B3A0E

+ Scan result:

[748] C:\WINDOWS\system32\gebcc.dll -> Adware.Virtumonde : Cleaned with backup


::Report End
Mosaic1
Hi,

I helped someone with a similar problem a while back. Your problem is that the vundofix is not running correctly. It cannot kill the processes it needs to in order to remove the infection properly. This is a matter of not having SeDebug privilege.

The vundofix log shows these entries, and they indicate the problem (The handle is invalid):
Killing PID 132 'smss.exe'
Error 0x6 : The handle is invalid.

Killing PID 204 'winlogon.exe'
Error 0x6 : The handle is invalid.



Did you ever have an L2M infection? At any rate, please do this as a matter of diagnostics.

Download L2mfix from one of these links:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop. Double click l2mfix.exe. Click the Install button to extract the files and follow the prompts. Open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into your next reply here.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
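To show what the find log's Winlogon Notify section is inspected for, here is an added example (my own code, not the thread's or L2Mfix's) that parses that section of the .reg-style export, decodes the hex(2) DllName values into DLL names, and lists every Notify subkey outside a stock XP SP2 baseline. The baseline set, the parsing helpers and the constructed gebcc subkey (modelled on the O20 entry posted in this thread) are my assumptions.

```python
"""Added example: decode the Winlogon Notify section of an L2Mfix find log
(not the thread's own tool). Notify DLLs are loaded by winlogon.exe, which is
why the O20 gebcc.dll entry in this thread matters."""
import re

# Stock Winlogon Notify subkeys on Windows XP SP2 (assumed baseline);
# anything else is worth a look, not automatically bad.
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Constructed excerpt in the .reg export format the find log uses. The gebcc
# subkey is made up here, modelled on the O20 entry posted in this thread.
SAMPLE_FIND_LOG = r"""
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebcc]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):67,00,65,00,62,00,63,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
"""

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Winlogon\\Notify\\([^\]]+)\]$", re.IGNORECASE)
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.+)$')


def _unfold(text):
    """Join .reg continuation lines (a trailing backslash) into one line each."""
    out, buf = [], ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1]
            continue
        out.append(buf + line.strip())
        buf = ""
    if buf:
        out.append(buf)
    return out


def _decode_value(raw):
    """Turn a .reg value into text: quoted REG_SZ as-is, hex(2) REG_EXPAND_SZ
    decoded from its UTF-16LE byte list; other kinds (dword) are left raw."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw.lower().startswith("hex"):
        data = raw.split(":", 1)[1]
        blob = bytes(int(b, 16) for b in data.split(",") if b.strip())
        return blob.decode("utf-16-le").rstrip("\x00")
    return raw


def notify_dlls(find_log):
    """Map each Winlogon Notify subkey in the log to the DLL it loads."""
    dlls, current = {}, None
    for line in _unfold(find_log):
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1) if m else None   # parent key or other hive
            continue
        m = VAL_RE.match(line)
        # The value name appears as both "DllName" and "DLLName" in real logs.
        if current and m and m.group("name").lower() == "dllname":
            dlls[current] = _decode_value(m.group("val"))
    return dlls


def review(dlls):
    """Subkeys outside the stock baseline, with the DLL each one loads."""
    return sorted((k, v) for k, v in dlls.items() if k.lower() not in STOCK_NOTIFY)


if __name__ == "__main__":
    found = notify_dlls(SAMPLE_FIND_LOG)
    for subkey, dll in found.items():
        print(f"{subkey:14} -> {dll}")
    for subkey, dll in review(found):
        print("Not in stock XP SP2 Notify set, review:", subkey, dll)
```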
Mosaic1
Also please post a new HijackThis log. And do disconnect this computer from your network to clean it. Check your other computers for this same problem but do not post logs for those here in this thread.

You may have been reinfected.


There has been an issue found recently with Sun Java.

When newer versions are installed, the older versions are left behind and malware can call these older versions to exploit flaws. Some malware has been found to install this way.

First update to the very latest version of Sun Java.

Then go into Add Remove programs and uninstall any older versions you find listed there.


Be sure your Windows Updates are up to date!
Delboy56
L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{252EF2B4-3FA8-4C37-847B-357A08022EA9}"=""
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is B08D-9F26

Directory of C:\WINDOWS\System32

01/15/2006 02:16 PM 398,771 ccbeg.ini
07/04/2005 08:26 AM <DIR> DLLCACHE
12/08/2003 08:57 PM <DIR> Microsoft
1 File(s) 398,771 bytes
2 Dir(s) 55,074,680,832 bytes free




Logfile of HijackThis v1.99.1
Scan saved at 2:18:09 PM, on 1/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\a-squared\a2guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLHostManager.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1124502653\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [\\OFFICE\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "\\OFFICE\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Mosaic1
That looks clean. Are you having any problems currently?

I would like you to run part 2 of the l2mfix in any event please.


Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread.
Delboy56
Still having multiple Winfixer popups. I'm on my other computer, so will run part 2 and post log as soon as possible. Thanks!
Delboy56
L2mfix 010406
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/notibac.reg (164 bytes security) (deflated 88%)
Mosaic1
Looks like you have something disabled. Seclogon. Let's check.


Go to Start > Run and type cmd.exe
Press enter

Copy and paste this into the command window when it opens (right click in the command window and click on Paste),
then press enter:

sc query seclogon >s.txt & Start Notepad s.txt


When s.txt opens, paste in the contents to your next reply please.
Delboy56
Here's the s.txt log

SERVICE_NAME: seclogon
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
Mosaic1
No seclogon is the usual reason we get that kind of a log where second.bat didn't run. If I get any more information on this issue, I'll post it.

You look to have no current infections. If the problem returns, let us know.
Mosaic1
Ok I went back and read again. I seem to have missed one of your posts. You say you are still having winfixer popups?


Let's try this:


Try this app: BlackLight Beta from here:

http://www.f-secure.com/blacklight/try.shtml

click "I accept" at bottom of page which takes you to download site.
Download the app to the desktop.
Double click it, accept the agreement, make sure "scan through windows explorer" IS checked, then hit "scan".
It should only take at most 5 minutes.

If there are any results, don't rename anything yet!
Sometimes legit items are listed along with baddies.
Just hit next> finish.

Log will be created on desktop that starts with fsbl-datetime.log

Post its results here.
-----------------

And then this one:

Download RootkitRevealer
http://www.sysinternals.com/utilities/rootkitrevealer.html


Extract RootkitRevealer

Double click on RootkitRevealer and press scan.

It will take some time to do a complete scan. When finished press file/save and post the contents of the log please.
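As an added example (not part of this thread, and not Sysinternals' tool), a small Python triage script for the text log that RootkitRevealer saves: it parses each line, separates the System Restore noise from entries genuinely hidden from the Windows API, ranks hidden autostart and COM registration keys highest, and ties together hidden keys that share a CLSID. It assumes the line shape path, timestamp, size, description; the embedded sample lines are copied from the RootkitRevealer output Delboy56 posts in reply.

```python
# Triage helper for a RootkitRevealer text log (added example; assumes each
# line has the shape "<path> <M/D/YYYY h:mm AM|PM> <size> <description>").
import re
from dataclasses import dataclass

# Registry locations that load code at logon or into every Explorer/IE process.
# A key hidden from the Windows API under one of these is the pattern this
# thread is chasing (hidden CLSID + BHO + Winlogon\Notify entry).
AUTOSTART_PREFIXES = (
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Classes\CLSID",
)
RESTORE_PREFIX = r"c:\system volume information\_restore"

LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB|GB))\s+"
    r"(?P<desc>.+?)\s*$"
)
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Finding:
    path: str
    when: str
    size: str
    desc: str
    severity: str  # high | medium | low | noise
    reason: str


def classify(path, desc):
    """Return (severity, reason) for one discrepancy line."""
    is_registry = path.startswith(("HKLM\\", "HKCU\\"))
    if path.lower().startswith(RESTORE_PREFIX):
        # System Restore writes snapshots while the scan runs; these MFT/API
        # mismatches show up on clean machines as well.
        return "noise", "System Restore snapshot entry"
    if desc.startswith("Hidden from Windows API"):
        if is_registry:
            if any(path.lower().startswith(p.lower()) for p in AUTOSTART_PREFIXES):
                return "high", "autostart or COM registration key hidden from the Windows API"
            return "medium", "registry key hidden from the Windows API"
        return "medium", "file hidden from the Windows API"
    if "Data mismatch" in desc or "length not consistent" in desc:
        return "low", "value differed between API and raw hive read (often a timing race)"
    return "low", "unclassified discrepancy"


def parse_log(text):
    """Parse the saved log into Finding objects, skipping lines of another shape."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        severity, reason = classify(m["path"], m["desc"])
        findings.append(Finding(m["path"], m["when"], m["size"], m["desc"], severity, reason))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def guid_pivots(findings):
    """Map each GUID seen in more than one hidden registry key to those keys.
    A GUID shared by Classes\\CLSID and Browser Helper Objects ties the hidden
    COM server to the IE add-on that loads it."""
    by_guid = {}
    for f in findings:
        if f.severity not in ("high", "medium") or not f.path.startswith(("HKLM\\", "HKCU\\")):
            continue
        for g in GUID_RE.findall(f.path):
            by_guid.setdefault(g.upper(), []).append(f.path)
    return {g: paths for g, paths in by_guid.items() if len(paths) > 1}


# Sample input: six lines copied from the RootkitRevealer output posted in this thread.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Classes\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8} 12/28/2005 10:14 AM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\ID 1/18/2006 6:00 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B313D637-F405-4052-AC37-E2119AB3C8F8} 12/28/2005 10:14 AM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebcc 12/28/2005 10:14 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\1YI7G2NF\WinFixer2005FreeInstall[1].exe 1/18/2006 6:03 PM 8.00 KB Hidden from Windows API.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\A0049210.ini 10/1/2005 11:50 AM 1.19 KB Visible in Windows API, but not in MFT or directory index.
"""

if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print(summarize(found))
    for f in found:
        if f.severity != "noise":
            print(f"[{f.severity}] {f.path}: {f.reason}")
```

Run it against a saved RootkitRevealer log by passing the file's contents to parse_log; the high entries are the ones to carry into the next HijackThis or l2mfix step.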
Delboy56
fsbl-datetime.log

01/18/06 15:47:32 [Info]: BlackLight Engine 1.0.30 initialized
01/18/06 15:47:32 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/18/06 15:47:36 [Note]: 7019 4
01/18/06 15:47:36 [Note]: 7005 0
01/18/06 15:48:25 [Note]: 7006 0
01/18/06 15:48:25 [Note]: 7011 1496
01/18/06 15:48:26 [Note]: FSRAW library version 1.7.1014
01/18/06 15:51:37 [Info]: Hidden file: C:\WINDOWS\qaz4.txt
01/18/06 15:51:37 [Note]: 7002 0
01/18/06 15:51:37 [Note]: 7003 1
01/18/06 15:51:37 [Note]: 10002 1
01/18/06 15:54:47 [Note]: 7007 0

RootkitRevealer

HKLM\SOFTWARE\Classes\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8} 12/28/2005 10:14 AM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\ID 1/18/2006 6:00 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name 1/18/2006 6:00 PM 38 bytes Windows API length not consistent with raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B313D637-F405-4052-AC37-E2119AB3C8F8} 12/28/2005 10:14 AM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebcc 12/28/2005 10:14 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\0HM3092Z\index[1].htm 1/18/2006 6:03 PM 9.23 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\1YI7G2NF\WinFixer2005FreeInstall[1].exe 1/18/2006 6:03 PM 8.00 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\3RHCG5RJ\bar[1].gif 1/18/2006 6:03 PM 5.33 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\3RHCG5RJ\top_pic_new[1].gif 1/18/2006 6:03 PM 7.29 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\58CCMZ2L\win_fixer_banner[1].swf 1/18/2006 6:03 PM 4.56 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\7UJOMUVQ\ico4[1].gif 1/18/2006 6:03 PM 232 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\81KFGJM5\logo[1].gif 1/18/2006 6:03 PM 3.52 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\85UBGH6B\top1_menu[1].gif 1/18/2006 6:03 PM 1.36 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\85UJGLEJ\checksoft[1].js 1/18/2006 6:03 PM 5.23 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\A14J69QV\spacer[1].gif 1/18/2006 6:03 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\E2Y2IOF6\arrow[1].gif 1/18/2006 6:03 PM 739 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\KLYBC1YF\styles[1].css 1/18/2006 6:03 PM 5.77 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\NLVKJBDE\CAAVS1YJ.HTM 1/18/2006 6:03 PM 1.08 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\NLVKJBDE\top1[1].gif 1/18/2006 6:03 PM 347 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\NYEOL5QS\functions.js[1].htm 1/18/2006 6:03 PM 2.28 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\SF81Y3YP\ico1[1].gif 1/18/2006 6:03 PM 137 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\SMULAU30\button2[1].gif 1/18/2006 6:03 PM 4.08 KB Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\SMULAU30\ico2[1].gif 1/18/2006 6:03 PM 307 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\ST6789MO\ico5[1].gif 1/18/2006 6:03 PM 294 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\W0383U58\ico3[1].gif 1/18/2006 6:03 PM 303 bytes Hidden from Windows API.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\XLW88NX5\download2[1].htm 1/18/2006 6:03 PM 1.77 KB Hidden from Windows API.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20 10/18/2005 5:15 PM 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-112418592-3028830273-206835668-1007 10/18/2005 5:15 PM 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\snapshot\ComDb.Dat 1/1/2004 11:52 AM 23.05 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\snapshot\domain.txt 10/18/2005 5:15 PM 34 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\snapshot\Repository 10/18/2005 5:15 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\snapshot\Repository\$WinMgmt.CFG 10/18/2005 2:12 PM 20 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\snapshot\Repository\FS 10/18/2005 5:15 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\snapshot\Repository\FS\INDEX.BTR 10/18/2005 2:12 PM 1.89 MB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\snapshot\Repository\FS\INDEX.MAP 10/18/2005 5:15 PM 1012 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\snapshot\Repository\FS\MAPPING.VER 10/18/2005 5:15 PM 4 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\snapshot\Repository\FS\MAPPING1.MAP 10/18/2005 5:15 PM 6.14 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\snapshot\Repository\FS\MAPPING2.MAP 10/18/2005 4:55 PM 6.14 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\snapshot\Repository\FS\OBJECTS.DATA 10/18/2005 2:12 PM 10.22 MB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\snapshot\Repository\FS\OBJECTS.MAP 10/18/2005 5:15 PM 5.15 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531 10/20/2005 8:53 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0049273.INI 10/18/2005 10:21 PM 178 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0049274.INI 10/19/2005 2:19 PM 62 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0049275.INI 10/19/2005 2:19 PM 62 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0049276.INI 10/19/2005 2:19 PM 62 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0049277.ini 10/19/2005 2:19 PM 213 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0049278.lnk 10/19/2005 2:19 PM 1.50 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0049279.cfg 10/19/2005 5:14 PM 469 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0049280.ini 10/19/2005 2:19 PM 4.23 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0049281.lnk 10/19/2005 2:19 PM 1.49 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0049282.lnk 10/19/2005 2:19 PM 1.49 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0049283.lnk 9/29/2005 2:35 PM 658 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0049284.lnk 10/19/2005 7:30 PM 445 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0049285.cfg 10/12/2005 7:00 AM 129 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0049286.cfg 10/19/2005 2:19 PM 161 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0049287.nfo 10/19/2005 2:19 PM 2.68 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0049288.cfg 10/19/2005 5:14 PM 1.40 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0049289.cfg 10/19/2005 5:14 PM 203 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0049290.cfg 10/19/2005 5:14 PM 32 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0049291.lnk 10/18/2005 10:01 PM 586 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0049292.lnk 10/18/2005 10:03 PM 735 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0049293.lnk 10/19/2005 5:32 PM 522 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0049294.lnk 10/18/2005 10:06 PM 718 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0049295.lnk 10/18/2005 10:06 PM 615 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0049296.lnk 10/18/2005 10:06 PM 718 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\change.log.1 10/19/2005 9:02 PM 892 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\change.log.2 10/20/2005 6:33 PM 18.94 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\drivetable.txt 10/20/2005 8:53 PM 132 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\RestorePointSize 10/21/2005 7:39 PM 8 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\rp.log 10/19/2005 8:20 PM 536 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot 10/19/2005 8:20 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot\_REGISTRY_MACHINE_SAM 10/19/2005 8:20 PM 24.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot\_REGISTRY_MACHINE_SECURITY 10/19/2005 8:20 PM 464.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot\_REGISTRY_MACHINE_SOFTWARE 10/19/2005 8:20 PM 16.62 MB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot\_REGISTRY_MACHINE_SYSTEM 10/19/2005 8:20 PM 5.89 MB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot\_REGISTRY_USER_.DEFAULT 10/19/2005 8:20 PM 232.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18 12/8/2003 9:08 PM 256.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19 10/19/2005 8:20 PM 224.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20 10/19/2005 8:20 PM 224.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-112418592-3028830273-206835668-1007 10/19/2005 8:20 PM 4.51 MB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-18 12/8/2003 9:42 PM 256.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19 10/19/2005 8:20 PM 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20 10/19/2005 8:20 PM 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-112418592-3028830273-206835668-1007 10/19/2005 8:20 PM 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot\ComDb.Dat 1/1/2004 11:52 AM 23.05 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot\domain.txt 10/19/2005 8:20 PM 34 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot\Repository 10/19/2005 8:20 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot\Repository\$WinMgmt.CFG 10/19/2005 2:19 PM 20 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot\Repository\FS 10/19/2005 8:20 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot\Repository\FS\INDEX.BTR 10/19/2005 2:19 PM 1.89 MB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot\Repository\FS\INDEX.MAP 10/19/2005 8:20 PM 1012 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot\Repository\FS\MAPPING.VER 10/19/2005 8:20 PM 4 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot\Repository\FS\MAPPING1.MAP 10/19/2005 8:20 PM 6.14 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot\Repository\FS\MAPPING2.MAP 10/19/2005 7:35 PM 6.14 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot\Repository\FS\OBJECTS.DATA 10/19/2005 2:19 PM 10.22 MB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\snapshot\Repository\FS\OBJECTS.MAP 10/19/2005 8:20 PM 5.15 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\qaz4.txt 1/15/2006 10:57 PM 3.56 KB Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 1/18/2006 6:00 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\SYSTEM32\ccbeg.bak1 12/28/2005 11:17 AM 395.22 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\ccbeg.bak2 1/18/2006 3:23 PM 400.69 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\gebcc.dll 1/11/2006 11:30 AM 532.02 KB Hidden from Windows API.