confused and out of steam

sasysusie · 2007-11-06T15:46:36.000Z

oldman post:272:

So far so good. Gotta go to work, will check back when I get a chance and see how it’s going. If that file is infected, don’t panic just follow the instructions I gave you.

I need one more report, it’s pretty intensive and may take a while. Mauserme will have a look. Then we’ll just wait to see what he has to say. ;D

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

[*]Close ALL OTHER PROGRAMS.
[*]Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
[*]Under Additional Scans click the checkboxes in front of the following items to select them:

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

This log will be quite long. You can either use multiple post or attach the log file if its easier. In either case make sure the last line is < End of Report >.

im not making myself clear here i don’t think this is where i have stalled out from this reply you game me when you left for work, could you please read over your instructions to me in the quote above its the thrid bullet i am asking about… ?

sasysusie · 2007-11-06T15:51:13.000Z

oldman post:277:

My apologies, I meant to l have made a note, no nothing under extra scans.

Did you see a complete list of the 32 scanners that tested the file?

and in answer to the question about about did i see the 32 scanners that tested the file yes i did… that is what i was asking if you wanted me to do it again so you could see the list of the 32 scanners? I have NOT done anything past this yet as ive been confused as you can see! sorry… O have stalled out at reply 271… but my last post was directed to that!
Thanks susie

oldman960 · 2007-11-06T16:09:08.000Z

Hi

No, don’t check anthing under additional scans, just skip down to the next step. ;D 8)

Sure, I’d like to see the report on the file you submitted.

system · 2007-11-06T16:16:42.000Z

Suzie - just make it look like this

sasysusie · 2007-11-06T16:33:26.000Z

here is the report from VirusTotal

File tmp.reg received on 11.06.2007 17:19:32 (CET)
Current status: Loading … queued waiting scanning finished NOT FOUND STOPPED

Result: 0/32 (0%)
Loading server information…
Your file is queued in position: 6.
Estimated start time is between 61 and 87 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they’re generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click “request” so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2007.11.7.0 2007.11.06 -
AntiVir 7.6.0.30 2007.11.06 -
Authentium 4.93.8 2007.11.05 -
Avast 4.7.1074.0 2007.11.05 -
AVG 7.5.0.503 2007.11.06 -
BitDefender 7.2 2007.11.06 -
CAT-QuickHeal 9.00 2007.11.06 -
ClamAV 0.91.2 2007.11.06 -
DrWeb 4.44.0.09170 2007.11.06 -
eSafe 7.0.15.0 2007.10.28 -
eTrust-Vet 31.2.5270 2007.11.05 -
Ewido 4.0 2007.11.06 -
FileAdvisor 1 2007.11.06 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.06 -
F-Secure 6.70.13030.0 2007.11.06 -
Ikarus T3.1.1.12 2007.11.06 -
Kaspersky 7.0.0.125 2007.11.06 -
McAfee 5156 2007.11.05 -
Microsoft 1.3007 2007.11.06 -
NOD32v2 2641 2007.11.06 -
Norman 5.80.02 2007.11.06 -
Panda 9.0.0.4 2007.11.06 -
Prevx1 V2 2007.11.06 -
Rising 20.17.12.00 2007.11.06 -
Sophos 4.23.0 2007.11.06 -
Sunbelt 2.2.907.0 2007.11.02 -
Symantec 10 2007.11.06 -
TheHacker 6.2.9.117 2007.11.06 -
VBA32 3.12.2.4 2007.11.06 -
VirusBuster 4.3.26:9 2007.11.05 -
Webwasher-Gateway 6.0.1 2007.11.06 -
Additional information
File size: 6238 bytes
MD5: 6bbd0b95dd8e5278a2801fe5af9c2f5e
SHA1: 00eb322355e6c04755e32c89b6404939f76c4dfa
packers: Unicode
packers: Unicode

oldman960 · 2007-11-06T16:58:25.000Z

Thanks for the scan results. I was just curious about the last part with the numbers. Might be able to find a match. Carry on with your scan. Will check back later. If everything goes well we’ll do the cleanup tonight. ;D

sasysusie · 2007-11-06T17:02:33.000Z

Here is the WinPFind3u report log… and ty for sticking with me even in my thick moments… im off to work myself but wanted to leave this for you all before i left… take care thanks again!

WinPFind3 logfile created on: 11/6/2007 8:37:41 AM
WinPFind3U by OldTimer - Version 1.0.42 Folder = C:\Documents and Settings\HP_Owner\Desktop\WinPFind3u
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

503.48 Mb Total Physical Memory | 182.95 Mb Available Physical Memory | 36.34% Memory free
1.20 Gb Paging File | 0.89 Gb Available in Paging File | 74.30% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;

Computer Name: YOUR-4F1261A8E5
Current User Name: HP_Owner
Logged in as Administrator.
Current Boot Mode: Normal

[Processes - Non-Microsoft Only]
agrsmmsg.exe → %SystemRoot%\AGRSMMSG.exe → Agere Systems [Ver = 2.1.41.10 2.1.41.10 06/29/2004 09:06:35 | Size = 88363 bytes | Modified Date = 6/29/2004 4:06:38 PM | Attr = ]
alcxmntr.exe → %SystemRoot%\ALCXMNTR.EXE → Realtek Semiconductor Corp. [Ver = 1.5 | Size = 57344 bytes | Modified Date = 9/7/2004 7:47:52 PM | Attr = ]
aolacsd.exe → %CommonProgramFiles%\AOL\ACS\AOLacsd.exe → AOL LLC [Ver = 4.6.1.2 | Size = 46640 bytes | Modified Date = 10/23/2006 4:50:36 AM | Attr = R ]
aolsp scheduler.exe → %CommonProgramFiles%\AOL\AOL Spyware Protection\AOLSP Scheduler.exe → [Ver = 1, 0, 0, 74 | Size = 79448 bytes | Modified Date = 10/18/2004 3:42:18 PM | Attr = ]
aoltray.exe → %ProgramFiles%\America Online 9.0\aoltray.exe → America Online, Inc. [Ver = 9.00.001 | Size = 156784 bytes | Modified Date = 8/24/2004 3:08:44 PM | Attr = H ]
ashdisp.exe → %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 9/6/2007 2:06:10 AM | Attr = ]
ashmaisv.exe → %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 9/6/2007 2:05:42 AM | Attr = ]
ashserv.exe → %ProgramFiles%\Alwil Software\Avast4\ashServ.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 9/6/2007 2:06:04 AM | Attr = ]
ashwebsv.exe → %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 9/6/2007 2:04:44 AM | Attr = ]
aswupdsv.exe → %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 9/6/2007 1:54:58 AM | Attr = ]
cmdagent.exe → %ProgramFiles%\Comodo\Firewall\cmdagent.exe → COMODO [Ver = 2.4.0.20 | Size = 361040 bytes | Modified Date = 11/5/2007 8:29:46 AM | Attr = ]
cpf.exe → %ProgramFiles%\Comodo\Firewall\cpf.exe → COMODO [Ver = 2.4.0.58 | Size = 1115728 bytes | Modified Date = 11/5/2007 8:29:46 AM | Attr = ]
fxsvr2.exe → %ProgramFiles%\Logitech\Video\FxSvr2.exe → Logitech Inc. [Ver = 8.4.7.1034 | Size = 192512 bytes | Modified Date = 6/8/2005 1:44:56 PM | Attr = ]
googletoolbarnotifier.exe → %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe → Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 6/9/2007 5:53:56 PM | Attr = ]
hkcmd.exe → %System32%\hkcmd.exe → Intel Corporation [Ver = 3.0.0.3943 | Size = 126976 bytes | Modified Date = 11/2/2004 2:59:42 PM | Attr = ]
hpgs2wnd.exe → %ProgramFiles%\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe → Hewlett-Packard [Ver = 2,4,0,26 | Size = 57344 bytes | Modified Date = 7/3/2001 9:11:52 AM | Attr = ]
hpgs2wnf.exe → %ProgramFiles%\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe → [Ver = 2,4,0,26 | Size = 65536 bytes | Modified Date = 7/3/2001 9:17:04 AM | Attr = ]
hphmon06.exe → %System32%\hphmon06.exe → Hewlett-Packard [Ver = 6,0,72 | Size = 659456 bytes | Modified Date = 6/7/2004 5:42:30 PM | Attr = ]
hpobrt07.exe → %ProgramFiles%\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe → Hewlett-Packard Co. [Ver = 2.00 | Size = 491580 bytes | Modified Date = 2/3/2003 4:46:20 PM | Attr = ]
hpoevm07.exe → %ProgramFiles%\Hewlett-Packard\AiO\Shared\Bin\hpoevm07.exe → Hewlett-Packard Co. [Ver = 1.00 | Size = 299008 bytes | Modified Date = 4/30/2002 4:46:44 PM | Attr = ]
hpoipm07.exe → %System32%\hpoipm07.exe → HP [Ver = 4, 5, 0, 767 | Size = 69632 bytes | Modified Date = 4/30/2002 4:23:18 PM | Attr = ]
hposts07.exe → %ProgramFiles%\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe → Hewlett-Packard Co. [Ver = 1.00 | Size = 290816 bytes | Modified Date = 4/30/2002 4:59:48 PM | Attr = ]
hpqtra08.exe → %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe → Hewlett-Packard Co. [Ver = 45.4.157.000 | Size = 258048 bytes | Modified Date = 11/5/2004 2:28:24 AM | Attr = ]
hpsysdrv.exe → %SystemRoot%\system\hpsysdrv.exe → Hewlett-Packard Company [Ver = 1, 7, 0, 0 | Size = 52736 bytes | Modified Date = 5/7/1998 3:04:38 PM | Attr = ]
ipodservice.exe → %ProgramFiles%\iPod\bin\iPodService.exe → Apple Inc. [Ver = 7.1.1.5 | Size = 500800 bytes | Modified Date = 3/14/2007 6:05:42 PM | Attr = ]
ituneshelper.exe → %ProgramFiles%\iTunes\iTunesHelper.exe → Apple Inc. [Ver = 7.1.1.5 | Size = 257088 bytes | Modified Date = 3/14/2007 6:05:48 PM | Attr = ]
jusched.exe → %ProgramFiles%\Java\jre1.6.0_03\bin\jusched.exe → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 12:11:36 AM | Attr = ]
kbd.exe → %SystemDrive%\hp\KBD\kbd.exe → Hewlett-Packard Company [Ver = 1.0.2.0 | Size = 61440 bytes | Modified Date = 2/11/2003 6:02:48 PM | Attr = ]
keyexp.exe → %ProgramFiles%\keyexp\KEYEXP.EXE → [Ver = | Size = 838656 bytes | Modified Date = 2/24/2000 4:38:08 PM | Attr = ]
logitray.exe → %ProgramFiles%\Logitech\Video\LogiTray.exe → Logitech Inc. [Ver = 8.4.7.1034 | Size = 217088 bytes | Modified Date = 6/8/2005 2:14:44 PM | Attr = ]
lvcomsx.exe → %System32%\LVCOMSX.EXE → Logitech Inc. [Ver = 8.4.7.1036 | Size = 221184 bytes | Modified Date = 7/19/2005 4:32:18 PM | Attr = ]
qttask.exe → %ProgramFiles%\QuickTime\qttask.exe → Apple Inc. [Ver = 7.1.6 | Size = 282624 bytes | Modified Date = 4/27/2007 8:41:54 AM | Attr = ]
superantispyware.exe → %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe → SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 6/21/2007 1:06:28 PM | Attr = ]
updates from hp.exe → %ProgramFiles%\Updates from HP\309731\Program\Updates from HP.exe → Hewlett-Packard [Ver = 6,3, 2, 1 | Size = 45056 bytes | Modified Date = 2/15/2005 9:23:14 AM | Attr = ]
wanmpsvc.exe → %SystemRoot%\wanmpsvc.exe → America Online, Inc. [Ver = 9, 0, 0, 0 | Size = 65536 bytes | Modified Date = 8/27/2003 10:29:46 AM | Attr = ]
weather.exe → %ProgramFiles%\AWS\WeatherBug\Weather.exe → AWS Convergence Technologies, Inc. [Ver = 6, 6, 0, 0 | Size = 1343488 bytes | Modified Date = 1/6/2006 9:57:20 AM | Attr = ]
winpfind3u.exe → %UserDesktop%\WinPFind3u\WinPFind3U.exe → OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 9/4/2007 10:47:26 AM | Attr = ]
ymsgr_tray.exe → %ProgramFiles%\Yahoo!\Messenger\ymsgr_tray.exe → Yahoo! Inc. [Ver = 8,1,0,0 | Size = 103664 bytes | Modified Date = 8/30/2007 4:43:18 PM | Attr = ]

sasysusie · 2007-11-06T17:03:49.000Z

[Win32 Services - Non-Microsoft Only]
(AOL ACS) AOL Connectivity Service [Win32_Own | Auto | Running] → %CommonProgramFiles%\AOL\ACS\AOLacsd.exe → AOL LLC [Ver = 4.6.1.2 | Size = 46640 bytes | Modified Date = 10/23/2006 4:50:36 AM | Attr = R ]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] → %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 9/6/2007 1:54:58 AM | Attr = ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] → %ProgramFiles%\Alwil Software\Avast4\ashServ.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 9/6/2007 2:06:04 AM | Attr = ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] → %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 9/6/2007 2:05:42 AM | Attr = ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] → %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 9/6/2007 2:04:44 AM | Attr = ]
(CmdAgent) Comodo Application Agent [Win32_Own | Auto | Running] → %ProgramFiles%\Comodo\Firewall\cmdagent.exe → COMODO [Ver = 2.4.0.20 | Size = 361040 bytes | Modified Date = 11/5/2007 8:29:46 AM | Attr = ]
(CWShredder Service) CWShredder Service [Win32_Own | Auto | Stopped] → %ProgramFiles%\InterMute\SpySubtract\CWShredder.exe → File not found
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] → %System32%\dmadmin.exe → Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 10:00:00 AM | Attr = ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] → %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe → Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 2/14/2007 6:28:46 AM | Attr = ]
(iPod Service) iPod Service [Win32_Own | On_Demand | Running] → %ProgramFiles%\iPod\bin\iPodService.exe → Apple Inc. [Ver = 7.1.1.5 | Size = 500800 bytes | Modified Date = 3/14/2007 6:05:42 PM | Attr = ]
(WANMiniportService) WAN Miniport (ATW) Service [Win32_Own | Auto | Running] → %SystemRoot%\wanmpsvc.exe → America Online, Inc. [Ver = 9, 0, 0, 0 | Size = 65536 bytes | Modified Date = 8/27/2003 10:29:46 AM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
AGRSMMSG → %SystemRoot%\AGRSMMSG.exe → Agere Systems [Ver = 2.1.41.10 2.1.41.10 06/29/2004 09:06:35 | Size = 88363 bytes | Modified Date = 6/29/2004 4:06:38 PM | Attr = ]
AlcxMonitor → %SystemRoot%\ALCXMNTR.EXE → Realtek Semiconductor Corp. [Ver = 1.5 | Size = 57344 bytes | Modified Date = 9/7/2004 7:47:52 PM | Attr = ]
AOL Spyware Protection → %CommonProgramFiles%\AOL\AOL Spyware Protection\AOLSP Scheduler.exe → [Ver = 1, 0, 0, 74 | Size = 79448 bytes | Modified Date = 10/18/2004 3:42:18 PM | Attr = ]
AOLDialer → %CommonProgramFiles%\AOL\ACS\AOLDial.exe → AOL LLC [Ver = 4.6.1.2 | Size = 71216 bytes | Modified Date = 10/23/2006 4:50:38 AM | Attr = R ]
avast! → %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 9/6/2007 2:06:10 AM | Attr = ]
COMODO Firewall Pro → %ProgramFiles%\Comodo\Firewall\cpf.exe → COMODO [Ver = 2.4.0.58 | Size = 1115728 bytes | Modified Date = 11/5/2007 8:29:46 AM | Attr = ]
HostManager → %CommonProgramFiles%\AOL\1158686903\ee\AOLSoftware.exe → America Online, Inc. [Ver = 1.5.6.1 | Size = 50736 bytes | Modified Date = 9/25/2006 4:52:48 PM | Attr = ]
HotKeysCmds → %System32%\hkcmd.exe → Intel Corporation [Ver = 3.0.0.3943 | Size = 126976 bytes | Modified Date = 11/2/2004 2:59:42 PM | Attr = ]
HPHmon06 → %System32%\hphmon06.exe → Hewlett-Packard [Ver = 6,0,72 | Size = 659456 bytes | Modified Date = 6/7/2004 5:42:30 PM | Attr = ]
HPHUPD06 → %ProgramFiles%\HP{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe → Hewlett-Packard [Ver = 6,0,72 | Size = 49152 bytes | Modified Date = 6/7/2004 5:53:26 PM | Attr = ]
hpsysdrv → %SystemRoot%\system\hpsysdrv.exe → Hewlett-Packard Company [Ver = 1, 7, 0, 0 | Size = 52736 bytes | Modified Date = 5/7/1998 3:04:38 PM | Attr = ]
iTunesHelper → %ProgramFiles%\iTunes\iTunesHelper.exe → Apple Inc. [Ver = 7.1.1.5 | Size = 257088 bytes | Modified Date = 3/14/2007 6:05:48 PM | Attr = ]
KBD → %SystemDrive%\hp\KBD\kbd.exe → Hewlett-Packard Company [Ver = 1.0.2.0 | Size = 61440 bytes | Modified Date = 2/11/2003 6:02:48 PM | Attr = ]
LogitechVideoRepair → %ProgramFiles%\Logitech\Video\ISStart.exe → Logitech Inc. [Ver = 8.4.7.1034 | Size = 458752 bytes | Modified Date = 6/8/2005 2:24:32 PM | Attr = ]
LogitechVideoTray → %ProgramFiles%\Logitech\Video\LogiTray.exe → Logitech Inc. [Ver = 8.4.7.1034 | Size = 217088 bytes | Modified Date = 6/8/2005 2:14:44 PM | Attr = ]
LSBWatcher → %SystemDrive%\hp\drivers\hplsbwatcher\lsburnwatcher.exe → Hewlett-Packard Company [Ver = 4, 10, 14, 0 | Size = 253952 bytes | Modified Date = 10/14/2004 8:54:32 PM | Attr = ]
LVCOMSX → %System32%\LVCOMSX.EXE → Logitech Inc. [Ver = 8.4.7.1036 | Size = 221184 bytes | Modified Date = 7/19/2005 4:32:18 PM | Attr = ]
NapsterShell → %ProgramFiles%\Napster\napster.exe → File not found
ProfileWatcher → %ProgramFiles%\ProfileWatcher\profilewatcher.exe → File not found
PS2 → %System32%\ps2.EXE → Hewlett-Packard Company [Ver = 1.0.2.2.112404 | Size = 90112 bytes | Modified Date = 10/25/2004 8:17:56 PM | Attr = ]
QuickTime Task → %ProgramFiles%\QuickTime\qttask.exe → Apple Inc. [Ver = 7.1.6 | Size = 282624 bytes | Modified Date = 4/27/2007 8:41:54 AM | Attr = ]
Recguard → %SystemRoot%\SMINST\Recguard.exe → [Ver = 5, 0, 44, 2 | Size = 233472 bytes | Modified Date = 4/14/2004 7:43:46 PM | Attr = ]
Reminder → %SystemRoot%\CREATOR\Remind_XP.exe → SoftThinks [Ver = 6, 0, 52, 2 | Size = 663552 bytes | Modified Date = 12/14/2004 1:23:44 AM | Attr = ]
Share-to-Web Namespace Daemon → %ProgramFiles%\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe → Hewlett-Packard [Ver = 2,4,0,26 | Size = 57344 bytes | Modified Date = 7/3/2001 9:11:52 AM | Attr = ]
SunJavaUpdateSched → %ProgramFiles%\Java\jre1.6.0_03\bin\jusched.exe → Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 12:11:36 AM | Attr = ]
TkBellExe → %CommonProgramFiles%\Real\Update_OB\realsched.exe → RealNetworks, Inc. [Ver = 0.1.0.3034 | Size = 180269 bytes | Modified Date = 2/15/2005 9:09:30 AM | Attr = ]
UserFaultCheck → → File not found
< OptionalComponents [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ →
IMAIL → Installed = 1 →
MAPI → Installed = 1 →
MSFS → Installed = 1 →

sasysusie · 2007-11-06T17:05:06.000Z

sasysusie · 2007-11-06T17:06:48.000Z

sasysusie · 2007-11-06T17:07:21.000Z

sasysusie · 2007-11-06T17:08:32.000Z

sasysusie · 2007-11-06T17:10:20.000Z

[Files/Folders - Modified Within 30 days]
avenger → %SystemDrive%\avenger → [Folder | Modified Date = 11/5/2007 11:44:56 PM | Attr = ]
boot.ini → %SystemDrive%\boot.ini → [Ver = | Size = 283 bytes | Modified Date = 11/5/2007 8:36:48 AM | Attr = RHS]
Config.Msi → %SystemDrive%\Config.Msi → [Folder | Modified Date = 11/3/2007 9:31:46 PM | Attr = H ]
Deckard → %SystemDrive%\Deckard → [Folder | Modified Date = 11/4/2007 7:50:04 AM | Attr = ]
Documents and Settings → %SystemDrive%\Documents and Settings → [Folder | Modified Date = 11/5/2007 11:41:02 PM | Attr = ]
hiberfil.sys → %SystemDrive%\hiberfil.sys → [Ver = | Size = 528011264 bytes | Modified Date = 11/6/2007 8:13:52 AM | Attr = HS]
Program Files → %ProgramFiles% → [Folder | Modified Date = 11/5/2007 8:29:48 AM | Attr = ]
qoobox → %SystemDrive%\qoobox → [Folder | Modified Date = 11/2/2007 7:07:32 PM | Attr = ]
sqmdata08.sqm → %SystemDrive%\sqmdata08.sqm → [Ver = | Size = 232 bytes | Modified Date = 10/9/2007 5:56:08 AM | Attr = H ]
sqmdata09.sqm → %SystemDrive%\sqmdata09.sqm → [Ver = | Size = 232 bytes | Modified Date = 10/24/2007 4:49:36 AM | Attr = H ]
sqmnoopt08.sqm → %SystemDrive%\sqmnoopt08.sqm → [Ver = | Size = 244 bytes | Modified Date = 10/9/2007 5:56:08 AM | Attr = H ]
sqmnoopt09.sqm → %SystemDrive%\sqmnoopt09.sqm → [Ver = | Size = 244 bytes | Modified Date = 10/24/2007 4:49:36 AM | Attr = H ]
System Volume Information → %SystemDrive%\System Volume Information → [Folder | Modified Date = 11/6/2007 12:13:40 AM | Attr = HS]
Temp → %SystemDrive%\Temp → [Folder | Modified Date = 11/4/2007 9:08:34 PM | Attr = ]
WINDOWS → %SystemRoot% → [Folder | Modified Date = 11/6/2007 6:27:50 AM | Attr = ]
_OTMoveIt → %SystemDrive%_OTMoveIt → [Folder | Modified Date = 11/4/2007 1:51:12 PM | Attr = ]
$hf_mig$ → %SystemRoot%$hf_mig$ → [Folder | Modified Date = 10/10/2007 10:50:12 PM | Attr = H ]
$NtUninstallKB933729$ → %SystemRoot%$NtUninstallKB933729$ → [Folder | Modified Date = 10/10/2007 10:50:14 PM | Attr = H ]
$NtUninstallKB939653$ → %SystemRoot%$NtUninstallKB939653$ → [Folder | Modified Date = 10/10/2007 10:49:58 PM | Attr = H ]
$NtUninstallKB941202$ → %SystemRoot%$NtUninstallKB941202$ → [Folder | Modified Date = 10/10/2007 10:48:42 PM | Attr = H ]
absolute key logger.lnk → %SystemRoot%\absolute key logger.lnk → [Ver = | Size = 9472 bytes | Modified Date = 11/4/2007 8:11:26 AM | Attr = ]
aconti.ini → %SystemRoot%\aconti.ini → [Ver = | Size = 24832 bytes | Modified Date = 11/4/2007 8:11:30 AM | Attr = ]
aconti.sdb → %SystemRoot%\aconti.sdb → [Ver = | Size = 19712 bytes | Modified Date = 11/4/2007 8:11:30 AM | Attr = ]
bootstat.dat → %SystemRoot%\bootstat.dat → [Ver = | Size = 2048 bytes | Modified Date = 11/6/2007 8:13:54 AM | Attr = S]
catchme.exe → %SystemRoot%\catchme.exe → [Ver = | Size = 136192 bytes | Modified Date = 10/29/2007 6:56:20 PM | Attr = ]
cookies.ini → %SystemRoot%\cookies.ini → [Ver = | Size = 917 bytes | Modified Date = 11/5/2007 6:49:04 AM | Attr = ]
default.htm → %SystemRoot%\default.htm → [Ver = | Size = 1679 bytes | Modified Date = 11/4/2007 1:55:16 PM | Attr = ]
Downloaded Program Files → %SystemRoot%\Downloaded Program Files → [Folder | Modified Date = 11/5/2007 4:14:46 PM | Attr = S]
erdnt → %SystemRoot%\erdnt → [Folder | Modified Date = 11/4/2007 9:09:16 PM | Attr = ]
Help → %SystemRoot%\Help → [Folder | Modified Date = 11/2/2007 6:01:02 PM | Attr = ]
imsins.BAK → %SystemRoot%\imsins.BAK → [Ver = | Size = 1943 bytes | Modified Date = 10/21/2007 9:11:26 AM | Attr = ]
inf → %SystemRoot%\inf → [Folder | Modified Date = 10/22/2007 6:10:26 AM | Attr = H ]
Installer → %SystemRoot%\Installer → [Folder | Modified Date = 11/3/2007 9:31:48 PM | Attr = HS]
Prefetch → %SystemRoot%\Prefetch → [Folder | Modified Date = 11/6/2007 7:07:50 AM | Attr = ]
Registration → %SystemRoot%\Registration → [Folder | Modified Date = 11/5/2007 4:01:42 PM | Attr = ]
SoftwareDistribution → %SystemRoot%\SoftwareDistribution → [Folder | Modified Date = 10/25/2007 10:55:40 PM | Attr = ]
system32 → %System32% → [Folder | Modified Date = 11/5/2007 11:41:04 PM | Attr = ]
Tasks → %SystemRoot%\Tasks → [Folder | Modified Date = 11/4/2007 9:08:52 PM | Attr = S]
Temp → %SystemRoot%\Temp → [Folder | Modified Date = 11/6/2007 8:15:30 AM | Attr = ]
viassary-hp.reg → %SystemRoot%\viassary-hp.reg → [Ver = | Size = 3645 bytes | Modified Date = 11/2/2007 5:13:10 PM | Attr = ]
AppleSoftwareUpdate.job → %SystemRoot%\tasks\AppleSoftwareUpdate.job → [Ver = | Size = 284 bytes | Modified Date = 11/1/2007 1:26:02 PM | Attr = ]
Norton AntiVirus - Scan my computer - HP_Owner.job → %SystemRoot%\tasks\Norton AntiVirus -

sasysusie · 2007-11-06T17:11:00.000Z

[File String Scan - Non-Microsoft Only]
WSUD , → %System32%\ALSNDMGR.CPL → Realtek Semiconductor Corp. [Ver = 2.2.0.34 | Size = 16121856 bytes | Modified Date = 9/20/2004 9:20:44 PM | Attr = ]
UPX! , UPX0 , → %System32%\asw51.tmp → [Ver = 4, 6, 763, 0 | Size = 503296 bytes | Modified Date = 1/27/2006 2:38:10 PM | Attr = ]
UPX! , UPX0 , → %System32%\aswBoot.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 801144 bytes | Modified Date = 9/6/2007 2:09:50 AM | Attr = ]
PEC2 , → %System32%\dfrg.msc → [Ver = | Size = 41397 bytes | Modified Date = 8/4/2004 10:00:00 AM | Attr = ]
Thawte Consulting , → %System32%\SmartUI2.ocx → Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com [Ver = 2.00.6553 | Size = 870152 bytes | Modified Date = 3/15/2007 11:22:38 AM | Attr = ]
UPX! , UPX0 , → %System32%\SrchSTS.exe → S!Ri [Ver = | Size = 288417 bytes | Modified Date = 4/27/2006 4:49:30 PM | Attr = ]
UPX! , UPX0 , → %System32%\swreg.exe → SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 7/22/2007 6:39:28 PM | Attr = ]
UPX! , UPX0 , → %System32%\VCCLSID.exe → S!Ri [Ver = | Size = 289144 bytes | Modified Date = 9/5/2007 11:22:24 PM | Attr = ]
winsync , → %System32%\wbdbase.deu → [Ver = | Size = 1309184 bytes | Modified Date = 8/3/2004 8:00:00 PM | Attr = ]
UPX! , UPX0 , → %System32%\WS2Fix.exe → [Ver = | Size = 25600 bytes | Modified Date = 10/3/2007 11:36:46 PM | Attr = ]
Thawte Consulting , → %System32%\XceedCry.dll → Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com [Ver = 1.1.6461.0 | Size = 526184 bytes | Modified Date = 3/15/2007 11:19:58 AM | Attr = ]
Thawte Consulting , → %System32%\XceedZip.dll → Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com [Ver = 6.0.6621.0 | Size = 497496 bytes | Modified Date = 3/15/2007 11:23:16 AM | Attr = ]

< End of report >

system · 2007-11-06T19:22:01.000Z

Here’s the fix I’ve prepared from the WinPFind log. Let oldman take a look before running it.

Note to oldman: I’m ending our behind the scenes debate about tmp.reg with this fix in that I’ve included it in the deletions. If you would rather investigate further it can be removed (ie kept/not deleted). My only hesitation is a curiosity to see its contents which could point to the workings of some of the malware.

To use the fix start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button. Please note there are duplicates so the results will show some “File Not Found”, especially in the second half.

[Registry - Non-Microsoft Only]
< ShellExecuteHooks [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YN → {634BBAB7-3F60-4426-944F-A62B9007F67F} [HKLM] → Reg Data - Key not found
UserInit → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
YN → C:\WINDOWS\system32\vvgeowbv.exe → %System32%\vvgeowbv.exe
< Internet Explorer ToolBars [HKCU] > → HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar
YN → WebBrowser\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] → Reg Data - Key not found [Reg Data - Key not found]
[Files/Folders - Created Within 30 days]
NY → sqmdata08.sqm → %SystemDrive%\sqmdata08.sqm
NY → sqmdata09.sqm → %SystemDrive%\sqmdata09.sqm
NY → sqmnoopt08.sqm → %SystemDrive%\sqmnoopt08.sqm
NY → sqmnoopt09.sqm → %SystemDrive%\sqmnoopt09.sqm
NY → absolute key logger.lnk → %SystemRoot%\absolute key logger.lnk
NY → aconti.ini → %SystemRoot%\aconti.ini
NY → aconti.sdb → %SystemRoot%\aconti.sdb
NY → cookies.ini → %SystemRoot%\cookies.ini
NY → default.htm → %SystemRoot%\default.htm
NY → bygwdcie.ini → %System32%\bygwdcie.ini
NY → eqswbyjp.ini → %System32%\eqswbyjp.ini
NY → fifesjcq.ini → %System32%\fifesjcq.ini
NY → gjjlm.ini → %System32%\gjjlm.ini
NY → hbqkbaas.ini → %System32%\hbqkbaas.ini
NY → jpewocmz.ini → %System32%\jpewocmz.ini
NY → jrtwykgc.ini → %System32%\jrtwykgc.ini
NY → mcrh.tmp → %System32%\mcrh.tmp
NY → rqtss.ini → %System32%\rqtss.ini
NY → sznf.ascii → %System32%\sznf.ascii
NY → uonalcrh.ini → %System32%\uonalcrh.ini
NY → wxqghjia.ini → %System32%\wxqghjia.ini
NY → xbbewnmx.ini → %System32%\xbbewnmx.ini
[Files/Folders - Modified Within 30 days]
NY → sqmdata08.sqm → %SystemDrive%\sqmdata08.sqm
NY → sqmdata09.sqm → %SystemDrive%\sqmdata09.sqm
NY → sqmnoopt08.sqm → %SystemDrive%\sqmnoopt08.sqm
NY → sqmnoopt09.sqm → %SystemDrive%\sqmnoopt09.sqm
NY → absolute key logger.lnk → %SystemRoot%\absolute key logger.lnk
NY → aconti.ini → %SystemRoot%\aconti.ini
NY → aconti.sdb → %SystemRoot%\aconti.sdb
NY → bootstat.dat → %SystemRoot%\bootstat.dat
NY → viassary-hp.reg → %SystemRoot%\viassary-hp.reg
NY → bygwdcie.ini → %System32%\bygwdcie.ini
NY → eqswbyjp.ini → %System32%\eqswbyjp.ini
NY → fifesjcq.ini → %System32%\fifesjcq.ini
NY → gjjlm.ini → %System32%\gjjlm.ini
NY → hbqkbaas.ini → %System32%\hbqkbaas.ini
NY → jpewocmz.ini → %System32%\jpewocmz.ini
NY → jrtwykgc.ini → %System32%\jrtwykgc.ini
NY → mcrh.tmp → %System32%\mcrh.tmp
NY → rqtss.ini → %System32%\rqtss.ini
NY → sznf.ascii → %System32%\sznf.ascii
NY → tmp.reg → %System32%\tmp.reg
NY → uonalcrh.ini → %System32%\uonalcrh.ini
NY → wxqghjia.ini → %System32%\wxqghjia.ini
NY → xbbewnmx.ini → %System32%\xbbewnmx.ini

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix. Post that information in your next response with a fresh WinPFind log.

Also let me know of any problems you encounter performing these steps or any continuing problems you are having with the computer.

Also please upload these two files to Virus Total and post the results:

c:\windows\system32\din.ip
c:\windows\system32\process.exe

Edit: If you see Absolute Key Logger in your Add/Remove Programs please uninstall it.

essexboy · 2007-11-06T19:44:06.000Z

Good work with Avenger guys and yes all files will be backed up in either the OTmoveit folder or Qoobox folder. Process.exe is used by combo fix. din.ip is part of a reverse DNS file I don’t think Susie will need that. Taking out the ini files is good as that would help make it easier for a re-infection if they remained. Actual infections were Virtumondo a couple of Trojan droppers a bit of smitfraud. I believe it was the Vundo that changed the auth package very sneaky. tmp.reg is sometimes legitimate and sometimetimes not, there is no definitive way to tell so as a matter of course I usually delete them and if they are legitimate the programme that uses it will rebuild it. The confusion about the 02’s with DSS is that sometimes it will take data from an old scan, if that appears to be happening then just delete the logs in the DSS folder and run again

oldman960 · 2007-11-06T19:49:03.000Z

@mauserme and essexboy

Do you think it worthwhile or posible to gain anything from the tmp.reg? Eitherway I’m okay, in light of the fact that the file will be rebuilt if needed.

essexboy · 2007-11-06T19:51:39.000Z

Might be worth zipping it and uploading it here, I can then download it open it up and see what it is

oldman960 · 2007-11-06T19:53:03.000Z

essexboy post:298:

Might be worth zipping it and uploading it here, I can then download it open it up and see what it is

As in attaching it to a post?

system · 2007-11-06T19:59:09.000Z

essexboy post:296:

Actual infections were Virtumondo a couple of Trojan droppers a bit of smitfraud. I

I think I saw a backdoor in there too …

EDIT:

@Essexboy

The file inofrmation for process…exe is

Process.exe → %System32%\Process.exe → http://www (dot) beyondlogic.org [Ver = 2, 0, 0, 0 | Size = 53248 bytes | Created Date = 11/4/2007 12:09:59 PM | Attr = ]

The beyondlogic.org reference seems related to smitfraud …

Announcements