Author Topic: Help to remove FOTOMOTO.A Trojan  (Read 55781 times)


Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #30 on: July 10, 2007, 03:03:08 PM »
OTMoveIt results:
C:\WINDOWS\system32\rqtss.bak1 moved successfully.
 Created on 07/10/2007 07:39:24

HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:42:56 AM, on 7/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Installed Utilities\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Anti Virus\Avast\aswUpdSv.exe
E:\Program Files\Anti Virus\Avast\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Anti Virus\Avast\ashMaiSv.exe
E:\Program Files\Anti Virus\Avast\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Internet\Logitech WebCam\LogiTray.exe
C:\Program Files\Common Files\AOL\1141834038\ee\AOLSoftware.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe
E:\PROGRA~1\ANTIVI~1\Avast\ashDisp.exe
E:\Program Files\Utilities\Quicktime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\Program Files\Utilities\Java Runtime Environment\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
E:\Program Files\Anti Virus\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://officeupdate.microsoft.com/outlook
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Utilities\Java Runtime Environment\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LogitechVideoTray] E:\Program Files\Internet\Logitech WebCam\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] E:\Program Files\Internet\Logitech WebCam\ISStart.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141834038\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ANTIVI~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\Utilities\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Utilities\Java Runtime Environment\bin\jusched.exe
O4 - HKCU\..\Run: [FolderShare] "E:\Program Files\Utilities\FolderShare\FolderShare.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - E:\Program Files\Utilities\PDFill\\DownloadPDF.exe
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/14.21/uploader2.cab
O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01.cab
O16 - DPF: {611627F1-D9A5-4235-958E-618E483BF8E7} (AutoUploader Class) - http://www.splashbulb.com/uploader/lib/uploader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\Anti Virus\SuperAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Anti Virus\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Anti Virus\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Anti Virus\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Anti Virus\Avast\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe

--
End of file - 7402 bytes

VundoFix.exe Scan Result:
No infected files were found

Questions on the HijackThis file:
My default home page is www.bbc.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.bbc.co.uk. But once in a while IE used to jump to the URL given in HijackThis log line R1. Is that normal, or should these processes be fixed?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
Could I stop these processes using HijackThis? I believe most of these run at startup, but I probably access these once a year, probably even less.
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141834038\ee\AOLSoftware.exe   (do not use AOL)
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\Utilities\Quicktime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [FolderShare] "E:\Program Files\Utilities\FolderShare\FolderShare.exe" /background

Thanks mauserme. Two days without virus warnings now. Haven't had that in months!!

mauserme

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #31 on: July 11, 2007, 05:04:06 AM »
My default home page is www.bbc.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.bbc.co.uk. But once in a while IE used to jump to the URL given in HijackThis log line R1. Is that normal, or should these processes be fixed?
I usually think more in terms of safe/unsafe rather than normal/abnormal, since the latter is up to the user to decide. The links in the R1's are both safe and common. No need for worries on these.


Could I stop these processes using HijackThis? I believe most of these run at startup, but I probably access these once a year probably even less.
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141834038\ee\AOLSoftware.exe   (do not use AOL)
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\Utilities\Quicktime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [FolderShare] "E:\Program Files\Utilities\FolderShare\FolderShare.exe" /background
If you never use AOL I suggest you uninstall it in Add/Remove Programs, then delete any traces you find in Program Files and Application Data in the user accounts.  I dislike anything from AOL and mistrust their applications (particularly AIM).

iTunes probably installed with QuickTime without notifying you.  It can be uninstalled if you don't use it or you can fix the line in HJT and the effect will be to make it a manual process.

Disabling (fixing the line for) QuickTime may be a temporary measure, as it wants to put itself back in the startups any time it's used. If you find that as annoying as I do, you could try QuickTime Alternative instead:

http://fileforum.betanews.com/detail/QuickTime_Alternative_QT7_Lite/1049831315/3


I'm not familiar with Folder Share.  I would be inclined to open the program and see if there's a setting in the configuration options to stop it loading at startup first.  If not, it's probably safe to fix the line.

And for sure these two lines can be fixed:

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)



I'm revisiting your WinPFind log as I'm just not comfortable with some of the files I see there.  I had hoped for more from VundoFix but we can handle it manually instead.  I'll post again later about that.


Two days without virus warnings now. Haven't had that in months!!
8)
« Last Edit: July 11, 2007, 07:24:13 AM by mauserme »
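As an added example (this is not code from the thread, from HijackThis, or from its author), the following Python script parses log lines like those quoted above and pulls out what the answer above is doing by eye: the O4 autostart entries and the registry hive each lives in, the entries HijackThis tagged "(file missing)" because they point at nothing on disk, and the R0/R1 browser defaults. The sample log is a constructed subset of the lines posted in Reply #30; the function and class names are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the HijackThis lines posted earlier in this
# thread (Reply #30), enough to exercise each kind of entry discussed.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\Utilities\Quicktime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [FolderShare] "E:\Program Files\Utilities\FolderShare\FolderShare.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Anti Virus\Avast\ashServ.exe
"""

# One HijackThis entry: section code, " - ", then the rest of the line.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# First Windows path in the body, stopping at a common binary/shortcut extension.
WIN_PATH = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|lnk|sys|ocx))', re.IGNORECASE)
# O4 Run-key entries carry the value name in square brackets.
RUN_NAME = re.compile(r"\[(?P<name>[^\]]+)\]")
# O4 entries from the Startup folder look like "Global Startup: Name.lnk = path".
GLOBAL_STARTUP = re.compile(r"Global Startup: (?P<name>.+?) = ")


@dataclass
class Entry:
    section: str            # "R0", "O4", "O9", ...
    body: str               # text after "O4 - "
    path: Optional[str]     # first Windows path in the body, if any
    file_missing: bool      # HijackThis tagged the target "(file missing)"


def parse_hjt(text: str) -> list[Entry]:
    """Turn HijackThis log text into Entry records; lines that are not entries are ignored."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        pm = WIN_PATH.search(body)
        entries.append(Entry(
            section=m.group("section"),
            body=body,
            path=pm.group(1) if pm else None,
            file_missing="(file missing)" in body,
        ))
    return entries


def autostart_entries(entries: list[Entry]) -> list[tuple[str, str, Optional[str]]]:
    """O4 entries as (hive, name, path): what runs at logon and from where."""
    out = []
    for e in entries:
        if e.section != "O4":
            continue
        m = RUN_NAME.search(e.body)
        if m:
            name = m.group("name")
            hive = e.body.split("\\", 1)[0]          # "HKLM" or "HKCU"
        else:
            g = GLOBAL_STARTUP.search(e.body)
            if not g:
                continue
            name, hive = g.group("name"), "Global Startup"
        out.append((hive, name, e.path))
    return out


def orphaned_entries(entries: list[Entry]) -> list[Entry]:
    """Entries whose target no longer exists on disk: dead registry references."""
    return [e for e in entries if e.file_missing]


def browser_defaults(entries: list[Entry]) -> list[tuple[str, str]]:
    """R0/R1 entries as (setting, value) so home/search URLs can be reviewed."""
    out = []
    for e in entries:
        if e.section in ("R0", "R1"):
            key, _, value = e.body.partition(" = ")
            out.append((key.rsplit(",", 1)[-1], value))
    return out


def triage_report(text: str) -> dict:
    """Summarise one log the way a helper reads it: autostarts, dead entries, browser defaults."""
    entries = parse_hjt(text)
    return {
        "autostarts": autostart_entries(entries),
        "orphans": [(e.section, e.path) for e in orphaned_entries(entries)],
        "browser": browser_defaults(entries),
    }


if __name__ == "__main__":
    for heading, items in triage_report(SAMPLE_LOG).items():
        print(heading)
        for item in items:
            print("   ", item)
```

Run it directly to print the summary for the sample. A "(file missing)" entry is a reference to nothing, which is why the two O9 msjava.dll lines are the clear-cut ones to fix, while an O4 entry that points at a real binary is a judgement about whether that program should start at logon, not a sign of infection.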

mauserme

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #32 on: July 11, 2007, 06:15:55 AM »
Back again with the WinPFind fix.

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Quote

[Files/Folders - Created Within 30 days]
NY -> mfx_temp -> %SystemDrive%\mfx_temp
[Files/Folders - Modified Within 30 days]
NY -> mfx_temp -> %SystemDrive%\mfx_temp
NY -> imsins.BAK -> %SystemRoot%\imsins.BAK


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan, this time changing Files/Folders Created Within and Files/Folders Modified Within to 90 days.

Also let me know of any problems you encounter performing these steps or any continuing problems you are having with the computer.


Then, upload this file to Virus Total

C:\78875.SYM


Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #33 on: July 11, 2007, 08:13:16 PM »
Hi Mauserme,
AOL: Uninstalled completely

QuickTime:
I do not mind QuickTime being on the computer; I was trying to keep it from loading into the system tray during every boot. Since it's not used much, it is probably a waste of memory and loading time. Could I disable it from automatic startup?

Foldershare:
It is an MS program that allows you to access your files anywhere. I need access to certain pertinent yet insensitive data on my home computer for work purposes. So I checked out FolderShare (https://www.foldershare.com/info/howItWorks.php?). That's around when Google Docs came up and that was just easier, since the individual machines do not have to be synced, and this computer does not have to be on all the time. I thought I had uninstalled the program, if there was any. A search on the computer revealed just the following. Could this be loading during startup as well?
C:\Documents and Settings\Family\Local Settings\Application Data\FolderShare
Contains two folders “Settings” & “Logs”
Folder share folder memory size is 826KB


WinPfind3u fix Result:
(Note: I ran it once, but accidentally closed the txt file, so this is the second run)
[Files/Folders - Created Within 30 days]
File C:\mfx_temp not found!
[Files/Folders - Modified Within 30 days]
File C:\mfx_temp not found!
File C:\WINDOWS\imsins.BAK not found!
< End of log >
Created on 07/11/2007 14:06:35

WinPFind3u log will follow in the next few posts, and the last post will be the result of the VirusTotal scan

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #34 on: July 11, 2007, 08:22:18 PM »
WinPFind3 logfile created on: 7/11/2007 2:14:18 PM
WinPFind3U by OldTimer - Version 1.0.39   Folder = E:\Program Files\Anti Virus\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)
 
1022.73 Mb Total Physical Memory | 646.05 Mb Available Physical Memory | 63.17% Memory free
2.40 Gb Paging File | 2.15 Gb Available in Paging File | 89.25% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.29 Gb Total Space | 15.17 Gb Free Space | 51.80% Space Free
Drive D: | 29.29 Gb Total Space | 4.20 Gb Free Space | 14.33% Space Free
Drive E: | 53.19 Gb Total Space | 13.99 Gb Free Space | 26.31% Space Free
F: Drive not present or media not loaded

Computer Name: HOMEUSER
Current User Name: Mr.C!
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
ashdisp.exe -> E:\Program Files\Anti Virus\Avast\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 75392 bytes | Modified Date = 4/30/2007 11:42:48 AM | Attr =    ]
ashmaisv.exe -> E:\Program Files\Anti Virus\Avast\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 243328 bytes | Modified Date = 4/30/2007 12:04:38 PM | Attr =    ]
ashserv.exe -> E:\Program Files\Anti Virus\Avast\ashServ.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 132736 bytes | Modified Date = 4/30/2007 11:42:40 AM | Attr =    ]
ashwebsv.exe -> E:\Program Files\Anti Virus\Avast\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 345728 bytes | Modified Date = 4/30/2007 11:41:28 AM | Attr =    ]
aswupdsv.exe -> E:\Program Files\Anti Virus\Avast\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 16512 bytes | Modified Date = 4/30/2007 11:29:56 AM | Attr =    ]
devdtct2.exe -> %ProgramFiles%\Olympus\DeviceDetector\DevDtct2.exe -> OLYMPUS Corporation. [Ver = 2, 4, 3, 1 | Size = 114688 bytes | Modified Date = 1/16/2004 3:45:08 PM | Attr =    ]
guard.exe -> E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 8:31:10 AM | Attr =    ]
hotsync.exe -> %ProgramFiles%\palmOne\Hotsync.exe -> PalmSource, Inc [Ver = 6.0.1 | Size = 471040 bytes | Modified Date = 6/9/2004 2:16:08 PM | Attr =    ]
hpqgalry.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqgalry.exe -> Hewlett-Packard Co. [Ver = 043.001.005.000 | Size = 520192 bytes | Modified Date = 5/28/2004 11:08:52 PM | Attr =    ]
hpwuschd2.exe -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Company [Ver = 2, 0, 39, 0 | Size = 49152 bytes | Modified Date = 2/12/2004 1:38:56 PM | Attr =    ]
ipodservice.exe -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 323584 bytes | Modified Date = 6/14/2006 4:23:58 PM | Attr =    ]
ituneshelper.exe -> E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 278528 bytes | Modified Date = 6/14/2006 4:24:14 PM | Attr =    ]
jusched.exe -> E:\Program Files\Utilities\Java Runtime Environment\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 132760 bytes | Modified Date = 6/14/2007 6:32:40 PM | Attr =    ]
logitray.exe -> E:\Program Files\Internet\Logitech WebCam\LogiTray.exe -> Logitech Inc. [Ver = 8.1.1.1100 | Size = 77824 bytes | Modified Date = 8/29/2003 3:20:02 PM | Attr =    ]
lvcoms.exe -> %System32%\LVComS.exe -> Logitech Inc. [Ver = 8.1.1.1100 | Size = 135214 bytes | Modified Date = 8/29/2003 2:44:50 PM | Attr =    ]
nvsvc32.exe -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.4469 | Size = 73728 bytes | Modified Date = 6/18/2003 1:31:00 AM | Attr =    ]
qttask.exe -> E:\Program Files\Utilities\Quicktime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1.5 | Size = 282624 bytes | Modified Date = 2/16/2007 10:54:04 AM | Attr =    ]
realsched.exe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3510 | Size = 180269 bytes | Modified Date = 4/25/2006 8:53:20 PM | Attr =    ]
saservice.exe -> %ProgramFiles%\SiteAdvisor\6066\SAService.exe -> McAfee, Inc. [Ver = 2.4.0 | Size = 321064 bytes | Modified Date = 6/3/2007 10:49:56 PM | Attr =    ]
winpfind3u.exe -> E:\Program Files\Anti Virus\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.38.0 | Size = 322048 bytes | Modified Date = 6/23/2007 3:15:54 PM | Attr =    ]

[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> E:\Program Files\Anti Virus\Avast\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 16512 bytes | Modified Date = 4/30/2007 11:29:56 AM | Attr =    ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> E:\Program Files\Anti Virus\Avast\ashServ.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 132736 bytes | Modified Date = 4/30/2007 11:42:40 AM | Attr =    ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> E:\Program Files\Anti Virus\Avast\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 243328 bytes | Modified Date = 4/30/2007 12:04:38 PM | Attr =    ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> E:\Program Files\Anti Virus\Avast\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 345728 bytes | Modified Date = 4/30/2007 11:41:28 AM | Attr =    ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 8:31:10 AM | Attr =    ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 3:56:48 AM | Attr =    ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 4/4/2005 12:41:10 AM | Attr =    ]
(iPodService) iPodService [Win32_Own | On_Demand | Running] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 323584 bytes | Modified Date = 6/14/2006 4:23:58 PM | Attr =    ]
(NVSvc) NVIDIA Driver Helper Service [Win32_Own | Auto | Running] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.4469 | Size = 73728 bytes | Modified Date = 6/18/2003 1:31:00 AM | Attr =    ]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | On_Demand | Stopped] -> %System32%\HPZipm12.exe -> HP [Ver = 8, 0, 0, 0 | Size = 65536 bytes | Modified Date = 3/18/2004 4:55:48 PM | Attr =    ]
(SiteAdvisor Service) SiteAdvisor Service [Win32_Own | Auto | Running] -> %ProgramFiles%\SiteAdvisor\6066\SAService.exe -> McAfee, Inc. [Ver = 2.4.0 | Size = 321064 bytes | Modified Date = 6/3/2007 10:49:56 PM | Attr =    ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
avast! -> E:\Program Files\Anti Virus\Avast\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 75392 bytes | Modified Date = 4/30/2007 11:42:48 AM | Attr =    ]
HP Software Update -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Company [Ver = 2, 0, 39, 0 | Size = 49152 bytes | Modified Date = 2/12/2004 1:38:56 PM | Attr =    ]
iTunesHelper -> E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 278528 bytes | Modified Date = 6/14/2006 4:24:14 PM | Attr =    ]
LogitechVideoRepair -> E:\Program Files\Internet\Logitech WebCam\ISStart.exe -> Logitech Inc. [Ver = 8.1.1.1100 | Size = 188416 bytes | Modified Date = 8/29/2003 3:17:26 PM | Attr =    ]
LogitechVideoTray -> E:\Program Files\Internet\Logitech WebCam\LogiTray.exe -> Logitech Inc. [Ver = 8.1.1.1100 | Size = 77824 bytes | Modified Date = 8/29/2003 3:20:02 PM | Attr =    ]
nwiz -> %System32%\nwiz.exe -> NVIDIA Corporation [Ver = 6.14.10.4469 | Size = 323584 bytes | Modified Date = 6/18/2003 1:31:00 AM | Attr =    ]

WinPFind3 logfile continues in the next post

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #35 on: July 11, 2007, 08:24:09 PM »
WinPFind3 logfile continued...

QuickTime Task -> E:\Program Files\Utilities\Quicktime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1.5 | Size = 282624 bytes | Modified Date = 2/16/2007 10:54:04 AM | Attr =    ]
SunJavaUpdateSched -> E:\Program Files\Utilities\Java Runtime Environment\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 132760 bytes | Modified Date = 6/14/2007 6:32:40 PM | Attr =    ]
TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3510 | Size = 180269 bytes | Modified Date = 4/25/2006 8:53:20 PM | Attr =    ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
FolderShare -> E:\Program Files\Utilities\FolderShare\FolderShare.exe -> File not found
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersStartup%\Adobe Gamma Loader.exe.lnk -> %CommonProgramFiles%\Adobe\Calibration\Adobe Gamma Loader.exe -> Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 113664 bytes | Modified Date = 11/4/1999 4:06:48 PM | Attr =    ]
%AllUsersStartup%\Device Detector 2.lnk -> %ProgramFiles%\Olympus\DeviceDetector\DevDtct2.exe -> OLYMPUS Corporation. [Ver = 2, 4, 3, 1 | Size = 114688 bytes | Modified Date = 1/16/2004 3:45:08 PM | Attr =    ]
%AllUsersStartup%\HotSync Manager.lnk -> %ProgramFiles%\palmOne\Hotsync.exe -> PalmSource, Inc [Ver = 6.0.1 | Size = 471040 bytes | Modified Date = 6/9/2004 2:16:08 PM | Attr =    ]
%AllUsersStartup%\HP Image Zone Fast Start.lnk -> %ProgramFiles%\HP\Digital Imaging\bin\hpqthb08.exe -> Hewlett-Packard Co. [Ver = 043.001.005.000 | Size = 53248 bytes | Modified Date = 5/28/2004 11:06:36 PM | Attr =    ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 5/30/2007 8:29:58 AM | Attr =    ]
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] -> E:\Program Files\Anti Virus\SuperAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 12/20/2006 1:55:48 PM | Attr =    ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
*SecurityProviders* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
zwebauth.dll -> %System32%\ZWebAuth.dll ->  [Ver =  | Size = 16973 bytes | Modified Date = 9/18/2001 7:37:34 PM | Attr =    ]
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
!SASWinLogon -> E:\Program Files\Anti Virus\SuperAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 4/19/2007 1:41:36 PM | Attr =    ]
NavLogon -> Reg Data - Value does not exist -> File not found
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\\ScanWithAntiVirus -> 2 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\AllowLegacyWebView -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\AllowUnhashedWebView -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\LinkResolveIgnoreLinkInfo -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoResolveSearch -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\\{17492023-C23A-453E-A040-C7C580BBF700} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\\NoResolveTrack -> 1 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 36 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\LinkResolveIgnoreLinkInfo -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> ÿÿÿÿ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ ->  ->

WinPFind3 logfile continues in next post

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #36 on: July 11, 2007, 08:25:36 PM »
WinPFind3 logfile continued...

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\Shell\ ->  ->
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1       localhost ->  ->
< Internet Explorer Settings > ->  ->
HKLM: Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Bar -> http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html ->
HKLM: Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Start Page -> about:blank ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKCU: Start Page -> www.bbc.co.uk ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] ->  ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 10/22/2006 11:08:42 PM | Attr =    ]
{089FD14D-132B-48FC-8861-0048AE113215} [HKLM] -> %ProgramFiles%\SiteAdvisor\6066\SiteAdv.dll [Reg Data - Value does not exist] -> McAfee, Inc. [Ver = 2.4.0 | Size = 1099304 bytes | Modified Date = 3/30/2007 11:41:24 AM | Attr =    ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> E:\Program Files\Utilities\Java Runtime Environment\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 509592 bytes | Modified Date = 6/14/2007 6:32:36 PM | Attr =    ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{0BF43445-2F28-4351-9252-17FE6E806AA0} [HKLM] -> %ProgramFiles%\SiteAdvisor\6066\SiteAdv.dll [McAfee SiteAdvisor] -> McAfee, Inc. [Ver = 2.4.0 | Size = 1099304 bytes | Modified Date = 3/30/2007 11:41:24 AM | Attr =    ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> Reg Data - Value does not exist [&Google] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{4528BBE0-4E08-11D5-AD55-00010333D0AD} -> Reg Data - Value does not exist [ButtonText: Messenger] -> File not found
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -> Reg Data - Value does not exist [ButtonText: Real.com] -> File not found
{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
{FB858B22-55E2-413f-87F5-30ADC5552151} -> E:\Program Files\Utilities\PDFill\DownloadPDF.exe [ButtonText: PDFill PDF Editor] -> PlotSoft LLC [Ver = 1.1 | Size = 172032 bytes | Modified Date = 2/23/2006 9:26:38 PM | Attr =    ]
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{26BD2C10-1C5D-4554-ACE7-5448D9FEC5F2} ->    (3Com Gigabit LOM (3C940)) ->
{3757A94B-D174-4396-B478-AF4C6442B82E} ->    (1394 Net Adapter) ->
{FBEE8126-A5B5-43FA-9CA2-6548B4BE79E4} ->    () ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
cetihpz -> %ProgramFiles%\HP\hpcoretech\comp\hpuiprot.dll -> Hewlett-Packard Company [Ver = 2.1.5 | Size = 81920 bytes | Modified Date = 5/12/2004 3:18:56 PM | Attr =    ]
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
siteadvisor -> %ProgramFiles%\SiteAdvisor\6066\SiteAdv.dll -> McAfee, Inc. [Ver = 2.4.0 | Size = 1099304 bytes | Modified Date = 3/30/2007 11:41:24 AM | Attr =    ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -> YInstStarter Class - CodeBase = http://download.yahoo.com/dl/installs/yinst0401.cab ->
{474F00F5-3853-492C-AC3A-476512BBC336} -> UploadListView Class - CodeBase = http://picasaweb.google.com/s/v/14.21/uploader2.cab ->
{4CCA4E6B-9259-11D9-AC6E-444553544200} ->  - CodeBase = http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01.cab ->
{611627F1-D9A5-4235-958E-618E483BF8E7} -> AutoUploader Class - CodeBase = http://www.splashbulb.com/uploader/lib/uploader.cab ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab ->
{9F1C11AA-197B-4942-BA54-47A8489BB47F} ->  - CodeBase = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37988.6395486111 ->
{BAC01377-73DD-4796-854D-2A8997E3D68A} ->  - CodeBase = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab ->
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} ->  - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab ->


[Files/Folders - Created Within 90 days]
78875.sym -> %SystemDrive%\78875.sym ->  [Ver =  | Size = 2711 bytes | Created Date = 7/8/2007 6:08:40 PM | Attr =    ]
ord.htm -> %SystemDrive%\ord.htm ->  [Ver =  | Size = 418 bytes | Created Date = 7/9/2007 9:54:36 AM | Attr =    ]
QooBox -> %SystemDrive%\QooBox ->  [Folder | Created Date = 7/8/2007 1:47:16 PM | Attr =    ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups ->  [Folder | Created Date = 7/10/2007 6:49:01 AM | Attr =    ]
$NtUninstallKB927891$ -> %SystemRoot%\$NtUninstallKB927891$ ->  [Folder | Created Date = 5/23/2007 11:36:18 PM | Attr =  H ]
$NtUninstallKB929123$ -> %SystemRoot%\$NtUninstallKB929123$ ->  [Folder | Created Date = 6/15/2007 8:11:25 AM | Attr =  H ]
$NtUninstallKB929969$ -> %SystemRoot%\$NtUninstallKB929969$ ->  [Folder | Created Date = 6/8/2007 9:07:59 AM | Attr =  H ]
$NtUninstallKB930178$ -> %SystemRoot%\$NtUninstallKB930178$ ->  [Folder | Created Date = 4/16/2007 6:33:27 PM | Attr =  H ]
$NtUninstallKB930916$ -> %SystemRoot%\$NtUninstallKB930916$ ->  [Folder | Created Date = 5/8/2007 5:42:23 PM | Attr =  H ]
$NtUninstallKB931261$ -> %SystemRoot%\$NtUninstallKB931261$ ->  [Folder | Created Date = 4/16/2007 6:33:33 PM | Attr =  H ]
$NtUninstallKB931784$ -> %SystemRoot%\$NtUninstallKB931784$ ->  [Folder | Created Date = 4/16/2007 6:34:00 PM | Attr =  H ]
$NtUninstallKB932168$ -> %SystemRoot%\$NtUninstallKB932168$ ->  [Folder | Created Date = 4/16/2007 6:33:16 PM | Attr =  H ]
$NtUninstallKB935839$ -> %SystemRoot%\$NtUninstallKB935839$ ->  [Folder | Created Date = 6/15/2007 8:09:53 AM | Attr =  H ]
$NtUninstallKB935840$ -> %SystemRoot%\$NtUninstallKB935840$ ->  [Folder | Created Date = 6/15/2007 8:11:13 AM | Attr =  H ]
$NtUninstallKB936357$ -> %SystemRoot%\$NtUninstallKB936357$ ->  [Folder | Created Date = 7/11/2007 8:45:32 AM | Attr =  H ]

WinPFind3 logfile continues in next post

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #37 on: July 11, 2007, 08:26:43 PM »
WinPFind3 logfile continued...

catchme.exe -> %SystemRoot%\catchme.exe ->  [Ver =  | Size = 104960 bytes | Created Date = 7/8/2007 1:44:53 PM | Attr =    ]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Created Date = 7/8/2007 1:47:31 PM | Attr =    ]
fw20.vxd -> %SystemRoot%\fw20.vxd ->  [Ver =  | Size = 79947 bytes | Created Date = 2/24/2067 3:21:18 PM | Attr =    ]
hpoins04.dat -> %SystemRoot%\hpoins04.dat ->  [Ver =  | Size = 104549 bytes | Created Date = 6/8/2007 5:13:18 PM | Attr =    ]
hpomdl04.dat -> %SystemRoot%\hpomdl04.dat ->  [Ver =  | Size = 17176 bytes | Created Date = 6/8/2007 5:13:18 PM | Attr =    ]
ie7 -> %SystemRoot%\ie7 ->  [Folder | Created Date = 6/8/2007 9:21:48 AM | Attr =  H ]
nircmd.exe -> %SystemRoot%\nircmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 7/8/2007 1:44:53 PM | Attr =    ]
QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Created Date = 6/20/2007 12:10:57 PM | Attr =    ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Created Date = 6/20/2007 12:10:57 PM | Attr =  H ]
SxsCaPendDel -> %SystemRoot%\SxsCaPendDel ->  [Folder | Created Date = 6/8/2007 2:50:15 PM | Attr =    ]
MP Scheduled Scan.job -> %SystemRoot%\tasks\MP Scheduled Scan.job ->  [Ver =  | Size = 370 bytes | Created Date = 6/3/2007 8:55:59 PM | Attr =  H ]
apnbopbd.ini -> %System32%\apnbopbd.ini ->  [Ver =  | Size = 896958 bytes | Created Date = 6/4/2007 8:35:02 PM | Attr =  HS]
awgvioka.ini -> %System32%\awgvioka.ini ->  [Ver =  | Size = 903273 bytes | Created Date = 6/18/2007 9:32:17 PM | Attr =  HS]
awwqhkbm.ini -> %System32%\awwqhkbm.ini ->  [Ver =  | Size = 2608880 bytes | Created Date = 6/25/2007 10:06:40 AM | Attr =  HS]
btuceges.ini -> %System32%\btuceges.ini ->  [Ver =  | Size = 4004 bytes | Created Date = 7/5/2007 9:23:40 AM | Attr =  HS]
byctvjad.ini -> %System32%\byctvjad.ini ->  [Ver =  | Size = 1832150 bytes | Created Date = 6/13/2007 12:02:30 PM | Attr =  HS]
cokqgjee.ini -> %System32%\cokqgjee.ini ->  [Ver =  | Size = 3967346 bytes | Created Date = 7/2/2007 7:47:35 AM | Attr =  HS]
eclblhoy.ini -> %System32%\eclblhoy.ini ->  [Ver =  | Size = 2610513 bytes | Created Date = 6/24/2007 7:19:28 AM | Attr =  HS]
epimlscn.ini -> %System32%\epimlscn.ini ->  [Ver =  | Size = 922340 bytes | Created Date = 6/14/2007 12:09:35 PM | Attr =  HS]
esagrbsj.ini -> %System32%\esagrbsj.ini ->  [Ver =  | Size = 2825021 bytes | Created Date = 6/29/2007 12:25:21 PM | Attr =  HS]
fxscount.h -> %System32%\fxscount.h ->  [Ver =  | Size = 1361 bytes | Created Date = 6/11/2007 8:49:11 AM | Attr =    ]
fxsperf.ini -> %System32%\fxsperf.ini ->  [Ver =  | Size = 1793 bytes | Created Date = 6/11/2007 8:49:11 AM | Attr =    ]
FxsTmp -> %System32%\FxsTmp ->  [Folder | Created Date = 6/11/2007 8:49:47 AM | Attr =    ]
ggfccaun.ini -> %System32%\ggfccaun.ini ->  [Ver =  | Size = 899002 bytes | Created Date = 6/17/2007 1:15:12 PM | Attr =  HS]
ghpllnnu.ini -> %System32%\ghpllnnu.ini ->  [Ver =  | Size = 1063903 bytes | Created Date = 6/2/2007 1:08:07 PM | Attr =  HS]
hanujeoc.ini -> %System32%\hanujeoc.ini ->  [Ver =  | Size = 902645 bytes | Created Date = 6/19/2007 10:18:40 PM | Attr =  HS]
hfeblegh.ini -> %System32%\hfeblegh.ini ->  [Ver =  | Size = 1836902 bytes | Created Date = 6/11/2007 11:03:32 PM | Attr =  HS]
honmjkuk.ini -> %System32%\honmjkuk.ini ->  [Ver =  | Size = 2607208 bytes | Created Date = 6/26/2007 10:11:50 AM | Attr =  HS]
hticons.dll -> %System32%\hticons.dll -> Hilgraeve, Inc. [Ver = 5.1.2600.0 | Size = 44544 bytes | Created Date = 6/11/2007 8:49:21 AM | Attr =    ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 135168 bytes | Created Date = 7/8/2007 5:57:18 PM | Attr =    ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 69632 bytes | Created Date = 7/8/2007 5:57:18 PM | Attr =    ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 135168 bytes | Created Date = 7/8/2007 5:57:18 PM | Attr =    ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 139264 bytes | Created Date = 7/8/2007 5:57:18 PM | Attr =    ]
jyuukovc.ini -> %System32%\jyuukovc.ini ->  [Ver =  | Size = 2605510 bytes | Created Date = 6/27/2007 10:28:04 AM | Attr =  HS]
kadhngey.ini -> %System32%\kadhngey.ini ->  [Ver =  | Size = 1861349 bytes | Created Date = 6/15/2007 12:09:39 PM | Attr =  HS]
knircdfl.ini -> %System32%\knircdfl.ini ->  [Ver =  | Size = 2831368 bytes | Created Date = 6/28/2007 12:29:12 PM | Attr =  HS]
kycvaurl.ini -> %System32%\kycvaurl.ini ->  [Ver =  | Size = 838518 bytes | Created Date = 6/21/2007 9:59:22 PM | Attr =  HS]
mapisvc.inf -> %System32%\mapisvc.inf ->  [Ver =  | Size = 535 bytes | Created Date = 6/11/2007 8:49:32 AM | Attr =    ]
mcrh.tmp -> %System32%\mcrh.tmp ->  [Ver =  | Size = 143 bytes | Created Date = 6/7/2007 10:01:08 PM | Attr =    ]
meskflyf.ini -> %System32%\meskflyf.ini ->  [Ver =  | Size = 3584 bytes | Created Date = 7/3/2007 8:31:48 AM | Attr =  HS]
qoorjrbi.ini -> %System32%\qoorjrbi.ini ->  [Ver =  | Size = 3765 bytes | Created Date = 7/4/2007 8:49:17 AM | Attr =  HS]
rosksxkd.ini -> %System32%\rosksxkd.ini ->  [Ver =  | Size = 4064 bytes | Created Date = 7/6/2007 9:37:35 AM | Attr =  HS]
rqtss.bak2 -> %System32%\rqtss.bak2 ->  [Ver =  | Size = 1844926 bytes | Created Date = 6/3/2007 8:24:58 PM | Attr =  HS]
rqtss.ini -> %System32%\rqtss.ini ->  [Ver =  | Size = 1866703 bytes | Created Date = 6/2/2007 1:07:30 PM | Attr =  HS]
seglavgs.ini -> %System32%\seglavgs.ini ->  [Ver =  | Size = 3812146 bytes | Created Date = 7/1/2007 12:04:31 AM | Attr =  HS]
sttss.ini -> %System32%\sttss.ini ->  [Ver =  | Size = 353 bytes | Created Date = 6/2/2007 1:07:30 PM | Attr =  HS]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.6 | Size = 428032 bytes | Created Date = 7/8/2007 1:44:53 PM | Attr =    ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 7/8/2007 1:44:52 PM | Attr =    ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 7/8/2007 1:44:52 PM | Attr =    ]
tuikrbvg.ini -> %System32%\tuikrbvg.ini ->  [Ver =  | Size = 1861408 bytes | Created Date = 6/16/2007 12:11:17 PM | Attr =  HS]
veiixtnf.ini -> %System32%\veiixtnf.ini ->  [Ver =  | Size = 1699502 bytes | Created Date = 6/22/2007 10:04:01 PM | Attr =  HS]
vfind.exe -> %System32%\vfind.exe ->  [Ver =  | Size = 49152 bytes | Created Date = 7/8/2007 1:44:53 PM | Attr =    ]
vwhpwrca.ini -> %System32%\vwhpwrca.ini ->  [Ver =  | Size = 1858630 bytes | Created Date = 6/16/2007 12:19:32 PM | Attr =  HS]
wvejtjfw.ini -> %System32%\wvejtjfw.ini ->  [Ver =  | Size = 891854 bytes | Created Date = 6/20/2007 9:53:33 PM | Attr =  HS]
htrn_jis.dll -> %System32%\dllcache\htrn_jis.dll -> Hilgraeve, Inc. [Ver = 5.1.2600.0 | Size = 13312 bytes | Created Date = 6/11/2007 8:49:21 AM | Attr =    ]
AvgArCln.sys -> %System32%\drivers\AvgArCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 7/7/2007 4:51:23 PM | Attr =    ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Created Date = 7/7/2007 4:30:25 PM | Attr =    ]
njyoxcnhlwus.sys -> %System32%\drivers\njyoxcnhlwus.sys ->  [Ver =  | Size = 8704 bytes | Created Date = 7/8/2007 1:30:26 PM | Attr =    ]
hosts.20070602-143317.backup -> %System32%\drivers\etc\hosts.20070602-143317.backup ->  [Ver =  | Size = 734 bytes | Created Date = 6/2/2007 1:33:17 PM | Attr = R  ]

[Files/Folders - Modified Within 90 days]
78875.sym -> %SystemDrive%\78875.sym ->  [Ver =  | Size = 2711 bytes | Modified Date = 7/8/2007 7:08:42 PM | Attr =    ]
Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Modified Date = 7/11/2007 10:01:52 AM | Attr =  H ]
My Games -> %SystemDrive%\My Games ->  [Folder | Modified Date = 6/2/2007 8:16:18 PM | Attr =    ]
ord.htm -> %SystemDrive%\ord.htm ->  [Ver =  | Size = 418 bytes | Modified Date = 7/9/2007 10:54:38 AM | Attr =    ]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 6/8/2007 6:23:36 PM | Attr = R  ]
QooBox -> %SystemDrive%\QooBox ->  [Folder | Modified Date = 7/8/2007 2:47:18 PM | Attr =    ]
System Volume Information -> %SystemDrive%\System Volume Information ->  [Folder | Modified Date = 7/7/2007 5:32:44 PM | Attr =  HS]
temp -> %SystemDrive%\temp ->  [Folder | Modified Date = 6/8/2007 2:26:44 PM | Attr =    ]

WinPFind3 logfile continues in next post...

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #38 on: July 11, 2007, 08:27:54 PM »
WinPFind3 logfile continued...

VundoFix Backups -> %SystemDrive%\VundoFix Backups ->  [Folder | Modified Date = 7/10/2007 7:49:02 AM | Attr =    ]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 7/11/2007 2:00:08 PM | Attr =    ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ ->  [Folder | Modified Date = 7/11/2007 9:40:20 AM | Attr =  H ]
$NtUninstallKB927891$ -> %SystemRoot%\$NtUninstallKB927891$ ->  [Folder | Modified Date = 5/24/2007 12:36:20 AM | Attr =  H ]
$NtUninstallKB929123$ -> %SystemRoot%\$NtUninstallKB929123$ ->  [Folder | Modified Date = 6/15/2007 9:11:28 AM | Attr =  H ]
$NtUninstallKB929969$ -> %SystemRoot%\$NtUninstallKB929969$ ->  [Folder | Modified Date = 6/8/2007 10:08:02 AM | Attr =  H ]
$NtUninstallKB930178$ -> %SystemRoot%\$NtUninstallKB930178$ ->  [Folder | Modified Date = 4/16/2007 7:33:28 PM | Attr =  H ]
$NtUninstallKB930916$ -> %SystemRoot%\$NtUninstallKB930916$ ->  [Folder | Modified Date = 5/8/2007 6:42:26 PM | Attr =  H ]
$NtUninstallKB931261$ -> %SystemRoot%\$NtUninstallKB931261$ ->  [Folder | Modified Date = 4/16/2007 7:33:34 PM | Attr =  H ]
$NtUninstallKB931784$ -> %SystemRoot%\$NtUninstallKB931784$ ->  [Folder | Modified Date = 4/16/2007 7:34:02 PM | Attr =  H ]
$NtUninstallKB932168$ -> %SystemRoot%\$NtUninstallKB932168$ ->  [Folder | Modified Date = 4/16/2007 7:33:18 PM | Attr =  H ]
$NtUninstallKB935839$ -> %SystemRoot%\$NtUninstallKB935839$ ->  [Folder | Modified Date = 6/15/2007 9:09:56 AM | Attr =  H ]
$NtUninstallKB935840$ -> %SystemRoot%\$NtUninstallKB935840$ ->  [Folder | Modified Date = 6/15/2007 9:11:16 AM | Attr =  H ]
$NtUninstallKB936357$ -> %SystemRoot%\$NtUninstallKB936357$ ->  [Folder | Modified Date = 7/11/2007 9:45:34 AM | Attr =  H ]
addins -> %SystemRoot%\addins ->  [Folder | Modified Date = 6/11/2007 9:49:14 AM | Attr =    ]
assembly -> %SystemRoot%\assembly ->  [Folder | Modified Date = 7/11/2007 10:13:02 AM | Attr = R S]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 7/11/2007 12:54:10 PM | Attr =   S]
catchme.exe -> %SystemRoot%\catchme.exe ->  [Ver =  | Size = 104960 bytes | Modified Date = 7/4/2007 7:21:06 PM | Attr =    ]
Cursors -> %SystemRoot%\Cursors ->  [Folder | Modified Date = 6/11/2007 9:49:28 AM | Attr =    ]
Debug -> %SystemRoot%\Debug ->  [Folder | Modified Date = 5/8/2007 6:41:12 PM | Attr =    ]
Downloaded Installations -> %SystemRoot%\Downloaded Installations ->  [Folder | Modified Date = 4/18/2007 6:25:50 PM | Attr =    ]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Modified Date = 7/8/2007 2:47:32 PM | Attr =    ]
Fonts -> %SystemRoot%\Fonts ->  [Folder | Modified Date = 6/2/2007 4:05:48 PM | Attr = R S]
Help -> %SystemRoot%\Help ->  [Folder | Modified Date = 7/8/2007 6:53:52 PM | Attr =    ]
hpoins04.dat -> %SystemRoot%\hpoins04.dat ->  [Ver =  | Size = 104549 bytes | Modified Date = 6/8/2007 6:28:20 PM | Attr =    ]
hpoins04.dat.temp -> %SystemRoot%\hpoins04.dat.temp ->  [Ver =  | Size = 104100 bytes | Modified Date = 6/8/2007 2:46:30 PM | Attr =    ]
ie7 -> %SystemRoot%\ie7 ->  [Folder | Modified Date = 6/8/2007 10:22:38 AM | Attr =  H ]
ie7updates -> %SystemRoot%\ie7updates ->  [Folder | Modified Date = 6/15/2007 9:08:40 AM | Attr =    ]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 7/11/2007 9:45:50 AM | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 7/11/2007 9:44:58 AM | Attr =  HS]
Media -> %SystemRoot%\Media ->  [Folder | Modified Date = 6/8/2007 10:22:58 AM | Attr =    ]
Microsoft.NET -> %SystemRoot%\Microsoft.NET ->  [Folder | Modified Date = 7/11/2007 10:13:04 AM | Attr =    ]
mozver.dat -> %SystemRoot%\mozver.dat ->  [Ver =  | Size = 11029 bytes | Modified Date = 4/25/2007 12:53:50 PM | Attr =    ]
msagent -> %SystemRoot%\msagent ->  [Folder | Modified Date = 4/16/2007 9:21:06 PM | Attr =    ]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini ->  [Ver =  | Size = 116 bytes | Modified Date = 6/4/2007 4:57:36 PM | Attr =    ]
nircmd.exe -> %SystemRoot%\nircmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Modified Date = 6/17/2007 12:11:58 AM | Attr =    ]
pfirewall.log.old -> %SystemRoot%\pfirewall.log.old ->  [Ver =  | Size = 4026387 bytes | Modified Date = 6/22/2007 11:02:46 AM | Attr =    ]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 7/11/2007 1:59:52 PM | Attr =    ]
QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Modified Date = 6/20/2007 1:10:58 PM | Attr =    ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Modified Date = 6/23/2007 6:21:22 PM | Attr =  H ]
Registration -> %SystemRoot%\Registration ->  [Folder | Modified Date = 6/8/2007 2:36:30 PM | Attr =    ]
security -> %SystemRoot%\security ->  [Folder | Modified Date = 6/11/2007 11:09:58 AM | Attr =    ]
SoftwareDistribution -> %SystemRoot%\SoftwareDistribution ->  [Folder | Modified Date = 5/23/2007 8:05:06 PM | Attr =    ]
SxsCaPendDel -> %SystemRoot%\SxsCaPendDel ->  [Folder | Modified Date = 6/8/2007 4:13:28 PM | Attr =    ]
system32 -> %System32% ->  [Folder | Modified Date = 7/11/2007 9:44:26 AM | Attr =    ]
Tasks -> %SystemRoot%\Tasks ->  [Folder | Modified Date = 7/11/2007 12:57:22 PM | Attr =   S]
Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 7/11/2007 2:03:06 PM | Attr =    ]
twain_32 -> %SystemRoot%\twain_32 ->  [Folder | Modified Date = 6/8/2007 6:18:10 PM | Attr =    ]
WBEM -> %SystemRoot%\WBEM ->  [Folder | Modified Date = 6/8/2007 10:23:06 AM | Attr =    ]
win.ini -> %SystemRoot%\win.ini ->  [Ver =  | Size = 1088 bytes | Modified Date = 7/6/2007 12:36:54 PM | Attr =    ]
WinSxS -> %SystemRoot%\WinSxS ->  [Folder | Modified Date = 7/11/2007 9:43:18 AM | Attr =    ]
MP Scheduled Scan.job -> %SystemRoot%\tasks\MP Scheduled Scan.job ->  [Ver =  | Size = 370 bytes | Modified Date = 7/11/2007 12:57:22 PM | Attr =  H ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 7/11/2007 12:54:18 PM | Attr =  H ]
apnbopbd.ini -> %System32%\apnbopbd.ini ->  [Ver =  | Size = 896958 bytes | Modified Date = 6/11/2007 9:31:14 PM | Attr =  HS]
aswBoot.exe -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 745600 bytes | Modified Date = 4/30/2007 11:46:10 AM | Attr =    ]
AVASTSS.scr -> %System32%\AVASTSS.scr -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 95872 bytes | Modified Date = 4/30/2007 11:35:28 AM | Attr =    ]
awgvioka.ini -> %System32%\awgvioka.ini ->  [Ver =  | Size = 903273 bytes | Modified Date = 6/19/2007 10:46:10 PM | Attr =  HS]
awwqhkbm.ini -> %System32%\awwqhkbm.ini ->  [Ver =  | Size = 2608880 bytes | Modified Date = 6/26/2007 11:07:18 AM | Attr =  HS]
btuceges.ini -> %System32%\btuceges.ini ->  [Ver =  | Size = 4004 bytes | Modified Date = 7/6/2007 10:24:10 AM | Attr =  HS]
byctvjad.ini -> %System32%\byctvjad.ini ->  [Ver =  | Size = 1832150 bytes | Modified Date = 6/15/2007 10:10:24 AM | Attr =  HS]
CatRoot -> %System32%\CatRoot ->  [Folder | Modified Date = 6/15/2007 9:13:38 AM | Attr =    ]
CatRoot2 -> %System32%\CatRoot2 ->  [Folder | Modified Date = 7/11/2007 9:40:20 AM | Attr =    ]
cokqgjee.ini -> %System32%\cokqgjee.ini ->  [Ver =  | Size = 3967346 bytes | Modified Date = 7/3/2007 9:29:26 AM | Attr =  HS]
config -> %System32%\config ->  [Folder | Modified Date = 7/8/2007 2:47:42 PM | Attr =    ]
CONFIG.NT -> %System32%\CONFIG.NT ->  [Ver =  | Size = 2625 bytes | Modified Date = 5/4/2007 12:00:56 PM | Attr =    ]
dllcache -> %System32%\dllcache ->  [Folder | Modified Date = 7/11/2007 9:45:36 AM | Attr = RHS]
drivers -> %System32%\drivers ->  [Folder | Modified Date = 7/11/2007 9:45:36 AM | Attr =    ]
eclblhoy.ini -> %System32%\eclblhoy.ini ->  [Ver =  | Size = 2610513 bytes | Modified Date = 6/25/2007 11:04:24 AM | Attr =  HS]
en-US -> %System32%\en-US ->  [Folder | Modified Date = 6/8/2007 2:19:46 PM | Attr =    ]

WinPFind3 logfile continues in next page

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #39 on: July 11, 2007, 08:29:21 PM »
WinPFind3 logfile continued...
epimlscn.ini -> %System32%\epimlscn.ini ->  [Ver =  | Size = 922340 bytes | Modified Date = 6/14/2007 1:09:44 PM | Attr =  HS]
esagrbsj.ini -> %System32%\esagrbsj.ini ->  [Ver =  | Size = 2825021 bytes | Modified Date = 7/1/2007 1:02:16 AM | Attr =  HS]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT ->  [Ver =  | Size = 361728 bytes | Modified Date = 6/2/2007 7:18:44 PM | Attr =    ]
FxsTmp -> %System32%\FxsTmp ->  [Folder | Modified Date = 7/6/2007 12:36:38 PM | Attr =    ]
ggfccaun.ini -> %System32%\ggfccaun.ini ->  [Ver =  | Size = 899002 bytes | Modified Date = 6/18/2007 10:27:00 PM | Attr =  HS]
ghpllnnu.ini -> %System32%\ghpllnnu.ini ->  [Ver =  | Size = 1063903 bytes | Modified Date = 6/4/2007 9:25:32 PM | Attr =  HS]
hanujeoc.ini -> %System32%\hanujeoc.ini ->  [Ver =  | Size = 902645 bytes | Modified Date = 6/20/2007 10:30:04 PM | Attr =  HS]
hfeblegh.ini -> %System32%\hfeblegh.ini ->  [Ver =  | Size = 1836902 bytes | Modified Date = 6/13/2007 12:51:22 PM | Attr =  HS]
honmjkuk.ini -> %System32%\honmjkuk.ini ->  [Ver =  | Size = 2607208 bytes | Modified Date = 6/27/2007 11:12:28 AM | Attr =  HS]
inetsrv -> %System32%\inetsrv ->  [Folder | Modified Date = 6/8/2007 10:09:28 AM | Attr =    ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 135168 bytes | Modified Date = 6/14/2007 3:51:50 PM | Attr =    ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 69632 bytes | Modified Date = 6/14/2007 4:53:22 PM | Attr =    ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 135168 bytes | Modified Date = 6/14/2007 3:51:54 PM | Attr =    ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 139264 bytes | Modified Date = 6/14/2007 4:53:24 PM | Attr =    ]
jyuukovc.ini -> %System32%\jyuukovc.ini ->  [Ver =  | Size = 2605510 bytes | Modified Date = 6/28/2007 1:21:10 PM | Attr =  HS]
kadhngey.ini -> %System32%\kadhngey.ini ->  [Ver =  | Size = 1861349 bytes | Modified Date = 6/16/2007 1:11:22 PM | Attr =  HS]
knircdfl.ini -> %System32%\knircdfl.ini ->  [Ver =  | Size = 2831368 bytes | Modified Date = 6/28/2007 1:58:54 PM | Attr =  HS]
kycvaurl.ini -> %System32%\kycvaurl.ini ->  [Ver =  | Size = 838518 bytes | Modified Date = 6/22/2007 10:59:44 PM | Attr =  HS]
mapisvc.inf -> %System32%\mapisvc.inf ->  [Ver =  | Size = 535 bytes | Modified Date = 6/11/2007 9:49:34 AM | Attr =    ]
mcrh.tmp -> %System32%\mcrh.tmp ->  [Ver =  | Size = 143 bytes | Modified Date = 6/11/2007 2:57:20 PM | Attr =    ]
meskflyf.ini -> %System32%\meskflyf.ini ->  [Ver =  | Size = 3584 bytes | Modified Date = 7/4/2007 9:47:18 AM | Attr =  HS]
perfc009.dat -> %System32%\perfc009.dat ->  [Ver =  | Size = 65130 bytes | Modified Date = 7/11/2007 9:44:26 AM | Attr =    ]
perfh009.dat -> %System32%\perfh009.dat ->  [Ver =  | Size = 407820 bytes | Modified Date = 7/11/2007 9:44:26 AM | Attr =    ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI ->  [Ver =  | Size = 463634 bytes | Modified Date = 7/11/2007 9:44:26 AM | Attr =    ]
qoorjrbi.ini -> %System32%\qoorjrbi.ini ->  [Ver =  | Size = 3765 bytes | Modified Date = 7/5/2007 10:18:18 AM | Attr =  HS]
Restore -> %System32%\Restore ->  [Folder | Modified Date = 7/7/2007 6:32:08 PM | Attr =    ]
rosksxkd.ini -> %System32%\rosksxkd.ini ->  [Ver =  | Size = 4064 bytes | Modified Date = 7/6/2007 10:37:52 AM | Attr =  HS]
rqtss.bak2 -> %System32%\rqtss.bak2 ->  [Ver =  | Size = 1844926 bytes | Modified Date = 7/7/2007 3:00:12 PM | Attr =  HS]
rqtss.ini -> %System32%\rqtss.ini ->  [Ver =  | Size = 1866703 bytes | Modified Date = 7/8/2007 10:51:14 AM | Attr =  HS]
seglavgs.ini -> %System32%\seglavgs.ini ->  [Ver =  | Size = 3812146 bytes | Modified Date = 7/2/2007 8:45:42 AM | Attr =  HS]
sttss.ini -> %System32%\sttss.ini ->  [Ver =  | Size = 353 bytes | Modified Date = 6/2/2007 2:07:32 PM | Attr =  HS]
tuikrbvg.ini -> %System32%\tuikrbvg.ini ->  [Ver =  | Size = 1861408 bytes | Modified Date = 6/16/2007 1:11:52 PM | Attr =  HS]
URTTemp -> %System32%\URTTemp ->  [Folder | Modified Date = 6/8/2007 2:35:16 PM | Attr =    ]
veiixtnf.ini -> %System32%\veiixtnf.ini ->  [Ver =  | Size = 1699502 bytes | Modified Date = 6/24/2007 8:11:12 AM | Attr =  HS]
vwhpwrca.ini -> %System32%\vwhpwrca.ini ->  [Ver =  | Size = 1858630 bytes | Modified Date = 6/17/2007 2:15:20 PM | Attr =  HS]
wpa.dbl -> %System32%\wpa.dbl ->  [Ver =  | Size = 13002 bytes | Modified Date = 7/11/2007 1:59:38 PM | Attr =    ]
wvejtjfw.ini -> %System32%\wvejtjfw.ini ->  [Ver =  | Size = 891854 bytes | Modified Date = 6/21/2007 10:54:20 PM | Attr =  HS]
aavmker4.sys -> %System32%\drivers\aavmker4.sys -> ALWIL Software [Ver = 4.7.997.0 | Size = 26888 bytes | Modified Date = 4/30/2007 11:37:24 AM | Attr =    ]
aswmon.sys -> %System32%\drivers\aswmon.sys -> ALWIL Software [Ver = 4.7.997.0 | Size = 85952 bytes | Modified Date = 4/30/2007 11:41:56 AM | Attr =    ]
aswmon2.sys -> %System32%\drivers\aswmon2.sys -> ALWIL Software [Ver = 4.7.997.0 | Size = 94552 bytes | Modified Date = 4/30/2007 11:41:42 AM | Attr =    ]
aswRdr.sys -> %System32%\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.7.997.0 | Size = 23416 bytes | Modified Date = 4/30/2007 11:39:42 AM | Attr =    ]
aswTdi.sys -> %System32%\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.7.997.0 | Size = 43176 bytes | Modified Date = 4/30/2007 11:38:52 AM | Attr =    ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Modified Date = 5/30/2007 8:10:42 AM | Attr =    ]
etc -> %System32%\drivers\etc ->  [Folder | Modified Date = 7/8/2007 2:49:30 PM | Attr =    ]
njyoxcnhlwus.sys -> %System32%\drivers\njyoxcnhlwus.sys ->  [Ver =  | Size = 8704 bytes | Modified Date = 7/8/2007 2:30:18 PM | Attr =    ]

[File String Scan - Non-Microsoft Only]
UPX! , UPX0 ,  -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 745600 bytes | Modified Date = 4/30/2007 11:46:10 AM | Attr =    ]
PEC2 ,  -> %System32%\dfrg.msc ->  [Ver =  | Size = 41397 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\pncrt.dll -> Real Networks, Inc [Ver = 6.0.0.0 | Size = 123392 bytes | Modified Date = 11/25/2003 7:32:02 PM | Attr =    ]
winsync ,  -> %System32%\wbdbase.deu ->  [Ver =  | Size = 1309184 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr =    ]
WSUD , UPX0 ,  -> %System32%\dllcache\hwxjpn.dll ->  [Ver =  | Size = 13463552 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr =    ]
PTech ,  -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/4/2004 1:41:38 AM | Attr =    ]

< End of report >

Next post: Virus Total Result
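As an added triage example (my own code, not part of this thread and not WinPFind's own tooling): a small Python script that parses the `name -> path -> publisher [fields]` lines WinPFind3 writes in its Created/Modified sections and pulls out the entries a helper would look at first. The sample lines are copied from the log above; the flagging rules are my own heuristics, and the "8 to 12 lowercase letters with no publisher" rule in particular is an assumption that can miss or over-flag files, so its output is a reading list, not a verdict.

```python
from __future__ import annotations

import os
import re
from dataclasses import dataclass, field
from typing import Optional

# One WinPFind3 file/folder line: "<name> -> <path> -> <publisher> [<k = v> | <k = v> | ...]"
LINE_RE = re.compile(
    r"^(?P<name>.+?) -> (?P<path>.+?) -> (?P<publisher>.*?) \[(?P<fields>.*)\]\s*$"
)

# Assumption (my heuristic, not WinPFind's): an all-lowercase stem of 8-12 letters
# with no publisher string is "random-looking" and worth a second look.
RANDOM_STEM_RE = re.compile(r"^[a-z]{8,12}$")
INTERESTING_EXT = {".ini", ".dll", ".exe", ".sys"}


@dataclass
class Entry:
    name: str
    path: str
    publisher: str
    is_folder: bool
    version: str
    size: Optional[int]
    attr: str
    reasons: list = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for lines that are not file/folder entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields: dict[str, str] = {}
    is_folder = False
    for part in m.group("fields").split(" | "):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
        elif part.strip() == "Folder":
            is_folder = True
    size = None
    size_text = fields.get("Size", "")
    if size_text.endswith(" bytes"):
        size = int(size_text[: -len(" bytes")])
    return Entry(
        name=m.group("name"),
        path=m.group("path"),
        publisher=m.group("publisher").strip(),
        is_folder=is_folder,
        version=fields.get("Ver", ""),
        size=size,
        attr=fields.get("Attr", ""),
    )


def triage(entry: Entry) -> Entry:
    """Attach human-readable reasons to an entry that matches any flag rule."""
    if entry.is_folder:
        return entry
    stem, ext = os.path.splitext(entry.name)
    ext = ext.lower()
    in_system32 = entry.path.lower().startswith("%system32%\\")
    anonymous = not entry.publisher and not entry.version
    if in_system32 and "H" in entry.attr and "S" in entry.attr and anonymous:
        entry.reasons.append("hidden+system file in System32 with no publisher or version")
    if RANDOM_STEM_RE.match(stem) and ext in INTERESTING_EXT and not entry.publisher:
        entry.reasons.append("random-looking %d-letter name with no publisher" % len(stem))
    if ext == ".sys" and anonymous:
        entry.reasons.append("kernel driver with no publisher or version")
    return entry


def triage_log(text: str) -> list[Entry]:
    """Return only the entries that tripped at least one rule, in log order."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and triage(entry).reasons:
            flagged.append(entry)
    return flagged


# Constructed sample: eight lines copied from the WinPFind3 log in this thread.
SAMPLE_LOG = r"""
apnbopbd.ini -> %System32%\apnbopbd.ini ->  [Ver =  | Size = 896958 bytes | Created Date = 6/4/2007 8:35:02 PM | Attr =  HS]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 135168 bytes | Created Date = 7/8/2007 5:57:18 PM | Attr =    ]
rqtss.ini -> %System32%\rqtss.ini ->  [Ver =  | Size = 1866703 bytes | Created Date = 6/2/2007 1:07:30 PM | Attr =  HS]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 7/8/2007 1:44:52 PM | Attr =    ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Created Date = 6/20/2007 12:10:57 PM | Attr =  H ]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Created Date = 7/8/2007 1:47:31 PM | Attr =    ]
njyoxcnhlwus.sys -> %System32%\drivers\njyoxcnhlwus.sys ->  [Ver =  | Size = 8704 bytes | Created Date = 7/8/2007 1:30:26 PM | Attr =    ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Created Date = 7/7/2007 4:30:25 PM | Attr =    ]
"""

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print("%-40s %8s bytes  %s" % (e.path, e.size, "; ".join(e.reasons)))
```

Run against the full log, the script lists every hidden+system `.ini` in System32 plus `njyoxcnhlwus.sys` and leaves the Java, avast!, AVG and SteelWerX files alone; anything it prints still needs a hash lookup or a second opinion before it is removed, since a signed-looking publisher string in this log is copied from the file's version resource and is not a signature check.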

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #40 on: July 11, 2007, 08:58:36 PM »
VirusTotal Scan of C:\78875.SYM

File 78875.sym received on 07.11.2007 20:29:52 (CET)
Antivirus    Version    Last Update    Result
AhnLab-V3   2007.7.11.1   20070711   no virus found
AntiVir   7.4.0.39   20070711   no virus found
Authentium   4.93.8   20070710   no virus found
Avast   4.7.997.0   20070711   no virus found
AVG   7.5.0.476   20070711   no virus found
BitDefender   7.2   20070711   no virus found
CAT-QuickHeal   9.00   20070711   no virus found
ClamAV   devel-20070416   20070711   no virus found
DrWeb   4.33   20070711   no virus found
eSafe   7.0.15.0   20070710   no virus found
eTrust-Vet   30.8.3779   20070711   no virus found
Ewido   4.0   20070711   no virus found
FileAdvisor   1   20070711   no virus found
Fortinet   2.91.0.0   20070711   no virus found
F-Prot   4.3.2.48   20070710   no virus found
Ikarus   T3.1.1.8   20070711   no virus found
Kaspersky   4.0.2.24   20070711   no virus found
McAfee   5072   20070711   no virus found
Microsoft   1.2704   20070711   no virus found
NOD32v2   2393   20070711   no virus found
Norman   5.80.02   20070711   no virus found
Panda   9.0.0.4   20070711   no virus found
Sophos   4.19.0   20070706   no virus found
Sunbelt   2.2.907.0   20070711   no virus found
Symantec   10   20070711   no virus found
TheHacker   6.1.6.144   20070709   no virus found
VBA32   3.12.0.2   20070710   no virus found
VirusBuster   4.3.23:9   20070711   no virus found
Webwasher-Gateway   6.0.1   20070711   no virus found
Additional information
File size: 2711 bytes
MD5: 7fc32bc9e4b8fe10b86d4ff1788f3e34
SHA1: ea2224b6e2e7a8d7b83ffeedaf1a604c157a6dc3

mauserme

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #41 on: July 12, 2007, 07:21:47 AM »
QuickTime:
I do not mind QuickTime being on the computer; I was trying to keep it from loading into the system tray during every boot. Since it's not used much, it is probably a waste of memory and loading time. Could I disable it from automatic startup?
It's probably better to use the free version of WinPatrol for this

http://www.winpatrol.com/download.html

I use this program on all my installations to control start ups, monitor changes, etc.  Use it carefully - if you disable critical system components your computer could be unbootable.


Foldershare:
It is an MS program that allows you to access your files anywhere. I need access to certain pertinent yet insensitive data on my home computer for work purposes. So I checked out FolderShare (https://www.foldershare.com/info/howItWorks.php?). That's around when Google Docs came up and that was just easier, since the individual machines do not have to be synced, and this computer does not have to be on all the time. I thought I had uninstalled the program if there was any. A search on the computer revealed just the following. Could this be loading during startup as well?
C:\Documents and Settings\Family\Local Settings\Application Data\FolderShare
Contains two folders “Settings” & “Logs”
Folder share folder memory size is 826KB

It appears to still be loading at startup.  Let's try this:

Open HJT again and click Open the Misc Tools Section>Open Uninstall Manager.  Click the button to save the contents then post it in your next response.


WinPfind3u fix Result:
(Note: I ran it once, but accidentally closed the txt file, so this is the second run)
[Files/Folders - Created Within 30 days]
File C:\mfx_temp not found!
[Files/Folders - Modified Within 30 days]
File C:\mfx_temp not found!
File C:\WINDOWS\imsins.BAK not found!
< End of log >
Created on 07/11/2007 14:06:35

No problem.  We wanted those files to be gone and they are.

I am working with your new WinPFind log and have solicited a second opinion on some of the items.  More later on this.

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #42 on: July 12, 2007, 04:31:30 PM »
Hi Mauserme, below is the saved list from HJT.

HJT Uninstall List:
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 9 ActiveX
Adobe Photoshop 6.0
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 8.1.0
Adobe SVG Viewer
Advanced WindowsCare 2.51 Personal
AFPL Ghostscript 8.14
AFPL Ghostscript Fonts
Age Of Empire-II The Conquerors
APA PERRLA
avast! Antivirus
AVG Anti-Rootkit Free
AVG Anti-Spyware 7.5
AVI TO DVD VCD SVCD CONVERTER version 2.01
Camtasia Studio 3
Comprehensive Review for NCLEX-PN, 2e
Create and Print Greeting Cards 1.0
DivX Player
DivX Web Player
DVD Decrypter (Remove Only)
DVD Shrink 3.2
Google Toolbar for Internet Explorer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
HP Unload DLL Patch
Intel(R) 537 Modem
iTunes
Java(TM) 6 Update 2
Kaplan NCLEX Question Trainer
Logitech QuickCam
Logitech® Camera Driver
Macromedia Shockwave Player
McAfee SiteAdvisor
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Office Publisher 2003
Microsoft Office Standard Edition 2003
Microsoft Office Visio Standard 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.4)
MSN Messenger 6.2
MSXML 4.0 SP2 (KB927978)
Nero OEM
NVIDIA Windows 2000/XP Display Drivers
overland
palmOne
PDFill PDF Editor 4.1 with Writer and Tools (Unicode)
PDFill PDF Writer
PDFtypewriter with PDF Printer Driver
PFS Report Viewers
PPStream
QuickTime
RealPlayer
Samsung USB Driver (MCCI 4.16)
Saunders Q and A Review
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Shockwave
Spybot - Search & Destroy 1.2
SUPERAntiSpyware Free Edition
TVUPlayer 2.3.2.34
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
VIA VT6410 RAID Driver(Remove)
Voice Editing
Windows Blaster Worm Removal Tool (KB833330)
Windows Defender
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
XP Codec Pack
Yahoo! Messenger

Thank you!

essexboy

  • Malware removal instructor
Re: Help to remove FOTOMOTO.A Trojan
« Reply #43 on: July 12, 2007, 11:43:15 PM »
A quick butt-in.

Quote
I do not mind QuickTime being on the computer; I was trying to keep it from loading into the system tray during every boot. Since it's not used much, it is probably a waste of memory and loading time. Could I disable it from automatic startup?
Locate the file realsched.exe and rename it to realsched.old, then fix the line in HijackThis and it will not load.

mauserme

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #44 on: July 13, 2007, 05:41:39 AM »
Thanks for that essexboy, and for the second opinion.

@Maze

Just a few more files to remove.

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Quote

[Files/Folders - Created Within 90 days]
NY -> apnbopbd.ini -> %System32%\apnbopbd.ini
NY -> awgvioka.ini -> %System32%\awgvioka.ini
NY -> awwqhkbm.ini -> %System32%\awwqhkbm.ini
NY -> btuceges.ini -> %System32%\btuceges.ini
NY -> byctvjad.ini -> %System32%\byctvjad.ini
NY -> cokqgjee.ini -> %System32%\cokqgjee.ini
NY -> eclblhoy.ini -> %System32%\eclblhoy.ini
NY -> epimlscn.ini -> %System32%\epimlscn.ini
NY -> esagrbsj.ini -> %System32%\esagrbsj.ini
NY -> ggfccaun.ini -> %System32%\ggfccaun.ini
NY -> ghpllnnu.ini -> %System32%\ghpllnnu.ini
NY -> hanujeoc.ini -> %System32%\hanujeoc.ini
NY -> hfeblegh.ini -> %System32%\hfeblegh.ini
NY -> honmjkuk.ini -> %System32%\honmjkuk.ini
NY -> jyuukovc.ini -> %System32%\jyuukovc.ini
NY -> kadhngey.ini -> %System32%\kadhngey.ini
NY -> knircdfl.ini -> %System32%\knircdfl.ini
NY -> kycvaurl.ini -> %System32%\kycvaurl.ini
NY -> mcrh.tmp -> %System32%\mcrh.tmp
NY -> meskflyf.ini -> %System32%\meskflyf.ini
NY -> qoorjrbi.ini -> %System32%\qoorjrbi.ini
NY -> rosksxkd.ini -> %System32%\rosksxkd.ini
NY -> rqtss.bak2 -> %System32%\rqtss.bak2
NY -> rqtss.ini -> %System32%\rqtss.ini
NY -> seglavgs.ini -> %System32%\seglavgs.ini
NY -> sttss.ini -> %System32%\sttss.ini
NY -> tuikrbvg.ini -> %System32%\tuikrbvg.ini
NY -> veiixtnf.ini -> %System32%\veiixtnf.ini
NY -> vwhpwrca.ini -> %System32%\vwhpwrca.ini
NY -> wvejtjfw.ini -> %System32%\wvejtjfw.ini
NY -> njyoxcnhlwus.sys -> %System32%\drivers\njyoxcnhlwus.sys
NY -> hosts.20070602-143317.backup -> %System32%\drivers\etc\hosts.20070602-143317.backup
[Files/Folders - Modified Within 90 days]
NY -> apnbopbd.ini -> %System32%\apnbopbd.ini
NY -> awgvioka.ini -> %System32%\awgvioka.ini
NY -> awwqhkbm.ini -> %System32%\awwqhkbm.ini
NY -> btuceges.ini -> %System32%\btuceges.ini
NY -> byctvjad.ini -> %System32%\byctvjad.ini
NY -> cokqgjee.ini -> %System32%\cokqgjee.ini
NY -> eclblhoy.ini -> %System32%\eclblhoy.ini
NY -> epimlscn.ini -> %System32%\epimlscn.ini
NY -> esagrbsj.ini -> %System32%\esagrbsj.ini
NY -> ggfccaun.ini -> %System32%\ggfccaun.ini
NY -> ghpllnnu.ini -> %System32%\ghpllnnu.ini
NY -> hanujeoc.ini -> %System32%\hanujeoc.ini
NY -> hfeblegh.ini -> %System32%\hfeblegh.ini
NY -> honmjkuk.ini -> %System32%\honmjkuk.ini
NY -> jyuukovc.ini -> %System32%\jyuukovc.ini
NY -> kadhngey.ini -> %System32%\kadhngey.ini
NY -> knircdfl.ini -> %System32%\knircdfl.ini
NY -> kycvaurl.ini -> %System32%\kycvaurl.ini
NY -> mcrh.tmp -> %System32%\mcrh.tmp
NY -> meskflyf.ini -> %System32%\meskflyf.ini
NY -> qoorjrbi.ini -> %System32%\qoorjrbi.ini
NY -> rosksxkd.ini -> %System32%\rosksxkd.ini
NY -> rqtss.bak2 -> %System32%\rqtss.bak2
NY -> rqtss.ini -> %System32%\rqtss.ini
NY -> seglavgs.ini -> %System32%\seglavgs.ini
NY -> sttss.ini -> %System32%\sttss.ini
NY -> tuikrbvg.ini -> %System32%\tuikrbvg.ini
NY -> veiixtnf.ini -> %System32%\veiixtnf.ini
NY -> vwhpwrca.ini -> %System32%\vwhpwrca.ini
NY -> wvejtjfw.ini -> %System32%\wvejtjfw.ini
NY -> njyoxcnhlwus.sys -> %System32%\drivers\njyoxcnhlwus.sys


As before, the fix should only take a very short time and a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with any problems you encounter.  Some of these files may not be found - that's OK.


Then you can fix this line in HJT if you want

O4 - HKCU\..\Run: [FolderShare] "E:\Program Files\Utilities\FolderShare\FolderShare.exe" /background
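The WinPFind3U fix block quoted in Reply #44 repeats every entry in both its "Created" and "Modified" sections, and most of the names are eight lowercase letters followed by .ini sitting directly in System32. When triaging a log like this it helps to parse it mechanically rather than by eye. The script below is an added example written for this page; it is not part of the thread and not code from WinPFind3U or HijackThis. It assumes the line shape seen in the quoted block (`flags -> name -> %System32%\path`), assumes `%System32%` expands to `C:\WINDOWS\system32` (the XP default), and the eight-letter .ini heuristic is my own triage rule, not something the tool reports. The sample text embedded in it is a constructed excerpt in the same shape as the block above, not the full list.

```python
import re
import ntpath
from collections import Counter, OrderedDict

# Constructed sample in the same shape as the quoted WinPFind3U fix block
# (a few of its lines, repeated across both sections as the real block does).
SAMPLE_FIX = r"""
[Files/Folders - Created Within 90 days]
NY -> apnbopbd.ini -> %System32%\apnbopbd.ini
NY -> mcrh.tmp -> %System32%\mcrh.tmp
NY -> rqtss.bak2 -> %System32%\rqtss.bak2
NY -> njyoxcnhlwus.sys -> %System32%\drivers\njyoxcnhlwus.sys
NY -> hosts.20070602-143317.backup -> %System32%\drivers\etc\hosts.20070602-143317.backup
[Files/Folders - Modified Within 90 days]
NY -> apnbopbd.ini -> %System32%\apnbopbd.ini
NY -> mcrh.tmp -> %System32%\mcrh.tmp
NY -> njyoxcnhlwus.sys -> %System32%\drivers\njyoxcnhlwus.sys
"""

SYSTEM32 = r"C:\WINDOWS\system32"  # assumed expansion of %System32% on Windows XP

SECTION_RE = re.compile(r"^\[(?P<title>[^\]]+)\]$")
ENTRY_RE = re.compile(r"^(?P<flags>\S+) -> (?P<name>.+?) -> (?P<path>.+)$")
# Triage heuristic (mine, not the tool's): eight lowercase letters plus ".ini"
RANDOM_INI_RE = re.compile(r"^[a-z]{8}\.ini$")


def parse_fix_block(text, system32=SYSTEM32):
    """Parse section headers and 'flags -> name -> path' lines into dicts."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("title")
            continue
        m = ENTRY_RE.match(line)
        if not m or section is None:
            continue  # anything that is neither a header nor an entry is skipped
        path = m.group("path").replace("%System32%", system32)
        entries.append({"section": section, "flags": m.group("flags"),
                        "name": m.group("name"), "path": path})
    return entries


def unique_paths(entries):
    """Collapse the Created/Modified duplication, keeping first-seen order."""
    seen = OrderedDict()
    for e in entries:
        seen.setdefault(e["path"], e["name"])
    return list(seen)


def flag_random_ini(entries, system32=SYSTEM32):
    """Names matching the eight-letter .ini pattern located directly in System32."""
    hits = []
    for path in unique_paths(entries):
        name = ntpath.basename(path)
        in_system32 = ntpath.dirname(path).lower() == system32.lower()
        if in_system32 and RANDOM_INI_RE.match(name) and name not in hits:
            hits.append(name)
    return hits


def driver_files(entries):
    """Paths placed directly in System32\\drivers (kernel drivers deserve a closer look)."""
    return [p for p in unique_paths(entries)
            if ntpath.dirname(p).lower().endswith("\\drivers")]


def extension_counts(entries):
    """Count unique paths by file extension, for a quick overview of the list."""
    return Counter(ntpath.splitext(p)[1].lower() for p in unique_paths(entries))


if __name__ == "__main__":
    parsed = parse_fix_block(SAMPLE_FIX)
    print(len(parsed), "entries,", len(unique_paths(parsed)), "unique paths")
    print("random-looking .ini names:", flag_random_ini(parsed))
    print("driver files:", driver_files(parsed))
    print("by extension:", dict(extension_counts(parsed)))
```

Run it against the full quoted block by pasting that text in place of `SAMPLE_FIX`; the deduplicated path list is what actually gets removed, the flagged .ini names show how many entries share the naming pattern, and the driver list isolates the one file in `drivers\` that warrants separate attention.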