
Similar problem 'Error 6 overflow'



Hi, I'm having a difficult time trying to run AboutBuster 6.0 as it keeps returning an "error 6, overflow" message. This happens in Safe mode as well as normal.

I've downloaded it from malwarebytes.org several times, run it from different folders, and made sure it was extracted to its own folder. Still, I can't seem to get it running. Is something corrupted on my PC?

I've tried several forums, but this is the official AboutBuster one, so I figured this would be a better place than any.

Here's my HJT log:

Logfile of HijackThis v1.99.1

Scan saved at 9:53:34 PM, on 1/23/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\PROGRA~1\CA\ETRUST~3\ETRUST~1\VetTray.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe

C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\CA\ETRUST~3\ETRUST~1\VetMsg.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

D:\My Documents\My Downloads\Spyware removal\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.castlecops.com

O15 - Trusted Zone: http://*.update.microsoft.com

O15 - Trusted Zone: http://*.windowsupdate.microsoft.com

O15 - Trusted Zone: http://*.windowsupdate.com

O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab

O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093307627328

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121571153937

O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/...ivex/hcImpl.cab

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37380.cab

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...677/mcfscan.cab

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe

O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~3\ETRUST~1\VetMsg.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Couple of questions... You are using Version 6, NOT version 5, correct?

Does it generate ANY log in the AboutBuster folder you extracted to? Ab LogFile.txt will be the name. Post it here please.

Brings up another question: you are NOT running it from the zip file, are you? You are fully extracting to a folder before running?

Last question (for now): WHY are you needing AboutBuster? There is no indication in your log of ANY infection, let alone a CWS HomeSearch.

You are running two (or more) Anti-Virus programs (AVG and eTrust). While one is a MUST have, running more than one is NEVER ACCEPTABLE.

They will 'battle' for control of your system and resources, causing slowdowns, errors and shutdowns. Choose one and uninstall the other(s).


- I am running AboutBuster 6.0 (I believe so since the Window Titlebar says AboutBuster 6.0).

- I have extracted the Zipped files to a folder. I am using 'C:\aboutbuster'.

- I know at one point I did have CWS.Homesearch, since Spybot kept finding it but couldn't remove it. That was about two months ago (before I got into seriously cleaning my system), and I ended up manually deleting (I know, this isn't good!) whatever Spybot found, since it couldn't get rid of it itself.

- The only reason I'm trying to run AboutBuster now is because I think there might be leftover files/reg settings on my system and I've been told to run it along with HJT. I think my HJT log is pretty clean but there definitely is still infected malware on my system.

- Specifically, (although there's no sign of this in HJT), I am getting many results of ADS in Adsspy with a file called C:\WINDOWS\_detmp.2:'xxxxx' where 'xxxxx' is a random series of letters. I've run bitdefender online scan and Kaspersky online scan and both of them tell me that there are infections there (Kaspersky found nearly a thousand instances of 'Trojan.Win32.Agent.bq' on this file).

Sorry if this post is beyond the scope of this Forum, I just refuse to throw in the towel yet!

Any help is greatly appreciated!


Well, while Ducky is looking into the errors, let's see what IS on your system.

You will need to update ewido to the latest definition files:

  • On the left hand side of the main screen click update.
  • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Close Ewido

If you are having problems with the updater, you can use this link to manually update ewido.

Ewido manual updates

Next, please reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

http://www.pchell.com/support/safemode.shtml

Run Ewido:

  • Once in Safe Mode start Ewido Anti Malware
  • Click on scanner. (Note: Do not start any programs or open any windows while Ewido is scanning)
  • Click on Complete System Scan, the scan will now begin.
  • While the scan is in progress you will be prompted to clean files, click OK.
  • When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
  • Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
  • Click Save Report.
  • Now save the report .txt file to your desktop.
  • Close Ewido

When Ewido is finished scanning, reboot back to normal mode and run this online virus scan: ActiveScan

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
    - Enter your Country
    - Enter your State/Province
    - Enter your e-mail address and click send (*NOTE: it's perfectly safe to do so. You will NOT be spammed from this)
    - Select either Home User or Company
  • Click the big Scan Now button
  • If/when you get a notice that Panda wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop.
  • Open HijackThis, click Open Misc Tools section > Open ADS Spy > Scan > Save log

Post

  • The Ewido log
  • A new HijackThis log
  • ADS Spy log
  • results of Panda scan

in your next reply here.

Edited by jwbirdsong

OK, so here are the logs you asked for. Sorry it took some time to run (Ewido took nearly 2 hrs...); I had to let it go overnight.

---------------------------------------------------------

ewido anti-malware - Scan report

---------------------------------------------------------

+ Created on: 1:25:37 AM, 1/25/2006

+ Report-Checksum: 5EF66C76

+ Scan result:

No infected objects found.

::Report End

---------------------------------------------------------------------------------------------------------

ActiveScan

Incident Status Location

Adware:adware/searchaid Not disinfected C:\WINDOWS\sdkog32.exe

Adware:adware/adwhere Not disinfected Windows Registry

---------------------------------------------------------------------------------------------------------

ADSspy log -

C:\WINDOWS\systen32 : xadrb (0 bytes)

C:\WINDOWS\systen32 : [4 (29 bytes)

C:\WINDOWS\_detmp.2 : aaaeg (88487 bytes)

C:\WINDOWS\_detmp.2 : aband (88487 bytes)

C:\WINDOWS\_detmp.2 : abqdc (88487 bytes)

C:\WINDOWS\_detmp.2 : abvga (88487 bytes)

C:\WINDOWS\_detmp.2 : adceu (88487 bytes)

C:\WINDOWS\_detmp.2 : adjji (88487 bytes)

C:\WINDOWS\_detmp.2 : adlfj (88487 bytes)

C:\WINDOWS\_detmp.2 : agvai (88487 bytes)

C:\WINDOWS\_detmp.2 : ahaeh (88487 bytes)

C:\WINDOWS\_detmp.2 : ahpai (88487 bytes)

C:\WINDOWS\_detmp.2 : aillsz (197751 bytes)

C:\WINDOWS\_detmp.2 : ajegh (88487 bytes)

C:\WINDOWS\_detmp.2 : ajkgi (88487 bytes)

C:\WINDOWS\_detmp.2 : ajkis (88487 bytes)

C:\WINDOWS\_detmp.2 : akakp (88487 bytes)

C:\WINDOWS\_detmp.2 : akyxw (88487 bytes)

C:\WINDOWS\_detmp.2 : alcks (88487 bytes)

C:\WINDOWS\_detmp.2 : alniu (88487 bytes)

C:\WINDOWS\_detmp.2 : alupj (88487 bytes)

C:\WINDOWS\_detmp.2 : anthh (88487 bytes)

C:\WINDOWS\_detmp.2 : aoblt (88487 bytes)

C:\WINDOWS\_detmp.2 : aoibh (88487 bytes)

C:\WINDOWS\_detmp.2 : aoskn (88487 bytes)

C:\WINDOWS\_detmp.2 : aosmx (88487 bytes)

C:\WINDOWS\_detmp.2 : apixi (88487 bytes)

C:\WINDOWS\_detmp.2 : apvna (88487 bytes)

C:\WINDOWS\_detmp.2 : aqxal (88487 bytes)

C:\WINDOWS\_detmp.2 : arkdn (88487 bytes)

C:\WINDOWS\_detmp.2 : arncx (88487 bytes)

C:\WINDOWS\_detmp.2 : ashzy (88487 bytes)

C:\WINDOWS\_detmp.2 : asxcr (88487 bytes)

C:\WINDOWS\_detmp.2 : atabt (88487 bytes)

C:\WINDOWS\_detmp.2 : athua (88487 bytes)

C:\WINDOWS\_detmp.2 : atlgq (88487 bytes)

C:\WINDOWS\_detmp.2 : atohe (88487 bytes)

C:\WINDOWS\_detmp.2 : auwut (88487 bytes)

C:\WINDOWS\_detmp.2 : awtgx (88487 bytes)

C:\WINDOWS\_detmp.2 : awvso (88487 bytes)

C:\WINDOWS\_detmp.2 : axddv (88487 bytes)

C:\WINDOWS\_detmp.2 : axpxv (88487 bytes)

C:\WINDOWS\_detmp.2 : ayucl (88487 bytes)

C:\WINDOWS\_detmp.2 : azban (88487 bytes)

C:\WINDOWS\_detmp.2 : bbabd (88487 bytes)

C:\WINDOWS\_detmp.2 : bboep (88487 bytes)

C:\WINDOWS\_detmp.2 : bbwis (88487 bytes)

C:\WINDOWS\_detmp.2 : bcigm (88487 bytes)

C:\WINDOWS\_detmp.2 : bcygx (88487 bytes)

C:\WINDOWS\_detmp.2 : bcyil (88487 bytes)

C:\WINDOWS\_detmp.2 : bdinc (88487 bytes)

C:\WINDOWS\_detmp.2 : bdloh (88487 bytes)

C:\WINDOWS\_detmp.2 : bdmtg (88487 bytes)

C:\WINDOWS\_detmp.2 : betqol (197751 bytes)

C:\WINDOWS\_detmp.2 : bfzhm (88487 bytes)

C:\WINDOWS\_detmp.2 : bggdm (88487 bytes)

C:\WINDOWS\_detmp.2 : bhngr (88487 bytes)

C:\WINDOWS\_detmp.2 : bjrpw (88487 bytes)

C:\WINDOWS\_detmp.2 : blhbp (88487 bytes)

C:\WINDOWS\_detmp.2 : bmdwa (88487 bytes)

C:\WINDOWS\_detmp.2 : bmpmc (88487 bytes)

C:\WINDOWS\_detmp.2 : bnqnl (88487 bytes)

C:\WINDOWS\_detmp.2 : bnynz (88487 bytes)

C:\WINDOWS\_detmp.2 : bogsn (88487 bytes)

C:\WINDOWS\_detmp.2 : bonxo (88487 bytes)

C:\WINDOWS\_detmp.2 : bpifem (197751 bytes)

C:\WINDOWS\_detmp.2 : bpkzt (88487 bytes)

C:\WINDOWS\_detmp.2 : bplyd (88487 bytes)

C:\WINDOWS\_detmp.2 : bqebm (88487 bytes)

C:\WINDOWS\_detmp.2 : brneh (88487 bytes)

C:\WINDOWS\_detmp.2 : brtwv (88487 bytes)

C:\WINDOWS\_detmp.2 : btitq (88487 bytes)

C:\WINDOWS\_detmp.2 : btjas (0 bytes)

C:\WINDOWS\_detmp.2 : bvdev (88487 bytes)

C:\WINDOWS\_detmp.2 : bvsijj (0 bytes)

C:\WINDOWS\_detmp.2 : bwbgn (88487 bytes)

C:\WINDOWS\_detmp.2 : bxscw (88487 bytes)

C:\WINDOWS\_detmp.2 : bygtz (88487 bytes)

C:\WINDOWS\_detmp.2 : bzoby (0 bytes)

C:\WINDOWS\_detmp.2 : bzozp (88487 bytes)

C:\WINDOWS\_detmp.2 : bzscp (88487 bytes)

C:\WINDOWS\_detmp.2 : calme (88487 bytes)

C:\WINDOWS\_detmp.2 : cayro (88487 bytes)

C:\WINDOWS\_detmp.2 : cbigv (88487 bytes)

C:\WINDOWS\_detmp.2 : cbtfl (88487 bytes)

-----------------------------------------------------------------------------

Logfile of HijackThis v1.99.1

Scan saved at 7:25:21 AM, on 1/25/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\PROGRA~1\CA\ETRUST~3\ETRUST~1\VetTray.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe

C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\PROGRA~1\CA\ETRUST~3\ETRUST~1\VetMsg.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\WINDOWS\System32\alg.exe

D:\My Documents\My Downloads\Spyware removal\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.castlecops.com

O15 - Trusted Zone: http://*.update.microsoft.com

O15 - Trusted Zone: http://*.windowsupdate.microsoft.com

O15 - Trusted Zone: http://*.windowsupdate.com

O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab

O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093307627328

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121571153937

O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/...ivex/hcImpl.cab

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37380.cab

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...677/mcfscan.cab

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe

O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~3\ETRUST~1\VetMsg.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

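The ADS Spy listing above, and the RootkitRevealer output posted later in the thread, are long lists of alternate data streams (ADS) hanging off one host file, most of them the same size under random five-letter names. The script below is an added example for triaging such listings; it is not a tool from this thread, from Malwarebytes or from Sysinternals. It parses both line layouts, groups streams by host file, and flags any host that carries many equal-sized streams. The sample lines are constructed to mimic the posted logs, and the thresholds (five copies, at least 1 KB each) are assumptions chosen for illustration, not values from the thread.

```python
"""Triage the ADS Spy / RootkitRevealer stream listings posted in this thread.

Added example, not a tool from the thread, from Malwarebytes or from
Sysinternals. It parses both line layouts, groups alternate data streams
(ADS) by host file and flags hosts that carry many equal-sized streams
under random names, which is what the _detmp.2 listings look like.
The sample lines below are constructed to mimic the posted logs.
"""
import re
from collections import Counter, defaultdict

# ADS Spy layout (as in the posted log):
#   C:\WINDOWS\_detmp.2 : aaaeg (88487 bytes)
ADSSPY_RE = re.compile(
    r"^(?P<host>[A-Za-z]:\\.+?) : (?P<stream>\S+) \((?P<size>\d+) bytes\)$"
)

# RootkitRevealer layout (as in the posted scan):
#   C:\WINDOWS\_detmp.2:thxci 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, ...
RKR_RE = re.compile(
    r"^(?P<host>[A-Za-z]:\\[^:]+):(?P<stream>\S+) "
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>[\d.]+) (?P<unit>bytes|KB|MB) (?P<desc>.*)$"
)
UNIT = {"bytes": 1, "KB": 1024, "MB": 1024 * 1024}

# Constructed sample input in each tool's layout (not the full posted logs).
ADSSPY_SAMPLE = r"""ADSspy log -
C:\WINDOWS\_detmp.2 : aaaeg (88487 bytes)
C:\WINDOWS\_detmp.2 : aband (88487 bytes)
C:\WINDOWS\_detmp.2 : abqdc (88487 bytes)
C:\WINDOWS\_detmp.2 : aillsz (197751 bytes)
C:\WINDOWS\_detmp.2 : btjas (0 bytes)
C:\WINDOWS\_detmp.2 : bvdev (88487 bytes)
C:\WINDOWS\_detmp.2 : bwbgn (88487 bytes)
C:\Downloads\setup.exe : Zone.Identifier (26 bytes)
"""
RKR_SAMPLE = r"""C:\WINDOWS\_detmp.2:thxci 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_detmp.2:tkklv 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_detmp.2:tlgjn 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_detmp.2:ucffmx 6/28/2005 10:38 AM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_detmp.2:uwdvdt 6/28/2005 10:38 AM 193.12 KB Visible in Windows API, but not in MFT or directory index.
"""


def parse_line(line):
    """Return (host, stream, size_bytes, source) or None for lines in neither layout."""
    line = line.strip()
    m = ADSSPY_RE.match(line)
    if m:
        return m["host"], m["stream"], int(m["size"]), "adsspy"
    m = RKR_RE.match(line)
    if m:
        # RootkitRevealer prints rounded sizes (86.41 KB), so this byte count is approximate.
        size = int(round(float(m["size"]) * UNIT[m["unit"]]))
        return m["host"], m["stream"], size, "rootkitrevealer"
    return None


def summarize(lines):
    """Group streams by host file; returns {host: {stream_count, zero_byte, ...}}."""
    per_host = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            host, stream, size, _ = parsed
            per_host[host].append((stream, size))
    summary = {}
    for host, streams in per_host.items():
        sizes = Counter(size for _, size in streams)
        dominant_size, dominant_count = sizes.most_common(1)[0]
        summary[host] = {
            "stream_count": len(streams),
            "zero_byte": sum(1 for _, s in streams if s == 0),
            "dominant_size": dominant_size,       # most frequent stream size
            "dominant_count": dominant_count,     # how many streams share it
            "streams": sorted(name for name, _ in streams),
        }
    return summary


def flag_suspicious(summary, min_copies=5, min_bytes=1024):
    """Hosts with >= min_copies streams of one identical size, each >= min_bytes.

    Many equal-sized streams under random names is the pattern in the posted
    logs; one small stream such as Zone.Identifier is the normal benign case.
    Thresholds are illustrative assumptions, not values from the thread."""
    return sorted(
        host for host, info in summary.items()
        if info["dominant_count"] >= min_copies and info["dominant_size"] >= min_bytes
    )


def triage(text, min_copies=5, min_bytes=1024):
    """Parse one tool's output and return (per-host summary, flagged hosts)."""
    summary = summarize(text.splitlines())
    return summary, flag_suspicious(summary, min_copies, min_bytes)


if __name__ == "__main__":
    for label, text in (("ADS Spy", ADSSPY_SAMPLE), ("RootkitRevealer", RKR_SAMPLE)):
        summary, flagged = triage(text, min_copies=3)
        print(f"== {label} ==")
        for host, info in summary.items():
            print(f"{host}: {info['stream_count']} streams, "
                  f"{info['dominant_count']} x {info['dominant_size']} bytes, "
                  f"{info['zero_byte']} empty")
        print("flagged:", flagged)
```

Run each tool's saved log through `triage()` separately rather than concatenated, since RootkitRevealer rounds sizes to two decimals of a KB and the two tools would otherwise report the same stream as two different sizes. The script only reads log text; it does not touch the streams themselves.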

Not sure if this helps at all...but I just ran RootKitRevealer from Sysinternals and it gave me the following scan:

C:\WINDOWS\_detmp.2:thxci 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:thyxi 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:titul 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:tjpqa 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:tkklv 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:tlgjn 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:tljrh 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:tlnht 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:tluir 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:tmuyn 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:tmymu 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:tncyj 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:tnmzg 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:tnpmr 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:tntlv 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:toeav 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:tpbtw 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:tpvrl 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:tpxgw 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:tqfkq 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:tqrxa 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:trihx 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:trisn 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:tsqog 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:tsuyh 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:ttgho 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:ttpxj 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:tuets 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:twcja 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:twcvl 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:twsfp 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:twyps 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:txfsl 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:txicx 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:txksw 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:tzugt 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:uabwx 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:ubcuj 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:ubpau 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:ucedx 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:ucffmx 6/28/2005 10:38 AM 0 bytes Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:uckze 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:ucwff 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:udcco 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:udook 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:ufecy 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:ufkkk 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:ufqho 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:ufqoy 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:ufzjh 6/28/2005 10:38 AM 0 bytes Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:uggbf 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:ugmdp 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:ugnec 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:ugtco 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:uhihf 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:ukkww 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:ukpqj 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\_detmp.2:ukzyt 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.


Download KillBox http://www.downloads.subratam.org/KillBox.zip.

Place it in a folder on your Desktop.

Help with unzipping files is HERE

In the main screen of Pocket KillBox, go to Tools in the top menu bar, and select: Delete Temp Files. Use the drop-down box and clear ALL profiles this way.

Back at the main Killbox screen, check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Select all of the lines below, then right-click and copy them. Go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\WINDOWS\systen32

C:\WINDOWS\_detmp.2

If you get a PendingOperations message, ignore/close it and restart your computer manually.

Please Download the following tool to assist us in removing this infection!

  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don't do anything with it yet!

Reboot into Safe Mode

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Double-click WinPFind.exe

  • Click Configure Scan Options
    • Check all 5 boxes in the Right column
    • Click Apply
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
    1. Go to the WinPFind folder
    2. Locate WinPFind.txt
    3. Place those results in the next post!

Reboot back to Normal Mode!

Post a new ADSSpy and the WinPfind log

This (Enhanced WinPFind) can produce quite a large log..if it is too big to fit, use the ATTACH option; it's below your reply box (NOTE: you can NOT use FASTREPLY and attach..you must use the ADDREPLY option)

Edited by jwbirdsong

Ok, thanks jwbirdsong! I followed your instructions; here's the WinPFind log I ran from safe mode (attached - it was too long). Also, I've posted my latest ADSspy log. I ran ADSspy with the "Ignore safe system info streams" option checked, but the "Quick scan (Windows base folder only)" UNCHECKED. Thanks in advance for all your help!

C:\WINDOWS\system32 : efrh.dll (9 bytes)

C:\WINDOWS\system32 : riwj.dll (9 bytes)

C:\WINDOWS\system32 : rojk.dll (9 bytes)

C:\WINDOWS\system32 : efrh.dll (9 bytes)

C:\WINDOWS\system32 : riwj.dll (9 bytes)

C:\WINDOWS\system32 : rojk.dll (9 bytes)


What do I do with the infected files in the killbox folder? Do I just delete them?

I've posted the log from the WinPfind, but haven't heard any response back on it yet, are there any red flags in it I should be concerned about?

Also, how can I be sure my system is now clean or not? I'm not sure how to proceed...

Thanks :D


Sorry for the delay, had a few issues on this end..trying to get caught up this weekend.

Make one more pass with Killbox using the following...also wouldn't hurt to clean the temps again....

C:\WINDOWS\sdkog32.exe

C:\WINDOWS\system32\efrh.dll

C:\WINDOWS\system32\riwj.dll

C:\WINDOWS\system32\rojk.dll

C:\WINDOWS\systen32\

Once you've rebooted from Killbox you can delete the WHOLE C:\!Killbox folder.

Glanced through the Winpfind log....nothing jumped out at me...I'll go through it more thoroughly in a while and post more if needed

To see if you are clean..basically re-run post #5 (Ewido in SM, Panda and ADSSpy) Post any relevant logs here....along with any comments on how it is running


Ok, back at this again, I think I'm just about done now, here are my scans from this afternoon!

Thanks to everyone for their help so far!

Nomad2224

---------------------------------------------------------

ewido anti-malware - Scan report

---------------------------------------------------------

+ Created on: 7:28:04 AM, 2/3/2006

+ Report-Checksum: 638D600E

+ Scan result:

No infected objects found.

::Report End

--------------------------------------------------------------------

Activescan Online

Incident Status Location

Adware:adware/searchaid Not disinfected C:\WINDOWS\sdkpp32.exe

----------------------------------------------------------

ADSspy - I ran this with the quick scan and without the Quick scan.

1. Quickscan (Windows folder only): Nothing found.

2. Quickscan Unchecked:

C:\WINDOWS\system32 : efrh.dll (9 bytes)

C:\WINDOWS\system32 : riwj.dll (9 bytes)

C:\WINDOWS\system32 : rojk.dll (9 bytes)

C:\WINDOWS\system32 : efrh.dll (9 bytes)

C:\WINDOWS\system32 : riwj.dll (9 bytes)

C:\WINDOWS\system32 : rojk.dll (9 bytes)

------------------------------------------------------------

HijackThis log

Logfile of HijackThis v1.99.1

Scan saved at 6:38:01 PM, on 2/4/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe

C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\PROGRA~1\CA\ETRUST~3\ETRUST~1\VetTray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

D:\My Documents\My Downloads\Spyware removal\hijackthis\HijackThis.exe

C:\WINDOWS\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.castlecops.com

O15 - Trusted Zone: http://*.update.microsoft.com

O15 - Trusted Zone: http://*.windowsupdate.microsoft.com

O15 - Trusted Zone: http://*.windowsupdate.com

O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab

O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093307627328

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121571153937

O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/...ivex/hcImpl.cab

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37380.cab

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...677/mcfscan.cab

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe

O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~3\ETRUST~1\VetMsg.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Still got those 3 files in AdsSpy..I don't like that at all

Before we make this pass please delete the c:!Killbox folder..it will be re-created with only the files we kill this time.

This time run Kill box from SAFEMODE

For additional help in booting into Safe Mode, see the following site:

http://www.pchell.com/support/safemode.shtml

C:\WINDOWS\system32\efrh.dll

C:\WINDOWS\system32\riwj.dll

C:\WINDOWS\system32\rojk.dll

C:\WINDOWS\sdkpp32.exe

Use same settings on killbox and paste that into it

Download and run F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml

Run the program, accept statement>next>click> scan>next.

If any items are detected have Blacklight rename them except for "wbemtest.exe".

Do not rename "wbemtest.exe"; it's a Windows file. If there are any other files you THINK may be valid don't rename them. Help is available HERE

The tool may ask if you want to reboot (restart) choose yes.

Please download the Suspicious File Packer from here:

http://www.safer-networking.org/files/sfp.zip

Unzip it to the desktop and run it.

Paste the following list of bad files into the Suspicious File Packer window:

C:\!Killbox

Allow SFP to pack the files. This will generate a CAB archive on your desktop. Please email the files to me at:

jwbsubmit AT aim DOT com

Please include a link to this log, Thank you

Everything working good?? Everything looks Excellent except for those 3 files.


Hi jwbirdsong!

Ok, I ran Killbox in safemode, but maybe I'm not doing something right...it seems I can't get rid of the 3 files C:\WINDOWS\system32\efrh.dll

C:\WINDOWS\system32\riwj.dll

C:\WINDOWS\system32\rojk.dll

As soon as I reboot and re-run ADSspy, those files are back again...in fact they don't even show up in the killbox folder.

I ran the blacklight program from F-Secure...it didn't find anything.

I will send the SFP .CAB file asap to the email you requested.

Thanks for your help!

I Also ran ADSspy again and got this log:

C:\WINDOWS\system32 : efrh.dll (9 bytes)

C:\WINDOWS\system32 : riwj.dll (9 bytes)

C:\WINDOWS\system32 : rojk.dll (9 bytes)

C:\WINDOWS\system32 : efrh.dll (9 bytes)

C:\WINDOWS\system32 : riwj.dll (9 bytes)

C:\WINDOWS\system32 : rojk.dll (9 bytes)


Well, guess what? ABOUTBUSTER Worked now! I can put my finger on it, perhaps when it was originally trying to go through that C:\WINDOWS\_detmp.2 file, it got "overloaded" since there were like >1000 infected items found in that file? Anyways, it worked now.

But my Killbox folder still has a 'sdkpp32.exe' file in it and those other 3 .dll files still show up when I run ADSspy with the Quickscan unchecked.

Here's the log:

AboutBuster 6.0

Scan started on [2/5/2006] at [2:21:49 AM]

-------------------------------------------------------------

Internet Explorer Instances Terminated!

HomeSearch Service stopped if present

-------------------------------------------------------------

No Ads Found!

-------------------------------------------------------------

No Files Found!

-------------------------------------------------------------

Scan was COMPLETED SUCCESSFULLY at 2:24:39 AM


Great...the good news is that if those 3 files are not showing up in AB..they are harmless..Windows DOES use ADS for things other than Malware...

I've asked some others to look into this tho..

But until we hear from them it's a safe bet you are clean.

Go ahead and delete the c:!killbox folder now..it's just used for temporary backup.

Good job and thanks for being so patient..I'll let you know what "THOSE IN THE KNOW" have to say about your 3 files......

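The ADS listings posted in this thread come in two shapes: the ADSSpy "host : stream (n bytes)" lines, and the earlier "Visible in Windows API, but not in MFT or directory index" lines with a timestamp and size. As an added example (not code from the thread or from either tool), this Python script parses both, groups streams by the file or folder that carries them, and flags hosts that look like the _detmp.2 case: many machine-named streams sharing one timestamp. The sample lines, the one-entry allowlist (Zone.Identifier, the "mark of the web" stream Windows writes on downloads) and the name heuristic are assumptions.

```python
"""Triage alternate-data-stream (ADS) listings of the kind posted in this thread.

Two line formats are recognised (examples below are constructed from the
thread's layout, not copied from a real scan):
  A: C:\\WINDOWS\\_detmp.2:ulvgg 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, ...
  B: C:\\WINDOWS\\system32 : efrh.dll (9 bytes)
"""
import re
from collections import defaultdict

UNIT = {"bytes": 1, "KB": 1024, "MB": 1024 * 1024}

# Format A: <host path>:<stream> <date> <time> <size> <unit> <note>
RE_FORMAT_A = re.compile(
    r"^(?P<host>[A-Za-z]:\\.+?):(?P<stream>\S+)\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}\s?[AP]M)\s+"
    r"(?P<size>[\d.]+)\s+(?P<unit>bytes|KB|MB)\s+(?P<note>.*)$"
)
# Format B (ADSSpy): <host path> : <stream> (<n> bytes)
RE_FORMAT_B = re.compile(
    r"^(?P<host>[A-Za-z]:\\.+?)\s+:\s+(?P<stream>\S+)\s+\((?P<size>\d+) bytes\)$"
)

# Streams Windows itself writes; deliberately small allowlist (assumption).
# Zone.Identifier is the "mark of the web" Explorer/IE puts on downloaded files.
BENIGN_STREAMS = {"Zone.Identifier"}

# Shape of the stream names in the thread's listing: 5-6 lowercase letters.
RE_MACHINE_NAME = re.compile(r"^[a-z]{5,6}$")

# Constructed sample input mixing both formats (including ADSSpy's duplicate
# lines and one benign mark-of-the-web stream).
SAMPLE_LOG = r"""
C:\WINDOWS\_detmp.2:ulvgg 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_detmp.2:umvaw 6/28/2005 10:38 AM 86.41 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_detmp.2:uwdvdt 6/28/2005 10:38 AM 193.12 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\_detmp.2:vgnjxd 6/28/2005 10:38 AM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\system32 : efrh.dll (9 bytes)
C:\WINDOWS\system32 : riwj.dll (9 bytes)
C:\WINDOWS\system32 : efrh.dll (9 bytes)
C:\Downloads\setup.exe : Zone.Identifier (26 bytes)
"""


def parse_line(line):
    """Return a record dict for a recognised ADS line, or None for anything else."""
    line = line.strip()
    m = RE_FORMAT_A.match(line)
    if m:
        size = int(round(float(m["size"]) * UNIT[m["unit"]]))
        return {"host": m["host"], "stream": m["stream"], "size": size,
                "stamp": f'{m["date"]} {m["time"]}', "note": m["note"]}
    m = RE_FORMAT_B.match(line)
    if m:
        return {"host": m["host"], "stream": m["stream"], "size": int(m["size"]),
                "stamp": None, "note": ""}
    return None


def group_by_host(lines):
    """Group parsed streams by the file/folder carrying them, dropping repeats
    (NTFS names are case-insensitive, and ADSSpy lists each stream twice here)."""
    hosts = defaultdict(list)
    seen = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["host"].lower(), rec["stream"].lower())
        if key in seen:
            continue
        seen.add(key)
        hosts[rec["host"]].append(rec)
    return hosts


def suspicious_hosts(hosts, max_streams=3):
    """Return [(host, n_unknown, [reasons])] for hosts whose streams merit review."""
    findings = []
    for host, recs in sorted(hosts.items()):
        unknown = [r for r in recs if r["stream"] not in BENIGN_STREAMS]
        if not unknown:
            continue
        reasons = []
        if len(unknown) > max_streams:
            reasons.append(f"{len(unknown)} non-allowlisted streams on one host")
        stamps = {r["stamp"] for r in unknown if r["stamp"]}
        if len(unknown) > 1 and len(stamps) == 1:
            reasons.append("all streams share one timestamp")
        machine_named = sum(1 for r in unknown if RE_MACHINE_NAME.match(r["stream"]))
        if machine_named:
            reasons.append(f"{machine_named} stream name(s) look machine-generated")
        if not reasons:
            reasons.append("non-allowlisted stream(s) present")
        findings.append((host, len(unknown), reasons))
    return findings


if __name__ == "__main__":
    for host, n, reasons in suspicious_hosts(group_by_host(SAMPLE_LOG.splitlines())):
        print(f"{host}: {n} stream(s) to review; " + "; ".join(reasons))
```

Streams that are merely not on the allowlist (like the three 9-byte DLL streams) are reported for a look, not judged; a host with dozens of same-timestamp, machine-named streams collects several reasons at once.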
