Hijackthis log



#151 beynac

Posted 25 November 2006 - 05:17 PM

What is the url of your homepage?
beynac
Honors Graduate of MalWare Removal University - A Cooperative Effort with What the Tech Classroom
Member of the Alliance of Security Analysis Professionals (ASAP)


#152 rsre15

Posted 25 November 2006 - 05:39 PM

http://www.msn.com/

#153 beynac

Posted 26 November 2006 - 05:46 AM

Hi.

The error message on your homepage appears to be server-related, which means it is a problem at msn. I tried the link you gave me and had no problems. Is it OK now? If not, please copy the full url from the browser and paste it in your next reply.

Your computer appears to be clean again. I want to tidy up a few things and install a couple of programs that will help secure it against attack. Please steer clear of the poker and gaming sites until we have got things sorted out.

------------------------------------------------------------

First, I would like to check whether some files are still on your computer. Click on Start then My Computer and find the following files and folders, shown highlighted in red. Delete any found but don't worry if they're missing.
  • C:\Documents and Settings\Rick\Local Settings\Temp\stdrun4.exe <-- File only
  • C:\explorer1.exe <-- File only
  • C:\WINDOWS\SYSTEM32\intr32.dll <-- File only
  • C:\WINDOWS\SYSTEM32\msmapi32.exe <-- File only
  • C:\WINDOWS\SYSTEM32\qykcscn.dll <-- File only
  • c:\windows\system32\vx.tll <-- File only
  • c:\windows\uniq <-- File only
If you find a file and are unable to delete it, please try again in Safe Mode. Please let me know which files (if any) you find and delete.

-----------------------------------------------------------

Next, we need to get some more information about an item in your registry. Select the contents of the Quote Box below, right-click and copy it, then paste into Notepad.

@echo off
REM Export the suspect CLSID key to a text file on the system drive
reg export "HKLM\SOFTWARE\Classes\CLSID\{8CBB57C9-9D9A-4BDF-99F2-91DE0D6A1048}" %systemdrive%\regkey.txt
REM Open the export in the default text editor, then remove this batch file
start %systemdrive%\regkey.txt
del regkey.bat

Still in Notepad, go to Format (upper menu bar) and untick Word Wrap
Go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: regkey.bat
Save as Type: Any file
Click: Save
Exit out of Notepad.

On the Desktop, double-click on regkey.bat. This will create a text file (C:\regkey.txt). Please post the contents of this in your next reply.

-----------------------------------------------------------

Spybot - Search and Destroy:
  • Download Spybot - Search And Destroy from here.
  • Install it and accept the default settings
  • Click Search for Updates
  • Tick the box by any updates shown and then click Download Updates
  • Click OK to the immunization reminder
  • Click on Immunize button (shield icon on the left)
  • Click on Immunize on the top menu (green cross icon)
  • Close all windows except Spybot S&D
  • Click on the Search and Destroy button on the left
  • Click the Check for Problems button
  • Make certain there is a check mark beside all of the RED entries ONLY.
  • Click Fix Selected Problems and allow Spybot to fix the RED items
  • Reboot your computer to finish removing what Spybot S&D found and to clear memory
Update Spybot regularly. Don't forget to 'immunize' each time you update.

---------------------------------------------------------
SpywareBlaster
  • Download SpywareBlaster from here.
  • Click on updates on the left-hand menu
  • Let SpywareBlaster update
  • Check on Enable all protection
  • Close SpywareBlaster
Check for updates regularly

-------------------------------------------------

I need to see a list of the programs installed on your computer.

Please open HijackThis
  • Click on the Open the Misc Tools section button
  • Click on Open Uninstall Manager...
  • Click on Save List... (towards the bottom right)
  • Save the text file to a convenient location
--------------------------------------------------

Please post:
  • Whether you are still having trouble with your homepage
  • Which files you found and deleted
  • The registry export file (C:\regkey.txt)
  • The HijackThis Uninstall List
  • A new HijackThis log


#154 rsre15

Posted 26 November 2006 - 10:02 AM

Homepage seems fine!

C:\Documents and Settings\Rick\Local Settings\Temp\stdrun4.exe Not Found

C:\explorer1.exe Found and deleted

C:\WINDOWS\SYSTEM32\intr32.dll Found and deleted

C:\WINDOWS\SYSTEM32\msmapi32.exe Not Found

C:\WINDOWS\SYSTEM32\qykcscn.dll Found and deleted

c:\windows\system32\vx.tll Found and deleted

c:\windows\uniq Found and deleted

#155 rsre15

Posted 26 November 2006 - 10:03 AM

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBB57C9-9D9A-4BDF-99F2-91DE0D6A1048}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBB57C9-9D9A-4BDF-99F2-91DE0D6A1048}\_b]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBB57C9-9D9A-4BDF-99F2-91DE0D6A1048}\_h]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBB57C9-9D9A-4BDF-99F2-91DE0D6A1048}\_h\1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBB57C9-9D9A-4BDF-99F2-91DE0D6A1048}\_h\2]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBB57C9-9D9A-4BDF-99F2-91DE0D6A1048}\_h\3]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBB57C9-9D9A-4BDF-99F2-91DE0D6A1048}\_h\4]

(the REG_BINARY values under _b and _h\1 to _h\4 are omitted)

#156 rsre15

Posted 26 November 2006 - 10:04 AM

3D Groove Playback Engine
Adobe Acrobat - Reader 6.0.2 Update
Adobe Reader 6.0.1
AVG Anti-Spyware 7.5
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Support 5.0.0 (630)
EarthLink setup files
ERUNT 1.1j
HijackThis 1.99.1
Intel® 537EP V9x DF PCI Modem
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections
Internet Explorer Default Page
J2SE Runtime Environment 5.0 Update 9
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Kaspersky Online Scanner
Learn2 Player (Uninstall Only)
Lesson Planner v2
Macromedia Shockwave Player
McAfee Personal Firewall Plus
McAfee Privacy Service
McAfee SecurityCenter
McAfee SpamKiller
McAfee VirusScan
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Office XP Professional with FrontPage
Microsoft Picture It! Library 9
Microsoft Picture It! Photo Premium 9
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Streets and Trips 2004
Microsoft Word 2002
Microsoft Works
Microsoft Works 2004 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Modem Event Monitor
Modem Helper
Modem On Hold
MSN
MSN Encarta Plus Support Files
Musicmatch for Windows Media Player
Musicmatch® Jukebox
Netscape Browser (remove only)
Panda ActiveScan
PhotoParade Player
PlayLinc
QuickTime
QuickTime 3.0
Security Update for Step By Step Interactive Training (KB898458)
Shockwave
Smart Steps 1st Grade
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Verizon Online
Verizon Online Help & Support
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10

#157 rsre15

Posted 26 November 2006 - 10:05 AM

Logfile of HijackThis v1.99.1
Scan saved at 10:50:04 AM, on 11/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Rick\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...881/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

#158 beynac

Posted 26 November 2006 - 11:37 AM

Hi. Good work! :)

The HijackThis log is clean. Did the Spybot scan find anything?

I need to find out some more information about that registry entry.

Download Bobbi Flekman's RegSearch from here.
  • Create a new folder on your desktop and rename it RegSearch
  • Extract the contents of the zip file to this folder.
  • Double-click RegSearch.exe to launch the program.
  • Copy/paste the following into the top text box of RegSearch {8CBB57C9-9D9A-4BDF-99F2-91DE0D6A1048}
  • Click OK
  • Wait until a Notepad document opens (this may take a few minutes)
  • Close RegSearch by clicking the top-right red Close button
Please post the contents of that file as a reply to this thread. (This file will be saved in the RegSearch folder).

Edited by beynac, 26 November 2006 - 11:43 AM.


#159 rsre15

Posted 26 November 2006 - 12:07 PM

Spybot did find some things and deleted them.

REGEDIT4
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 11/26/2006 1:01:03 PM for strings:
; '{8cbb57c9-9d9a-4bdf-99f2-91de0d6a1048}'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBB57C9-9D9A-4BDF-99F2-91DE0D6A1048}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBB57C9-9D9A-4BDF-99F2-91DE0D6A1048}\_b]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBB57C9-9D9A-4BDF-99F2-91DE0D6A1048}\_h]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBB57C9-9D9A-4BDF-99F2-91DE0D6A1048}\_h\1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBB57C9-9D9A-4BDF-99F2-91DE0D6A1048}\_h\2]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBB57C9-9D9A-4BDF-99F2-91DE0D6A1048}\_h\3]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBB57C9-9D9A-4BDF-99F2-91DE0D6A1048}\_h\4]

; End Of The Log...

#160 beynac

Posted 26 November 2006 - 03:35 PM

Thanks for the info' - I'm still looking into that registry item. In the meantime, I would like you to check some files for me.

Please reboot and then click on Start then Run
Copy/paste C:\WINDOWS\SYSTEM32\ into the text box
Click OK
See if you have any files in that folder named:

C:\WINDOWS\SYSTEM32\qykcscn
or
C:\WINDOWS\SYSTEM32\ncsckyq

These could have any, or no, extension.

If you find C:\WINDOWS\SYSTEM32\qykcscn.dll please go to http://www.uploadmalware.com/.
  • Enter your username (rsre15)
  • Right-click on this link, select Copy Shortcut
  • Click on the Topic where file was requested box and then right-click and select Paste
  • Browse to C:\WINDOWS\SYSTEM32\qykcscn.dll and then click OK
  • In comments please enter "Possible Vundo"
  • Click Send File
Please make a note of all files found and then delete them.

Please post a list of the files found (and deleted) and, just to be safe, a new HijackThis log.


#161 rsre15

Posted 26 November 2006 - 04:02 PM

I could not find either one of the files.

#162 rsre15

Posted 26 November 2006 - 04:03 PM

Logfile of HijackThis v1.99.1
Scan saved at 4:55:59 PM, on 11/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rick\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/news?ned=us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...881/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
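A way to read the two logs above the way a helper does, added here as an example that is not part of the thread: it parses the HijackThis 1.99.1 line format into a process list and R/F/O entries, diffs the 10:50 AM and 4:55 PM scans (process paths compared case-insensitively, since IEXPLORE.EXE and iexplore.exe are the same binary), and flags the "(no file)" entries, any O4 autorun launched from a Temp folder, and any R0/R1 page not pointing at an expected host. The log excerpts are constructed from lines posted above; the expected-homepage set (www.msn.com from rsre15's reply plus the Dell OEM default www.dell4me.com) is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed excerpts of the two HijackThis 1.99.1 logs posted above (the
# 10:50 AM and 4:55 PM scans on 11/26/2006); the lines are copied from the
# thread, everything else in those logs is left out here.
LOG_1050 = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:50:04 AM, on 11/26/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Rick\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

LOG_1655 = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:55:59 PM, on 11/26/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rick\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/news?ned=us
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.+)$")   # "O2 - BHO: ..."
URL_RE = re.compile(r"=\s*(https?://\S+)", re.I)                 # "... = http://host/path"
TEMP_RE = re.compile(r"\\temp\\", re.I)                          # a \Temp\ path component


def parse_hjt(text):
    """Split a HijackThis log into its process list and its R/F/O entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
                continue
            in_procs = False          # the blank line ends the process section
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("type"), m.group("body")))
    return {"processes": processes, "entries": entries}


def diff_logs(old_text, new_text):
    """What appeared or disappeared between two scans of the same machine.
    Process paths are compared case-insensitively: HijackThis records
    IEXPLORE.EXE and iexplore.exe for the same binary."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    po = {p.lower() for p in old["processes"]}
    pn = {p.lower() for p in new["processes"]}
    return {
        "added_processes": sorted(pn - po),
        "removed_processes": sorted(po - pn),
        "added_entries": [e for e in new["entries"] if e not in old["entries"]],
        "removed_entries": [e for e in old["entries"] if e not in new["entries"]],
    }


def review(parsed, expected_home_hosts):
    """Entries a helper would ask about first. Each finding is
    (reason, type, body); none of them is proof of infection on its own."""
    findings = []
    for typ, body in parsed["entries"]:
        if body.endswith("(no file)"):
            findings.append(("registered file is gone (orphaned entry)", typ, body))
        if typ == "O4" and TEMP_RE.search(body):
            findings.append(("autorun launched from a Temp folder", typ, body))
        if typ in ("R0", "R1"):
            m = URL_RE.search(body)
            host = urlparse(m.group(1)).hostname if m else None
            if host and host not in expected_home_hosts:
                findings.append((f"browser page set to {host}, not an expected homepage", typ, body))
    return findings


if __name__ == "__main__":
    print(diff_logs(LOG_1050, LOG_1655), review(parse_hjt(LOG_1655), {"www.msn.com", "www.dell4me.com"}), sep="\n")
```

The diff shows only qttask.exe appearing, notepad.exe gone and the new R0 Start Page line, which is why the second log reads as clean; the review still lists the two "(no file)" entries and the news.google.com start page as things to confirm with the user.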

#163 beynac

Posted 26 November 2006 - 04:11 PM

Hi.

I could not find either one of the files.

Good! That's a relief. The HijackThis log is still clean. At the moment I'm just trying to make sure that we've got everything. Please bear with me - I want to do everything I can to make sure that this infection doesn't come back. I'll look back through everything we've done and post again tomorrow.

#164 rsre15

Posted 26 November 2006 - 04:43 PM

Thank you! :) :) I do have a few questions - nothing bad! I will post tom. Also, I am in a bit of a rush. Thanks again!

#165 beynac

Posted 27 November 2006 - 10:22 AM

Hi.

That registry item appears to be bad. Let's get rid of it.
  • Select the contents of the Quote Box below, right-click and copy it, then paste into Notepad
  • Make sure that Word Wrap is turned off in Notepad - (click the Format menu and uncheck Word Wrap)
  • Click Save As on the File menu and name the file fix.reg
  • Change the Save as Type to All Files
  • Save the file on your desktop
  • Close Notepad and make sure that all other windows are closed

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBB57C9-9D9A-4BDF-99F2-91DE0D6A1048}]

Important:
  • Make sure there are NO blank lines before REGEDIT4
  • Make sure there is one blank line at the end of the file
  • Make sure that you have copied all of the text (e.g. don't miss the first 'R')
Then double-click on the fix.reg file, and when it prompts to merge say Yes

Reboot your computer
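A check for the three "Important" points above, added here as an example that is not from the thread: it validates a REGEDIT4 file before it is merged (REGEDIT4 on the very first line, a newline after the last line, every other line a key or value line) and lists the keys a "[-...]" line will delete, refusing a deletion fewer than four components below the hive so that a mangled paste cannot wipe something like HKLM\SOFTWARE\Classes\CLSID. The FIX_REG text is a constructed copy of the fix.reg above; the min_depth threshold is an assumption.

```python
import re

# Constructed copy of fix.reg exactly as the post above says to save it:
# header first, one blank line, the key to delete, one blank line at the end.
FIX_REG = (
    "REGEDIT4\n"
    "\n"
    "[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{8CBB57C9-9D9A-4BDF-99F2-91DE0D6A1048}]\n"
    "\n"
)

# "[HIVE\path]" creates/opens a key, "[-HIVE\path]" deletes it
KEY_RE = re.compile(r"^\[(?P<del>-?)(?P<path>HKEY_[A-Z_]+(?:\\[^\]]+)*)\]$")
# '"name"=...' or '@=...' sets a value under the key above it
VALUE_RE = re.compile(r'^(?:"[^"]*"|@)=')


def check_fix_reg(text, min_depth=4):
    """Return the problems a REGEDIT4 file has before it is merged; an empty
    list means it passes. min_depth is how many path components below the
    hive a deleted key must have (assumed threshold), so a stray
    '[-HKEY_LOCAL_MACHINE\\SOFTWARE]' is caught before regedit deletes it."""
    problems = []
    lines = text.replace("\r\n", "\n").split("\n")
    if lines[0] == "":
        problems.append("blank line before REGEDIT4")
    elif lines[0] != "REGEDIT4":          # e.g. the first 'R' got lost in the paste
        problems.append(f"first line is {lines[0]!r}, expected 'REGEDIT4'")
    if not text.endswith("\n"):
        problems.append("no blank line at the end of the file")
    for n, line in enumerate(lines[1:], start=2):
        if line == "" or VALUE_RE.match(line):
            continue
        m = KEY_RE.match(line)
        if not m:
            problems.append(f"line {n}: not a key or value line: {line!r}")
        elif m.group("del") and m.group("path").count("\\") < min_depth:
            problems.append(f"line {n}: deletes a broad key: {m.group('path')}")
    return problems


def deleted_keys(text):
    """The keys the file will delete (its '[-...]' lines), for a last look."""
    return [m.group("path") for m in map(KEY_RE.match, text.splitlines())
            if m and m.group("del")]


if __name__ == "__main__":
    print("problems:", check_fix_reg(FIX_REG))
    print("will delete:", deleted_keys(FIX_REG))
```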

-----------------------------------------------------------

You previously installed Erunt, a registry backup tool. This is running every time you start your computer, which is unnecessary. If you need to back up the registry, you can run the program manually.

Run HijackThis and click Scan and then check (tick) the following:

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

Close down all programs, browsers and other open windows. Make sure that only the above items are checked and then click on Fix checked.

Reboot the computer.

----------------------------------------------------------

Kaspersky Online Scanner

Using Internet Explorer, click on Kaspersky Online Scanner
  • You will be prompted to install an ActiveX component from Kaspersky, Click 'Yes'.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click 'Next'.
  • Now click on 'Scan Settings'
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: 'Extended' (If available, otherwise 'Standard')
    • Scan Options: 'Scan Archives' and 'Scan Mail Bases'
  • Click 'OK'
  • Now under 'Select a target to scan' select 'My Computer'
  • The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
  • Now click on the 'Save as Text' button:
  • Save the file to your desktop.
-------------------------------------------------------

Please post the Kaspersky report and a new HijackThis log. How is the computer running at the moment? I'm still a bit nervous about getting too optimistic. Let's see these latest logs and take it from there.
