
Trojan-Spy.html.smitfraud.c

Discussion in 'Malware and Virus Removal Archive' started by bbne, 2005/05/05.

Thread Status:
Not open for further replies.
  1. 2005/05/05
    bbne

    bbne Inactive Thread Starter

    Joined:
    2002/10/13
    Messages:
    32
    Likes Received:
    0
    On startup of my computer (Gateway windows98SE) the following message appears across the center of the control panel: " fatal error in IE at 0028:C011E36 in VXD VMM <01> + 00010E36. Error caused by Trojan - spy.html.smitfraud.c System cannot function in normal mode. Check security settings. Scan and fix the problem." Also, the names of the icons in the display are now black background. What scanner would be the best to run? Will it tell me how to fix the problem?
     
    bbne,
    #1
  2. 2005/05/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    This is a fairly new infection to hit the net and unfortunately none of the usual removal apps are able to rid you of it. Please post a HijackThis log and I'll take a look, dig up the necessary information and try to get a fix posted for you later tonight. You may have seen me post a fix for this in another thread.......don't bother trying to use it. I wrote it just for XP-2000-2003 machines, and it won't run on 95-98-ME.

    http://windowsbbs.com/showpost.php?p=197787&postcount=4
     


  4. 2005/05/07
    bbne

    bbne Inactive Thread Starter

    Joined:
    2002/10/13
    Messages:
    32
    Likes Received:
    0
    HJT log file

    Here is the logfile you suggested that I create. You know, I searched Symantec for a removal tool and didn't see anything. Thanks for any help you can offer. I also ran Spybot and it came up with some problems. Do you want to see that log as well? Sometimes my computer will "hang" and Task Manager says "spoolsrv32 not responding ". Is that normal? bbne

    Logfile of HijackThis v1.99.1
    Scan saved at 8:11:17 AM, on 5/7/2005
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\ANTISPYWARE\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://top-find4u.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://top-find4u.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://top-find4u.com/sp.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://top-find4u.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://top-find4u.com/sp.htm
    O2 - BHO: SearchHookObject Class - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\IEFEATSL\MSIESH.DLL (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [GRA] C:\Cabs\grainstall\GRA.exe
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [Security iGuard] C:\PROGRAM FILES\SECURITY IGUARD\SECURITY IGUARD.EXE
    O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Microsoft AntiSpyware helper - {94303080-BD5B-11D9-ABBE-444553540000} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {94303080-BD5B-11D9-ABBE-444553540000} - (no file) (HKCU)
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O13 - WWW. Prefix: http://
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_1_0.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.solid-edge.com/CFIDE/classes/CFJava.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
    O18 - Protocol: pcncdf - (no CLSID) - (no file)
     
    bbne,
    #3
  5. 2005/05/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download this removal tool from Symantec and run as directed for one of the infections present.

    Please download the smitfraud.zip file attached to this post. Save it to your desktop. If it saves as attachment.php, right click and rename to smitfraud.zip, then right click and extract.

    Open the control panel>Add/Remove programs and uninstall Security IGuard, Virtual Maid and Search Maid if present.

    Either reboot and repeatedly tap F8 to enable the start menu and select safe mode, or go to start>run and type msconfig, hit enter. On the General tab click the advanced button. Check the box to 'enable start menu' and OK out. Restart and choose safe mode. Logon to your user account.


    Open the smitfraud folder and double click the RunThis.bat file to start the tool. Follow the prompts. This will delete some of the known smitfraud associated files and repair the registry changes it makes. When the tool completes, scan again with HijackThis and place a check next to the following entries if present.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://top-find4u.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://top-find4u.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://top-find4u.com/sp.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://top-find4u.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://top-find4u.com/sp.htm
    O2 - BHO: SearchHookObject Class - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\IEFEATSL\MSIESH.DLL (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL (file missing)
    O4 - HKLM\..\Run: [Security iGuard] C:\PROGRAM FILES\SECURITY IGUARD\SECURITY IGUARD.EXE
    O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Microsoft AntiSpyware helper - {94303080-BD5B-11D9-ABBE-444553540000} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {94303080-BD5B-11D9-ABBE-444553540000} - (no file) (HKCU)
    O13 - WWW. Prefix: http://
    O18 - Protocol: pcncdf - (no CLSID) - (no file)

    Delete the Security IGuard, Virtual Maid and Search Maid folders in C:\Program Files if present.
    Empty the recycle bin.

    If you used msconfig, uncheck the box to 'enable start menu' and click ok to reboot. Upon reboot you will be greeted with a message window from the System Configuration Utility. Check the box not to use and don't show, then click OK. If you used F8, just reboot back into Windows. Your desktop should be reset to the MS default blue background by the smitfraud tool, and can be changed to whatever you like.

    Scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.

    Run another HijackThis scan and post the log. Report any problems and/or successes.

    EDIT
    Updated regularly! smitRem is now a self extracting exe. Save it to the desktop and double click it to extract. Open and run the RunThis.bat file in safe mode.

    Targets Trojan-Spy.html.smitfraud.c, AVGold, SpySheriff and PSGuard infections.

    smitRem.exe
     
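The entries the helper picked out above follow a few recurring patterns in a HijackThis log (search/start URLs pointing at an unknown host, BHOs whose DLL is missing, RunServices autostarts, buttons and protocol handlers with no backing file or CLSID). The script below is an added example, not part of this thread or of HijackThis, that applies those same triage rules to a handful of lines copied from the log posted above; the trusted-host allow-list is an assumption chosen to match what the helper left alone.

```python
import re
from urllib.parse import urlparse

# Sample input: a few entries copied from the HijackThis log posted in this
# thread (the real log has more lines; these are enough to exercise each rule).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://top-find4u.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SearchHookObject Class - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\IEFEATSL\MSIESH.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O13 - WWW. Prefix: http://
O18 - Protocol: pcncdf - (no CLSID) - (no file)
"""

# HijackThis entry lines look like "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# R0/R1 entries end in "= <url>"; we pull the URL out to inspect its host.
URL_RE = re.compile(r"= (?P<url>\S+)\s*$")

# Assumed allow-list: hosts the reviewer considers the user's own choice.
# The thread left the Yahoo start page alone and flagged every top-find4u.com entry.
TRUSTED_HOSTS = {"www.yahoo.com"}


def parse_entry(line):
    """Return {'code', 'body', 'raw'} for a HijackThis entry line, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {"code": m.group("code"), "body": m.group("body"), "raw": line.strip()}


def triage_entry(entry, trusted_hosts=TRUSTED_HOSTS):
    """Return a reason string if the entry matches one of the cleanup
    criteria used in this thread, or None if it looks benign."""
    code, body = entry["code"], entry["body"]
    if code in ("R0", "R1"):
        m = URL_RE.search(body)
        if m:
            host = urlparse(m.group("url")).hostname or ""
            if host not in trusted_hosts:
                return f"IE search/start setting points at untrusted host {host}"
        return None
    if code == "O2" and body.endswith("(file missing)"):
        return "BHO registered but its DLL is missing (orphaned registration)"
    if code == "O4" and "RunServices" in body:
        return "RunServices autostart (runs before logon; common Win9x persistence)"
    if code == "O9" and "(no file)" in body:
        return "IE extra button/menu item with no backing file"
    if code == "O13":
        return "URL prefix override (typed addresses can be redirected)"
    if code == "O18" and "(no CLSID)" in body:
        return "protocol handler without a CLSID (orphaned or hijacked)"
    return None


def triage_log(text, trusted_hosts=TRUSTED_HOSTS):
    """Scan a whole HijackThis log; return [(code, reason, raw_line), ...]."""
    findings = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue  # header, process list, blank line
        reason = triage_entry(entry, trusted_hosts)
        if reason:
            findings.append((entry["code"], reason, entry["raw"]))
    return findings


if __name__ == "__main__":
    for code, reason, raw in triage_log(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {raw}")
```

Against the sample, the six lines flagged are exactly the ones the helper asked to be fixed, while the Yahoo start page, the Spybot BHO and the SystemTray Run entry pass.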
  6. 2005/05/15
    bbne

    bbne Inactive Thread Starter

    Joined:
    2002/10/13
    Messages:
    32
    Likes Received:
    0
    Thanks for the reply to help my problem. It did get rid of the 'smitfraud' message on the display. My background is now black, not blue, and I don't see anything in the display settings area about background colors or wallpaper. There is the settings for screensavers and energy though. I have copy pasted the RAV report and the Hijack this log for review. Thanks again, bbne

    RAV Report:

    Statistics

    Scanned files: 19872
    Scanned directories: 1120
    Scanned archives: 462
    Size of the scanned files: 2610857708
    Packed files: 233
    Known viruses found: 10
    Virus bodies: 5
    Suspicious files: 0

    Disinfected files: 0
    Deleted files: 0
    Renamed files: 0
    Copied files: 0
    I/O errors: 0
    Warnings: 0
    Corrupted files: 0
    New files: 70097
    Mail files: 8418




    Found viruses
    File: c:\WINDOWS\Q824145.exe
    Virus: TrojanDownloader:Win32/IeFear Status: Infected

    File: c:\WINDOWS\image.dll
    Virus: TrojanDownloader:Win32/WinShow.F Status: Infected

    File: c:\Program Files\Outlook Express\KENNETH D. SHELBOURN\Mail\Inbox.mbx->[From: "Bill Iveson" ] [ "Subject: Fw: Lessons in Management"] [ "Date: Wed, 21 Jun 2000 07:32:50 -0400"]->(part0002:)->(SCRIPT0000)
    Virus: JS/Kak.gen* Status: Infected

    File: c:\Program Files\Outlook Express\KENNETH D. SHELBOURN\Mail\Inbox.mbx->[From: "Horst" ] [ "Subject: Fw: Fw: Why men shouldn't"] [ "Date: Thu, 8 Feb 2001 06:13:11 -0500"]->(part0002:)->(part0001:)->(SCRIPT0000)
    Virus: JS/Kak.gen* Status: Infected

    File: c:\Program Files\Outlook Express\KENNETH D. SHELBOURN\Mail\Inbox.mbx->[From: "Horst" ] [ "Subject: Fw: Fw: "] [ "Date: Wed, 14 Feb 2001 06:31:02 -0500"]->(part0002:)->(part0002:)->(SCRIPT0000)
    Virus: JS/Kak.gen* Status: Infected

    File: c:\Program Files\Outlook Express\KENNETH D. SHELBOURN\Mail\Inbox.mbx->[no sender] [ "no subject"] [ "Date: Fri, 22 Jun 2001 07:48:38 -0400"]->(part0001:CFGWIZ32.EXE)
    Virus: Win32/Magistr.A@mm Status: Infected

    File: c:\Program Files\Outlook Express\KENNETH D. SHELBOURN\Mail\Inbox.mbx->[From: bwatson ] [ "Subject: W32.Elkern removal tools"] [ "Date: Tue, 16 Jul 2002 16:45:47 -0400 (EDT)"]->(part0001:install.exe)
    Virus: Win32/Klez.H@mm Status: Infected

    File: c:\Program Files\Outlook Express\KENNETH D. SHELBOURN\Mail\Inbox.mbx->[From: postmaster ] [ "Subject: Undeliverable mail-- "so cool a flash,enjoy it""] [ "Date: 22 Aug 2002 17:27:57 -0500"]->(part0001:2002 .pif)
    Virus: Win32/Klez.H@mm Status: Infected

    File: c:\Program Files\Outlook Express\KENNETH D. SHELBOURN\Mail\Sent Items.mbx->[From: "Ken Shelbourn" ] [ "Subject: Fw: Lessons in Management"] [ "Date: Thu, 22 Jun 2000 06:55:35 -0400"]->(part0002:)->(SCRIPT0000)
    Virus: JS/Kak.gen* Status: Infected

    File: c:\Program Files\Outlook Express\KENNETH D. SHELBOURN\Mail\Deleted Items.mbx->[From: postmaster ] [ "Subject: Undeliverable mail-- "so cool a flash,enjoy it""] [ "Date: 22 Aug 2002 17:27:57 -0500"]->(part0001:2002 .pif)
    Virus: Win32/Klez.H@mm Status: Infected

    Hijack log 051505
    Logfile of HijackThis v1.99.1
    Scan saved at 10:06:13 AM, on 5/15/2005
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\RunDLL.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\ANTISPYWARE\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [GRA] C:\Cabs\grainstall\GRA.exe
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.solid-edge.com/CFIDE/classes/CFJava.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O18 - Protocol: pcncdf - (no CLSID) - (no file)
     
    bbne,
    #5
  7. 2005/05/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The smitfraud tool has been updated several times recently. Please delete the copy you have and redownload from the above link, then run again.

    Delete the following files.

    c:\WINDOWS\Q824145.exe
    c:\WINDOWS\image.dll

    Scan again with HijackThis and fix the following entry.

    O18 - Protocol: pcncdf - (no CLSID) - (no file)

    Delete the infected files in your email inbox and sent items folder.

    Empty the recycle bin.

    Post back with a new HJT log and let us know what tabs are available in your display properties; if you can change your background.
     
  8. 2005/05/16
    ssarwar12

    ssarwar12 Inactive

    Joined:
    2005/05/16
    Messages:
    1
    Likes Received:
    0
    Hi, I had the same problem and found this solution. I tried it and it got rid of the message on the desktop, but the background is black now and I just have the screen saver and settings tabs in display. I am running Windows XP. Any help is appreciated.

    Thanks,
     
  9. 2005/05/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS ssarwar12 :)

    May I ask when you downloaded and used the fix?

    Please download the reg fix from the link below. Double click and allow it to merge with the registry, reboot and let us know if your tabs are back.

    http://www.kellys-korner-xp.com/regs_edits/desktoptab.reg

    Reg fix for XP only!
     
  10. 2005/05/19
    bbne

    bbne Inactive Thread Starter

    Joined:
    2002/10/13
    Messages:
    32
    Likes Received:
    0
    Hi, Success with the Smitfraud removal tool and my display is back to normal (blue) again and the extra tabs on the display settings that I had reported missing are back as well. Thanks, Noah! Didn't use the referenced post, it was for XP anyway.

    The entry O18 - Protocol: pcncdf - (no CLSID) - (no file) just keeps coming back every time after I check it and tell HijackThis to fix. See log.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:03:20 AM, on 5/19/2005
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\SYSTEM.EXE
    C:\WINDOWS\RunDLL.exe
    C:\ANTISPYWARE\HIJACKTHIS.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [GRA] C:\Cabs\grainstall\GRA.exe
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [Windows DLL Services] C:\SYSTEM.EXE
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [HijackThis startup scan] C:\ANTISPYWARE\HijackThis.exe /startupscan
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.solid-edge.com/CFIDE/classes/CFJava.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O18 - Protocol: pcncdf - (no CLSID) - (no file)

    RAVONLINE
    Scan started at 5/19/2005 11:06:52 AM

    Scanning memory...
    c:\NULL - TrojanDownloader:Win32/QDown.M -> Infected
    c:\WINDOWS\TEMP\installer.exe - TrojanDownloader:Win32/PurityScan.U -> Infected

    Scanned
    ============================
    Objects: 20086
    Directories: 1123
    Archives: 473
    Size(Kb): -1638812
    Infected files: 2

    Found
    ============================
    Viruses found: 2
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 1109

    What do I do to fix these 2??

    One problem that remains is with my task bar IE6 and Outlook icons. They will not bring up the dial-up/connect to the internet. I have to go to the Control Panel/dial-up networking and click on my connection to get connected. Then, when I do get connected, an alternate start page is loaded instead of Yahoo which is what I have listed as home page in internet options. The "Home" icon will take me to Yahoo, but the internet explorer icon takes me to this "foreign" www/ page.
    I'm thinking there is a simple fix for this, just can't remember how. Also believe that this is unrelated to my first post on Smitfraud because it happened over the weekend. Could I forward the email .exe file that made it happen to you to investigate? bbne
     
    Last edited: 2005/05/19
    bbne,
    #9
  11. 2005/05/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That's good news! :)

    Yes, please forward me a copy of the file........zip it up first. Attach it to an email here and put WindowsBBS-bbne in the subject line.

    Open C:\Windows\temp, select all and delete.
    Delete the C:\Null folder
    Empty the recycle bin.

    Download "Registry Search Tool" (RegSrch.vbs) from here
    http://www.billsway.com/vbspage/
    start it and paste in pcncdf, wait for it to complete the search, click ok at the prompt. Then when wordpad opens, copy that back here please.

    Open the control panel, then Internet Options. Click the connections tab. Check the box to 'Always dial my default connection' and click apply. Click the programs tab, then 'Reset Web Settings'. No need to reset homepage, click OK, then OK again. Close IE options. Open OE, click tools>options>connections tab>change. Make sure settings match IE's. OK your way out. Close OE and IE Windows if open, disconnect your dial-up, then re-open either and see if it responds properly.
     
  12. 2005/05/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
  13. 2005/05/23
    bbne

    bbne Inactive Thread Starter

    Joined:
    2002/10/13
    Messages:
    32
    Likes Received:
    0
    Results per instructions in last post:
    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "pcncdf" 5/23/2005 9:44:58 PM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BFBEC6BD-E7FD-11D0-AAA8-00C04FC9E8FE}]
    @= "IPCNCDFMoniker "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\pcncdf]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\pcncdf]
    @= "pcncdf: Asynchronous Pluggable Protocol Handler "

    Also, seems you fixed my connection problem; the 'always dial default connection' was unchecked (I didn't do it, but I fixed it). IE & OE behave now.
    I also used "find file" for May 15 when the mess-up occurred and found a Dutch or German sounding file that I think was the source of the redirect to a European webpage when I opened IE. Since I deleted it, everything seems to work fine. I'm sure there's a bit of trash left behind.
    Also at one time you suggested 'NOadware'. It found a lot of things, 34 I think, but it won't let you fix them. It takes you to a page to buy some software for 20 or 30 bucks. Advise. Thanks, bbne
     
  14. 2005/05/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Noadware is a rogue/fake antispyware program. Uninstall and delete all associated files/folder, then empty the recycle bin. I haven't looked back through this thread, but if I recommended a program similarly named, it was Ad-aware SE Personal, which I have a link to in my signature.

    That O18 Protocol entry appears to be associated with a program named Pointcast. Does it sound familiar? If you have or did have it installed, you may need to re-install/uninstall to remove the association.

    Happy to hear the IE/OE problem is resolved also. :) Anything else we need to do?
     
  15. 2005/05/27
    bbne

    bbne Inactive Thread Starter

    Joined:
    2002/10/13
    Messages:
    32
    Likes Received:
    0
    Hello, Removed 'noadware' this morning. Pointcast sounds vaguely familiar, I think it goes way back to the late '90s and it was associated either with something that came with my Gateway or something thru MSN. Seems like it was to do with shortcuts to media or news. Everything seems to function OK. How do I know if I got rid of the worm and if all registry records are correct? Again, thanks for all your help. bbne
     
  16. 2005/05/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Another RAV scan should show if your system is infected or not. If you'd like to clean out the registry of orphaned entries, I recommend RegSeeker. In using it, I have always run a 'clean registry' scan, make sure the backup box is checked, then select all and delete. Check to be sure all is still working properly, then do another clean, and again select all and delete. Repeat the process until it comes up clean.
     
  17. 2005/05/29
    bbne

    bbne Inactive Thread Starter

    Joined:
    2002/10/13
    Messages:
    32
    Likes Received:
    0
    Thanks for replying again. I ran RAV again and this is the only thing it came up with. I thought we got rid of it a while back as I had seen it previously on an earlier scan report. Do I just find and delete this file or are there other (hidden) files associated with it? Hey, Windows Explorer finds c:\recycled but it shows nothing in it....now what?
    File: c:\RECYCLED\DC1
    Virus: TrojanDownloader:Win32/QDown.M Status: Infected
    I ran Spybot too, and it had lots of entries referring to missing shared .dll files, incorrect paths, and missing help files. I tried to make a log file to paste here but didn't see how to do that.
    New question - is there a thread about what to do when on a website only the little colored icon in upper left and/or sometimes a red X shows up when there should be an item displayed or a picture? Does it have something to do with Active-X or Java or scripts? I'm guessing now, so I really need to go to a thread...bbne
     
    Last edited: 2005/05/29
  18. 2005/05/31
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That is in the recycle bin and shouldn't present any problems, however, Cleanup may remove it.

    I'm assuming that you meant RegSeeker. After scanning, make sure the backup box in the lower left corner is selected, click select all, then select all again, right click within the results and select delete.

    The Red X problem has been discussed many times, and a search of the Internet Explorer section of the board for Red X will yield many results.
     