CWS.msconfig and a few other problems


  • This topic is locked

#1
angelpuddin
    New Member
  • Member
  • 7 posts
My computer has been acting up for about a week, with slow response times and just noting something is not right. I am in the midst of applying for online work, and I have to get this machine in shape! I appreciate any help you can offer.

(I had Spector installed but have uninstalled it for these scans.)

-AVG antivirus finds nothing.
-PCPitstop found nothing.
-Ran ATF cleaner.

-Cool Web Shredder finds CWS.msconfig and fixes it, but it will reappear after a reboot.

-Ran Adaware after turning on all startups in msconfig, updating definitions, and making tweaks.
It showed 0 objects.
-Ewido/AVG is all clear in safe mode.

-Spybot has had minibug showing for months and can't delete it: HKEY_USERS\DEFAULTS\Software\AWS\MiniBug.
And also MicrosoftWindowsSecurityCenter_disabled:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2

-Panda Activescan:
Incident Status Location

Adware:adware/swimsuitnetwork Not disinfected c:\windows\system32\MYDLL.DLL
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\SYSTEM32\r?gsvr32.exe
Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Program Files\hijack this NEW\backups\backup-20051012-181100-202-PowerReg Scheduler.exe

Making sure all startup items were turned on and after rebooting, here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:16:06 PM, on 10/23/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\nthClock\nthClock.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijack this NEW\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wgal.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: nthClock.lnk = C:\Program Files\nthClock\nthClock.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: WebmedxaudioPlugin - https://www.webmedx-...ommon/audio.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123562832238
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128713893600
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservic...ool/MailCfg.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.98...ges/PopupSh.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon....es/vzWebIns.CAB
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe


Here is the HijackThis Uninstall List:

Adobe Reader 6.0.1
Adobe Shockwave Player
AVG Anti-Spyware 7.5
AVG Free Edition
Barbie® Pet Rescue
Casey Jones Demo
CCScore
Dorland's Electronic Medical Speller
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
ESSTUTOR
ESSvpaht
ESSvpot
FileZilla (remove only)
Harry Potter
HijackThis 1.99.1
HLPIndex
HLPPDOCK
HLPRFO
Hotfix for MDAC 2.80 (KB911562)
Intel® PRO Network Connections Drivers
Ipswitch WS_FTP Pro
Kodak EasyShare software
Macromedia Flash Player 8
MediLexicon DesktopBox v 2.0
Microsoft Web Publishing Wizard 1.52
mIRC
MSN Messenger 7.0
MSXML 4.0 SP2 (KB925672)
Notifier
nthClock
OpenMG Limited Patch 4.2-05-07-27-01
OpenMG Secure Module 4.2.00
OTtBP
OTtBPSDK
Panda ActiveScan
PCPitstop Panda AntiVirus Scan (remove only)
Petz 5
Puppy Luv (remove only)
Secret Agent™ Barbie™
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Serif DrawPlus 3.0
SFR
SHASTA
SKIN0001
SKINXSDK
Stedman's Abbreviations, Acronyms & Symbols 1.0
Stedman's Cardiovascular & Pulmonary Words 1.0
Stedman's Equipment Words 1.0
Stedman's GI & GU Words 1.0
Stedman's Organism's & Infectious Disease Words 1.0
Stedman's Pathology & Lab Medicine Words 1.0
Stedman's Smartype
The SUM Program Advanced Units - Cardiology Version 2.1
Tin Lizzie Screen Saver
V.M.C. 2.20.40
Verizon Online DSL
VPRINTOL
Webmedx Audio and Report Plugin
Winamp (remove only)
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB896688
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB902400
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB905915
Windows 2000 Hotfix - KB908519
Windows 2000 Hotfix - KB908523
Windows 2000 Hotfix - KB908531
Windows 2000 Hotfix - KB911280
Windows 2000 Hotfix - KB911567
Windows 2000 Hotfix - KB912812
Windows 2000 Hotfix - KB912919
Windows 2000 Hotfix - KB913580
Windows 2000 Hotfix - KB914388
Windows 2000 Hotfix - KB914389
Windows 2000 Hotfix - KB916281
Windows 2000 Hotfix - KB917008
Windows 2000 Hotfix - KB917159
Windows 2000 Hotfix - KB917422
Windows 2000 Hotfix - KB917537
Windows 2000 Hotfix - KB917736
Windows 2000 Hotfix - KB917953
Windows 2000 Hotfix - KB918899
Windows 2000 Hotfix - KB920670
Windows 2000 Hotfix - KB920683
Windows 2000 Hotfix - KB920685
Windows 2000 Hotfix - KB920958
Windows 2000 Hotfix - KB921398
Windows 2000 Hotfix - KB921883
Windows 2000 Hotfix - KB922582
Windows 2000 Hotfix - KB922616
Windows 2000 Hotfix - KB923191
Windows 2000 Hotfix - KB923414
Windows 2000 Hotfix - KB924191
Windows 2000 Hotfix - KB925486
Windows Media Player system update (9 Series)
WIRELESS


Okay, that looks like all I'm supposed to post. Thanks again in advance for your help. :whistling:
  • 0

#2
rem
    Visiting Staff
  • Member
  • 464 posts
Hi angelpuddin, welcome to geekstogo.
My name is Colin & I will be helping you to resolve this problem.
Sorry for the delay & thanks for being patient, everyone is really busy at the moment, but we've finally got round to you.
Give me a little time to analyse your log & I'll get back to you ASAP.
  • 0

#3
rem
    Visiting Staff
  • Member
  • 464 posts
Hi again angelpuddin, :whistling:

I don't see any evidence from your log that you have a firewall operating on your system. It is ABSOLUTELY ESSENTIAL that you do so.
You can download a free Firewall called ZoneAlarm.
Please download & install if you don't have a firewall operating.

Step 1
Copy everything inside the quote box below (starting with dir) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

dir C:\WINDOWS\SYSTEM32\r?gsvr32.exe /a > files.txt
notepad files.txt


Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here in your next post.

Step 2
Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file path below to the clipboard by highlighting it and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    c:\windows\system32\MYDLL.DLL
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Step 3
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.98...ges/PopupSh.ocx

Now close all windows other than HiJackThis, then click Fix Checked.
Close HijackThis.

Step 4
In your next reply please post:
1) The text file you created in Step 1.
2) A fresh HijackThis log.

Your uninstall list is fine.
I've been researching your CWS.msconfig query & I'm sure this is CWShredder throwing up a false positive. CWShredder is designed to be run only if you have a CoolWebSearch infection. As there is no evidence in your log of CWS I'm certain you don't have this infection.
See Here for a thread with the same query. This situation occurs after turning on / off startups in msconfig & running CWShredder.
  • 0

#4
angelpuddin
    New Member
  • Topic Starter
  • Member
  • 7 posts
I'm gonna get working on what you've written. I just wanted to say quickly, though, that I can't install ZoneAlarm. I had some virus about a year ago that really screwed some things up, and even with help here they couldn't get it so that I could run ZoneAlarm again. : ( Is there some other free firewall I could install?
Okay, off to do the work, and I'll post back when done.

Thanks
  • 0

#5
angelpuddin
    New Member
  • Topic Starter
  • Member
  • 7 posts
Here goes:


Volume in drive C has no label.
Volume Serial Number is 3843-EC05

Directory of C:\WINDOWS\SYSTEM32

05/02/2005 12:20p 421,888 r?gsvr32.exe
06/19/2003 03:05p 11,024 REGSVR32.EXE
2 File(s) 432,912 bytes

Directory of C:\Documents and Settings\administrator\Desktop


With Killbox, I did NOT receive any PendingFileRenameOperations prompt or any invalid file warning.

I had no idea that running CWShredder was a no-no. Thanks for the information and link. My bad. ; )

Logfile of HijackThis v1.99.1
Scan saved at 8:38:36 PM, on 10/27/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\hijack this NEW\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wgal.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: WebmedxaudioPlugin - https://www.webmedx-...ommon/audio.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123562832238
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128713893600
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservic...ool/MailCfg.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zon...mjolauncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon....es/vzWebIns.CAB
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
  • 0

#6
rem
    Visiting Staff
  • Member
  • 464 posts
Hi again angelpuddin, great job on the logs. :whistling:

There are several free Firewalls available out there. I must confess as to not knowing too much about them apart from ZoneAlarm.
Take a look Here & choose one. Just make sure it's compatible with windows 2000.
I can't stress too highly how important this is for even the casual home user, & is critical if you have sensitive information on your computer which you may have if applying as you say for online work.

Your HijackThis log is now clean, there's just a couple of more steps to perform.

Step 1
Please FULLY read this post before doing anything.

Please open windows explorer & delete this file:

C:\WINDOWS\SYSTEM32\r?gsvr32.exe

Note the ? may be shown as a ? or as a normal letter. The file to delete was created on 05/02/05 & is 421,888 bytes in size.

DO NOT delete the file REGSVR32.EXE created on 06/19/2003 which is 11,024 bytes in size.

Note that the ? in the file to delete may be shown as an 'e' so there will be two files called REGSVR32.EXE. If this is the case be sure to delete the correct one based on the date created & file size I noted above.

If you can't locate the file you may have to show hidden files & folders.
To do this:
Go to start>control panel>folder options>view (tab)
Choose to "show hidden files and folders,"
Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
Click Apply then OK to Close the window.
(After you have finished remember to go back & check the "do not show hidden files and folders" radio button again)


Step 2
Next, please run Panda Activescan again & post any findings, also let me know if you are still experiencing any problems.
  • 0
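The check that reply #3 (the findfile.bat wildcard listing) and reply #6 (telling the impostor apart from the genuine REGSVR32.EXE by exact name, size and date) describe can be automated. The Python below is an added example, not code from this thread or from HijackThis, Killbox or any other tool named here: it parses `dir` output of the kind posted in reply #5, applies the same `r?gsvr32.exe` wildcard, and keeps only entries that are not the legitimate file by name or size. The sample listing is constructed (it puts a Cyrillic 'е' where the thread showed '?' and adds an unrelated third file with a made-up size); the expected size of 11,024 bytes is the one reported for the genuine file in this thread, not a general constant, and on a real system a file hash or Authenticode signature check should replace the size comparison.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample of `dir <spec> /a` output, modelled on the listing posted in
# reply #5. The impostor's name uses a Cyrillic 'е' (U+0435) in place of the
# Latin 'e' so it renders like regsvr32.exe; a third, unrelated file is added to
# show that the wildcard filter ignores it. Only the two sizes from the thread
# are real; the third size and the totals line are made up.
SAMPLE_DIR_OUTPUT = """\
 Volume in drive C has no label.
 Volume Serial Number is 3843-EC05

 Directory of C:\\WINDOWS\\SYSTEM32

05/02/2005  12:20p           421,888 r\u0435gsvr32.exe
06/19/2003  03:05p            11,024 REGSVR32.EXE
06/19/2003  03:05p            94,208 regedit.exe
               3 File(s)        527,120 bytes
"""

# One file line of dir output: date, time, size with thousands separators, name.
ENTRY_RE = re.compile(
    r"^\s*(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}[ap]?m?)\s+"
    r"(?P<size>\d[\d,]*)\s+(?P<name>\S.*?)\s*$"
)


def parse_dir_listing(text):
    """Return (date, size_in_bytes, name) for every file line in dir output.

    Volume and directory headers, blank lines and the File(s) total are skipped
    because none of them starts with a date.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m is None:
            continue
        size = int(m.group("size").replace(",", ""))
        entries.append((m.group("date"), size, m.group("name")))
    return entries


def lookalike_reasons(name, size, legit_name, legit_size):
    """Explain why a wildcard match is not the legitimate file.

    An empty list means the entry is indistinguishable from the genuine file
    by exact name and size.
    """
    reasons = []
    # A '?' that is really a non-Latin letter is the classic look-alike trick.
    if any(ord(ch) > 127 for ch in name):
        reasons.append("non-ascii character in file name")
    # Windows file names are case-insensitive, so compare case-folded.
    if name.casefold() != legit_name.casefold():
        reasons.append("name differs from %s" % legit_name)
    if size != legit_size:
        reasons.append("size %d differs from expected %d" % (size, legit_size))
    return reasons


def find_lookalikes(dir_text, pattern="r?gsvr32.exe",
                    legit_name="regsvr32.exe", legit_size=11024):
    """Apply the thread's wildcard (like dir, '?' matches any single character,
    including a non-ASCII one) and keep only entries that fail the checks."""
    hits = []
    for date, size, name in parse_dir_listing(dir_text):
        if not fnmatchcase(name.casefold(), pattern.casefold()):
            continue
        reasons = lookalike_reasons(name, size, legit_name, legit_size)
        if reasons:
            hits.append({"name": name, "date": date, "size": size, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_DIR_OUTPUT):
        # unicode_escape makes the hidden non-Latin letter visible as \u0435.
        shown = hit["name"].encode("unicode_escape").decode("ascii")
        print("%s  %s  %d bytes" % (hit["date"], shown, hit["size"]))
        for reason in hit["reasons"]:
            print("    - " + reason)
```

Run it as a script to see the single flagged entry with its three reasons; the genuine REGSVR32.EXE passes because it matches the expected name and size exactly, which is the same test rem asks angelpuddin to apply by eye.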

#7
angelpuddin
    New Member
  • Topic Starter
  • Member
  • 7 posts
Hi rem,

Took a bit to find that sucker, but regsvr32.exe, the big one created 5/05, is in the recycle bin.

Forgot to delete cookies before running Panda Activescan:

Incident Status Location

Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Program Files\hijack this NEW\backups\backup-20051012-181100-202-PowerReg Scheduler.exe
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\administrator\Cookies\[email protected][1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\administrator\Cookies\administrator@trafficmp[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\administrator\Cookies\administrator@atwola[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\administrator\Cookies\administrator@2o7[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\administrator\Cookies\[email protected][2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\administrator\Cookies\administrator@overture[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\administrator\Cookies\administrator@casalemedia[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\administrator\Cookies\administrator@zedo[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\administrator\Cookies\administrator@tribalfusion[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\administrator\Cookies\[email protected][1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\administrator\Cookies\[email protected][1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\administrator\Cookies\administrator@com[1].txt
Adware:Adware/PurityScan Not disinfected C:\Recycled\Dc4.exe

Things seem to be running faster. Does that mean I'm clean?
I'll be looking into that firewall link you posted. I appreciate all your help from the other side of the pond. ; )
  • 0

#8
rem
    Visiting Staff
  • Member
  • 464 posts
Hi again angelpuddin, :help:

I appreciate all your help from the other side of the pond.

My pleasure & hello from the UK. :blink:

Great job on tracking that file down. Go ahead & blow it away out of the recycle bin so there's no danger of it being restored by accident.

Almost done, just a couple of things to sort out.

Step 1
Click on Start > Run & type services.msc in the 'Open:' field. & click OK
In the window that opens scroll down to Security Center & double click on it.
In the "Startup type:" box use the arrow to scroll down to choose "Automatic" click Apply and then reboot.

Windows Security Center should now automatically be enabled whenever you turn your computer on.

Step 2
Next please do a search on your computer for a folder called AWS.

If you don't know how to do this:
Using Windows Explorer (to get there right-click your Start button and go to "My Computer"), please click on Search in the toolbar at the top then All files and folders then type AWS in the "All or part of the file name:" field & then press enter.

If an AWS folder is found please post back the full path to it on your computer ie C:\ProgramFiles\AWS.
Also please post the names of any files with an extension .exe found inside the AWS folder ie MiniBug.exe

Don't forget that Firewall please. :whistling:
  • 0

#9
angelpuddin
    New Member
  • Topic Starter
  • Member
  • 7 posts
Hey rem,

Sorry for the delay. I didn't have much luck this time around. When I looked for Security Center in services.msc, I found nothing with that name. I did, however, find Automatic Updates, which was already set to automatic. I also found Windows Update, which is set to disabled, though when I go update.microsoft.com I see that I received updates on 10/12, 10/15, and 10/21, so that seems to be working okay. I didn't change the setting in services.msc for that Windows Update, but I will if you instruct me to do so.

I found no folder named AWS. The only things coming up in that search were related to java, various "javaws" results.

Thanks!
  • 0

#10
rem
    Visiting Staff
  • Member
  • 464 posts
Hi again angelpuddin, :)
First of all I must apologise for sending you on a wild goose chase, asking you to find Security Center in services.msc.
I forgot that windows 2000 doesn't have Security Center, so no wonder you couldn't find it. :blink:
If Automatic Updates is set to automatic & working as you say, then you're fine.

I've had a word with one of our experts & it seems that at some time some malware tried to add the Windows Security Center keys to your registry and edit them, but as it's windows 2000 they won't do anything.

The HKEY_USERS\DEFAULTS\Software\AWS\MiniBug is just a leftover in the registry from something that has probably been uninstalled previously. Again there's no harm being done here.

So angelpuddin, I'm delighted to say that you are clean of malware. :help:

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

Happy computing & be careful out there !! :whistling:
  • 0

#11
angelpuddin
    New Member
  • Topic Starter
  • Member
  • 7 posts
Hi rem,

No prob with searching the services.msc. Anything new I do on the computer is another learning experience.

Thanks for all your help, and as for your "be careful out there," roger that! ; )
  • 0

#12
rem
    Visiting Staff
  • Member
  • 464 posts
Hi angelpuddin

Thanks for all your help

You're most welcome, glad to be of assistance :whistling:
  • 0

#13
therock247uk
    Expert
  • Expert
  • 14,672 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0