[atalagirl]

Hi, I tried downloading a Codex of somesort to watch a video, which now I know wasn't safe, but now I don't remember exactly what it was. Anyways, it started trying to change my registry settings, and Scotty (on WinPatrol) kept asking me to change entries. I kept saying no, but it was in an infinite loop of asking na dbeing persistent. I even tried rebooting to get it to stop, but no such luck. It just continued afterwards.

My dad told me to download stinger, to which it found a few things which I deleted (don't think I have the log anymore). Then I found the MBAM program, ran that, and got rid of a lot of stuff (again didn't think to save the log at the time). I remember seeing the word Vondo, but I don't know what else was there.

I did a virus scan with CA Internet Security Suite. It didn't find anything, but around 5ish it got rid of egao.exe (Pripecs/generic), which was an instantaneous catch.

I ran the VundoFix.exe and it found nothing else on the machine.

Other things that are occurring:
- I keep getting asked by Scotty (every 20-30 minutes) if I want to change my registry (.REG) settings -- from "regedit.exe %1" to "regedit.exe %1 %*" (have always said no)

- I keep getting asked by Scotty (immediately afterwards) if I want to change my .SCR settings from "Company Name." and the next line saying "%1 /S" to "%1 %*" (have always said no)

- I keep getting told (not as frequently as the other two)
"A change has been detected in background page displayed on your Desktop

Your new page is

If this is ok, then click Yes or press Enter,

Click No and we'll restore your page to the default about:Home."
(I always click no)


- I lost my CTRL+ALT+DEL function yesterday, but my father had me go into the registry and restore it (using Microsoft Windows Help)

- I lost my CTRL+PrtScn function to try and take screenshots of all this... I used my digital camera instead so I'd get the text.)

- I also cannot get to my webmail.rochester.rr.com page on any browser, nor can I get it to work from POP mail.

- I cannot use the microsoft windows help & support feature (which my dad wanted to use)

- Webpages have double underlined text on random words

- No volume control

- Ran MBAM again as a thorough check last night. It found 2 threats, which were deleted. One of them was Zlob. AFAIK I removed Zlob successfully with a virus removal tool.


----------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:15:21, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Advanced Registry Doctor\RegManServ.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\AOL\1167862777\ee\AOLSoftware.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
c:\program files\common files\aol\1167862777\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Insofta Document Backup\DocumentBackup.exe
c:\program files\common files\aol\1167862777\ee\aolsoftware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SMART Board Software\SMARTBoardTools.exe
C:\Program Files\SMART Board Software\Aware.exe
C:\Program Files\SMART Board Software\Marker.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\caav.exe
C:\PROGRA~1\AVG\AVG8\avgscanx.exe
C:\Documents and Settings\Owner\Local Settings\Temp\RootkitRevealer\RootkitRevealer.exe
c:\windows\system32\grr.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\fq6oezk6.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1BEB853D-BDB2-48DC-86E8-D1F2E36E933B} - (no file)
O2 - BHO: (no name) - {27796771-8D05-4EE6-B478-43CE759F2106} - (no file)
O2 - BHO: CitiUSBrowserHelper Class - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CIEDownload Object - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Board Software\NotebookPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {BE1F8747-5BEB-4185-A16B-891AA2058CA5} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: 2nd &Speech Center - {CFE40ED8-564E-4693-A9D9-80DB70C8E460} - C:\PROGRA~1\2NDSPE~1\tts4ie.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1167862777\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\RunOnce: [ccube_TrustList] "C:\Program Files\CA\CA Internet Security Suite\caunst.exe" /trustlist
O4 - HKLM\..\RunOnce: [ccube_Install_Lock] "C:\DOCUME~1\Owner\LOCALS~1\Temp\cazz_001.exe" /null
O4 - HKCU\..\Run: [EZ Smileys] "C:\Program Files\EZ Smileys\EZSmileys.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Insofta Document Backup] "C:\Program Files\Insofta Document Backup\DocumentBackup.exe" /logon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board Software\SMARTBoardTools.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\AllMusicConverter\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\AllMusicConverter\YouTubeRipper.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://coupons.smart...oad/cscmv5X.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: Greyware Registry Rearguard - Greyware Automation Products, Inc. - c:\windows\system32\grr.exe
O23 - Service: HOZTERHZY - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\HOZTERHZY.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 18581 bytes



---

So please... HELP!

- atala

[Advertisements]

Hello atalagirl and welcome to G2G. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.

• Double-click ATF-Cleaner.exe to run the program.
• Click Select All found at the bottom of the list.
• Click the Empty Selected button.

If you use Firefox browser, do this also:

• Click Firefox at the top and choose Select All from the list.
• Click the Empty Selected button.
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

• Click Opera at the top and choose Select All from the list.
• Close ALL Internet browsers (very important).
• Click the Empty Selected button.
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

• Close ALL OTHER PROGRAMS.
• Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
• In the Drivers section click on Non-Microsoft.
• Under Additional Scans click the checkboxes in front of the following items to select them:
  
  • Reg - BotCheck
    File - Additional Folder Scans
    
• Do not change any other settings.
• Now click the Run Scan button on the toolbar.
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
• Save the file to your desktop or other location where you can find it back.

Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT

[OldTimer]

Hello atalagirl and welcome to G2G. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.

• Double-click ATF-Cleaner.exe to run the program.
• Click Select All found at the bottom of the list.
• Click the Empty Selected button.

If you use Firefox browser, do this also:

• Click Firefox at the top and choose Select All from the list.
• Click the Empty Selected button.
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

• Click Opera at the top and choose Select All from the list.
• Close ALL Internet browsers (very important).
• Click the Empty Selected button.
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

• Close ALL OTHER PROGRAMS.
• Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
• In the Drivers section click on Non-Microsoft.
• Under Additional Scans click the checkboxes in front of the following items to select them:
  
  • Reg - BotCheck
    File - Additional Folder Scans
    
• Do not change any other settings.
• Now click the Run Scan button on the toolbar.
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
• Save the file to your desktop or other location where you can find it back.

Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT

[atalagirl]

Did the 2 operations.
(Had to do the OTScan twice, since it hung the first time from clicking no on those registry change messages, as cited above.)

(i don't know if the uploader is working, as it never says the upload is completed. the file is only 624 kb, yet it has taken over 10 minutes already to try & upload it... is there another way to send attachments?)

[OldTimer]

Hi atalagirl. Try uploading it to me here instead.

Cheers.

OT

[atalagirl]

sent.

Thanks ever so much!

- atala

[OldTimer]

Hi atalagirl. I don't see any signs of viruses or malware. The log looks good. Just a bit of general housekeeping we should do.

One thing I do see is that both AVG and CAInternet Security Suite are installed. I would highly recommend removing one of them. Running more than one antivirus product at the same time will present many issues and they can even cancel each other out if a malicious file needs to be dealt with. Keep whichever one you want and get rid of the other one.

Now let's do a little cleanup. Please follow the instructions below.

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> ~EmptyValue -> []
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {1BEB853D-BDB2-48DC-86E8-D1F2E36E933B} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {27796771-8D05-4EE6-B478-43CE759F2106} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL [VMN Toolbar]
YN -> {BE1F8747-5BEB-4185-A16B-891AA2058CA5} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Bars [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL [VMN Toolbar]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{40D41A8B-D79B-43D7-99A7-9EE0F344C385} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{47D66F71-DAC2-439C-836D-18C055AF389C} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL [VMN Toolbar]
YN -> WebBrowser\\{5BED3930-2E9E-76D8-BACC-80DF2188D455} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Yahoo!\Messenger\YPager.exe -> %ProgramFiles%\Yahoo!\Messenger\YPager.exe [C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\SightSpeed\SightSpeed.exe -> %ProgramFiles%\SightSpeed\SightSpeed.exe [C:\Program Files\SightSpeed\SightSpeed.exe:*:Enabled:SightSpeed]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Coding Workshop Polyphonic Wizard\cwpolywz.exe -> %ProgramFiles%\Coding Workshop Polyphonic Wizard\cwpolywz.exe [C:\Program Files\Coding Workshop Polyphonic Wizard\cwpolywz.exe:*:Enabled:Coding Workshop Polyphonic Wizard]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\1121992248\ee\aolsoftware.exe -> %CommonProgramFiles%\AOL\1121992248\ee\aolsoftware.exe [C:\Program Files\Common Files\AOL\1121992248\ee\aolsoftware.exe:*:Enabled:AOL Services]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Owner\Local Settings\Temp\~os39D.tmp\ossproxy.exe -> %UserProfile%\Local Settings\Temp\~os39D.tmp\ossproxy.exe [C:\Documents and Settings\Owner\Local Settings\Temp\~os39D.tmp\ossproxy.exe:*:Enabled:ossproxy.exe]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\c:\Documents and Settings\Owner\Local Settings\Temp\~os5.tmp\ossproxy.exe -> %UserProfile%\Local Settings\Temp\~os5.tmp\ossproxy.exe [c:\Documents and Settings\Owner\Local Settings\Temp\~os5.tmp\ossproxy.exe:*:Enabled:ossproxy.exe]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Gizmo Project for LJ Talk\mDNSResponder.exe -> %ProgramFiles%\Gizmo Project for LJ Talk\mDNSResponder.exe [C:\Program Files\Gizmo Project for LJ Talk\mDNSResponder.exe:*:Enabled:Bonjour]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Gizmo Project for LJ Talk\Gizmo-LJ.exe -> %ProgramFiles%\Gizmo Project for LJ Talk\Gizmo-LJ.exe [C:\Program Files\Gizmo Project for LJ Talk\Gizmo-LJ.exe:*:Enabled:Gizmo Project for LJ Talk]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Grisoft\AVG7\avginet.exe -> %ProgramFiles%\Grisoft\AVG7\avginet.exe [C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Grisoft\AVG7\avgamsvr.exe -> %ProgramFiles%\Grisoft\AVG7\avgamsvr.exe [C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Grisoft\AVG7\avgcc.exe -> %ProgramFiles%\Grisoft\AVG7\avgcc.exe [C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe]
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> 3 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed either a message box will popup telling you that it is finished or you will be asked to reboot to finish the fix. If it is finished, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that information back here.
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT

[atalagirl]

ok, in the middle of running OTscanit, it popped up a window that said

List index outofbounds (1)

I clicked the OK box, but it seems that OTScanIt hung in there...

Also, before doing any of that I tried to remove AVG 8, to leave CA, but it hung twice trying to remove.

Additionally, the pop ups to change my registry, as noted in the first post is still occurring.

What should I do, since my explorer is gone, and it's hung on cleaning temp files in OTScan?

[atalagirl]

OK i figured out how to get OT SCan to finish (reclicked the run fix button)

but, the popups keep happening, and i am about to reboot.

[OldTimer]

Hi atalagirl. Two options:

• Either allow the changes, or
• Get rid of Scotty

The changes being requested are for setting those values to the default settings. Whatever is trying to make the changes is being blocked by Scotty. Personally I would either disable or uninstall WinPatrol and be done with it.

Cheers.

TO

[atalagirl]

ok, i approved the registry changes after rebooting, will see what happens.

Here are the things that have happened since I rebooted:

On shutdown it said it had issues with a program called jucheck.exe -- not sure what it is.

on start up:

had an OK box --
C:\DOCUME~1\Owner\LOCALS~1\Temp\cazz_001.exe

Windows cannot find C:\DOCUME~1\Owner\LOCALS~1\Temp\cazz_001.exe. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.


The machine is runing VERY VERY slow now.

Additionally, when Yahoo IM first came up, I tried replying to someone and the whole program spontaneously disappeared.

I am going to try to figure out what jucheck and cazz_001.exe are, and I am also going to try and uninstall AVG,

However, spybot just popped up as I am writing stating that my ccube_TrustList is being deleted from the registry. Isn't that the list I want on my machine to know if things are good/bad? I won't click anything until I get confirmation from you on that one.

- atala

[OldTimer]

Hi atalagirl. jucheck.exe is an version checker for Java. It is legit. Also, cazz_001.exe is part of CA. CA was probably doing an update. CA and Spybot S&D don't play well together and will conflict with each other. Just shut off any realtime protection for Spybot ande use it as an occasional ondemand scanner. Running multiple security applications that all try to do the same thing will cause one to block the other and then neither one will work properly. That could be the cause of the performance issue also. Spybot is preventing CA from perfoming its updates.

Cheers.

OT

[atalagirl]

ok, uninstalled avg.
no more popups, but jucheck did just try to get thhrough the firewall....

so, how do i get rid of these things? (that & cazz_001.exe)

[atalagirl]

ah ok.
i wont delete stuffs just yet. i'll keep checking.
thanksa fr your help so far.

i'll keep an eye on things to keep checking out my machine to be sure its ok.

[atalagirl]

atm the most major issue i can see is that i cannot get to sites that absolutely need cookies to log in.
i checked mozilla, and it has cookies enabled, yet the site's cookie checker said that i cannot accept them....

so what else could prevent me from using cookies?

[OldTimer]

Hi atalagirl. It could be any number of things. Check that CA is not blocking cookies, any other security programs or toolbars like Google that have the ability to block cookies. Anything that monitors the system from a security standpoint could be doing it. That's why it is best to only have one applicaiton taking care of security business.

Cheers.

OT