[Jim Thomas]

This PS Guard and Intel32 adware stuff is driving me crazy

I've done everything you said to do....ran CleanUp!., Ad-Aware, CWShredder, Spybot, TrojanHunter

Thanks in advance.

Here's my registry info:

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "c:\windows\scanregw.exe /autorun" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"CountrySelection" = "pctptt.exe" ["PCtel, Inc."]
"TotalRecorderScheduler" = ""C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"" ["High Criteria inc."]
"AdaptecDirectCD" = ""C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"PTSNOOP" = "ptsnoop.exe" ["PCtel, Inc."]
"CreateCD50" = "C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r" ["Roxio"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL" [file not found]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL" ["Adobe Systems Incorporated"]
{E2792A4C-9A8F-E92D-89DE-E2ABA97053C1}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\JWWDMCQG.DLL" [null data]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{0A082D00-EC93-11D0-B1E6-80580BC10627}" = "Corel Media Folder Root Menu Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\COREL\GRAPHICS8\PROGRAMS\CMFFLD80.DLL" ["Corel Corporation"]
"{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}" = "Folder To Corel Media Folder Menu Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\COREL\GRAPHICS8\PROGRAMS\CMFFLD80.DLL" ["Corel Corporation"]
"{854AF161-1AE1-11D1-AB9B-00C0F00683EB}" = "Corel Media Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\COREL\GRAPHICS8\PROGRAMS\CMFFLD80.DLL" ["Corel Corporation"]
"{E856F161-1AE5-11d1-AB9B-00C0F00683EB}" = "Corel Media Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\COREL\GRAPHICS8\PROGRAMS\CMFFLD80.DLL" ["Corel Corporation"]
"{CDB89701-262F-11D1-AB9C-00C0F00683EB}" = "Corel Media Find Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\COREL\GRAPHICS8\PROGRAMS\CMFFLD80.DLL" ["Corel Corporation"]
"{F8152501-455F-11D1-B1E6-444553540000}" = "Corel Media Folder Copy Hook Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\COREL\GRAPHICS8\PROGRAMS\CMFFLD80.DLL" ["Corel Corporation"]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ADAPTEC\EASYCD~1\DIRECTCD\SHELLEX.DLL" ["Roxio"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\REAL\REALPLAYER\RPSHELL.DLL" ["RealNetworks, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
FolderToCorelMediaFolder\(Default) = "{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}"
-> {CLSID}\InProcServer32\(Default) = "C:\COREL\GRAPHICS8\PROGRAMS\CMFFLD80.DLL" ["Corel Corporation"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Enabled Scheduled Tasks:
------------------------

"McAfee.com Update Check 06272005195210" -> launches: "C:\PROGRA~1\MCAFEE.COM\AGENT\mcupdate.exe /Schedule" ["McAfee, Inc"]
"RUTASK" -> launches: "C:\WINDOWS\ru.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "c:\windows\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
c:\windows\SYSTEM\msafd.dll [MS], 1 - 3
c:\windows\SYSTEM\rsvpsp.dll [MS], 4 - 5


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{F5735C15-1FB2-41FE-BA12-242757E69DDE}" = "ZeroBar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL" [file not found]

"{F0F8ECBE-D460-4B34-B007-56A92E8F84A7}" = "ZeroBar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL" [file not found]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

"{BA52B914-B692-46C4-B683-905236F6F655}" = "McAfee VirusScan"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL" ["McAfee, Inc."]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL" [file not found]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{BF69DF00-2734-477F-8257-27CD04F88779}\
"ButtonText" = "Start spyware remover"
"MenuText" = "Start spyware remover"
"Exec" = "C:\Program Files\WareOut\WareOut.exe" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{06FE5D05-8F11-11D2-804F-00105A133818}\
"ButtonText" = "Translate"
"MenuText" = "AV &Translate"
"Script" = "http://search.presar...c=1c00&lc=0409" [file not found]

{06FE5D02-8F11-11D2-804F-00105A133818}\
"MenuText" = "&Find Pages Linking to this URL"
"Script" = "http://search.presar...c=1c00&lc=0409" [file not found]

{06FE5D03-8F11-11D2-804F-00105A133818}\
"MenuText" = "Find Other Pages on this &Host"
"Script" = "http://search.presar...c=1c00&lc=0409" [file not found]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

Missing lines (compared with English-language version):
"{02EE5B04-F144-47BB-83FB-A60BD91B74A9}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\SURFSIDEKICK 3\SSKBHO.DLL" [file not found]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 45 seconds, including 4 seconds for message boxes)

[Advertisements]

How often do I have to post to get a reply???? I posted my Registry information a week ago and still no one has replied to me. I have been patient in waiting (my turn), but I really need to get this adware crap out of my computer.

Someone please respond.

Thank you.
Jim Thomas

[Jim Thomas]

How often do I have to post to get a reply???? I posted my Registry information a week ago and still no one has replied to me. I have been patient in waiting (my turn), but I really need to get this adware crap out of my computer.

Someone please respond.

Thank you.
Jim Thomas

[don77]

Hi Jim sorry for the delay in response, Board can get busy sometimes and you were not overlooked intentionally, We have had some new infections pop up over the last few days and it sends us scrambling a bit,

Please go Here and unzip the newest version of HJT into a new dedicated folder,
Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it hjt. Unzip HijackThis into this folder. Launch Hijack This, then press Scan, and press Save Log
This will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.
Most things are harmless and needed so don't make any changes.
post a log here please.

[Jim Thomas]

Here is the requested information.......looking forward to getting rid of the garbage in my computer. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 9:58:58 PM, on 8/8/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\HIGHCRITERIA\TOTALRECORDER\TOTRECSCHED.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTH.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=1c00&lc=0409 (file missing)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://atwnt333.exte...er/SysQuery.cab
O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://vztxcisccpro....ets/msie40x.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 195.95.218.1,85.255.112.7

[don77]

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.


If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

Next,
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.



Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log by using Add Reply.
Let us know if any problems persist.