[tampabelle]

Hi runner,


Sorry for the delayed response. I was doing a little (well a lot of research).

Lets do this.

• Download WinPFind
• Right Click the Zip Folder and Select "Extract All"
• Extract it somewhere you will remember like the Desktop
• Open the folder and double click on the file - patterns.txt
• Add a line in the end - Aprps.
• Save the patterns.txt file.

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe

• Click "Start Scan"
• It will scan the entire System, so please be patient!
• Once the Scan is Complete
• Go to the WinPFind folder
• Locate WinPFind.txt
• Place those results in the next post!

Reboot back to Normal Mode!

Post the results of Winpfind log here

[Advertisements]

Hi again! When you say Save patterns.txt, do you mean save it as a separate file onto the desktop? When I just tried to hit Save, it says I could not do it. So I saved it as a separate file on the desktop...dont know if that's right or not, but it was my only option.

I appreciate your hard work. I feel bad, given that we think it is probably just a registry entry and not harmful!

I will run WinP in safe mode and post back the log. Thanks again

[runner]

Hi again! When you say Save patterns.txt, do you mean save it as a separate file onto the desktop? When I just tried to hit Save, it says I could not do it. So I saved it as a separate file on the desktop...dont know if that's right or not, but it was my only option.

I appreciate your hard work. I feel bad, given that we think it is probably just a registry entry and not harmful!

I will run WinP in safe mode and post back the log. Thanks again

[runner]

Never mind about the patterns file. I am an idiot - I tried saving before extracting. Moron. I will post back with log

[runner]

Here is the log - thanks again!

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 8/18/2005 9:06:48 PM 767 C:\log.txt
PEC2 8/18/2005 9:06:48 PM 767 C:\log.txt
PEC2 8/18/2005 9:06:42 PM 228 C:\win.txt
UPX! 8/18/2005 9:06:10 PM 58 C:\windows.txt

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PEC2 10/31/2004 3:01:12 PM 193869 C:\WINDOWS\Dhnedemq.gty
aspack 10/31/2004 3:01:30 PM 1047967 C:\WINDOWS\Ibifkgvhv.gul
PTech 10/31/2004 3:01:30 PM 1047967 C:\WINDOWS\Ibifkgvhv.gul
PECompact2 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\LPT$VPN.761
qoologic 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\LPT$VPN.761
SAHAgent 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\LPT$VPN.761
PEC2 10/31/2004 3:01:00 PM 184535 C:\WINDOWS\Qlhcwllk.xjx
UPX! 8/7/2005 6:14:48 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\VPTNFILE.761
qoologic 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\VPTNFILE.761
SAHAgent 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\VPTNFILE.761
UPX! 8/7/2005 6:14:48 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 8/7/2005 6:14:48 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 8/29/2002 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
PTech 7/12/2005 6:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
UPX! 1/13/2005 9:41:48 PM 11254 C:\WINDOWS\SYSTEM32\locate.com
Umonitor 8/29/2002 6:00:00 AM 631808 C:\WINDOWS\SYSTEM32\RASDLG.DLL
winsync 8/29/2002 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/25/2005 8:45:22 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
9/25/2005 8:43:12 PM H 24 C:\WINDOWS\p5Jua
8/10/2005 9:21:48 PM H 0 C:\WINDOWS\INF\oem26.inf
9/25/2005 8:45:10 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
9/25/2005 8:45:42 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
9/25/2005 8:45:26 PM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
9/25/2005 8:46:52 PM H 81920 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
9/25/2005 8:45:48 PM H 987136 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
9/1/2005 11:43:04 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\00QT1G8M\desktop.ini
9/1/2005 11:43:04 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5FTGTRRA\desktop.ini
9/1/2005 11:43:04 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5FW85R9S\desktop.ini
9/1/2005 11:43:04 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OBVWNYOT\desktop.ini
9/25/2005 8:44:02 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\e77942e6-3bdc-433e-8b6b-e3169a86709b
9/25/2005 8:44:02 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
9/25/2005 8:44:00 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/29/2002 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\ACCESS.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 578560 C:\WINDOWS\SYSTEM32\APPWIZ.CPL
5/11/2001 1:00:00 AM 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 129024 C:\WINDOWS\SYSTEM32\DESK.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\HDWWIZ.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 292352 C:\WINDOWS\SYSTEM32\INETCPL.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 121856 C:\WINDOWS\SYSTEM32\INTL.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 65536 C:\WINDOWS\SYSTEM32\JOY.CPL
Sun Microsystems 11/19/2003 6:48:12 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\MMSYS.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\NUSRMGR.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\ODBCCP32.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\POWERCFG.CPL
RealNetworks, Inc. 5/24/2004 7:49:14 PM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 9/23/2004 6:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 268288 C:\WINDOWS\SYSTEM32\SYSDM.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\TIMEDATE.CPL
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
4/6/2005 7:57:06 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
9/3/2002 10:00:00 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
5/24/2004 7:45:42 PM 1513 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/3/2002 9:50:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI

Checking files in %USERPROFILE%\Startup folder...
9/3/2002 10:00:00 AM HS 84 C:\Documents and Settings\Laura\Start Menu\Programs\Startup\DESKTOP.INI
3/5/2005 6:36:24 PM 1490 C:\Documents and Settings\Laura\Start Menu\Programs\Startup\HotSync Manager.lnk

Checking files in %USERPROFILE%\Application Data folder...
9/3/2002 9:50:46 AM HS 62 C:\Documents and Settings\Laura\Application Data\DESKTOP.INI

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
YPC 3.0.1 = Yahoo! Parental Controls
acc=ventura5 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi20040613.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
{C0E10002-0028-0004-C0E1-C0E1C0E1C0E1} = c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Apoint C:\Program Files\Apoint\Apoint.exe
AGRSMMSG AGRSMMSG.exe
SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
SiS Windows KeyHook C:\WINDOWS\System32\keyhook.exe
DVDSentry C:\WINDOWS\System32\DSentry.exe
PCMService "C:\Program Files\Dell\Media Experience\PCMService.exe"
RealTray C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mmtask c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
YBrowser C:\Program Files\Yahoo!\browser\ybrwicon.exe
ViewMgr C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe
HP Software Update "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
HP Component Manager "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
DeviceDiscovery C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
Share-to-Web Namespace Daemon C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
CamMonitor C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
UpdateManager "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
KernelFaultCheck %systemroot%\system32\dumprep 0 -k
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Sonic RecordNow!
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Yahoo! Pager "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/25/2005 8:56:40 PM

[tampabelle]

Hi Runner,


The winPfind log didnt show up anything.


I have gotten this tip from an expert. Lets try one last thing.

Reboot the PC in Safe Mode.

Run Hijack This. Click on config ---> Misc Tools.

On the left hand side, there are a few buttons, the first one being "Generate Startup List". Check the two boxes next to it and then click on Generate Startup List.

Save the Startup list.

Reboot the PC in Normal Mode and post back the startup list here.

Edited by tampabelle, 26 September 2005 - 03:53 PM.

[runner]

I ran into an issue. I did as you said with HiJack This, but I cannot open the startup.txt file. I keep getting: "Program Not Found. Windows cannot find NOTEPAD.EXE. This program is needed for opening files of type 'Text Document'. Type in the executable file to be used instead."

I dont get it. I have used Notepad on numerous occasions without any problem!

On the bright side, none of my scanning programs are picking up anything, except MSAS with that Apropos!!

[runner]

I guess I spoke too soon! I got another flurry of Norton alerts this morning. Similar to problem I had some time ago - file labeled Trojan Horse, but no specific name. Says cannot access or repair file. Can we deal with this here, or should I post a separate topic? I dont want to monopolize your time.

[tampabelle]

Post the log items / Norton alerts

Also post a fresh HJT log please

[runner]

Thank you so much, you are the best - I will do so later today.

[tampabelle]

sure, no problem

[runner]

OK, I tried without apparent success to help myself (and save you time) by running numerous scans both in Safe Mode and in Normal Mode. I have no clue how these new ones came about (I need to ensure this computer is not used while we are trying to fix stuff), but I am optimistic and press on with any suggested fix you come up with! I truly appreciate your help - all of this, from the Norton alerts to the stuff on the HiJack This log, seem related, but, again, what do I know!?!?

The following alerts come up after my desktop icons appear upon booting up. I put them in the order in which they appear:

--These first six Norton says were automatically deleted:
C:\DOCUME~1\Laura\LOCALS~1\Temp\1.qtdfmp
Click for more information about this threat : Download.Trojan
C:\Documents and Settings\Laura\Local Settings\Temporary Internet Files\Content.IE5\ZSK34EFG\search[1].exe
Click for more information about this threat : Download.Trojan
C:\DOCUME~1\Laura\LOCALS~1\Temp\2.qtdfmp
Click for more information about this threat : Trojan.Desktophijack
C:\Documents and Settings\Laura\Local Settings\Temporary Internet Files\Content.IE5\ZSK34EFG\winlogon[1].exe
Click for more information about this threat : Trojan.Desktophijack
C:\DOCUME~1\Laura\LOCALS~1\Temp\vx1.game
Click for more information about this threat : Download.Trojan
C:\Documents and Settings\Laura\Local Settings\Temporary Internet Files\Content.IE5\ZSK34EFG\zgame1[1].exe
Click for more information about this threat : Download.Trojan

--For these next four, two Norton alerts come up – one saying the file could not be repaired, the other saying it could not be accessed:
C:\Documents and Settings\Laura\Local Settings\Temporary Internet Files\Content.IE5\ZSK34EFG\zgame3[1].exe
Click for more information about this threat : Trojan Horse
C:\DOCUME~1\Laura\LOCALS~1\Temp\vx3.game
Click for more information about this threat : Trojan Horse
C:\Documents and Settings\Laura\Local Settings\Temporary Internet Files\Content.IE5\ZSK34EFG\zgame2[1].exe
Click for more information about this threat : Trojan Horse
C:\DOCUME~1\Laura\LOCALS~1\Temp\vx2.game
Click for more information about this threat : Trojan Horse

--Norton said these next two were automatically deleted:
C:\DOCUME~1\Laura\LOCALS~1\Temp\vx1.game
Click for more information about this threat : Download.Trojan
C:\Documents and Settings\Laura\Local Settings\Temporary Internet Files\Content.IE5\ZSK34EFG\zgame1[1].exe
Click for more information about this threat : Download.Trojan

--For these final eight, two alerts came up – one saying access denied, the other saying repair failed:
C:\Documents and Settings\Laura\Local Settings\Temporary Internet Files\Content.IE5\ZSK34EFG\zgame5[1].exe
Click for more information about this threat : Trojan Horse
C:\DOCUME~1\Laura\LOCALS~1\Temp\vx6.game
Click for more information about this threat : Trojan Horse
C:\Documents and Settings\Laura\Local Settings\Temporary Internet Files\Content.IE5\ZSK34EFG\zgame5[1].exe
Click for more information about this threat : Trojan Horse
C:\DOCUME~1\Laura\LOCALS~1\Temp\vx6.game
Click for more information about this threat : Trojan Horse
C:\Documents and Settings\Laura\Local Settings\Temporary Internet Files\Content.IE5\ZSK34EFG\zgame3[1].exe
Click for more information about this threat : Trojan Horse
C:\DOCUME~1\Laura\LOCALS~1\Temp\vx3.game
Click for more information about this threat : Trojan Horse
C:\Documents and Settings\Laura\Local Settings\Temporary Internet Files\Content.IE5\ZSK34EFG\zgame2[1].exe
Click for more information about this threat : Trojan Horse
C:\DOCUME~1\Laura\LOCALS~1\Temp\vx2.game
Click for more information about this threat : Trojan Horse

And here is a fresh HiJack This log. Several entries I do not recognize :

Logfile of HijackThis v1.99.1
Scan saved at 9:27:19 PM, on 9/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\kernels32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\System32\maxd1.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgamet1.exe
C:\WINDOWS\System32\vxgamet1.exe
C:\WINDOWS\System32\vxgamet2.exe
C:\WINDOWS\System32\vxgamet2.exe
C:\WINDOWS\System32\vxgamet3.exe
C:\WINDOWS\System32\vxgamet3.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O15 - Trusted Zone: *.asdbiz.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.asdbiz.biz (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123635234166
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - https://music.msn.co...snmusax3209.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

Edited by runner, 13 October 2005 - 09:18 AM.

[tampabelle]

Download DelDomains.inf.

Right click on it and then click on Install.

Please download RKFiles from here:
http://skads.org/special/rkfiles.zip
Unzip it to the desktop but please do NOT run it yet.


Run Hijack This and click on scan. The following items need to be fixed -

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe


Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

Run Ewido full scan. Let it fix any items it finds.

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System32\maxd1.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgamet1.exe
C:\WINDOWS\System32\vxgamet1.exe
C:\WINDOWS\System32\vxgamet2.exe
C:\WINDOWS\System32\vxgamet2.exe
C:\WINDOWS\System32\vxgamet3.exe
C:\WINDOWS\System32\vxgamet3.exe


Run CleanUp and delete all temp files including temporary internet files.

please run RKFiles.bat. It may take a while. When it is finished a windows should appear with a log. Make sure that log is saved!

Reboot the PC in Normal Mode.

Post the logs from Ewido and rkfiles and a fresh HJT log

[runner]

I sent you a message - did you get it? I am not showing any "sent messages," so I wanted to make sure it went through.

[tampabelle]

Hi runner,


Kernels32.exe is a trojan file.


Download http://www.funkytoad...load/hoster.zip. Unzip the contents and save the extracted files on your desktop.

Run Hoster.exe. Click on Restore Original Hosts.

Download DelDomains.inf.

Right click on it and then click on Install.


Reboot the PC in Safe Mode.

Run Ewido and do a full system scan. Let it fix any items that it finds. Save the scan report.


Reboot the PC in Normal Mode.

Make sure that your firewall is up. Block all activities and put them on "ask" mode. So everytime your PC accesses internet or any server tries to contact your PC, it will seek your permission.

Post back the Ewido scan report as well as a fresh HJT log please.

[runner]

You know that I will follow everything and anything you say so long as I can get to your instructions and the downloads you link in the instructions from the infected PC (I am on different one right now)!! Here is what happens when I try to get there from the infected PC:

1. When I boot up, after the appearance of my desktop icons, I get an error message saying kernels32.exe encountered a problem and needs to close [send/dont send report]. Maybe this appears in lieu of the several Norton alerts I was getting after the icons appeared, as I am not getting those alerts any longer.

2. Next, I try to get onto the internet. The first three or four times I try this, I get another error message saying YBrowser (yahoo DSL) has encountered an error and needs to close [send/dont send]. On about the fourth and fifth try to log in and connect, it works and I am on the internet. Once there, however, my access to sites such as symantec and geekstogo is eliminated. For symantec, it redirects me to microsoft.com (same for Kaspersky, when I tried to go there and download that scanner).

For geeks to go, I can get to the home page, but not beyond - cannot get to forums, and therefore cannot get to your instructions to download necessary programs and take necessary steps (they are on to you!!!)

In short, before I can take all the steps you are suggesting, I need to get to the forum from the infected PC. I spent hours trying everything I could think of to get there last night - no dice!

3. I tried to go to Housecall to down load and run that program (as my other scanners have helped virtually none on this issue), but I get the YBrowser error every time while trying to download!

4. Two other things of note: (1) when I tried Ctl Alt Del once, I got a message saying that Administrator had disabled Task Mgr (what the ??); and (2) when running an Ad-Aware scan, I got a Norton Worm Alert saying some address (67. something or another) was attempting to remotely access the computer (I blocked it).

I dont know if all of this is tied to kernels32.exe or that darn vxgame junk or both, but I need to be able to get to the forum from the infected PC in order to take the required steps...unless there are other places from which I can download the program(s) in your instructions??

Sorry about all of this - I know you are busy, and I thank you for all you've done!