Trouble Removing Command Service! Whoops - more probs? [RESOL


#16 TraeSher (Member, Topic Starter, 25 posts)

If I went too far to clean up the computer, I apologize. I've only ever uninstalled (add/remove) unfamiliar programs that show up, used GTG's recommended programs to clean up (AdAware and SpyBot I use every few days, and have for years), and followed the instructions laid out for me in this forum.

I'm sure I don't have enough protection on this PC - the PCcillin 2002 is out of date, and I never use it anyway. (It was my Mom's idea, she swore it was the best!) Are there any special tips I need to know in order to fully uninstall it? I've read in other posts that Grisoft AVG is good; I downloaded the installer, but was waiting for my system to be clean before installing it. (Didn't want conflicts during this ordeal.) I know there is a firewall that comes standard with XP - is it any good? A friend of mine uses it, and I noticed that once she activated the firewall, her daughter could no longer play the flash games that load in popups from Neopets. Besides that, a couple weeks ago, something went completely wonky on her system, her firewall was disabled, her spyware and scanning programs shut down, and then she lost her internet connection. After an hour on the phone with Charter Internet tech support, they told her there was nothing they could do. She's not very good with computers anyway, but wouldn't listen to me when I told her it was probably a virus or trojan on her system and that there are ways to clean it up. Instead, she just completely reformatted her HD. Well, probably she didn't - I think she may just be calling it that. She probably used (likely infected) restore points or something. She may end up in the same trouble again. Perhaps I should go on her PC and run a HijackThis log for her, to make sure she's really clean. The point of all that is - if something THAT bad got onto her system WITH the protection she was running, is the Win XP firewall any good? I hear a lot about ZoneAlarm, but it looks complicated to me, and I don't know if it will disable the things we like to do on this PC (like the Neopets games, downloading mp3's and games and movies). Is a firewall absolutely necessary? Any advice in that department?

Onward and upward: Trust cleanup - yes, I was infected with that a couple months ago. SpyBot & AdAware I thought removed it all, because there were no more signs of it (the popups, the desktop icons, the Favorites URLs, all gone)... though maybe the popups weren't entirely gone, I'm thinking. I've had popups since forever. I got this PC (used) 7 months ago, and immediately DL'ed and scanned with AdAware and SpyBot, and thought I cleared up the issues (there were over 800 problems between the two - SpyBot found over 500, fixed all but the Cmd Service - and AdAware found and cleaned another 300). And I think that may be why someone got rid of this otherwise fantastic and very-nearly-top-of-the-line PC at a dirt-cheap price! I didn't know then how nefarious these advertisers are with their malware and the way they sneak in lil bits of almost invisible baddies that keep generating this crap - but I'm learning.



Avenger log

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qmawpurb

*******************

Script file located at: \??\C:\Documents and Settings\nxbwjlkm.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\local.html deleted successfully.

File C:\WINDOWS\SYSTEM32\tisa.dll not found!
Deletion of file C:\WINDOWS\SYSTEM32\tisa.dll failed!

Could not process line:
C:\WINDOWS\SYSTEM32\tisa.dll
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\lut.dat deleted successfully.

File C:\WINDOWS\SYSTEM32\tisa.cnf not found!
Deletion of file C:\WINDOWS\SYSTEM32\tisa.cnf failed!

Could not process line:
C:\WINDOWS\SYSTEM32\tisa.cnf
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\ticads.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\ticads.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\ticads.exe
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\tctool.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\tctool.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\tctool.exe
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\ticont.dll not found!
Deletion of file C:\WINDOWS\SYSTEM32\ticont.dll failed!

Could not process line:
C:\WINDOWS\SYSTEM32\ticont.dll
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\tpopup.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\tpopup.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\tpopup.exe
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\tconini.dat deleted successfully.
File C:\WINDOWS\SYSTEM32\lcch.dat deleted successfully.

File C:\WINDOWS\onlineshopping.ico not found!
Deletion of file C:\WINDOWS\onlineshopping.ico failed!

Could not process line:
C:\WINDOWS\onlineshopping.ico
Status: 0xc0000034

File C:\WINDOWS\removeadware.ico not found!
Deletion of file C:\WINDOWS\removeadware.ico failed!

Could not process line:
C:\WINDOWS\removeadware.ico
Status: 0xc0000034

File C:\WINDOWS\sexpersonals.ico not found!
Deletion of file C:\WINDOWS\sexpersonals.ico failed!

Could not process line:
C:\WINDOWS\sexpersonals.ico
Status: 0xc0000034

File C:\WINDOWS\local.html not found!
Deletion of file C:\WINDOWS\local.html failed!

Could not process line:
C:\WINDOWS\local.html
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\tu.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\tu.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\tu.exe
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\ttu.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\ttu.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\ttu.exe
Status: 0xc0000034

File C:\WINDOWS\se_spoof.dll not found!
Deletion of file C:\WINDOWS\se_spoof.dll failed!

Could not process line:
C:\WINDOWS\se_spoof.dll
Status: 0xc0000034

File C:\WINDOWS\inetloader.dll not found!
Deletion of file C:\WINDOWS\inetloader.dll failed!

Could not process line:
C:\WINDOWS\inetloader.dll
Status: 0xc0000034

File C:\Windows\mxd.exe not found!
Deletion of file C:\Windows\mxd.exe failed!

Could not process line:
C:\Windows\mxd.exe
Status: 0xc0000034

File C:\Windows\tse.exe not found!
Deletion of file C:\Windows\tse.exe failed!

Could not process line:
C:\Windows\tse.exe
Status: 0xc0000034

File C:\Windows\trustinbar.exe not found!
Deletion of file C:\Windows\trustinbar.exe failed!

Could not process line:
C:\Windows\trustinbar.exe
Status: 0xc0000034

File C:\Windows\ads.js not found!
Deletion of file C:\Windows\ads.js failed!

Could not process line:
C:\Windows\ads.js
Status: 0xc0000034

File C:\WINDOWS\videoslots.ico deleted successfully.

Folder C:\Program Files\TrustIn Popups not found!
Deletion of folder C:\Program Files\TrustIn Popups failed!

Could not process line:
C:\Program Files\TrustIn Popups
Status: 0xc0000034

Folder C:\Program Files\TrustIn Bar not found!
Deletion of folder C:\Program Files\TrustIn Bar failed!

Could not process line:
C:\Program Files\TrustIn Bar
Status: 0xc0000034

Folder C:\Program Files\TrustIn Contextual not found!
Deletion of folder C:\Program Files\TrustIn Contextual failed!

Could not process line:
C:\Program Files\TrustIn Contextual
Status: 0xc0000034

Folder C:\Program Files\TrustIn Popups not found!
Deletion of folder C:\Program Files\TrustIn Popups failed!

Could not process line:
C:\Program Files\TrustIn Popups
Status: 0xc0000034

Folder C:\Program Files\TrustIn Search not found!
Deletion of folder C:\Program Files\TrustIn Search failed!

Could not process line:
C:\Program Files\TrustIn Search
Status: 0xc0000034

Completed script processing.

*******************

Finished! Terminate.



Kaspersky Online Scan
A slightly shorter scan... but now the file is 2.01 MB - just a shade bigger. I tried uploading the txt file to my Charter webspace for you. It uploads and retrieves just fine - except that it's all jammed up, without the proper spacing or returns. So that would make it extremely hard for you to read. So I got a lil creative and saved the results as an .html file and uploaded it to my Charter webspace for you to retrieve here (http://webpages.char...html).

In case you wanted it but forgot to mention it, and because it's fairly simple, I did another HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 5:58:09 PM, on 8/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ScreenshotCaptor\ScreenshotCaptor.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\HP_Owner\My Documents\ForComputerWork\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Alcohol Toolbar - {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Smart Evrox] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\~AceTemp\crack\evrox.exe e
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1146371638484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1146604840093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec.../ols3/fscax.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v6.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe



Awaiting my next orders, Sir :whistling:

Edited by TraeSher, 01 August 2006 - 04:06 PM.

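A triage helper for the HijackThis v1.99 log format posted above, added here as an example; it is not part of the thread or of HijackThis itself. It assumes the entry line shapes shown in the log (`R0`/`O4`/`O9`/`O23 - ...`) and runs over a constructed sample made from a few of those lines, flagging the things the helpers in this thread look at: autoruns launched from a Temp or crack folder, "(file missing)" leftovers, and services with an unknown owner.

```python
import re

# Constructed sample in the shape of the HijackThis v1.99.1 log above
# (a handful of its entry lines, not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:46:07 PM, on 8/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.subeta.org/news.php
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKCU\..\Run: [Smart Evrox] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\~AceTemp\crack\evrox.exe e
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Every HJT entry line is "<code> - <body>", e.g. "O4 - HKLM\..\Run: [name] cmd".
ENTRY_RE = re.compile(r"^([RO]\d+) - (.+)$")
# An unquoted launch path ends at the first executable extension followed by
# whitespace or end of line (so "...\evrox.exe e" yields only the path).
PATH_RE = re.compile(r"(.+?\.(?:exe|dll|cmd|bat|scr|com))(?:\s|$)", re.IGNORECASE)
# Folder markers (assumed heuristics) that a normal startup item rarely lives in.
SUSPICIOUS_DIRS = ("\\temp\\", "\\crack\\", "\\temporary internet files\\")


def parse_entries(text):
    """Return (code, body) tuples for every R*/O* entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def o4_target(body):
    """Extract the launched path from an O4 body.

    Handles both 'HKLM\\..\\Run: [name] "C:\\path\\x.exe" args' and
    'Startup: foo.lnk = C:\\path\\x.exe' shapes.
    """
    _, _, rest = body.partition(": ")
    if rest.startswith("["):                 # "[name] command"
        rest = rest[rest.index("]") + 1:].strip()
    elif " = " in rest:                      # "foo.lnk = command"
        rest = rest.split(" = ", 1)[1].strip()
    if rest.startswith('"'):                 # quoted path, may have arguments after it
        return rest[1:rest.index('"', 1)]
    m = PATH_RE.match(rest)
    return m.group(1) if m else rest.strip()


def triage(text):
    """Return a list of findings, one dict per flagged entry, in log order."""
    findings = []
    for code, body in parse_entries(text):
        low = body.lower()
        if code == "O4":
            target = o4_target(body).lower()
            if any(d in target for d in SUSPICIOUS_DIRS):
                findings.append({"code": code, "entry": body,
                                 "reason": "autorun from a Temp or crack folder"})
        if "(file missing)" in low:
            findings.append({"code": code, "entry": body,
                             "reason": "points at a missing file"})
        if code == "O23" and "unknown owner" in low:
            findings.append({"code": code, "entry": body,
                             "reason": "service with unknown owner"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['code']}: {f['reason']}\n    {f['entry']}")
```

A flagged entry is a lead for a human to check, not a verdict; the BitDefender uninstaller leftover in the sample is harmless, for instance, while the Temp-folder autorun is the kind of line the helper asks to see.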


#17 JSntgRvr (Global Moderator, 11,591 posts)

Hi, TraeSher :whistling:

I reviewed the Kaspersky log, and although extensive, it is not saying that much. All malware detected is either part of the Quarantine and Recovery of Spybot and Spysweeper, or in Temporary Internet Files. There are certain folders that do not follow Windows XP organization, like C:\USERDATA and C:\Program Installers.

Clean the computer.

Open Spybot. Click on Recovery and Purge all data therein. Perform the same action with Spysweeper and remove the Quarantine files.

Go to Start->Control Panel->Internet Options. Delete Temporary Internet Files and History.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Empty your Recycle Bin

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Please perform a Online Scan at Bitdefender. Make sure you save the report. Post its contents in a reply.

#18 TraeSher (Member, Topic Starter, 25 posts)

Hello, JSntgRvr - glad you're still with me. :whistling:
I'm glad the Kaspersky scan was big, but not filled with dire warnings of imminent HD failure! LOL
I have no idea what C:\USERDATA is, but I know I cannot access it - access is always emphatically denied when I try! As for C:\Program Installers - that's where I download all my installers to/extract them from (except for the past 4 days - I've been filling my Desktop with stuff!) and I eventually go through my Program Installers and purge the ones that are not still needed because the program is running fine and doesn't need to be reinstalled, has already been burned onto CD, has been made obsolete by a newer version which is actually better AND working fine, etc.

Followed all instructions to the letter, scan logs to follow:

Temp files cleared.
Restore Points reset. (Was that premature, as I still have an infection?)
Recycle Bin emptied.
Uninstall Log created:

4Diskclean Gold
Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Reader 6.0.1
Agere Systems PCI Soft Modem
Alcohol Toolbar
Amazing Windows XP Screen Saver 1.2
Anark Client 1.0
a-squared Personal 1.6.5
AstroPop Deluxe 1.0
BitLord 1.1
Blasterball 2 Deluxe (remove only)
Blox World
BugOff 1.10
CCleaner (remove only)
CleanUp
CompuPic Pro
Cubis Deluxe
DVD Decrypter (Remove Only)
DVD Shrink 3.2
Dynomite Deluxe 2.71
ERUNT 1.1j
Eusing Free Registry Cleaner
ewido anti-spyware 4.0
Eyeball Chat 2.2
FaxTools
ffdshow
FileSpecs plug-in for Ad-Aware SE
GdiplusUpgrade
Google Toolbar for Internet Explorer
Handy Recovery 3.0
Help and Support Additions
Hexic Deluxe
High Definition Audio Driver Package - KB835221
HijackThis 1.99.1
Holiday Snowflakes Screen Saver 1.2
HP Image Zone 4.5.3
HP Image Zone Plus 4.5.3
HP Photosmart Cameras 4.0
HP PSC & OfficeJet 4.0
HP Software Update
HPIZplus450
Image Grabber II
ImgBurn (Remove Only)
Intel® Graphics Media Accelerator Driver
IntelliMover Data Transfer Demo
InterVideo DiscLabel
InterVideo WinDVD Creator 2
InterVideo WinDVD Player
iTunes
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Kaspersky Online Scanner
Lavasoft VX2 Cleaner
Lexmark X1100 Series
Macromedia Flash Player 8
Macromedia Flash Player 8
Macromedia Shockwave Player
MakeUp Pilot 1.35 Trial
Microsoft .NET Framework 1.1
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Reader
Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348)
Microsoft Works
mIRC
MMH Cleaner 2.1
MSN
Musicmatch® Jukebox
muvee autoProducer 3.5 magicMoments - HPD
Nero 6 Ultra Edition
Netscape Browser (remove only)
OpenOffice.org 2.0
Panda ActiveScan
PC-cillin 2002
penguin downhill racing
PhotoFiltre
Photosmart 320,370,7400,8100,8400 Series
PowerISO
Project64 1.6
QuickTime
RealPlayer
Retouch Pilot 1.10 Trial
Rhapsody Player Engine
RollerCoaster Tycoon® 3
Sandlot Games Client Services
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Sonic Express Labeler
Sonic RecordNow!
Sony USB Driver
Spy Sweeper
SuperCleaner
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Updates from HP
Webshots Desktop
Windows Installer 3.1 (KB893803)
Windows Live Safety Scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Winter Fun Pack Screensavers
XviD 1.1 final uninstall
Y!TunnelPro 2.0
Yahoo! Anti-Spy
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Photos Easy Upload Tool 1v7
Yahoo! Toolbar for Internet Explorer
Zulu Gems

BitDefender Scan completed (another 2+ hr scan, but seemingly worth it!)
When I saved it as a txt file, it was html coded. When I cut & pasted the results into this post, it LOOKED great, but once I posted the reply, all the attractive boxes and formatting were removed and it became an eyesore. So once again, I have given you a report as another URL.


*Since BitDefender failed to delete C:\WINDOWS\tpopup.exe I manually deleted it.*

Will reboot system once more and edit this post to let you know how it goes.

I rebooted and had only ONE popup that easily closed - as opposed to 8 or 9 that triggered more popups and opened browsers when closed! I left my system sitting for the past 20 mins or so - usually I come back to find a pile of popups waiting for me, despite not having any browsers or other windows open. This time, there were NONE! I am hopeful that you finally helped me solve my Malware infection!

What should I scan with to make sure?

EDIT: Alas, I'm still getting WinAntiVirus 2006 popups, though not nearly as many as a few hours ago. But my original problem seems gone - SpyBot doesn't find Command Service! LOL

Edited by TraeSher, 02 August 2006 - 12:32 AM.


#19 JSntgRvr (Global Moderator, 11,591 posts)

Hi, TraeSher :whistling:

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please navigate to the following location and rename Hijackthis.exe to HJT.exe.

C:\Documents and Settings\HP_Owner\My Documents\ForComputerWork\HijackThis

You can right click on HJT.exe and create a shortcut to your desktop.

Re-scan with HJT.exe and save the report. Post its contents in a reply.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Warning : running option #2 on a non infected computer in Normal Mode will remove your Desktop background.

#20 TraeSher (Member, Topic Starter, 25 posts)

The strangest thing happened - it won't let me move the HJT shortcut to the desktop! So I gave it its own folder on C:\HJT and ran it without using a shortcut.

Logfile of HijackThis v1.99.1
Scan saved at 4:46:07 PM, on 8/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\ScreenshotCaptor\ScreenshotCaptor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.subeta.org/news.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Alcohol Toolbar - {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Smart Evrox] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\~AceTemp\crack\evrox.exe e
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1146371638484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1146604840093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec.../ols3/fscax.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v6.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe



SmitFraud Report

SmitFraudFix v2.79

Scan done at 16:47:27.70, Wed 08/02/2006
Run from C:\Documents and Settings\HP_Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\HP_Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\HP_Owner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\microsoft frontpage\\xunyhyv.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Internet Explorer\\vilofosaq.html"
"SubscribedURL"=""
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0
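The helpers in this thread read a HijackThis log by eye, and the entry that stands out in the one above is the O4 item launched from `C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\~AceTemp\crack\evrox.exe`: a legitimate autostart has no reason to live in a Temp folder. The following is an added example (not part of the thread, and not HijackThis code) that applies three of those triage rules to log lines: entries that run from a temporary directory, orphaned entries marked "(file missing)", and O23 services with no publisher. The sample entries are copied from the log posted above.

```python
"""Triage heuristics for HijackThis autostart entries.

Added example, not part of the thread or of HijackThis itself. The sample
entries are copied from the log posted above; the heuristics are the ones
a helper applies by eye: anything launched from a temp directory, orphaned
entries whose file is missing, and services with no recorded publisher.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str    # which heuristic fired
    entry: str     # the original log line


# Constructed sample: six entries taken from the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Smart Evrox] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\~AceTemp\crack\evrox.exe e
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe
"""

SECTION = re.compile(r"^(O\d+) - ")
# Temp locations a legitimate autostart has no business living in.
TEMP_PATH = re.compile(r"\\(?:temp|tmp|temporary internet files)\\", re.IGNORECASE)
FILE_MISSING = re.compile(r"\(file missing\)", re.IGNORECASE)
UNKNOWN_OWNER = re.compile(r" - Unknown owner - ")


def triage(log_text: str) -> list:
    """Return one Finding per (entry, heuristic) pair, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = SECTION.match(line)
        if not m:
            continue  # headers, blank lines, non-entry text
        section = m.group(1)
        if TEMP_PATH.search(line):
            findings.append(Finding(section, "runs from a temporary directory", line))
        if FILE_MISSING.search(line):
            findings.append(Finding(section, "orphaned entry (file missing)", line))
        if section == "O23" and UNKNOWN_OWNER.search(line):
            findings.append(Finding(section, "service without a publisher; verify by hand", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.entry}")
```

Run against the six sample entries it flags exactly three: the evrox.exe Run key (temp directory), the BitDefender button whose DLL is gone (orphaned), and the ScsiAccess service (no publisher, which on its own only means "look it up", not "malicious").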

#21
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,591 posts
Hi, TraeSher. :whistling:

Please print these instructions, or copy them to a NotePad file for reference while in Safe Mode.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt
  • 0

#22
TraeSher

TraeSher

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
SmitFraudFix v2.79

Scan done at 20:39:56.79, Wed 08/02/2006
Run from C:\Documents and Settings\HP_Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#23
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,591 posts
Hi, TraeSher :whistling:

Download the enclosed file:
Extract its contents to the desktop. It is a batch file, Look.bat. Once extracted, double-click on Look.bat. A document will be produced. Post its contents in a reply.
  • 0

#24
TraeSher

TraeSher

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0
Source REG_SZ About:Home
SubscribedURL REG_SZ About:Home
FriendlyName REG_SZ My Current Home Page
Flags REG_DWORD 0x2
Position REG_BINARY 2C000000000100000000000000040000DE030000000000000100000001000000010000000000000000000000
CurrentState REG_DWORD 0x40000004
OriginalStateInfo REG_BINARY 18000000FFFF0000FFFF0000FFFFFFFFFFFFFFFF04000000
RestoredStateInfo REG_BINARY 180000006A02000023000000A40000009A00000001000000
  • 0
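The "Desktop Components" section of the SmitFraudFix report earlier in the thread and the `reg query` listing that Look.bat produced above are two views of the same registry key: `HKCU\Software\Microsoft\Internet Explorer\Desktop\Components`. Before cleaning, components 0 and 1 pointed at randomly named local HTML files (the Active Desktop wallpaper hijack SmitFraudFix targets); afterwards only the `About:Home` component remains. Below is an added example (not part of the thread, SmitFraudFix or Look.bat) that parses both formats and flags any component whose Source is a local file. The two sample inputs are constructed from the reports posted in this thread.

```python
"""Check Active Desktop components for the SmitFraud-style hijack.

Added example, not part of the thread, SmitFraudFix or Look.bat. It reads the
two formats that appear in this thread: the .reg-style export in the
SmitFraudFix "Desktop Components" section and the `reg query` listing that
Look.bat produced, then flags any component whose Source is a local file.
"""
import re

# Constructed from the SmitFraudFix report posted earlier (before cleaning).
SMITFRAUD_REPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\microsoft frontpage\\xunyhyv.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Internet Explorer\\vilofosaq.html"
"SubscribedURL"=""
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"""

# Constructed from the Look.bat (reg query) output posted above (after cleaning).
REG_QUERY_AFTER = r"""
! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0
Source REG_SZ About:Home
SubscribedURL REG_SZ About:Home
FriendlyName REG_SZ My Current Home Page
Flags REG_DWORD 0x2
"""

KEY_BRACKET = re.compile(r"^\[(HKEY_[^\]]+)\]$")      # .reg export style
KEY_BARE = re.compile(r"^(HKEY_\S.*)$")              # reg query style
VALUE_REG = re.compile(r'^"([^"]+)"="(.*)"$')
VALUE_QUERY = re.compile(r"^(\S+)\s+REG_\w+\s+(.*)$")
COMPONENTS_PATH = "\\Desktop\\Components\\"
# A drive path or file: URL as the wallpaper source is the hijack signature.
LOCAL_SOURCE = re.compile(r"^(?:[A-Za-z]:\\|file:)", re.IGNORECASE)


def parse_components(text: str) -> dict:
    """Map each Desktop\\Components\\N key to its value-name -> value dict."""
    comps, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_BRACKET.match(line) or KEY_BARE.match(line)
        if m:
            key = m.group(1)
            current = comps.setdefault(key, {}) if COMPONENTS_PATH in key else None
            continue
        if current is None:
            continue
        m = VALUE_REG.match(line)
        if m:  # .reg exports double every backslash; undo that
            current[m.group(1)] = m.group(2).replace("\\\\", "\\")
            continue
        m = VALUE_QUERY.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return comps


def assess(comps: dict) -> list:
    """Return (component number, Source, reason) for each suspicious component."""
    findings = []
    for key, values in comps.items():
        source = values.get("Source", "")
        if LOCAL_SOURCE.match(source):
            reason = "Active Desktop component sourced from a local HTML file"
            if not values.get("FriendlyName"):
                reason += " and has no FriendlyName"
            findings.append((key.rsplit("\\", 1)[-1], source, reason))
    return findings


if __name__ == "__main__":
    for number, source, reason in assess(parse_components(SMITFRAUD_REPORT)):
        print(f"Components\\{number}: {reason}: {source}")
    print("after cleaning:", assess(parse_components(REG_QUERY_AFTER)) or "nothing flagged")
```

On the "before" report it flags components 0 and 1 (both local HTML files with an empty FriendlyName) and leaves the `About:Home` component alone; on the post-cleanup `reg query` output it flags nothing, which is the result the helper was checking for with Look.bat.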

#25
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,591 posts
Hi, TraeSher :whistling:

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\Program Files\Internet Explorer\vilofosaq.html
C:\Program Files\microsoft frontpage\xunyhyv.html


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your next reply.

Test the computer and let me know how it is doing.
  • 0

#26
TraeSher

TraeSher

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fjdaqcqi

*******************

Script file located at: \??\C:\Documents and Settings\gwnhgfgc.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\Program Files\Internet Explorer\vilofosaq.html deleted successfully.


File C:\Program Files\microsoft frontpage\xunyhyv.html not found!
Deletion of file C:\Program Files\microsoft frontpage\xunyhyv.html failed!

Could not process line:
C:\Program Files\microsoft frontpage\xunyhyv.html
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.





I don't want to jinx myself, but I have not had one single popup since running SmitFraudFix. :blink: I'm so happy, I'm quivering!! :whistling:
  • 0

#27
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,591 posts
Hi, TraeSher :whistling:

Please go to the Add/Remove Programs option in the Control Panel and Remove ALL previous versions of JAVA:

J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03


Then, please click here to download the latest version of JAVA 1.5.0.07 and install the application. If you experience a problem autoinstalling from the site, click on Manual Download for the Offline Bundle.

Click Here to download AVG Free. Save the installer in a place you can remember. Remove Trend Micro\PC-cillin 2002, then double-click on the AVG installer. After the installation, update the program's definitions and perform a full scan.

Click Here to download Zone Alarm Free. Install the application and update its definitions.

Let me know the outcome.
  • 0

#28
TraeSher

TraeSher

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Thank you, JSntgRvr!

Everything seems to be going great now. I can hardly believe I'm now popup free!

ZoneAlarm is better than I expected - it allows me to choose if I want to allow access for a certain program!

I'm still not sure what "debugger" is in memory and preventing my Intervideo WinDVD Creator from starting, but I'm going to delete my 'cleanup' programs you've had me download, and hopefully that fixes it. If not, I'll be looking for you again :blink:

Since today is payday, it's only right that I make a donation to help further the cause. I only wish I could give more, but after my husband's back surgery, I've really been squeezing the budget painfully. Your time has been invaluable to me, though! :whistling:



TraeSher

Edited by TraeSher, 03 August 2006 - 12:03 AM.

  • 0

#29
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,591 posts
Hi, TraeSher. :whistling:

Congratulations.

Reset and Re-enable your System Restore once again to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

In regard to the WinDVD issue, you are welcome to post at our Application or Operating Systems Forums. We have a few MVPs in those areas.

Glad to be of help. Best wishes!
  • 0

#30
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,591 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0