Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

[Resolved] shuts down Explorer for my safety

Started by alumni72 , Sep 16 2006 04:39 PM

  • This topic is locked This topic is locked

#16
alumni72
Posted 24 September 2006 - 09:53 PM

alumni72

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
HiJack This! log from after all the above steps:

Logfile of HijackThis v1.99.1
Scan saved at 11:48:54 PM, on 9/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Shavlik Technologies\NetChk\5.6.0.446\HfNetChkProService.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Generic\Seticon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\Novatix\ExplorerPlus\Nxdlghlp.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\ebgjyaaj.dll (file missing)
O2 - BHO: (no name) - {E8F60E85-5542-4B58-ADB5-BF1EEBD3B41C} - C:\WINDOWS\system32\pmnli.dll
O2 - BHO: (no name) - {FE4D4731-6E88-4B21-BF5E-4BAA8FCFF7D7} - C:\WINDOWS\system32\vtstt.dll (file missing)
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Generic\Seticon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: Dialog Tracker.lnk = C:\Program Files\Novatix\ExplorerPlus\Nxdlghlp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1136858992712
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O21 - SSODL: Regevdb - {9AB02624-8C60-421D-A052-DEF62C0598A7} - C:\WINDOWS\system32\vidodzip.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: NetChk Patch Service (NetChkPatch) - Unknown owner - C:\Program Files\Shavlik Technologies\NetChk\5.6.0.446\HfNetChkProService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

=================================
And the Save List step FINALLY worked:

7-Zip 4.42
Ad-Aware SE Personal
Adobe Reader 7.0.5
AOL Instant Messenger
ASUS Enhanced Display Driver
ASUS Utilities
avast! Antivirus
Canon Camera Support Core Library
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window DVC for ZoomBrowser EX
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
CleanUp!
Copy Utility
Creative System Information
Data Lifeguard Tools
dBpowerAMP CD Writer
dBpowerAMP Music Converter
Demise
DivX
DivX Converter
DivX Player
DivX Web Player
EA SPORTS online 2005
EasyCleaner
EPSON Photo Print
EPSON Printer Software
EPSON Smart Panel
EPSON TWAIN 5
ewido anti-spyware 4.0
ExplorerPlus 6
Forté Agent
Google Earth
Google Toolbar for Internet Explorer
Gunner 2
Heroes of the Pacific
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hijackthis 1.99.1
HijackThis 1.99.1
Infinite Worlds
J2SE Runtime Environment 5.0 Update 6
Kaspersky Online Scanner
Macromedia Flash Player 8
Macromedia Shockwave Player
Medal of Honor Pacific Assault™
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft AntiSpyware
Microsoft Combat Flight Simulator
Microsoft Encarta Premium 2006 DVD
Microsoft Office XP Professional
Microsoft Streets and Trips 2005
Microsoft Text-to-Speech Engine 4.0 (English)
Mordor 2: Darkness Awakening
Morpheus 5.2 (remove only)
MVP Baseball 2005
Nero PhotoShow Express
Nero Suite
NeroMIX
NVIDIA Drivers
Opera
Oregon Trail 5
Panda ActiveScan
PerfectDisk
PF 2450 PHOTO Guide
QuickTime
RollerCoaster Tycoon 3
ScanToWeb
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Shavlik NetChk Protect
SilverFast TWAIN
SimCity 4 Deluxe
SnagIt 7
Sound Blaster Audigy 2 ZS
Spybot - Search & Destroy 1.4
Sunbelt Kerio Personal Firewall
The Sims 2
ThumbsPlus version 7.0
Time and Chaos 6
Trend Micro PC-cillin Internet Security 2005
Trillian
Tweakui Powertoy for Windows XP
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
USB 2.0 Card Reader
ViewSonic Monitor Drivers
WavePad Uninstall
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
WinWay Resume Deluxe
WinZip
Yahoo! extras
Yahoo! Install Manager
Yahoo! Messenger
  • 0

Advertisements

#17
Flrman1
Posted 25 September 2006 - 03:45 PM

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
* Run Hijack This again and put a check by this entry. Close ALL windows except HijackThis and click "Fix checked"

O21 - SSODL: Regevdb - {9AB02624-8C60-421D-A052-DEF62C0598A7} - C:\WINDOWS\system32\vidodzip.dll

Restart your computer.

Use Killbox to delete this file:

C:\WINDOWS\system32\vidodzip.dll


* Go to Add/Remove programs and uninstall this old version of Java:

J2SE Runtime Environment 5.0 Update 6


* Now go here and install the latest version of Java.

How is the computer running now?
  • 0

#18
alumni72
Posted 25 September 2006 - 05:11 PM

alumni72

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Well, here's how it went:

I performed all the tasks outlined in your last post.

After I used Killbox to delete that one item, I opened IE to get the link to install Java Runtime. When I opened IE, I found that I had VSToolbar active (never heard of it before), and my toolbars were locked (never have it set that way) and my Links were to the right of the Address bar (they always go below it).
Then I got a popup from mediaplex.
** (after the last round before this, my PC had finally started to behave more or less normally - the taskbar finally stopped flashing on and off and response time was close to normal again.)

After I installed Java Runtime I got a popup telling me that if I have registry entries that are damaged it could be a problem - do I want to install SysProtect for free? I clicked the Cancel button. I have no idea if that was an offering from the Java website or if it was more spyware.

But I'm done. Let me know if you think I should do anything else based on those two weird popups I got just now.

Quick update - I just discovered that I have a tiny window in the upper left of my screen that is waiting for me to ok the installation of ActiveX controls to install SysProtect. I've attached a screenshot.

And as soon as I clicked on the 'Add This Attachment' button below, I got another popup from adfarm.mediaplex.com.

When I went to close that SysProtect window it generated another popup warning that I had not completed the scan. Definitely spyware - I'm attaching another HJT log in the next post.

Attached Thumbnails

  • SysProtect_offer.jpg

Edited by alumni72, 25 September 2006 - 05:18 PM.

  • 0

#19
alumni72
Posted 25 September 2006 - 05:20 PM

alumni72

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Here's that next HJT log from after the SysProtect popup:

Logfile of HijackThis v1.99.1
Scan saved at 7:19:29 PM, on 9/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Shavlik Technologies\NetChk\5.6.0.446\HfNetChkProService.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Generic\Seticon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\Novatix\ExplorerPlus\Nxdlghlp.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Novatix\ExplorerPlus\NxExplo.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Generic\Seticon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: Dialog Tracker.lnk = C:\Program Files\Novatix\ExplorerPlus\Nxdlghlp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1136858992712
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: NetChk Patch Service (NetChkPatch) - Unknown owner - C:\Program Files\Shavlik Technologies\NetChk\5.6.0.446\HfNetChkProService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

------------------------------------------------------

And after I posted this and hit my Home button (IE) my Taskbar flashed off and then on again like it had been previously. Another indicator that something is wrong - again - is that I use Office Toolbar, and all my windows should justify taking into account the space used by Toolbar. I have the Toolbar on the right so the minimize, maximize and close buttons for all my windows should appear to the left of Toolbar...but with this problem they don't - they extend 'behind' Toolbar when the window is maximized.
I hope that last part is clearly explained. Let me know if it isn't.

Edited by alumni72, 25 September 2006 - 05:28 PM.

  • 0

#20
Flrman1
Posted 26 September 2006 - 06:46 PM

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Please do the following:

* Download Rootkit Revealer from here (link is at the very bottom of the page).
  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here
* Download WinPFind
  • Right Click the Zip Folder and Select "Extract All"
  • Extract it somewhere you will remember like the Desktop
  • Dont do anything with it yet!

* Click here for info on how to boot to safe mode if you don't already know how.


Reboot into Safe Mode


Doubleclick WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient and let it complete.

Reboot back to Normal Mode!

  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Copy and paste WinPFind.txt in your next post here please.

  • 0

#21
Flrman1
Posted 26 September 2006 - 06:47 PM

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Post a new uninstall list from the HJT Uninstall Manager too please.
  • 0

#22
Flrman1
Posted 26 September 2006 - 06:49 PM

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Go ahead and go to Add/Remove programs and look for VSToolbar for Internet Explorer or similar and uninstall it.
  • 0

#23
alumni72
Posted 27 September 2006 - 11:48 AM

alumni72

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
OK, this is getting more bizarre by the minute.
Last night I tried to reply to this thread with the information you requested, but I wasn't able to STAY logged in - whenever I went to the next screen, I would automatically get logged out. What's worse, when I clicked on the reply button, I was not only logged out but I was completely unable to log back in again! I have attached a screenshot of the error message I received.
====================================
I removed VSToolbar...I don't remember ever installing it and have no idea what it is for.
I know you have plenty to do - but is it possible to get a brief rundown of what I've been finding/removing and what it is? I don't know what in the HJT log is good or bad and I hate not knowing stuff. Even if there's a website somewhere that explains this stuff - that would be fine.
-----------------------------------------------------------------
Once again, the Uninstall Manager list didn't do what it should. I hit the Save List button and HJT just sat there doing nothing. I hit the button several times...same thing.
I closed HJT and reopened it, tried to save the list...and this time HJT just shut right down without warning, as before.
I uninstalled/reinstalled HJT, and once again hitting the Save List button - several times - did nothing at all. Wouldn't be a problem if I could copy/paste the list from the window.
-----------------------------------------------------------------
Here is the RootkitRevealer file (it would NOT let me save the file to my desktop - got a popup saying it wasn't a valid location. Same kind of msg as if I tried to save to a floppy drive without a disk in it.) It let me proceed as though I COULD save to the desktop, though - but I didn't check to see if the file was there and later, when it came time to post it, I couldn't find it anywhere. So I reran the scan. The first time it found 3 entries - the second time it found 5. The file contents below is from the second scan (completed after I had done everything else you wanted me to do).

HKLM\S-1-5-21-329068152-152049171-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings 9/27/2006 2:48 AM 77 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-329068152-152049171-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings 9/27/2006 2:48 AM 77 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\EPSON Stylus C84 Series\ChangeID 9/26/2006 10:38 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\EPSON Stylus C84 Series\Attributes 9/26/2006 10:38 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\TrendMicro\PC-cillin\ScanInfo\LastScanFile 9/27/2006 2:48 AM 56 bytes Windows API length not consistent with raw hive data.
---------------------------------------------------------------------
WinPFind.txt contents:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 9/27/2006 1:59:16 AM
WinPFind v1.5.0 Folder = C:\Documents and Settings\1 - Dad\Desktop\WinPFind\WinPFind\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
UPX! 8/8/2006 12:53:28 PM 635520 C:\WINDOWS\SYSTEM32\aswBoot.exe ()
aspack 3/18/2005 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll (Microsoft Corporation)
aspack 5/26/2005 3:34:52 PM 2297552 C:\WINDOWS\SYSTEM32\d3dx9_26.dll (Microsoft Corporation)
aspack 7/22/2005 7:59:04 PM 2319568 C:\WINDOWS\SYSTEM32\d3dx9_27.dll (Microsoft Corporation)
aspack 12/5/2005 6:09:18 PM 2323664 C:\WINDOWS\SYSTEM32\d3dx9_28.dll (Microsoft Corporation)
aspack 2/3/2006 8:43:16 AM 2332368 C:\WINDOWS\SYSTEM32\d3dx9_29.dll (Microsoft Corporation)
aspack 3/31/2006 12:40:58 PM 2388176 C:\WINDOWS\SYSTEM32\d3dx9_30.dll (Microsoft Corporation)
PEC2 8/18/2001 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc ()
PEC2 7/3/2006 5:40:50 PM 620180 C:\WINDOWS\SYSTEM32\DivX.dll (DivX, Inc.)
PECompact2 7/3/2006 5:40:50 PM 620180 C:\WINDOWS\SYSTEM32\DivX.dll (DivX, Inc.)
UpackByDwing 9/25/2006 6:43:02 PM 45525 C:\WINDOWS\SYSTEM32\hlwtyoyo.dll ()
PTech 5/17/2006 11:23:38 AM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL (Microsoft Corporation)
PECompact2 8/9/2006 3:03:04 PM 8325544 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 8/9/2006 3:03:04 PM 8325544 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
WSUD 8/4/2004 3:56:54 AM 1200128 C:\WINDOWS\SYSTEM32\ntbackup.exe (Microsoft Corporation)
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll (Microsoft Corporation)
WSUD 8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
UPX! 9/24/2006 9:32:52 PM 9216 C:\WINDOWS\SYSTEM32\VundoFixSVC.exe (Atribune.org)
winsync 8/18/2001 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu ()
PEC2 9/11/1998 12:00:00 PM 751080 C:\WINDOWS\SYSTEM32\WIN32.TLB ()

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys (Smart Link)
UPX! 11/9/2005 9:07:30 PM 1022432 C:\WINDOWS\SYSTEM32\drivers\VsapiNT.sys (Trend Micro Inc.)
aspack 11/9/2005 9:07:30 PM 1022432 C:\WINDOWS\SYSTEM32\drivers\VsapiNT.sys (Trend Micro Inc.)

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/27/2006 1:57:52 AM S 2048 C:\WINDOWS\bootstat.dat ()
8/24/2006 9:46:48 PM H 10820 C:\WINDOWS\Help\update.GID ()
9/25/2006 6:42:58 PM HS 810064 C:\WINDOWS\system32\ilnmp.bak1 ()
9/27/2006 2:08:14 AM HS 815772 C:\WINDOWS\system32\ilnmp.ini ()
9/26/2006 4:17:38 PM HS 823173 C:\WINDOWS\system32\ilnmp.ini2 ()
9/27/2006 1:57:56 AM H 12288 C:\WINDOWS\system32\config\default.LOG ()
9/26/2006 7:29:32 PM H 0 C:\WINDOWS\system32\config\SAM.DFG.LOG ()
9/27/2006 1:58:16 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG ()
9/27/2006 1:57:54 AM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG ()
9/26/2006 7:29:32 PM H 0 C:\WINDOWS\system32\config\software.DFG.LOG ()
9/27/2006 1:59:00 AM H 1024 C:\WINDOWS\system32\config\software.LOG ()
9/26/2006 7:29:32 PM H 0 C:\WINDOWS\system32\config\system.DFG.LOG ()
9/27/2006 1:58:26 AM H 1024 C:\WINDOWS\system32\config\system.LOG ()
8/15/2006 1:31:46 AM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG ()
9/16/2006 1:43:20 PM H 0 C:\WINDOWS\system32\dellog\9B4EEB9EE047A876A53342E52B473531B475D49F.qcx ()
9/9/2006 2:34:10 AM H 8628 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_QI021E.GID ()
9/27/2006 1:56:38 AM H 6 C:\WINDOWS\Tasks\SA.DAT ()
9/15/2006 7:27:12 PM HS 616448 C:\WINDOWS\Temp\2ad31c76.TMP ()

Checking for CPL files...
8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl (Sun Microsystems, Inc.)
8/18/2001 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
8/18/2001 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
11/17/2004 5:09:00 AM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl (NVIDIA Corporation)
8/18/2001 8:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
8/18/2001 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl (Microsoft Corporation)
5/26/2005 5:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
8/18/2001 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl (Microsoft Corporation)
8/18/2001 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl (Microsoft Corporation)
8/18/2001 8:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl (Microsoft Corporation)
8/18/2001 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl (Microsoft Corporation)

Checking for Downloaded Program Files...
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - CKAVWebScan Object - CodeBase = http://www.kaspersky...can_unicode.cab
{166B1BCA-3F9C-11CF-8075-444553540000} - Shockwave ActiveX Control - CodeBase = http://download.macr...director/sw.cab
{17492023-C23A-453E-A040-C7C580BBF700} - Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft....k/?linkid=39204
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - YInstStarter Class - CodeBase = C:\Program Files\Yahoo!\Common\yinsthelper.dll
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - BDSCANONLINE Control - CodeBase = http://download.bitd...can8/oscan8.cab
{6414512B-B978-451D-A0D8-FCFDF33E833C} - WUWebControl Class - CodeBase = http://update.micros...b?1136858992712
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/...indows-i586.cab
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoft...free/asinst.cab
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/...indows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - Shockwave Flash Object - CodeBase = http://fpdownload.ma...ash/swflash.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
1/28/2006 3:29:16 PM 1764 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk ()
1/9/2006 9:57:36 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
9/26/2006 7:06:22 PM 737 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GhostSurf.lnk ()
1/10/2006 12:46:30 AM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk ()
2/7/2006 10:47:28 PM 819 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SnagIt 7.lnk ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
1/9/2006 4:26:58 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini ()
5/30/2006 10:30:48 PM 2917 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache ()

Checking files in %USERPROFILE%\Startup folder...
1/9/2006 9:57:36 PM HS 84 C:\Documents and Settings\1 - Dad\Start Menu\Programs\Startup\desktop.ini ()
1/10/2006 12:58:32 AM 1712 C:\Documents and Settings\1 - Dad\Start Menu\Programs\Startup\Dialog Tracker.lnk ()

Checking files in %USERPROFILE%\Application Data folder...
1/9/2006 4:26:58 PM HS 62 C:\Documents and Settings\1 - Dad\Application Data\desktop.ini ()
7/3/2006 4:53:16 PM 27576 C:\Documents and Settings\1 - Dad\Application Data\GDIPFONTCACHEV1.DAT ()
2/22/2006 3:46:58 AM 1024 C:\Documents and Settings\1 - Dad\Application Data\WavCodec.wff ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.microsoft...p...ER}&ar=home
\\Search Bar - http://us.rd.yahoo.c...rch/search.html
\\Search Page - http://us.rd.yahoo.c...//www.yahoo.com
\\Default_Page_URL - http://www.microsoft...p...&ar=msnhome
\\Default_Search_URL - http://us.rd.yahoo.c...//www.yahoo.com
\\Local Page - %SystemRoot%\system32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.yahoo.com/
\\Search Bar - http://www.google.com/ie
\\Search Page - http://www.google.com

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn...st/srchcust.htm
\\SearchAssistant - http://www.google.com/ie


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
\{45DCFD29-AFC0-4552-A9A3-30DF4A8B5369} - = C:\WINDOWS\system32\pmnli.dll ()
\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - Yahoo! IE Services Button = C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
\{9527D42F-D666-11D3-B8DD-00600838CD5F} - IEWatchObj Class = C:\WINDOWS\system32\IETie.dll (Tenebril Incorporated)
\{955BE0B8-BC85-4CAF-856E-8E0D8B610560} - Encarta Web Companion Helper Object = C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL (Microsoft Corporation)
\{AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper = c:\program files\google\googletoolbar1.dll (Google Inc.)
\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - = C:\WINDOWS\system32\ebgjyaaj.dll ()
\{FE4D4731-6E88-4B21-BF5E-4BAA8FCFF7D7} - = C:\WINDOWS\system32\vtstt.dll ()

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4528BBE0-4E08-11D5-AD55-00010333D0AD} - &Yahoo! Messenger = C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll (Yahoo! Inc.)
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{32683183-48a0-441b-a342-7c2a440a9478} - = ()
\{4528BBE0-4E08-11D5-AD55-00010333D0AD} - &Yahoo! Messenger = C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll (Yahoo! Inc.)
\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
\\{147D6308-0614-4112-89B1-31402F9B82C4} - Encarta Web Companion = C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL (Microsoft Corporation)
\\{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google = c:\program files\google\googletoolbar1.dll (Google Inc.)
\\{821F87FF-8245-4972-9E28-732E92EC2F51} - &VSToolBar = C:\Program Files\VSToolbar\VSToolBar.dll ()

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\WebBrowser\\{821F87FF-8245-4972-9E28-732E92EC2F51} - &VSToolBar = C:\Program Files\VSToolbar\VSToolBar.dll ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - 8192 =
\\NEXTID - 8198
\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - 8193 =
\\{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8194 = Windows Messenger
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8195 = Sun Java Console
\\{85d1f590-48f4-11d9-9669-0800200c9a66} - 8196 = Uninstall BitDefender Online Scanner v8
\\{578FC4E3-151E-456c-AF8E-B63061EFE228} - 8197 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc.)
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)(HKCU CLSID)
\{578FC4E3-151E-456c-AF8E-B63061EFE228}} - MenuText: = ()
\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - ButtonText: Yahoo! Services =
\{85d1f590-48f4-11d9-9669-0800200c9a66} - MenuText: Uninstall BitDefender Online Scanner v8 = ()
\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - ButtonText: AIM = C:\PROGRA~1\AIM\aim.exe (America Online, Inc.)
\{B205A35E-1FC4-4CE3-818B-899DBBB3388C} - MenuText: = ()
\{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc.)
\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = ()
\\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = ()
\\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = ()
\\{48F45200-91E6-11CE-8A4F-0080C81A28D4} - TMD Shell Extension = C:\Program Files\Trend Micro\Internet Security 2005\Tmdshell.dll (Trend Micro Incorporated.)
\\{771A9DA0-731A-11CE-993C-00AA004ADB6C} - VBPropSheet = C:\Program Files\Trend Micro\Internet Security 2005\VBProp.dll (Trend Micro Incorporated.)
\\{A70C977A-BF00-412C-90B7-034C51DA2439} - NvCpl DesktopContext Class = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation)
\\{FFB699E0-306A-11d3-8BD1-00104B6F7516} - Play on my TV helper = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation)
\\{1CDB2949-8F65-4355-8456-263E7C208A5D} - Desktop Explorer = C:\WINDOWS\system32\nvshell.dll (NVIDIA Corporation)
\\{1E9B04FB-F9E5-4718-997B-B8DA88302A47} - Desktop Explorer Menu = C:\WINDOWS\system32\nvshell.dll (NVIDIA Corporation)
\\{1E9B04FB-F9E5-4718-997B-B8DA88302A48} - nView Desktop Context Menu = C:\WINDOWS\system32\nvshell.dll (NVIDIA Corporation)
\\{E0D79304-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{E0D79305-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{E0D79306-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{E0D79307-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{FED7043D-346A-414D-ACD7-550D052499A7} - dBpowerAMP Music Converter 1 = C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll ()
\\{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5} - dBpowerAMP Music Converter = C:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll ()
\\{CF74B903-3389-469c-B3B6-0204D204FCBD} - SnagIt Shell Extension = C:\Program Files\TechSmith\SnagIt 7\SnagItShellExt.dll (TechSmith Corporation)
\\{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = C:\Program Files\WinRAR\rarext.dll ()
\\{B327765E-D724-4347-8B16-78AE18552FC3} - NeroDigitalIconHandler = C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll (Nero AG)
\\{7F1CF152-04F8-453A-B34C-E609530A9DC8} - NeroDigitalPropSheetHandler = C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll (Nero AG)
\\{23170F69-40C1-278A-1000-000100020000} - 7-Zip Shell Extension = C:\Program Files\7-Zip\7-zip.dll ()
\\{472083B0-C522-11CF-8763-00608CC02F24} - avast = C:\Program Files\Alwil Software\Avast4\ashShell.dll (ALWIL Software)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]


>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\7-Zip - {23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zip.dll ()
\avast - {472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll (ALWIL Software)
\ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s.)
\ExplorerPlus Menu - {3A5C58F7-E421-4fcd-8DC2-F06B83E9E5AA} = C:\Program Files\Novatix\ExplorerPlus\NXShExt.dll (Novatix Corporation)
\Fix-It Menu - {A50302A0-8E15-11d2-887B-006008C1C087} = C:\Program Files\VCOM\SystemSuite\mxctxmnu.dll (V Communications, Inc.)
\SnagItMainShellExt - {CF74B903-3389-469c-B3B6-0204D204FCBD} = C:\Program Files\TechSmith\SnagIt 7\SnagItShellExt.dll (TechSmith Corporation)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\{48F45200-91E6-11CE-8A4F-0080C81A28D4} - = C:\Program Files\Trend Micro\Internet Security 2005\Tmdshell.dll (Trend Micro Incorporated.)

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\7-Zip - {23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zip.dll ()
\ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s.)
\ExplorerPlus Menu - {3A5C58F7-E421-4fcd-8DC2-F06B83E9E5AA} = C:\Program Files\Novatix\ExplorerPlus\NXShExt.dll (Novatix Corporation)
\Fix-It Menu - {A50302A0-8E15-11d2-887B-006008C1C087} = C:\Program Files\VCOM\SystemSuite\mxctxmnu.dll (V Communications, Inc.)
\SnagItMainShellExt - {CF74B903-3389-469c-B3B6-0204D204FCBD} = C:\Program Files\TechSmith\SnagIt 7\SnagItShellExt.dll (TechSmith Corporation)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]
\00nView - {1E9B04FB-F9E5-4718-997B-B8DA88302A48} = C:\WINDOWS\system32\nvshell.dll (NVIDIA Corporation)
\NvCplDesktopContext - {A70C977A-BF00-412C-90B7-034C51DA2439} = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation)

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\avast - {472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll (ALWIL Software)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\{48F45200-91E6-11CE-8A4F-0080C81A28D4} - = C:\Program Files\Trend Micro\Internet Security 2005\Tmdshell.dll (Trend Micro Incorporated.)

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
\{7D4D6379-F301-4311-BEBA-E26EB0561882} - NeroDigitalExt.NeroDigitalColumnHandler = C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll (Nero AG)
\{F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Column Info = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc.)
\{FED7043D-346A-414D-ACD7-550D052499A7} - dBpowerAMP Column Handler = C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll ()

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
pccguide.exe - C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe (Trend Micro Incorporated.)
NvCplDaemon - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll ()
nwiz - C:\WINDOWS\SYSTEM32\nwiz.exe (NVIDIA Corporation)
NvMediaCenter - RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll ()
SetIcon - C:\Program Files\Generic\Seticon.exe (Standard Microsystems Corp.)
CTHelper - C:\WINDOWS\SYSTEM32\CTHELPER.EXE (Creative Technology Ltd)
SBDrvDet - C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe (Creative Technology Ltd)
UpdReg - C:\WINDOWS\UpdReg.EXE (Creative Technology Ltd.)
EPSON Stylus C84 Series - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE (SEIKO EPSON CORPORATION)
gcasServ - C:\Program Files\Microsoft AntiSpyware\gcasServ.exe (Microsoft Corporation)
QuickTime Task - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
NeroFilterCheck - C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
avast! - C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe ()
!ewido - C:\Program Files\ewido anti-spyware 4.0\ewido.exe (Anti-Malware Development a.s.)
SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (Sun Microsystems, Inc.)
RCScheduleCheck - C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE (imagine LAN, Inc.)
Fix-It AV - C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe (V Communications, Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
PhotoShow Deluxe Media Manager - C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe (Ahead Software)
swg - C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe (Google Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GhostSurf.lnk - C:\Program Files\GhostSurf\GhostSurf.exe (Tenebril Incorporated)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SnagIt 7.lnk - C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe (TechSmith Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Documents and Settings\1 - Dad\Start Menu\Programs\Startup\desktop.ini ()
C:\Documents and Settings\1 - Dad\Start Menu\Programs\Startup\Dialog Tracker.lnk - C:\Program Files\Novatix\ExplorerPlus\Nxdlghlp.exe (Novatix Corporation)

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
\\SV1 -

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
\\{9EF34FF2-3396-4527-9D27-04C8C1C67806} - Microsoft.AntiSpyware.ShellExecuteHook.1 = C:\Program Files\Microsoft AntiSpyware\shellextension.dll (Microsoft Corporation)
\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll (Anti-Malware Development a.s.)
\\{a5780613-492e-4a2a-a7fd-549610edf6cc} - HookRC Class = C:\Program Files\VCOM\Recovery Commander\RCHOOK.DLL ()

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\system32\userinit.exe,
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\pmnli - C:\WINDOWS\system32\pmnli.dll = ()
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{25F5E297-D75D-40DD-A7AD-F039263DF5E0} - (Linksys LNE100TX Fast Ethernet Adapter(LNE100TX v4))
{8FDED572-E4A4-40E1-AFE0-980C8DCC3A67} - (1394 Net Adapter)
{E492CE81-8A31-443F-83A4-54EF3C8BBD68} - (1394 Net Adapter)

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000014\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000015\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\ipp - ()
\msdaipp - ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Attached also please find a jpg screenshot of the error I get when I try to post to this thread from my home computer.

Attached Thumbnails

  • Cannot_log_into_Geeks_to_Go.jpg

  • 0

#24
Flrman1
Posted 27 September 2006 - 05:32 PM

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
1. Click here to download The Avenger by Swandog46 and save it to your desktop.
  • Right click on Avenger.zip and choose "Extract All" extract the avenger.exe file.
  • Extract it to your desktop
2. Copy all the text contained in the quote box below to your Clipboard by highlighting it and pressing (Ctrl+C) or right clicking it and choosing "Copy":

Files to delete:
C:\WINDOWS\SYSTEM32\hlwtyoyo.dll
C:\WINDOWS\system32\pmnli.dll
C:\WINDOWS\system32\ebgjyaaj.dll
C:\WINDOWS\system32\vtstt.dll

Folders to delete:
C:\Program Files\VSToolbar

Registry keys to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{45DCFD29-AFC0-4552-A9A3-30DF4A8B5369}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE4D4731-6E88-4B21-BF5E-4BAA8FCFF7D7}


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Come back here to this thread. Copy and paste the contents of c:\avenger.txt into your reply along with a fresh HJT log .
  • 0

#25
Flrman1
Posted 27 September 2006 - 05:33 PM

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Also go ahead and do this please:

* Click here to download Dr.Web CureIt and save it to your desktop.
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new Hijack This log.

  • 0

Advertisements

#26
Flrman1
Posted 27 September 2006 - 05:40 PM

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Now to try and answer a few of your questions.

The problem with logging in here sounds like it may be due to your firewall or some other app that you have blocking the cookies. Check any cookie blocking seetinds in your Trend Micro firewall to try and correct that.

I don't know what the problem is with the HJT Uninstall Manger, but I see it quite often and suspect it to be a problem with HJT and not your computer. Compare the current uninstall list with the one you posted before and see if there is anything new there.

I don't recall everything that we have cleaned off hand, but I know some of it was nothing more than spware like the VS Toolbar. You also have/had the Vundo or Virtumonde trojan. Info here:

http://www.dslreports.com/faq/13331

Another was SDbot:

http://www.pandasoft...epanda=empresas
  • 0

#27
alumni72
Posted 27 September 2006 - 05:45 PM

alumni72

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Thannks - I really appreciate all you're doing to help me!

I found out just a minutes ago that I can't log into eBay either - it also will not accept my password. So I would guess it's some setting in IE or somewhere else that got changed somehow quite recently, since up until the other night I was able to log into either website without any trouble. I'm typing this from my work laptop, since that is the only way I can log in to post a response at this point.

I'll try the steps you just outlined ASAP.

Thanks again!

- - edit - -

I'm also not completely sure which of these softwares I've downloaded/installed so far I need to keep installed. I know I should have only one AV package or Firewall, but as for which of them are considered AV and which strictly spyware detectors, I'm not 100% clear on that.

I guess I should uninstall TrendMicro, since am now using Avast! AV and Kerio Firewall. It isn't running, but it could still have something running in the background. Could that be causing any problems at all, at least anything like what you've seen so far?

Edited by alumni72, 27 September 2006 - 05:51 PM.

  • 0

#28
alumni72
Posted 27 September 2006 - 06:10 PM

alumni72

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
AVENGER data:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bopoiasn

*******************

Script file located at: \??\C:\WINDOWS\system32\oawvnhpu.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\SYSTEM32\hlwtyoyo.dll deleted successfully.
File C:\WINDOWS\system32\pmnli.dll deleted successfully.


File C:\WINDOWS\system32\ebgjyaaj.dll not found!
Deletion of file C:\WINDOWS\system32\ebgjyaaj.dll failed!

Could not process line:
C:\WINDOWS\system32\ebgjyaaj.dll
Status: 0xc0000034



File C:\WINDOWS\system32\vtstt.dll not found!
Deletion of file C:\WINDOWS\system32\vtstt.dll failed!

Could not process line:
C:\WINDOWS\system32\vtstt.dll
Status: 0xc0000034

Folder C:\Program Files\VSToolbar deleted successfully.


Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{45DCFD29-AFC0-4552-A9A3-30DF4A8B5369} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{45DCFD29-AFC0-4552-A9A3-30DF4A8B5369} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE4D4731-6E88-4B21-BF5E-4BAA8FCFF7D7} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

====================================
HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:06:09 PM, on 9/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Shavlik Technologies\NetChk\5.6.0.446\HfNetChkProService.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Generic\Seticon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\GhostSurf\GhostSurf.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\Novatix\ExplorerPlus\Nxdlghlp.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O2 - BHO: (no name) - {A765EE2A-6F1C-47C7-82DA-CE64DC466A10} - C:\WINDOWS\system32\pmnli.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Generic\Seticon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: Dialog Tracker.lnk = C:\Program Files\Novatix\ExplorerPlus\Nxdlghlp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GhostSurf.lnk = C:\Program Files\GhostSurf\GhostSurf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Allow personal info to reach this site - file://C:\Program Files\GhostSurf\info.allow.html
O8 - Extra context menu item: Allow popups on this site - file://C:\Program Files\GhostSurf\popup.allow.html
O8 - Extra context menu item: Allow this advertisement - file://C:\Program Files\GhostSurf\menu.allowimg.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Block personal info from this site - file://C:\Program Files\GhostSurf\info.block.html
O8 - Extra context menu item: Block popups on this site - file://C:\Program Files\GhostSurf\popup.block.html
O8 - Extra context menu item: Block this advertisement - file://C:\Program Files\GhostSurf\menu.blockimg.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1136858992712
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: pmnli - C:\WINDOWS\system32\pmnli.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: NetChk Patch Service (NetChkPatch) - Unknown owner - C:\Program Files\Shavlik Technologies\NetChk\5.6.0.446\HfNetChkProService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

=================================
Moving on to your second set of instructions now.....
  • 0

#29
alumni72
Posted 27 September 2006 - 09:00 PM

alumni72

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
DrWeb information:

ylnfenqv.dll;C:\Documents and Settings\2 - Mom\Local Settings\Temp;Adware.Duncan;Incurable.Moved.;
WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;Incurable.Moved.;
vtstt.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
tpiprccv.exe;C:\WINDOWS\system32;Adware.SearchColours;Incurable.Moved.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.2.2;Probably BACKDOOR.Trojan;Incurable.Moved.;
Process.exe;C:\Documents and Settings\1 - Dad\Desktop\SDFix\SDFix\apps;Tool.Prockill;Incurable.Moved.;
pmnli.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
mt.exe;C:\;Trojan.DownLoader.13289;Deleted.;
load0[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Z97HOPKL;Trojan.DownLoader.13289;Deleted.;
ebgjyaaj.dll.bad;C:\VundoFix Backups;Adware.Duncan;Incurable.Moved.;
cl5.exe;C:\Program Files\Shavlik Technologies\NetChk\ShavlikDataFiles;Probably WIN.WORM.Virus;Incurable.Moved.;
cl5.exe;C:\WINDOWS\ProPatches;Probably WIN.WORM.Virus;Incurable.Moved.;
Actions.dll;C:\Program Files\Shavlik Technologies\NetChk\ShavlikDataFiles;Probably WIN.WORM.Virus;Incurable.Moved.;
A0090094.exe;C:\System Volume Information\_restore{E2521943-92D1-43B1-B8D9-139603D9B477}\RP262;Trojan.DownLoader.13289;Deleted.;
A0090089.dll;C:\System Volume Information\_restore{E2521943-92D1-43B1-B8D9-139603D9B477}\RP262;Adware.SearchColours;Incurable.Moved.;
A0090088.dll;C:\System Volume Information\_restore{E2521943-92D1-43B1-B8D9-139603D9B477}\RP262;Trojan.Virtumod;Deleted.;
A0089604.dll;C:\System Volume Information\_restore{E2521943-92D1-43B1-B8D9-139603D9B477}\RP259;Trojan.Virtumod;Deleted.;
A0089593.dll;C:\System Volume Information\_restore{E2521943-92D1-43B1-B8D9-139603D9B477}\RP259;Adware.Duncan;Incurable.Moved.;
A0089563.exe;C:\System Volume Information\_restore{E2521943-92D1-43B1-B8D9-139603D9B477}\RP259;Tool.Prockill;Incurable.Moved.;
A0085841.dll;C:\System Volume Information\_restore{E2521943-92D1-43B1-B8D9-139603D9B477}\RP254;Adware.Aws;Incurable.Moved.;
A0085827.exe;C:\System Volume Information\_restore{E2521943-92D1-43B1-B8D9-139603D9B477}\RP254;Trojan.DownLoader.13289;Deleted.;
A0085806.exe;C:\System Volume Information\_restore{E2521943-92D1-43B1-B8D9-139603D9B477}\RP254;Trojan.DownLoader.13289;Deleted.;
A0085786.exe;C:\System Volume Information\_restore{E2521943-92D1-43B1-B8D9-139603D9B477}\RP254;Trojan.DownLoader.13289;Deleted.;

=======================================

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:55:04 PM, on 9/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Shavlik Technologies\NetChk\5.6.0.446\HfNetChkProService.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Generic\Seticon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\GhostSurf\GhostSurf.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\Novatix\ExplorerPlus\Nxdlghlp.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O2 - BHO: (no name) - {A765EE2A-6F1C-47C7-82DA-CE64DC466A10} - C:\WINDOWS\system32\pmnli.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Generic\Seticon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: Dialog Tracker.lnk = C:\Program Files\Novatix\ExplorerPlus\Nxdlghlp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GhostSurf.lnk = C:\Program Files\GhostSurf\GhostSurf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Allow personal info to reach this site - file://C:\Program Files\GhostSurf\info.allow.html
O8 - Extra context menu item: Allow popups on this site - file://C:\Program Files\GhostSurf\popup.allow.html
O8 - Extra context menu item: Allow this advertisement - file://C:\Program Files\GhostSurf\menu.allowimg.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Block personal info from this site - file://C:\Program Files\GhostSurf\info.block.html
O8 - Extra context menu item: Block popups on this site - file://C:\Program Files\GhostSurf\popup.block.html
O8 - Extra context menu item: Block this advertisement - file://C:\Program Files\GhostSurf\menu.blockimg.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1136858992712
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: pmnli - C:\WINDOWS\system32\pmnli.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: NetChk Patch Service (NetChkPatch) - Unknown owner - C:\Program Files\Shavlik Technologies\NetChk\5.6.0.446\HfNetChkProService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
  • 0

#30
Flrman1
Posted 28 September 2006 - 10:45 AM

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
How is the computer behaving now other than the login problems?

Go to Start > Run. Copy and Paste each of the following lines in the Run box one at a time. Click OK after each one and wait for the success or fail message before you proceed to the next.

regsvr32 Mssip32.dll
regsvr32 wuapi.dll
regsvr32 wuaueng.dll
regsvr32 wucltui.dll
regsvr32 wups.dll
regsvr32 wuweb.dll
regsvr32 atl.dll
regsvr32 Softpub.dll
regsvr32 Wintrust.dll
regsvr32 Initpki.dll

Restart your computer.

Try accessing ebay now.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP