Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trojan/Downloader.Qoologic/Command Service Infection

Started by twist4 , Sep 27 2006 04:23 PM

  • This topic is locked This topic is locked

#1
twist4
Posted 27 September 2006 - 04:23 PM

twist4

    New Member

  • Member
  • Pip
  • 7 posts
I have followed all your recommended steps in trying to remove the malware from my computer to no avail. Here's what's happening. I have been plagued with malware for months, regularly run ewido and spybot and other programs, but I never get rid of it all. A few days ago my computer appeared to be running pretty well with a few pop-ups when I received a message: "Windows has been closed down. kernel-data-inpage-error." When I tried to restart the computer, I received a message, "disk boot failure, insert system disk and press enter." I re-booted in safe mode, ran ewido and spybot which I run regularly, but then the same thing happened again. I then followed all your recommended steps. Trojan Hunter found a number of infections, some which it purported to remove, a few which it didn't. When I ran ewido a second time after running Trojan Hunter, the following high risks still appeared: Downloader.Qoologic.bj/ Downloader.Small.ajc/ Downloader.PurityScan.cz/Hijacker.Small.jf/Downloader.Small/Trojan.Zapchast.bl/Dropper.VB.mz. Every time I run ewido "Downloader.Qoologic" appears and every time I run Spybot, "Command Services" appears. Also every time I start my computer chkdsk runs. Thanks so much for any help you can give me. Here is my HiJackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 6:15:25 PM, on 9/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1130274426\ee\AOLSoftware.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 6.0a\aoltray.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us3.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us3.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalo...asp?si=20073&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalo...asp?si=20073&k=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://memberservic.../ProvisionLogin
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\xkrxy.exe
F2 - REG:system.ini: UserInit=userinit.exe,jgxcjtm.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_0_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {A5E7FC66-1EA7-460C-F5AD-641340DC389F} - C:\WINDOWS\system32\jczickq.dll (file missing)
O2 - BHO: Kweaj Class - {DFE7D27E-C021-4C72-80F3-254B776E0992} - C:\WINDOWS\system32\ubbv.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_0_0.dll
O3 - Toolbar: WordReferenceEnEs - {5776A2BC-D803-47F6-9DC0-8344DB8D604C} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [pi4iGMUl] C:\documents and settings\owner\local settings\temp\pi4iGMUl.exe
O4 - HKLM\..\Run: [SCEhg.exe] c:\windows\system32\SCEhg.exe
O4 - HKLM\..\Run: [0] C:\windows\system32\0.exe
O4 - HKLM\..\Run: [14c50e6ce648] C:\WINDOWS\System32\atitvo32.exe
O4 - HKLM\..\Run: [fX] C:\windows\system32\fX.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\system32\Yxu5.exe
O4 - HKLM\..\Run: [mpcsrv] C:\WINDOWS\system32\mpcsrv.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1130274426\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [0o8w0320.dll] RUNDLL32.EXE 0o8w0320.dll,b 99914921
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [win3208691-1996575] C:\WINDOWS\win3208691-1996575.exe
O4 - HKLM\..\Run: [win32075691-199657] C:\WINDOWS\win32075691-199657.exe
O4 - HKLM\..\Run: [sys0396575691-19] C:\WINDOWS\sys0396575691-19.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [Notn] "C:\PROGRA~1\CROSOF~1.NET\taskmgr.exe" -vt yazr
O4 - HKCU\..\Run: [Thcqfq] C:\Program Files\Common Files\??mbols\??rvices.exe
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0a\aoltray.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Aventail OnDemand - https://remote.nixon...va/ondemand.cab
O16 - DPF: {22D4879A-92DB-470D-8A83-E158797D8176} (Liquid.LiquidHelper) - file://E:\components\Liquid.ocx
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webi...Q/bin/WebIQ.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep....42037/sb02a.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1156341424046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - AppInit_DLLs: ping.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Secure MSVS (MicroService32) - Unknown owner - C:\WINDOWS\msvcrs.exe (file missing)
O23 - Service: OSdebug (Microsoft Regulator) - Unknown owner - C:\WINDOWS\msoevc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Remote Procedure Call (RPC) Relocator (RpcRelocator) - Unknown owner - C:\WINDOWS\relocater.exe (file missing)
  • 0

Advertisements

#2
JSntgRvr
Posted 27 September 2006 - 05:25 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,591 posts
Hi, twist4 :whistling:

Welcome to Geeks to go.
  • Please download Combofix to your desktop from Here or Here:
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#3
twist4
Posted 28 September 2006 - 07:53 AM

twist4

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thank you. :whistling: Here are the logs:Owner - 06-09-28 9:23:00.00 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Owner\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


O4 - HKCU\...\Run C:\WINDOWS\SYSTEM32\hbatyn.exe
O4 - HKLM\...\Run C:\WINDOWS\system32\hbatyn.exe
F2 -REG:system.ini: Shell C:\WINDOWS\system32\xkrxy.exe
F2 -REG:system.ini: UserInit C:\WINDOWS\SYSTEM32\jgxcjtm.exe


* * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\SYSTEM32\hbatyn.exe
C:\WINDOWS\SYSTEM32\niatpvx.dll
C:\WINDOWS\SYSTEM32\jgxcjtm.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ajmuf.exe
C:\WINDOWS\gwhbp.dll
C:\WINDOWS\SYSTEM32\nypwk.dat
C:\WINDOWS\SYSTEM32\xkrxy.exe


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-08-01 11:38 127488 ajmuf.exe.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Alex\Application Data\Sskknwrd.dll
C:\Documents and Settings\Dad\Application Data\Sskcwrd.dll
C:\Documents and Settings\Dad\Application Data\Sskknwrd.dll
C:\Documents and Settings\Metman\Application Data\Sskcwrd.dll
C:\Documents and Settings\Metman\Application Data\Sskknwrd.dll
C:\Documents and Settings\Metman\Application Data\Sskuknwrd.dll
C:\WINDOWS\system32\bk.exe
C:\WINDOWS\system32\CLOUDSIM.EXE


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Owner\Start Menu\Programs\Startup\z_start.lnk
C:\WINDOWS\system32\adrot-uninst.exe
C:\WINDOWS\system32\VSL05.exe
C:\WINDOWS\YOINSI.exe
C:\Program Files\Deskbar
C:\Program Files\windows

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\CROSOF~1
C:\QooBox\Purity\Program Files\CROSOF~1.NET
C:\QooBox\Purity\Program Files\RACLE~1
C:\QooBox\Purity\Program Files\Common Files\ECURIT~1
C:\QooBox\Purity\Program Files\Common Files\MBOLS~1
C:\QooBox\Purity\Program Files\Common Files\MCROSO~1
C:\QooBox\Purity\Program Files\Common Files\WNSXS~1
C:\QooBox\Purity\Program Files\Common Files\YMBOLS~1
C:\QooBox\Purity\Program Files\Common Files\ECURIT~1\ECURIT~1
C:\QooBox\Purity\Program Files\CROSOF~1.NET\CROSOF~1.NET
C:\QooBox\Purity\WINDOWS\FNTS~1
C:\QooBox\Purity\WINDOWS\WNSXS~1
C:\QooBox\Purity\WINDOWS\SYSTEM32\SMBOLS~1


((((((((((((((((((((((((((((((( Files Created from 2006-08-28 to 2006-09-28 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-28 09:24 -------- d-a------ C:\Program Files\Common Files
2006-09-28 09:00 937 --a------ C:\WINDOWS\gwhbp.dll
2006-09-27 18:15 -------- d-------- C:\Program Files\Hijackthis
2006-09-26 17:44 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-26 09:47 -------- d-------- C:\Program Files\QuickTime
2006-09-26 09:44 -------- d-------- C:\Program Files\Messenger
2006-09-26 09:36 -------- d-------- C:\Program Files\iTunes
2006-09-26 09:35 -------- d-------- C:\Program Files\Internet Explorer
2006-09-26 09:23 -------- d-------- C:\Program Files\America Online 6.0a
2006-09-25 23:41 -------- d-------- C:\Program Files\Games
2006-09-25 21:09 -------- d-------- C:\Program Files\CleanUp!
2006-09-25 20:22 -------- d-------- C:\Program Files\TrojanHunter 4.6
2006-09-25 19:38 -------- d-------- C:\Documents and Settings\Owner\Application Data\TrojanHunter
2006-09-24 19:19 -------- d-------- C:\Program Files\Kali95
2006-09-19 16:38 -------- d-------- C:\Program Files\Apple Software Update
2006-09-17 19:04 -------- d-------- C:\Documents and Settings\Owner\Application Data\acccore
2006-09-17 19:03 -------- d-------- C:\Program Files\Common Files\AOL
2006-09-17 19:03 -------- d-------- C:\Program Files\AOL
2006-09-17 19:02 -------- d-------- C:\Program Files\aod
2006-09-17 10:53 -------- d-------- C:\Program Files\AIM95
2006-09-04 21:20 2 --a------ C:\WINDOWS\SYSTEM32\winttr.exe
2006-09-04 21:20 -------- d-------- C:\Program Files\Common Files\àdobe
2006-08-23 21:57 -------- d--h----- C:\Program Files\WindowsUpdate
2006-08-23 09:23 -------- d-------- C:\Program Files\ArcSoft
2006-08-23 09:07 -------- d-------- C:\Program Files\HP RecordNow
2006-08-22 20:55 503 --a------ C:\WINDOWS\SYSTEM32\batmeter.exe
2006-08-22 20:54 49734 --a------ C:\WINDOWS\SYSTEM32\atl71060.exe
2006-08-22 20:53 503 --a------ C:\WINDOWS\SYSTEM32\catsrvut.exe
2006-08-22 20:52 506 --a------ C:\WINDOWS\SYSTEM32\bfc42d88.exe
2006-08-22 20:52 49734 --a------ C:\WINDOWS\SYSTEM32\cddbcont.exe
2006-08-22 20:52 49734 --a------ C:\WINDOWS\SYSTEM32\avifile5.exe
2006-08-22 10:27 -------- d-------- C:\Program Files\Oberon Media
2006-08-22 10:24 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-22 10:15 -------- d-------- C:\Program Files\The Complete National Geographic
2006-08-21 08:21 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
2006-08-21 05:14 128896 --------- C:\WINDOWS\SYSTEM32\drivers\fltmgr.sys
2006-07-27 09:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
@=""
"ATI Launchpad"="\"C:\\Program Files\\ATI Multimedia\\main\\launchpd.exe\""
"Notn"="\"C:\\PROGRA~1\\CROSOF~1.NET\\taskmgr.exe\" -vt yazr"
"Thcqfq"="C:\\Program Files\\Common Files\\??mbols\\??rvices.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"checktime"="c:\\program files\\HPSelect\\Frontend\\ct.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"pi4iGMUl"="C:\\documents and settings\\owner\\local settings\\temp\\pi4iGMUl.exe"
"SCEhg.exe"="c:\\windows\\system32\\SCEhg.exe"
"0"="C:\\windows\\system32\\0.exe"
"14c50e6ce648"="C:\\WINDOWS\\System32\\atitvo32.exe"
"fX"="C:\\windows\\system32\\fX.exe"
"2P6WFAX43ZHE7C"="C:\\WINDOWS\\system32\\Yxu5.exe"
"mpcsrv"="C:\\WINDOWS\\system32\\mpcsrv.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1130274426\\ee\\AOLSoftware.exe"
"0o8w0320.dll"="RUNDLL32.EXE 0o8w0320.dll,b 99914921"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\apdproxy.exe\""
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"lspins"="\"C:\\WINDOWS\\system32\\igps.exe\""
"win3208691-1996575"="C:\\WINDOWS\\win3208691-1996575.exe"
"win32075691-199657"="C:\\WINDOWS\\win32075691-199657.exe"
"sys0396575691-19"="C:\\WINDOWS\\sys0396575691-19.exe"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\HP RecordNow\\kyzez.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Games\\howywyw.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wufk"="C:\\PROGRA~1\\COMMON~1\\wufk\\wufkm.exe"
"Notn"="\"C:\\PROGRA~1\\DOBE~1\\notepad.exe\" -vt yazr"
"Zcd"="C:\\WINDOWS\\W?nSxS\\??rvices.exe"
"dplma"="C:\\WINDOWS\\system32\\hbatyn.exe reg_run"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wufk"="C:\\PROGRA~1\\COMMON~1\\wufk\\wufkm.exe"
"Notn"="\"C:\\PROGRA~1\\DOBE~1\\notepad.exe\" -vt yazr"
"Zcd"="C:\\WINDOWS\\W?nSxS\\??rvices.exe"
"dplma"="C:\\WINDOWS\\system32\\hbatyn.exe reg_run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: Thu 09/28/2006 9:43:19.75
ComboFix.txt



Logfile of HijackThis v1.99.1
Scan saved at 9:51:00 AM, on 9/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1130274426\ee\AOLSoftware.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 6.0a\aoltray.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us3.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us3.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalo...asp?si=20073&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalo...asp?si=20073&k=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://memberservic.../ProvisionLogin
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_0_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {A5E7FC66-1EA7-460C-F5AD-641340DC389F} - C:\WINDOWS\system32\jczickq.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [pi4iGMUl] C:\documents and settings\owner\local settings\temp\pi4iGMUl.exe
O4 - HKLM\..\Run: [SCEhg.exe] c:\windows\system32\SCEhg.exe
O4 - HKLM\..\Run: [0] C:\windows\system32\0.exe
O4 - HKLM\..\Run: [14c50e6ce648] C:\WINDOWS\System32\atitvo32.exe
O4 - HKLM\..\Run: [fX] C:\windows\system32\fX.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\system32\Yxu5.exe
O4 - HKLM\..\Run: [mpcsrv] C:\WINDOWS\system32\mpcsrv.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1130274426\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [0o8w0320.dll] RUNDLL32.EXE 0o8w0320.dll,b 99914921
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
O4 - HKLM\..\Run: [win3208691-1996575] C:\WINDOWS\win3208691-1996575.exe
O4 - HKLM\..\Run: [win32075691-199657] C:\WINDOWS\win32075691-199657.exe
O4 - HKLM\..\Run: [sys0396575691-19] C:\WINDOWS\sys0396575691-19.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [Notn] "C:\PROGRA~1\CROSOF~1.NET\taskmgr.exe" -vt yazr
O4 - HKCU\..\Run: [Thcqfq] C:\Program Files\Common Files\??mbols\??rvices.exe
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0a\aoltray.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Aventail OnDemand - https://remote.nixon...va/ondemand.cab
O16 - DPF: {22D4879A-92DB-470D-8A83-E158797D8176} (Liquid.LiquidHelper) - file://E:\components\Liquid.ocx
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webi...Q/bin/WebIQ.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep....42037/sb02a.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1156341424046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Secure MSVS (MicroService32) - Unknown owner - C:\WINDOWS\msvcrs.exe (file missing)
O23 - Service: OSdebug (Microsoft Regulator) - Unknown owner - C:\WINDOWS\msoevc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Remote Procedure Call (RPC) Relocator (RpcRelocator) - Unknown owner - C:\WINDOWS\relocater.exe (file missing)
  • 0

#4
JSntgRvr
Posted 28 September 2006 - 12:27 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,591 posts
Hi, twist4 :whistling:

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalo...asp?si=20073&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalo...asp?si=20073&k=
O2 - BHO: (no name) - {A5E7FC66-1EA7-460C-F5AD-641340DC389F} - C:\WINDOWS\system32\jczickq.dll (file missing)
O4 - HKLM\..\Run: [pi4iGMUl] C:\documents and settings\owner\local settings\temp\pi4iGMUl.exe
O4 - HKLM\..\Run: [SCEhg.exe] c:\windows\system32\SCEhg.exe
O4 - HKLM\..\Run: [0] C:\windows\system32\0.exe
O4 - HKLM\..\Run: [14c50e6ce648] C:\WINDOWS\System32\atitvo32.exe
O4 - HKLM\..\Run: [fX] C:\windows\system32\fX.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\system32\Yxu5.exe
O4 - HKLM\..\Run: [mpcsrv] C:\WINDOWS\system32\mpcsrv.exe
O4 - HKLM\..\Run: [0o8w0320.dll] RUNDLL32.EXE 0o8w0320.dll,b 99914921
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
O4 - HKLM\..\Run: [win3208691-1996575] C:\WINDOWS\win3208691-1996575.exe
O4 - HKLM\..\Run: [win32075691-199657] C:\WINDOWS\win32075691-199657.exe
O4 - HKLM\..\Run: [sys0396575691-19] C:\WINDOWS\sys0396575691-19.exe
O4 - HKCU\..\Run: [Notn] "C:\PROGRA~1\CROSOF~1.NET\taskmgr.exe" -vt yazr
O4 - HKCU\..\Run: [Thcqfq] C:\Program Files\Common Files\??mbols\??rvices.exe
O23 - Service: Secure MSVS (MicroService32) - Unknown owner - C:\WINDOWS\msvcrs.exe (file missing)
O23 - Service: OSdebug (Microsoft Regulator) - Unknown owner - C:\WINDOWS\msoevc.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Relocator (RpcRelocator) - Unknown owner - C:\WINDOWS\relocater.exe (file missing)

Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

Go to Start->Run, type CMD and click Ok. The MSDOS windo will be displayed. At the prompt type the following and press Enter after each line:

SC Stop MicroService32
SC Delete MicroService32
SC Stop Microsoft Regulator
SC Delete Microsoft Regulator
SC Stop RpcRelocator
SC Delete RpcRelocator
Exit

Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\CROSOF~1.NET ->> Note the folder's name first six letters are CROSOF
C:\Program Files\Common Files\??mbols->> Note the folder's name starts with ??

Search and delete the following file:

0o8w0320.dll
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\SYSTEM32\winttr.exe
    C:\WINDOWS\gwhbp.dll
    C:\WINDOWS\SYSTEM32\batmeter.exe
    C:\WINDOWS\SYSTEM32\atl71060.exe
    C:\WINDOWS\SYSTEM32\catsrvut.exe
    C:\WINDOWS\SYSTEM32\bfc42d88.exe
    C:\WINDOWS\SYSTEM32\cddbcont.exe
    C:\WINDOWS\SYSTEM32\avifile5.exe
    C:\documents and settings\owner\local settings\temp\pi4iGMUl.exe
    c:\windows\system32\SCEhg.exe
    C:\windows\system32\0.exe
    C:\WINDOWS\System32\atitvo32.exe
    C:\windows\system32\fX.exe
    C:\WINDOWS\system32\Yxu5.exe
    C:\WINDOWS\system32\mpcsrv.exe
    C:\WINDOWS\system32\igps.exe
    C:\WINDOWS\win3208691-1996575.exe
    C:\WINDOWS\win32075691-199657.exe
    C:\WINDOWS\sys0396575691-19.exe

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
  • Launch Ewido
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet, we will shortly in Safe Mode.

Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

Boot into Safe Mode:

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Perform the following steps in safe mode:

IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:
  • Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido .
Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon Posted Image and select alcanshorty.bfu
  • Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Restart back into Windows normally now.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post a fresh Hijackthis log along with the Ewido and ActiveScan reports.

Edited by JSntgRvr, 28 September 2006 - 12:30 PM.

  • 0

#5
twist4
Posted 28 September 2006 - 10:58 PM

twist4

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Okay! I have followed all your steps, but based on the scan results, I am quessing we are not done yet. A couple of notes. When I ran ewido, a message popped up: "!ewido-exe.-corrupt file. The file or directory C: is corrupt and unreadable. Please run the Chkdsk utility." I have received this message periodically before and sometimes receive a similar message when running Spybot. Also Chkdsk is still running every time I start the computer. Also when I log in, I get two pop-up messages that I don't know how to get rid of: "Windows cannot open this file BackWeb--137903.exe_to be deleted." "Runner file name (BackWeb--137903.exe_to be deleted) must end in.dll or .exe." Here are the Hijackthis log and the Ewido and ActiveScan reports. Thanks! :whistling:

Logfile of HijackThis v1.99.1
Scan saved at 12:52:18 AM, on 9/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1130274426\ee\aolsoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 6.0a\aoltray.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us3.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us3.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://memberservic.../ProvisionLogin
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_0_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1130274426\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0a\aoltray.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Aventail OnDemand - https://remote.nixon...va/ondemand.cab
O16 - DPF: {22D4879A-92DB-470D-8A83-E158797D8176} (Liquid.LiquidHelper) - file://E:\components\Liquid.ocx
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webi...Q/bin/WebIQ.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep....42037/sb02a.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1156341424046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OSdebug (Microsoft Regulator) - Unknown owner - C:\WINDOWS\msoevc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:03:10 PM 9/28/2006

+ Scan result:



C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP1179\A0655311.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP1179\A0655307.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP1179\A0655308.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP1179\A0655309.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP1179\A0655310.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP1179\A0655306.exe -> Downloader.PurityScan.cz : Cleaned with backup (quarantined).
C:\Program Files\TrojanHunter 4.6\Quarantine\rN4h.dat -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP1179\A0655304.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP1181\A0658393.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP1181\A0658398.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP1181\A0658400.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP1181\A0658444.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP1181\A0658445.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP1181\A0658446.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP1181\A0658447.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP1181\A0658448.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\hbatyn.exe.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\jgxcjtm.exe.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\niatpvx.dll.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\nypwk.dat.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\xkrxy.exe.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP1179\A0655305.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).


::Report end


Incident Status Location

Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe
Spyware:spyware/whazit Not disinfected c:\windows\system32\fiz1
Adware:adware/virtualbouncer Not disinfected c:\windows\system32\INNERADINSTALL.LOG
Adware:adware/sidestep Not disinfected c:\windows\downloaded program files\SbCIe02a.inf
Spyware:spyware/betterinet Not disinfected c:\windows\inf\biini.inf
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Owner\Application Data\tvmknwrd.dll
Adware:adware/ncase Not disinfected c:\windows\msbb.exe.temp
Adware:adware/sidesearch Not disinfected c:\windows\sepsd.bin
Adware:adware/portalscan Not disinfected c:\program files\System Soap Pro
Adware:adware/iedriver Not disinfected Windows Registry
Adware:adware/commad Not disinfected Windows Registry
Spyware:spyware/apropos Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
Adware:adware/limeshop Not disinfected Windows Registry
Adware:adware/savenow Not disinfected Windows Registry
Adware:adware/sahagent Not disinfected Windows Registry
Adware:adware/sqwire Not disinfected Windows Registry
Adware:adware/zipclix Not disinfected Windows Registry
Adware:adware/adrotator Not disinfected Windows Registry
Adware:adware/popupsearches Not disinfected Windows Registry
Adware:adware/mirar Not disinfected Windows Registry
Spyware:spyware/virtumonde Not disinfected Windows Registry
Adware:adware/sbsoft Not disinfected Windows Registry
Adware:adware/topmoxie Not disinfected Windows Registry
Spyware:spyware/safesurf Not disinfected Windows Registry
Adware:adware/exact.bargainbuddy Not disinfected Windows Registry
Adware:Adware/IEDriver Not disinfected C:\bintheredunthat\Overpro-401.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\VundoFix\VundoFix\process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\VundoFix.exe[process.exe]
Potentially unwanted tool:Application/HideWindow.A Not disinfected C:\hp\bin\FondleWindow.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\hp\bin\Terminator.exe
Adware:Adware/LookSmart Not disinfected C:\Program Files\WordReferenceEnEs\wordreferenceEnEs.dll
Spyware:Cookie/360i Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc117.txt
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc122.txt
Spyware:Cookie/DomainSponsor Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc123.txt
Spyware:Cookie/Go Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc142.txt
Spyware:Cookie/Humanclick Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc146.txt
Spyware:Cookie/DomainSponsor Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc159.txt
Spyware:Cookie/Maxserving Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc168.txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc183.txt
Spyware:Cookie/Sandboxer Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc194.txt
Spyware:Cookie/421 Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc200.txt
Spyware:Cookie/Tickle Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc241.txt
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc307.txt
Spyware:Cookie/Azjmp Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc308.txt
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc309.txt
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc310.txt
Spyware:Cookie/Azjmp Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc311.txt
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc317.txt
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc318.txt
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc326.txt
Spyware:Cookie/Azjmp Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc327.txt
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc328.txt
Spyware:Cookie/Azjmp Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc337.txt
Spyware:Cookie/Hbmediapro Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc75.txt
Spyware:Cookie/Gorillanation Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc82.txt
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc97.txt
Spyware:Cookie/Azjmp Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc98.txt
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\S-1-5-21-1487682723-2731309904-3410288154-1006\Dc99.txt
Adware:Adware/CommAd Not disinfected C:\WINDOWS\IA\KE.vbs
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\INF\biC.inf
Adware:Adware/KeenValue Not disinfected C:\WINDOWS\SYSTEM32\in5bCs.dlltmp
  • 0

#6
JSntgRvr
Posted 29 September 2006 - 10:01 AM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,591 posts
Hi, twist4 :whistling:

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep....42037/sb02a.cab


Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

Go to Start->Run, type CMD and click Ok. The MSDOS windo will be displayed. At the prompt type the following (including the quotes) and press Enter after each line:

SC Stop "Microsoft Regulator"
SC Delete "Microsoft Regulator"
Exit

Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

c:\program files\System Soap Pro
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe
    c:\windows\system32\fiz1
    c:\windows\system32\INNERADINSTALL.LOG
    c:\windows\downloaded program files\SbCIe02a.inf
    c:\windows\inf\biini.inf
    C:\Documents and Settings\Owner\Application Data\tvmknwrd.dll
    c:\windows\msbb.exe.temp
    c:\windows\sepsd.bin
    hkey_classes_root\clsid\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
    C:\bintheredunthat\Overpro-401.exe
    C:\WINDOWS\IA\KE.vbs
    C:\WINDOWS\INF\biC.inf
    C:\WINDOWS\SYSTEM32\in5bCs.dlltmp


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Here are some routine maintenance practices that you should do on a regular basis to keep your machine running efficiently. Hopefully going through these steps will solve the alerts you are experiencing.

Disk Cleanup:

http://www.theelderg...nup_utility.htm

Defrag your HD:

http://artsweb.bham....rag-win2kxp.htm

Run chkdsk:

To use Chkdsk, click Start and My Computer. Right-click the hard drive you want to check, and click Properties. Select the Tools tab and click Check Now. Check both boxes. Click Start. You'll get a message that the computer must be rebooted to run a complete check. Click Yes and reboot. Chkdsk will take awhile, so run it when you don't need to use the computer for something else.

Remove unnecessary startups

This should be done through the System Configuration Utility. Go to Start > Run and type in msconfig.
Click OK or hit the Enter key.

Click on the "Startup" tab and remove the check by the items that you have determined are unnecessary. Click "Apply" then "Close"

You will be prompted to restart. Go ahead and restart.

Upon restart you will be confronted with a dialogue box warning about running in selective startup. Just ignore that message and put a check in the box by "Don't show me this message or launch the System Configuration Utility when Windows starts" and click "OK". You will not be bothered by the message again.

Keep in mind that some entries will be re-enabled in the startups each time you use that particular program. Therefore, you will have to find the option in that programs preferences that says something like "Load with Windows" or "Run when Windows Starts" and disable that option.

Go here for info on msconfig:

Pacs Portal

You can look up the startups at the following links to help determine what is needed and what is not:

ComputerCops
BleepingComputer
Answers That Work
Windows Startup

Post a fresh Hiijackthis log afterward and let me know how is the computer doing.
  • 0

#7
twist4
Posted 02 October 2006 - 08:05 AM

twist4

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
:whistling: Thank you JSntgRvr. My computer has been working great all weekend. It has been a long time since it has run this well. I have donated to the site. Thank you so much for all your help. This has been a real lifesaver for me. Here is my latest HiJackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:54:16 AM, on 10/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\AOL\1130274426\ee\AOLSoftware.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 6.0a\aoltray.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM95\aim.exe
c:\program files\common files\aol\1130274426\ee\aolsoftware.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us3.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us3.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://memberservic.../ProvisionLogin
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_0_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1130274426\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0a\aoltray.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Aventail OnDemand - https://remote.nixon...va/ondemand.cab
O16 - DPF: {22D4879A-92DB-470D-8A83-E158797D8176} (Liquid.LiquidHelper) - file://E:\components\Liquid.ocx
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webi...Q/bin/WebIQ.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1156341424046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
  • 0

#8
JSntgRvr
Posted 02 October 2006 - 02:32 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,591 posts
Hi, twist4. :blink:

Congratulations.Posted Image

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK..

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

Glad I could be of help. :whistling: Best wishes!
  • 0

#9
twist4
Posted 04 October 2006 - 10:25 AM

twist4

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
:whistling: Okay, the computer has seemed to be running pretty well but yesterday while I was working in MicrosoftWord, and the internet was closed, the computer started making scary grinding noises and I again received a message, "Windows has been closed down. kernel-data-inpage-error" followed by a message, "dumping physical memory." You may recall this is the same message I received when I first sought your help. I re-booted the computer and everything appeared to be normal. I ran Spybot and "Command Services" appeared again (which also was appearing all the time before I got your help.) After asking Spybot to fix these problems, I ran a complete scan on ewido and no high risks appeared--just some tracking cookies (although I did again get the message I was getting earlier: "!ewido-exe.-corrupt file. The file or directory C: is corrupt and unreadable. Please run the Chkdsk utility". Do you think the kernel-data-inpage-error" I received is unrelated to the malware problems I was experiencing? Any suggestions? Thanks again!
  • 0

#10
JSntgRvr
Posted 04 October 2006 - 10:37 AM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,591 posts
Hi, twist4 :whistling:

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop.

RegSearch Options File

[Search]
CMDSERVICE

[Exclude]

[Options]
Filter=KVDLUI



2. Download Registry Search to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe
  • Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please reply here with the entire contents of the Notepad file from RegSearch.

  • 0

#11
twist4
Posted 04 October 2006 - 07:10 PM

twist4

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi JSntgRvr :whistling: Here's the Registry Search file. Many thanks.

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 10/4/2006 8:59:15 PM for strings:
; 'cmdservice'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000]
"Service"="cmdService"

; End Of The Log...
  • 0

#12
JSntgRvr
Posted 04 October 2006 - 08:41 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,591 posts
Hi, twist4 :whistling:

Click Here to download delcmdservice (by Marckie), and save it to your Desktop.
  • Unzip the content to your Desktop (a folder named delcmdservice)
  • Double-click on the delcmdservice folder
  • Double-click on delreg.bat to launch the tool
  • When the tool has finished, please reboot your computer.
After restarting the computer, run Registry Search with the same options above again to confirm the removal of these entries, and post the report.

Keep me posted.
  • 0

#13
twist4
Posted 05 October 2006 - 06:15 AM

twist4

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
:whistling: Thanks, JSntgRvr. Here are the contents of the new RegSearch file:

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 10/5/2006 8:09:07 AM for strings:
; 'cmdservice'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_USERS\S-1-5-21-1487682723-2731309904-3410288154-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\Temporary Directory 2 for delcmdservice[1].zip\\delcmdservice\\delreg.bat"="delreg"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\Temporary Directory 3 for delcmdservice[1].zip\\delcmdservice\\delreg.bat"="delreg"
"C:\\Documents and Settings\\Owner\\Local Settings\\Temporary Internet Files\\Content.IE5\\V2HLMG5Z\\delcmdservice[1]\\delcmdservice\\delreg.bat"="delreg"

; End Of The Log...
  • 0

#14
JSntgRvr
Posted 05 October 2006 - 11:20 AM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,591 posts
Hi, twist4 :whistling:

It is gone. How is the computer doing?
  • 0

#15
JSntgRvr
Posted 22 October 2006 - 01:31 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,591 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP