
Bad adware problem

hello


I have been having extreme adware issues for the past week or so, and it is really irritating the crap out of me. I have had SP2, and my Windows Update runs every morning. Despite this, my Explorer hangs because pop-ups load every few seconds, all my system resources are being sucked up, and all my applications are slowed down drastically.
I have Spybot, Ad-Aware, and AVG and have run these at least 100 times each. I have run all 3 in safe mode as well. Here is my HijackThis log; I hope SOMEONE can help me get my computer back to its normal state.


Logfile of HijackThis v1.99.1
Scan saved at 12:16:41 PM, on 6/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\PopUp Killer\popupkiller.EXE
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\?ppPatch\d?dplay.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qjfae.exe
F2 - REG:system.ini: UserInit=userinit.exe,cemeppa.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7A32D9F2-4A35-69EB-6153-4C71B32ECD98} - C:\WINDOWS\system32\pdie.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\popupkiller.EXE
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [{DD-D8-8B-B9-ZN}] c:\windows\system32\prdsregj.exe GID003
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [defender] C:\\defender24.exe
O4 - HKLM\..\Run: [luxzgtcA] C:\WINDOWS\luxzgtcA.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [keyboard] C:\\keyboard24.exe
O4 - HKLM\..\Run: [newname] C:\\newname24.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Roct] "C:\DOCUME~1\Linda\APPLIC~1\ICROSO~1.NET\smss.exe" -vt yazr
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Iygzjpr] C:\WINDOWS\?ppPatch\d?dplay.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Zeno.lnk.disabled
O4 - Startup: Z_Start.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O4 - Global Startup: WarpSpeeder Tray Icon.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://remote.trostel.com/msrdp.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: repairs303169587.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

rufio20

Hi,
Download The Avenger by Swandog46 to your Desktop.

Download CCleaner and install it. Do not run it now!

Download and install Ewido Security Suite v3.5 . After download, double click on the file to launch the install process. During installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". Launch ewido by double-clicking the "e" icon on your desktop. The program will prompt you to update - click the "OK" button. On the left side of the main screen, click on "Update" and then click "Start Update". The update will start and a progress bar will show the updates being installed. After the updates are installed, you will see "Update Successful" in the lower left corner.
If you are having problems with the updater, use this link to manually update. Exit Ewido when done - DO NOT perform a scan yet.


Reboot in Safe Mode:-
Restart (or switch on) the PC, then keep tapping the F8 key. From the menu that is displayed, choose Safe Mode and press Enter.


Uninstall this Software from Add/Remove Programs in Control Panel, if found:-
Purity Scan


Run HijackThis and click Do only a System scan. Then put a check mark in front of the entries listed below:-

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qjfae.exe
F2 - REG:system.ini: UserInit=userinit.exe,cemeppa.exe
O2 - BHO: (no name) - {7A32D9F2-4A35-69EB-6153-4C71B32ECD98} - C:\WINDOWS\system32\pdie.dll
O4 - HKLM\..\Run: [{DD-D8-8B-B9-ZN}] c:\windows\system32\prdsregj.exe GID003
O4 - HKLM\..\Run: [defender] C:\\defender24.exe
O4 - HKLM\..\Run: [luxzgtcA] C:\WINDOWS\luxzgtcA.exe
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [keyboard] C:\\keyboard24.exe
O4 - HKLM\..\Run: [newname] C:\\newname24.exe
O4 - HKCU\..\Run: [Roct] "C:\DOCUME~1\Linda\APPLIC~1\ICROSO~1.NET\smss.exe" -vt yazr
O4 - HKCU\..\Run: [Iygzjpr] C:\WINDOWS\?ppPatch\d?dplay.exe
O4 - Startup: Zeno.lnk.disabled
O4 - Startup: Z_Start.lnk.disabled
O4 - Global Startup: WarpSpeeder Tray Icon.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O20 - AppInit_DLLs: repairs303169587.dll

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.

Run CCleaner, click "Options" button and here go to "Advanced" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally click "Run Cleaner" and click "OK" to continue cleaning.

Run Ewido, click on the "Scanner" button in the left menu, then click on the "Settings", here select the option "Scan every file" and click "OK". Next, click "Complete System Scan" button to start scan. If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK. When the scan finishes, click on "Save Report". This will create a text file.


Reboot to Normal Mode. Double-click on Avenger.zip to open the file and extract avenger.exe to your Desktop. Copy the quoted text below (which is a script for Avenger) into your clipboard by highlighting it and pressing the CTRL C keys:-
Files to delete:
C:\WINDOWS\system32\qjfae.exe
C:\WINDOWS\system32\cemeppa.exe
C:\WINDOWS\cemeppa.exe
c:\windows\system32\prdsregj.exe
C:\WINDOWS\system32\dmonwv.dll
C:\defender24.exe
C:\WINDOWS\luxzgtcA.exe
C:\WINDOWS\xload.exe
C:\keyboard24.exe
C:\newname24.exe
C:\WINDOWS\system32\repairs303169587.dll

Now, run The Avenger program by double-clicking its icon on your Desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script".
Paste the text copied to clipboard into this window by pressing Ctrl V keys.
Click Done.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.

The Avenger will automatically do the following:-
It will restart your computer.
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the reboot, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt

Run HijackThis again, click Do a System scan and save log, and post the fresh log along with the Ewido log and the Avenger log.

swatkat

After doing above mentioned things, run this batch file. Here's how to create it, open NotePad and copy the contents of the below "Quote" box:-
cd\
cd DOCUME~1
cd Linda
cd APPLIC~1
REM list the folder whose short name is ICROSO~1.NET, with its long name and date
dir ICROSO* > C:\info1.txt
cd\
cd %windir%
REM list both AppPatch and the look-alike folder that matches ?ppPatch
dir ?ppPatch > C:\info2.txt
cd\
REM join the two listings into one file and remove the parts
copy info1.txt + info2.txt = info.txt
del info1.txt
del info2.txt
In NotePad, go to File Menu > Save As and type the filename as Test.BAT and save the file in the desired location. Exit from NotePad.

Double-click on the Test.bat file. A DOS type window should open and close by itself. After this, there will be a text file named Info.txt in C:\ drive. Copy the contents of this Info.txt file and please post it here, in your next reply.

swatkat

Ok, this probably isn't good. I followed your instructions to a T. Here are the results.


Ewido Anti-Virus:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:35:15 AM, 6/5/2006
+ Report-Checksum: FDD88420

+ Scan result:

:mozilla.13:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Linda\Cookies\linda@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Linda\Cookies\linda@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Linda\Cookies\linda@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Linda\Cookies\linda@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup
C:\Documents and Settings\Linda\Cookies\linda@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Linda\Cookies\linda@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup


::Report End

AVENGER

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: could not create zip file.
Error code: 0


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vbfrmaav

*******************

Script file located at: \??\C:\WINDOWS\wdbvtnyo.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\qjfae.exe not found!
Deletion of file C:\WINDOWS\system32\qjfae.exe failed!

Could not process line:
C:\WINDOWS\system32\qjfae.exe
Status: 0xc0000034

File C:\WINDOWS\system32\cemeppa.exe not found!
Deletion of file C:\WINDOWS\system32\cemeppa.exe failed!

Could not process line:
C:\WINDOWS\system32\cemeppa.exe
Status: 0xc0000034

File C:\WINDOWS\cemeppa.exe not found!
Deletion of file C:\WINDOWS\cemeppa.exe failed!

Could not process line:
C:\WINDOWS\cemeppa.exe
Status: 0xc0000034

File C:\WINDOWS\system32\prdsregj.exe not found!
Deletion of file C:\WINDOWS\system32\prdsregj.exe failed!

Could not process line:
C:\WINDOWS\system32\prdsregj.exe
Status: 0xc0000034

File C:\WINDOWS\system32\dmonwv.dll not found!
Deletion of file C:\WINDOWS\system32\dmonwv.dll failed!

Could not process line:
C:\WINDOWS\system32\dmonwv.dll
Status: 0xc0000034

File C:\defender24.exe not found!
Deletion of file C:\defender24.exe failed!

Could not process line:
C:\defender24.exe
Status: 0xc0000034

File C:\WINDOWS\luxzgtcA.exe not found!
Deletion of file C:\WINDOWS\luxzgtcA.exe failed!

Could not process line:
C:\WINDOWS\luxzgtcA.exe
Status: 0xc0000034

File C:\WINDOWS\xload.exe not found!
Deletion of file C:\WINDOWS\xload.exe failed!

Could not process line:
C:\WINDOWS\xload.exe
Status: 0xc0000034

File C:\keyboard24.exe not found!
Deletion of file C:\keyboard24.exe failed!

Could not process line:
C:\keyboard24.exe
Status: 0xc0000034

File C:\newname24.exe not found!
Deletion of file C:\newname24.exe failed!

Could not process line:
C:\newname24.exe
Status: 0xc0000034

File C:\WINDOWS\system32\repairs303169587.dll not found!
Deletion of file C:\WINDOWS\system32\repairs303169587.dll failed!

Could not process line:
C:\WINDOWS\system32\repairs303169587.dll
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

HJTlog

Logfile of HijackThis v1.99.1
Scan saved at 10:43:10 AM, on 6/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\PopUp Killer\popupkiller.EXE
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qjfae.exe
F2 - REG:system.ini: UserInit=userinit.exe,cemeppa.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\popupkiller.EXE
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [keyboard] C:\\keyboard24.exe
O4 - HKLM\..\Run: [newname] C:\\newname24.exe
O4 - HKLM\..\Run: [{DD-D8-8B-B9-ZN}] c:\windows\system32\prdsregj.exe GID003
O4 - HKLM\..\Run: [luxzgtcA] C:\WINDOWS\luxzgtcA.exe
O4 - HKLM\..\Run: [defender] C:\\defender24.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Roct] "C:\DOCUME~1\Linda\APPLIC~1\ICROSO~1.NET\smss.exe" -vt yazr
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Iygzjpr] C:\WINDOWS\?ppPatch\d?dplay.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Zeno.lnk.disabled
O4 - Startup: Z_Start.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://remote.trostel.com/msrdp.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: repairs303169587.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

and here is info.txt

Volume in drive C has no label.
Volume Serial Number is 288D-D8B9

Directory of C:\DOCUME~1\Linda\APPLIC~1

06/02/2006 02:14 PM ?icrosoft.NET
0 File(s) 0 bytes
1 Dir(s) 46,720,790,528 bytes free
Volume in drive C has no label.
Volume Serial Number is 288D-D8B9

Directory of C:\WINDOWS

05/12/2006 01:52 AM AppPatch
05/31/2006 10:57 AM ?ppPatch
0 File(s) 0 bytes
2 Dir(s) 46,720,790,528 bytes free


I deleted the objects in HijackThis during the safe-mode phase. However, they seemed to install themselves back. Avenger said it found nothing, and the only thing the malware detector found was tracking cookies.

I decided to run Spybot in safe mode after this process, and found this


--- Search result list ---
Command Service: System Service (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: Autorun settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newname

Command Service: Autorun settings (keyboard) (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\keyboard

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

The software says it can fix it in safe mode, but it fails every time. Maybe this has something to do with it?

rufio20

Hi,
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "BFU"

Please download Brute Force Uninstaller to your desktop.
Right-click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)" or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not run the Uninstaller and the Remover yet.

Please reboot into Safemode:
Turn on the computer.
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.


Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe

Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu

Press execute and let it do its job.

Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.


Reboot into Normal mode. Now, download sidekickFix.bat (right-click on that link and choose Save As). Place sidekickFix.bat in your C:\BFU folder (Important!).
Close all browsers and Explorer folders.
Double-click on sidekickFix.bat
Click Yes and follow the prompts; when prompted to restart the PC, please do so.

swatkat

After carrying out the above two steps, delete these two folders. The "?" (question mark) in the folder name might appear as it is or as some other character. Please be careful while deleting the folders, because there may be other legitimate folders by that name. Before deleting, right-click on each folder and click "Properties". Check the date and time of folder creation there. If they match the date and time given below, then delete the folders:-

C:\DOCUMENTS AND SETTINGS\Linda\APPLICATION DATA\?icrosoft.NET --> Date: 06/02/2006 and Time: 02:14 PM

C:\WINDOWS\?ppPatch --> Date: 05/31/2006 and Time: 10:57 AM


Finally, please post a fresh HijackThis log.

swatkat

I don't think anything happened. I am going to post a BFU log as well.

Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 1:46:11 PM, on 6/5/2006

Option Unload Explorer: Yes
Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)
Failed: ServiceStop Network Monitor (service not found)
Failed: ServiceStop cmdService (operation failed)
Failed: ServiceDisable Network Monitor (service not found)
Failed: ServiceDelete Network Monitor (service not found)
Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (key not found)
Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (key not found)
Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|winlog (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)
Failed: RegDelValue HKCU\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|WinUpdate.exe (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found)
Option pause between commands: 300 ms
Option pause between commands: 50 ms
Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)
Failed: FolderDelete C:\Program Files\winupdates (folder not found)
Failed: FolderDelete C:\Program Files\winupdate (folder not found)
Failed: FolderDelete C:\Program Files\winsupdater (folder not found)
Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)
Failed: FolderDelete C:\Program Files\MsMovies (folder not found)
Failed: FolderDelete C:\Program Files\wmplayer (folder not found)
Failed: FolderDelete C:\Program Files\outlook (folder not found)
Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)
Failed: FileDelete C:\DOCUME~1\ADMINI~1.OWN\LOCALS~1\Temp\~DF5320.tmp (operation failed)
Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)
Failed: FolderDelete C:\Program Files\DNS (folder not found)
Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)
Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\svchostsys (folder not found)
Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)
Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)
Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)
Failed: FolderDelete C:\Program Files\Update06 (folder not found)
Failed: FolderDelete C:\Program Files\Update03 (folder not found)
Failed: FolderDelete C:\Program Files\Update04 (folder not found)
Failed: FolderDelete C:\Program Files\Update08 (folder not found)
Failed: FolderDelete C:\Program Files\W-Update (folder not found)
Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found)
Failed: FolderDelete C:\Program Files\Cas (folder not found)
Failed: FolderDelete C:\Program Files\CasStub (folder not found)
Failed: FolderDelete C:\Program Files\Cas2Stub (folder not found)
Failed: FolderDelete C:\Program Files\ipwins (folder not found)
Failed: FolderDelete C:\WINDOWS\mdrive (folder not found)
Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)
Script completed.

Here is the HijackThis log; all entries are still intact >.>

Logfile of HijackThis v1.99.1
Scan saved at 2:05:46 PM, on 6/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PopUp Killer\popupkiller.EXE
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qjfae.exe
F2 - REG:system.ini: UserInit=userinit.exe,cemeppa.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\popupkiller.EXE
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [{DD-D8-8B-B9-ZN}] c:\windows\system32\prdsregj.exe GID003
O4 - HKLM\..\Run: [luxzgtcA] C:\WINDOWS\luxzgtcA.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard24.exe
O4 - HKLM\..\Run: [newname] C:\\newname24.exe
O4 - HKLM\..\Run: [defender] C:\\defender24.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Roct] "C:\DOCUME~1\Linda\APPLIC~1\ICROSO~1.NET\smss.exe" -vt yazr
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Iygzjpr] C:\WINDOWS\?ppPatch\d?dplay.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Zeno.lnk.disabled
O4 - Startup: Z_Start.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://remote.trostel.com/msrdp.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: repairs303169587.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe


Those 2 folders I am not sure about; here is what I got:

C:\Documents and Settings\Linda\Application Data\Μicrosoft.NET
This folder contains an empty folder called
ICROSO~1.NET Monday, May 29, 2006, 10:34:27 AM

I have two AppPatch folders, one containing only 1 file called
dvdplay Monday, May 29, 2006, 10:34:41 AM

=/

rufio20
Newbie Poster
6 posts since Jun 2006
Reputation Points: 10
Solved Threads: 0
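A rule-based first pass over a log like the one above, added as an example (it is not from the thread and is not how HijackThis itself classifies entries): it parses the `F2` and `Oxx` lines and flags the patterns a helper reads for by eye, namely extra programs on `Shell=`/`UserInit=`, autoruns that live in odd places or carry an unprintable character, Internet Explorer policy restrictions, and a populated `AppInit_DLLs`. The sample lines are copied verbatim from rufio20's log; the rules, the `SYSTEM_BINARIES` set and the wording of each reason are assumptions and deliberately not a complete whitelist.

```python
"""Rule-based triage of HijackThis 1.99 log entries.

Added example; not from the thread and not HijackThis's own logic.  It
parses the entry lines and flags what a helper looks for by eye:
Shell=/UserInit= hijacks, autoruns in odd locations, IE policy
restrictions and AppInit_DLLs.  The rules are assumptions, not a
whitelist; every hit still needs a human decision.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: lines copied verbatim from the log posted in the thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qjfae.exe
F2 - REG:system.ini: UserInit=userinit.exe,cemeppa.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [keyboard] C:\\keyboard24.exe
O4 - HKCU\..\Run: [Roct] "C:\DOCUME~1\Linda\APPLIC~1\ICROSO~1.NET\smss.exe" -vt yazr
O4 - HKCU\..\Run: [Iygzjpr] C:\WINDOWS\?ppPatch\d?dplay.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - AppInit_DLLs: repairs303169587.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
"""

# Names of core Windows binaries that legitimately live only in System32
# (assumption: a short set is enough to catch the 'smss.exe' trick above).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "explorer.exe"}

ENTRY_RE = re.compile(r"^(?P<kind>F\d|O\d+) - (?P<body>.+)$")
# Only the registry Run-key form of O4 is handled here, not .lnk startups.
O4_RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    line: str
    reasons: list[str]


def exe_path(cmd: str) -> str:
    """First token of an autorun command: the quoted path, or the text up
    to the first space (arguments such as '-vt yazr' are dropped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check_f2(body: str) -> list[str]:
    """Shell= must be exactly Explorer.exe; UserInit= must be userinit.exe alone."""
    m = re.match(r"^REG:system\.ini: (Shell|UserInit)=(.*)$", body)
    if not m:
        return []
    key, value = m.group(1), m.group(2).strip()
    if key == "Shell" and value.lower() != "explorer.exe":
        return [f"Shell= launches something besides Explorer.exe: {value}"]
    if key == "UserInit":
        parts = [p.strip().lower() for p in value.split(",") if p.strip()]
        if parts not in (["userinit.exe"], ["c:\\windows\\system32\\userinit.exe"]):
            return [f"UserInit= has an extra program: {value}"]
    return []


def check_o4(path: str) -> list[str]:
    """Location-based heuristics for an autorun executable path."""
    reasons = []
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    if "?" in path:
        reasons.append("path contains '?': a non-ASCII look-alike character the console could not print")
    if re.match(r"^[a-z]:\\\\[^\\]+$", low):
        reasons.append("doubled backslash: executable sits directly in the drive root")
    if base in SYSTEM_BINARIES and "\\system32\\" not in low:
        reasons.append(f"system binary name {base} found outside System32")
    if re.match(r"^[a-z]:\\windows\\[^\\]+\.exe$", low):
        reasons.append("executable directly in %WinDir% rather than a subfolder (review)")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per entry line that trips at least one rule."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        reasons: list[str] = []
        if kind == "F2":
            reasons = check_f2(body)
        elif kind == "O4":
            run = O4_RUN_RE.match(body)
            if run:
                reasons = check_o4(exe_path(run.group("cmd")))
        elif kind == "O6":
            reasons = ["Internet Explorer policy restrictions set; malware often does this to hide its changes"]
        elif kind == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            reasons = ["AppInit_DLLs loads a DLL into every process that uses user32.dll"]
        if reasons:
            findings.append(Finding(line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

The `xload` hit is deliberately labelled "review" rather than bad: legitimate vendor tools (SOUNDMAN.EXE in this very log) also run from `C:\WINDOWS`, so location alone is a prompt to look at the file's signer, version info and creation date, not a verdict; the `Shell=`, `UserInit=`, root-of-drive and `smss.exe`-under-Application-Data hits are the ones that almost never have an innocent explanation.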
 

Hi,
Download WinPFind.ZIP and completely extract it to a folder.

We shall do an online scan at F-Secure. Please visit: F-Secure Online Scanner Next Generation Beta
1. Click on the link "F-Secure Online Scanner Next Generation Beta".
2. You may receive an alert on the address bar at this point to install the ActiveX control.
3. Click on that alert and then click "Install ActiveX component".
4. Read the license agreement and click "Accept".
5. Click "Full System Scan" to download the scanning components and begin scan and cleaning.
6. When done click "Show report" and copy/paste its contents into your next reply.

(F-Secure scan works only in Internet Explorer browser)

After the scan run WinPFind.exe and click "Start Scan". When the scan completes, click "Copy to Clipboard" button to copy the log it gives, and please post it here along with F-Secure scan log.



C:\Documents and Settings\Linda\Application Data\Μicrosoft.NET
This folder contains an empty folder called
ICROSO~1.NET Monday, May 29, 2006, 10:34:27 AM

I have two AppPatch folders, one containing only 1 file called
dvdplay Monday, May 29, 2006, 10:34:41 AM


Yes, please delete those two folders.

swatkat
Practically a Master Poster
645 posts since Jul 2005
Reputation Points: 25
Solved Threads: 51
 

I had a problem with the Anti-Virus...
Scanned twice, and every time it starts to clean it says there is an error and restarts everything.

Here is the WinPFind log:

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 10/17/2005 7:05:48 AM 200192 C:\WINDOWS\eiunin21.exe

Checking %System% folder...
PEC2 8/4/2004 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 5/24/2006 5:42:26 PM 619156 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 5/24/2006 5:42:26 PM 619156 C:\WINDOWS\SYSTEM32\DivX.dll
PTech 5/23/2006 5:26:00 PM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 5/3/2006 9:26:24 PM 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 5/3/2006 9:26:24 PM 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 7:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 7:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/4/2004 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 5/23/2006 5:25:52 PM 285488 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
UPX! 6/1/2006 12:30:30 PM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 6/1/2006 12:30:30 PM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 6/1/2006 12:30:30 PM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 6/1/2006 12:30:30 PM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
6/5/2006 11:06:58 PM S 2048 C:\WINDOWS\bootstat.dat
6/6/2006 11:53:28 AM H 54156 C:\WINDOWS\QTFont.qfn
5/12/2006 9:04:40 AM RH 749 C:\WINDOWS\WindowsShell.Manifest
5/12/2006 9:04:50 AM H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
5/12/2006 9:05:38 AM HS 67 C:\WINDOWS\Fonts\desktop.ini
6/1/2006 12:54:46 PM H 0 C:\WINDOWS\inf\oem7.inf
5/12/2006 9:04:50 AM H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
5/12/2006 9:05:16 AM RHS 727 C:\WINDOWS\pchealth\helpctr\PackageStore\package_1.cab
5/12/2006 9:05:16 AM RHS 19854 C:\WINDOWS\pchealth\helpctr\PackageStore\package_2.cab
5/12/2006 9:05:16 AM RHS 244933 C:\WINDOWS\pchealth\helpctr\PackageStore\package_3.cab
5/12/2006 9:06:22 AM H 225280 C:\WINDOWS\repair\ntuser.dat
5/12/2006 5:06:38 PM RHS 88 C:\WINDOWS\system32\1E00B0BBD9.sys
5/12/2006 9:04:40 AM RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest
5/12/2006 9:04:50 AM RH 488 C:\WINDOWS\system32\logonui.exe.manifest
5/12/2006 9:04:40 AM RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest
5/12/2006 9:04:40 AM RH 749 C:\WINDOWS\system32\nwc.cpl.manifest
5/12/2006 9:04:40 AM RH 749 C:\WINDOWS\system32\sapi.cpl.manifest
5/12/2006 9:04:50 AM RH 488 C:\WINDOWS\system32\WindowsLogon.manifest
5/12/2006 9:04:40 AM RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
4/18/2006 2:17:08 AM S 14054 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB908531.cat
5/2/2006 1:02:32 AM S 464431 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem3.CAT
5/17/2006 11:24:42 AM S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WGA.cat
5/23/2006 5:27:00 PM S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
6/6/2006 9:33:26 AM H 1024 C:\WINDOWS\system32\config\default.LOG
6/5/2006 11:07:02 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
6/6/2006 12:17:02 AM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
6/6/2006 12:59:18 PM H 1024 C:\WINDOWS\system32\config\software.LOG
6/6/2006 12:21:32 PM H 1024 C:\WINDOWS\system32\config\system.LOG
5/12/2006 1:52:38 AM H 1024 C:\WINDOWS\system32\config\TempKey.LOG
5/12/2006 1:52:40 AM H 1024 C:\WINDOWS\system32\config\userdiff.LOG
6/2/2006 9:36:26 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
5/12/2006 1:54:04 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini
5/12/2006 1:54:04 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
5/12/2006 9:09:44 AM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
5/12/2006 9:09:44 AM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
5/12/2006 9:09:44 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
5/12/2006 9:09:44 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
5/12/2006 9:09:44 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4V8J45S5\desktop.ini
5/12/2006 9:09:44 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6LKF27UB\desktop.ini
5/12/2006 9:09:44 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UN016PSX\desktop.ini
5/12/2006 9:09:44 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WTWTU9C7\desktop.ini
5/12/2006 9:04:52 AM HS 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini
5/12/2006 1:54:04 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini
5/12/2006 9:06:20 AM HS 148 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini
5/12/2006 9:06:20 AM HS 482 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
5/12/2006 9:06:20 AM HS 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
5/12/2006 9:06:20 AM HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
5/12/2006 9:06:20 AM HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
5/11/2006 6:33:46 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\0fadf055-87ac-4354-84ff-4da37ade8ce6
5/11/2006 6:33:46 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
5/12/2006 9:09:48 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\8cb73233-8a8c-4297-9cf0-032f9643dcd6
5/11/2006 6:43:20 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\f75f327a-6f40-498c-abc8-1d3efcc64f6b
5/11/2006 6:43:20 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
6/5/2006 11:07:02 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 7:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 4/20/2006 5:01:06 PM 18788352 C:\WINDOWS\SYSTEM32\alsndmgr.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
3/9/2006 3:29:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Wacom Technology, Corp. 4/6/2006 8:58:26 AM 1282048 C:\WINDOWS\SYSTEM32\PenTablet.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
WIBU-SYSTEMS AG 12/27/2001 10:59:22 AM 716800 C:\WINDOWS\SYSTEM32\Wibuke32.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Realtek Semiconductor Corp. 1/11/2006 5:36:26 PM 18780160 C:\WINDOWS\SYSTEM32\ReinstallBackups\0007\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
5/22/2006 10:43:02 PM 1918 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
5/12/2006 6:15:24 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
5/12/2006 9:06:20 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
5/21/2006 12:09:30 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
5/12/2006 3:50:42 PM 878 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
5/12/2006 1:54:04 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
5/28/2006 8:02:08 AM 1755 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
5/12/2006 6:22:48 PM 988 C:\Documents and Settings\Linda\Start Menu\Programs\Startup\Adobe Gamma.lnk
5/22/2006 8:01:16 PM 718 C:\Documents and Settings\Linda\Start Menu\Programs\Startup\BitTorrent.lnk
5/12/2006 9:06:20 AM HS 84 C:\Documents and Settings\Linda\Start Menu\Programs\Startup\desktop.ini
5/11/2006 11:14:18 PM 876 C:\Documents and Settings\Linda\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk

Checking files in %USERPROFILE%\Application Data folder...
5/12/2006 6:13:50 PM 1563 C:\Documents and Settings\Linda\Application Data\AdobeDLM.log
5/12/2006 1:54:04 AM HS 62 C:\Documents and Settings\Linda\Application Data\desktop.ini
5/12/2006 6:13:50 PM 0 C:\Documents and Settings\Linda\Application Data\dm.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{2610AEF6-7C4A-4427-B2E0-65F733290F76} =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\CTMTPMediaExplorer
{7895F317-A125-42CC-BD3E-5830765CE577} = C:\PROGRA~1\Creative\SHARED~1\CTCmeCtx.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\CTMTPMediaExplorer
{7895F317-A125-42CC-BD3E-5830765CE577} = C:\PROGRA~1\Creative\SHARED~1\CTCmeCtx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{00020000-0000-1011-8004-0000C06B5161}
= C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}
= "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{CE3A44D8-BC88-4D62-A890-42D96245F8D6}
= C:\WINDOWS\system32\dmonwv.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AOL Instant Messenger (TM) : C:\Program Files\AIM95\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}
ButtonText = Yahoo! Messenger : C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
VTTrayp VTtrayp.exe
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
RemoteControl "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
SoundMan SOUNDMAN.EXE
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
Adobe Photo Downloader "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
PopUpKiller C:\Program Files\PopUp Killer\popupkiller.EXE
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
Google Desktop Search "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
nwiz nwiz.exe /install
xload "C:\WINDOWS\xload.exe"
keyboard C:\\keyboard24.exe
newname C:\\newname24.exe
{DD-D8-8B-B9-ZN} c:\windows\system32\prdsregj.exe GID003
luxzgtcA C:\WINDOWS\luxzgtcA.exe
defender C:\\defender24.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
PhotoShow Deluxe Media Manager C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
Creative Detector "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
AIM C:\Program Files\AIM95\aim.exe -cnetwait.odl
MsnMsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
Yahoo! Pager "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
Roct "C:\DOCUME~1\Linda\APPLIC~1\ICROSO~1.NET\smss.exe" -vt yazr
Iygzjpr C:\WINDOWS\?ppPatch\d?dplay.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
iPodService 3


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^shbwl.exe
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\shbwl.exe
backup C:\WINDOWS\pss\shbwl.exeCommon Startup
location Common Startup
command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\shbwl.exe
item shbwl
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\shbwl.exe
backup C:\WINDOWS\pss\shbwl.exeCommon Startup
location Common Startup
command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\shbwl.exe
item shbwl

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Linda^Start Menu^Programs^Startup^Zeno.lnk
path C:\Documents and Settings\Linda\Start Menu\Programs\Startup\Zeno.lnk
backup C:\WINDOWS\pss\Zeno.lnkStartup
location Startup
command C:\WINDOWS\system32\lwinsqez.exe GID003
item Zeno
path C:\Documents and Settings\Linda\Start Menu\Programs\Startup\Zeno.lnk
backup C:\WINDOWS\pss\Zeno.lnkStartup
location Startup
command C:\WINDOWS\system32\lwinsqez.exe GID003
item Zeno

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Linda^Start Menu^Programs^Startup^Z_Start.lnk
path C:\Documents and Settings\Linda\Start Menu\Programs\Startup\Z_Start.lnk
backup C:\WINDOWS\pss\Z_Start.lnkStartup
location Startup
command C:\WINDOWS\system32\prdsregj.exe GID003
item Z_Start
path C:\Documents and Settings\Linda\Start Menu\Programs\Startup\Z_Start.lnk
backup C:\WINDOWS\pss\Z_Start.lnkStartup
location Startup
command C:\WINDOWS\system32\prdsregj.exe GID003
item Z_Start

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AIM
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command C:\Program Files\AIM95\aim.exe -cnetwait.odl
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command C:\Program Files\AIM95\aim.exe -cnetwait.odl
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\aqsnei
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aaovek
hkey HKLM
command C:\WINDOWS\system32\aaovek.exe reg_run
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aaovek
hkey HKLM
command C:\WINDOWS\system32\aaovek.exe reg_run
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\defender
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item defender24
hkey HKLM
command C:\\defender24.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item defender24
hkey HKLM
command C:\\defender24.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Google Desktop Search
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item GoogleDesktop
hkey HKLM
command "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item GoogleDesktop
hkey HKLM
command "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command "C:\Program Files\iTunes\iTunesHelper.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command "C:\Program Files\iTunes\iTunesHelper.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\luxzgtcA
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item luxzgtcA
hkey HKLM
command C:\WINDOWS\luxzgtcA.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item luxzgtcA
hkey HKLM
command C:\WINDOWS\luxzgtcA.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MsnMsgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MsnMsgr
hkey HKCU
command "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MsnMsgr
hkey HKCU
command "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\New.net Startup
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NEWDOT~2
hkey HKLM
command rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NEWDOT~2
hkey HKLM
command rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\nwiz
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item nwiz
hkey HKLM
command nwiz.exe /install
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item nwiz
hkey HKLM
command nwiz.exe /install
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SurfSideKick 3
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Ssk
hkey HKLM
command C:\Program Files\SurfSideKick 3\Ssk.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Ssk
hkey HKLM
command C:\Program Files\SurfSideKick 3\Ssk.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vnapg
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aaovek
hkey HKCU
command C:\WINDOWS\system32\aaovek.exe reg_run
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aaovek
hkey HKCU
command C:\WINDOWS\system32\aaovek.exe reg_run
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\xload
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item xload
hkey HKLM
command "C:\WINDOWS\xload.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item xload
hkey HKLM
command "C:\WINDOWS\xload.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\{DD-D8-8B-B9-ZN}
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item prdsregj
hkey HKLM
command c:\windows\system32\prdsregj.exe GID003
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item prdsregj
hkey HKLM
command c:\windows\system32\prdsregj.exe GID003
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 2
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit.exe,cemeppa.exe
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs repairs303169587.dll


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/6/2006 1:03:53 PM

rufio20
Newbie Poster
6 posts since Jun 2006
Reputation Points: 10
Solved Threads: 0
 

Something else just occurred.

I have an internet explorer window integrated into my desktop now, it randomly says DEFAULT in big grey letters, or it is just a white box.
I traced the page to ads.zwoops.com

rufio20
Newbie Poster
6 posts since Jun 2006
Reputation Points: 10
Solved Threads: 0
 

Hi,
Let's remove SurfSideKick now! Copy the quoted text below (which is a script for The Avenger) to your clipboard by highlighting it and pressing the CTRL+C keys:-
Files to delete:
C:\WINDOWS\system32\dmonwv.dll
C:\WINDOWS\xload.exe
C:\keyboard24.exe
C:\newname24.exe
c:\windows\system32\prdsregj.exe
C:\WINDOWS\luxzgtcA.exe
C:\defender24.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\shbwl.exe
C:\WINDOWS\pss\shbwl.exe
C:\Documents and Settings\Linda\Start Menu\Programs\Startup\Zeno.lnk
C:\WINDOWS\pss\Zeno.lnk
C:\WINDOWS\system32\lwinsqez.exe
C:\Documents and Settings\Linda\Start Menu\Programs\Startup\Z_Start.lnk
C:\WINDOWS\pss\Z_Start.lnk
C:\WINDOWS\system32\aaovek.exe
C:\WINDOWS\system32\repairs303169587.dll
C:\WINDOWS\repairs303169587.dll
C:\Program Files\SurfSideKick 3\Ssk.exe

Folders to delete:
C:\Program Files\SurfSideKick 3

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Now, run The Avenger program by double clicking its icon on your Desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script".
Paste the text copied to the clipboard into this window by pressing the Ctrl+V keys.
Click Done.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.

The Avenger will automatically do the following:-
It will restart your computer.
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the reboot, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt

Reboot in Safe Mode:-
Restart (or switch on) the PC, then keep tapping the F8 key. From the menu that is displayed, choose Safe Mode and press Enter.


Run HijackThis and click Do only a System scan.
Then put a check mark in front of the entries listed below:-

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qjfae.exe
F2 - REG:system.ini: UserInit=userinit.exe,cemeppa.exe
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [{DD-D8-8B-B9-ZN}] c:\windows\system32\prdsregj.exe GID003
O4 - HKLM\..\Run: [luxzgtcA] C:\WINDOWS\luxzgtcA.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard24.exe
O4 - HKLM\..\Run: [newname] C:\\newname24.exe
O4 - HKLM\..\Run: [defender] C:\\defender24.exe
O4 - HKCU\..\Run: [Roct] "C:\DOCUME~1\Linda\APPLIC~1\ICROSO~1.NET\smss.exe" -vt yazr
O4 - HKCU\..\Run: [Iygzjpr] C:\WINDOWS\?ppPatch\d?dplay.exe
O4 - Startup: Zeno.lnk.disabled
O4 - Startup: Z_Start.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - AppInit_DLLs: repairs303169587.dll

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Run Ewido, click on the "Scanner" button in the left menu, then click on "Settings", select the option "Scan every file" and click "OK". Next, click the "Complete System Scan" button to start the scan. If Ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking OK. When the scan finishes, click on "Save Report". This will create a text file; save it in a convenient location.


Reboot to Normal Mode. Run HijackThis again, click Do a System scan and save log, and post the fresh log along with the Avenger log and Ewido log.

swatkat
Practically a Master Poster
645 posts since Jul 2005
Reputation Points: 25
Solved Threads: 51
 
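The entries swatkat picks out above share a few patterns that can be checked mechanically: a Winlogon Shell or UserInit value carrying a second binary, a populated AppInit_DLLs, an executable dropped in the drive root, a core process name (smss.exe) living under a user profile, a Run entry whose path HijackThis prints with `?` because it contains a character it cannot display, and a Run entry named like a CLSID but containing non-hex characters. The script below is an added example and is not part of this thread or of HijackThis itself; it parses the F2/O4/O20 line formats exactly as they are posted here and applies those rules to a constructed sample built from this thread's own log lines. The rules are heuristics: xload.exe in C:\WINDOWS is deliberately not caught, because legitimate programs (SOUNDMAN.EXE on this machine) live there too, so an entry that is not flagged still needs an analyst's eye.

```python
"""Heuristic triage of HijackThis F2/O4/O20 lines for the persistence tricks seen in this thread."""
import os
import re

# Constructed sample: lines copied from the HijackThis output posted in this thread, plus two
# benign entries (AVG, NVIDIA) for contrast. Raw string so the backslashes stay exactly as posted.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qjfae.exe
F2 - REG:system.ini: UserInit=userinit.exe,cemeppa.exe
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [keyboard] C:\\keyboard24.exe
O4 - HKLM\..\Run: [{DD-D8-8B-B9-ZN}] c:\windows\system32\prdsregj.exe GID003
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Roct] "C:\DOCUME~1\Linda\APPLIC~1\ICROSO~1.NET\smss.exe" -vt yazr
O4 - HKCU\..\Run: [Iygzjpr] C:\WINDOWS\?ppPatch\d?dplay.exe
O20 - AppInit_DLLs: repairs303169587.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# What the Winlogon values contain on a clean XP box; anything chained after them is a hook.
WINLOGON_BASELINE = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}
# Core Windows process names that malware borrows so it blends into a process list.
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                        "lsass.exe", "svchost.exe", "explorer.exe"}

WINLOGON_LINE = re.compile(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)", re.I)
RUN_LINE = re.compile(r"O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)")
APPINIT_LINE = re.compile(r"O20 - AppInit_DLLs: (.+)")


def base_name(path):
    """Last path component, tolerant of Windows separators when run on a non-Windows host."""
    return os.path.basename(path.replace("\\", "/")).lower()


def image_path(command):
    """Extract the executable path from a Run command: the quoted part, else up to the first .exe/.dll."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.*?\.(?:exe|dll|com|scr|bat|cmd))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]


def run_entry_findings(name, path):
    """Rules for one O4 Run entry; each hit is a human-readable reason."""
    reasons = []
    if "?" in path:
        reasons.append("path holds a character HijackThis could not print (look-alike folder name)")
    if re.fullmatch(r"[A-Za-z]:\\+[^\\]+", path):
        reasons.append("executable sits directly in the drive root")
    if base_name(path) in SYSTEM_PROCESS_NAMES and "\\windows\\" not in path.lower():
        reasons.append(f"{base_name(path)} is a core Windows process name but lives outside the Windows directory")
    if name.startswith("{") and not re.fullmatch(r"\{[0-9A-Fa-f-]+\}", name):
        reasons.append("entry name imitates a CLSID but contains non-hex characters")
    return reasons


def triage(log_text):
    """Return {line: [reasons]} for every HijackThis line that trips a rule."""
    flagged = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        if (m := WINLOGON_LINE.match(line)):
            key = m.group(1).lower()
            parts = [p.strip().strip('"') for p in m.group(2).split(",") if p.strip()]
            extras = [p for p in parts if base_name(p) not in WINLOGON_BASELINE[key]]
            if extras:
                reasons.append(f"Winlogon {m.group(1)} chains extra binaries: {extras}")
        elif (m := APPINIT_LINE.match(line)):
            reasons.append(f"AppInit_DLLs loads {m.group(1).strip()} into every process that maps user32.dll")
        elif (m := RUN_LINE.match(line)):
            reasons = run_entry_findings(m.group(2), image_path(m.group(3)))
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run it as-is to see the flagged lines, or read a saved HijackThis log into triage(). Every hit still has to be confirmed against the file on disk (the Avenger log later in this thread shows what happens when a path is slightly wrong), and the Winlogon and AppInit_DLLs hits are the ones to fix first, since they reload the malware before any Run entry is processed.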

Woo, I think some progress was made.

Here are the logs:

Avenger

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\chkbaepq
*******************
Script file located at: \??\C:\yapfpnqa.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:

File C:\\WINDOWSsystem32dmonwv.dll not found!
Deletion of file C:\\WINDOWSsystem32dmonwv.dll failed!
Could not process line:
C:\\WINDOWSsystem32dmonwv.dll
Status: 0xc0000034

File C:\\WINDOWSxload.exe not found!
Deletion of file C:\\WINDOWSxload.exe failed!
Could not process line:
C:\\WINDOWSxload.exe
Status: 0xc0000034

File C:\\keyboard24.exe not found!
Deletion of file C:\\keyboard24.exe failed!
Could not process line:
C:\\keyboard24.exe
Status: 0xc0000034

File C:\\newname24.exe not found!
Deletion of file C:\\newname24.exe failed!
Could not process line:
C:\\newname24.exe
Status: 0xc0000034

File c:\\windowssystem32prdsregj.exe not found!
Deletion of file c:\\windowssystem32prdsregj.exe failed!
Could not process line:
c:\\windowssystem32prdsregj.exe
Status: 0xc0000034

File C:\\WINDOWSluxzgtcA.exe not found!
Deletion of file C:\\WINDOWSluxzgtcA.exe failed!
Could not process line:
C:\\WINDOWSluxzgtcA.exe
Status: 0xc0000034

File C:\\defender24.exe not found!
Deletion of file C:\\defender24.exe failed!
Could not process line:
C:\\defender24.exe
Status: 0xc0000034

File C:\\Documents and Settings\All Users\Start Menu\Programs\Startup\shbwl.exe not found!
Deletion of file C:\\Documents and Settings\All Users\Start Menu\Programs\Startup\shbwl.exe failed!
Could not process line:
C:\\Documents and Settings\All Users\Start Menu\Programs\Startup\shbwl.exe
Status: 0xc0000034

File C:\\WINDOWS\pss\shbwl.exe not found!
Deletion of file C:\\WINDOWS\pss\shbwl.exe failed!
Could not process line:
C:\\WINDOWS\pss\shbwl.exe
Status: 0xc0000034

File C:\\Documents and Settings\Linda\Start Menu\Programs\StartupZeno.lnk not found!
Deletion of file C:\\Documents and Settings\Linda\Start Menu\Programs\StartupZeno.lnk failed!
Could not process line:
C:\\Documents and Settings\Linda\Start Menu\Programs\StartupZeno.lnk
Status: 0xc0000034

File C:\\WINDOWS\pss\Zeno.lnk not found!
Deletion of file C:\\WINDOWS\pss\Zeno.lnk failed!
Could not process line:
C:\\WINDOWS\pss\Zeno.lnk
Status: 0xc0000034

File C:\\WINDOWS\system32\lwinsqez.exe not found!
Deletion of file C:\\WINDOWS\system32\lwinsqez.exe failed!
Could not process line:
C:\\WINDOWS\system32\lwinsqez.exe
Status: 0xc0000034

File C:\\Documents and Settings\Linda\Start Menu\Programs\Startup\Z_Start.lnk not found!
Deletion of file C:\\Documents and Settings\Linda\Start Menu\Programs\Startup\Z_Start.lnk failed!
Could not process line:
C:\\Documents and Settings\Linda\Start Menu\Programs\Startup\Z_Start.lnk
Status: 0xc0000034

File C:\\WINDOWS\pss\Z_Start.lnk not found!
Deletion of file C:\\WINDOWS\pss\Z_Start.lnk failed!
Could not process line:
C:\\WINDOWS\pss\Z_Start.lnk
Status: 0xc0000034

File C:\\WINDOWS\system32\aaovek.exe not found!
Deletion of file C:\\WINDOWS\system32\aaovek.exe failed!
Could not process line:
C:\\WINDOWS\system32\aaovek.exe
Status: 0xc0000034

File C:\\WINDOWS\system32\repairs303169587.dll not found!
Deletion of file C:\\WINDOWS\system32\repairs303169587.dll failed!
Could not process line:
C:\\WINDOWS\system32\repairs303169587.dll
Status: 0xc0000034

File C:\\WINDOWS\repairs303169587.dll not found!
Deletion of file C:\\WINDOWS\repairs303169587.dll failed!
Could not process line:
C:\\WINDOWS\repairs303169587.dll
Status: 0xc0000034

Could not open file C:\\Program Files\SurfSideKick 3\Ssk.exe for deletion
Deletion of file C:\\Program Files\SurfSideKick 3\Ssk.exe failed!
Could not process line:
C:\\Program Files\SurfSideKick 3\Ssk.exe
Status: 0xc000003a

Folder C:\\Program Files\SurfSideKick 3 not found!
Deletion of folder C:\\Program Files\SurfSideKick 3 failed!
Could not process line:
C:\\Program Files\SurfSideKick 3
Status: 0xc0000034
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Completed script processing.
*******************
Finished! Terminate.

+ Scan result:
:mozilla.13:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Linda\Cookies\linda@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Linda\Cookies\linda@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Linda\Cookies\linda@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Linda\Cookies\linda@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup
C:\Documents and Settings\Linda\Cookies\linda@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Linda\Cookies\linda@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup

::Report End



Logfile of HijackThis v1.99.1
Scan saved at 9:56:47 AM, on 6/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\PopUp Killer\popupkiller.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\HijackThis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\popupkiller.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Roct] "C:\DOCUME~1\Linda\APPLIC~1\ICROSO~1.NET\smss.exe" -vt yazr
O4 - HKCU\..\Run: [Iygzjpr] C:\WINDOWS\?ppPatch\d?dplay.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://remote.trostel.com/msrdp.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

rufio20
Newbie Poster
6 posts since Jun 2006
Reputation Points: 10
Solved Threads: 0
 

Hi,
Yes, it looks like we got rid of SurfSideKick, a nasty piece of malware! Now, to remove the leftovers of another piece of malware, PurityScan: download CCleaner and install it. Do not run it now!


Please boot the PC into Safe Mode.


Make Windows show all files:-
Go to Start > My Computer. Go to Tools menu, click Folder Options. Uncheck Hide protected operating system files. Then, click to select the option Show hidden files and folders. Click Apply and then click OK to exit.

Delete these folders:-
C:\Documents and Settings\Linda\Application Data\ICROSO~1.NET <-- Delete this, if found.

C:\Documents and Settings\Linda\Application Data\Μicrosoft.NET <--- This folder contains an empty folder called ICROSO~1.NET, dated Monday, May 29, 2006, 10:34:27 AM.

C:\WINDOWS\?ppPatch <--- It will be displayed as AppPatch; delete the one containing a file called dvdplay, dated Monday, May 29, 2006, 10:34:41 AM. The legitimate AppPatch folder will have many files (mostly DLL files); do NOT delete the legitimate folder.


Now run CCleaner and click the "Options" button in the left pane of CCleaner. Here, click "Settings" and then click the "Advanced" button. Here, uncheck the options "Only delete files in Windows Temp folder older than 48 hours" and "Show prompt to backup registry issues".
After unchecking them, click the "Issues" button in the left pane. Here, click "Scan for issues". It takes some time to scan. Once it finishes the scan, click "Fix selected issues". This opens up a new window, here click "Fix all selected issues" button to remove all the detected issues.
After this, click the "Cleaner" button in the left pane and click "Run Cleaner" to clean the temp files.


Run HijackThis and click Do only a System scan. Then put a check mark in front of the entries listed below:-

O4 - HKCU\..\Run: [Roct] "C:\DOCUME~1\Linda\APPLIC~1\ICROSO~1.NET\smss.exe" -vt yazr
O4 - HKCU\..\Run: [Iygzjpr] C:\WINDOWS\?ppPatch\d?dplay.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Reboot to Normal Mode. Perform an online virus scan at Kaspersky Online Scanner (Click the "Kaspersky Online Scanner" button). Save the log it gives after the scan.

Run HijackThis again, click Do a System scan and save log, and post the fresh log along with the Kaspersky log.

swatkat
Practically a Master Poster
645 posts since Jul 2005
Reputation Points: 25
Solved Threads: 51
 
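The two folders named above use the same trick: a folder whose name matches a real Windows folder to the eye but contains a non-ASCII look-alike character (a Greek capital mu in place of the M of Microsoft.NET; the first character of the fake AppPatch is one HijackThis could only print as `?`). The 8.3 short name ICROSO~1.NET in the Run entry is the giveaway, since it lost the leading character. The script below is an added example and not part of this thread: it flags directory names that contain non-ASCII characters and, after folding a small hand-made table of Greek and Cyrillic confusables, equal a protected system-folder name, while leaving genuinely non-ASCII names (an accented file name, say) alone. The Greek capital alpha used for the AppPatch decoy in the sample is an assumption; the thread does not show which character was really used.

```python
"""Spot decoy folders whose names imitate Windows system folders with look-alike characters."""
import os
import unicodedata

# Folder names worth imitating; a name that folds to one of these but is not plain ASCII is a decoy.
PROTECTED_NAMES = {"microsoft.net", "apppatch", "system32", "microsoft", "windows"}

# Assumption: a small hand-made table of Greek and Cyrillic letters that render like Latin ones.
# A production check would load Unicode's confusables.txt instead of this subset.
CONFUSABLES = {
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H", "\u0399": "I", "\u039a": "K",
    "\u039c": "M", "\u039d": "N", "\u039f": "O", "\u03a1": "P", "\u03a4": "T", "\u03a7": "X",   # Greek
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M", "\u041d": "H",
    "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T", "\u0425": "X",                  # Cyrillic caps
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0443": "y",   # Cyrillic lower
}

# Constructed sample: the two decoys from this thread (Greek capital mu for the M of Microsoft.NET;
# the AppPatch decoy's first character is an assumption, since HijackThis printed it as '?', so a
# Greek capital alpha is used here), their genuine counterparts, and a harmless accented name.
SAMPLE_NAMES = ["Microsoft.NET", "\u039cicrosoft.NET", "AppPatch", "\u0391ppPatch", "R\u00e9sum\u00e9"]


def skeleton(name):
    """Fold compatibility forms and known confusables so look-alikes compare equal to the real name."""
    folded = unicodedata.normalize("NFKC", name)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded).lower()


def non_ascii_chars(name):
    """(character, Unicode name) for every non-ASCII character, so the report says what was swapped."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in name if ord(ch) > 127]


def decoy_findings(names):
    """Return (name, folded_name, swapped_chars) for each name that imitates a protected folder."""
    findings = []
    for name in names:
        swapped = non_ascii_chars(name)
        if swapped and skeleton(name) in PROTECTED_NAMES:
            findings.append((name, skeleton(name), swapped))
    return findings


def scan_directory(root):
    """Apply the check to the real entries of one directory, e.g. C:\\WINDOWS or a profile's Application Data."""
    return decoy_findings(os.listdir(root))


if __name__ == "__main__":
    for name, folded, swapped in decoy_findings(SAMPLE_NAMES):
        print(f"{name!r} imitates {folded!r}; swapped characters: {swapped}")
```

Point scan_directory() at C:\WINDOWS and at each profile's Application Data to find the decoys without relying on Explorer's rendering, which is exactly what the trick defeats; the report names the swapped character so the real folder and the fake one can be told apart before anything is deleted.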
