0

".... you did only copy the text and not the lines, and you did not have notepad format wordwrapped checked?" In that I was asking you what you did, not telling you; unchecked is the way to go because punctuation [line returns] will get added if there is wordwrapping, and that interferes.
Anyway.
"The second O2 is MyGlobalSearch toolbar... and should have been removed by running fixkey.reg." - when I posted that I was actually referring to the Panda scan entry which should have been removed, not the one in the hijackthis log [that is a different key]. I could have phrased it better...ok, properly :):-
Panda log:- Potentially unwanted tool:application/myglobalsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404}
Hijack O2:- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37B85A29-692B-4205-9CAD-2626E4993404}
-you do not see that actual key in full in the HT log, but the above is it. Note the same CLSID, {37B85....}.
However what I have done is confuse the syntax of this registry editor with that of regedit.exe. I don't often do that. This new file will work.... I have added the extra keys to remove what you are seeing in the HT log also.

__________________________________________________________
Windows Registry Editor Version 5.00

[-HKEY_USERS\S-1-5-21-436374069-1284227242-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WhenUSave]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}]

[-HKEY_CLASSES_ROOT\clsid\{014DA6C9-189F-421a-88CD-07CFE51CFF10}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37B85A29-692B-4205-9CAD-2626E4993404}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
__________________________________________________________

Sigh... I have given you a bit of a run around the block. Too much to remember. Have I answered everything?
I ask for an ATF run because it cleans out cookies, which things I don't really need to see in a Panda scan because they are benign text objects. There are no rootkits in your Panda log... but it does look truncated. May I assume that the unwanted tool is actually SDFix, as in the previous log?
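Hand-typed .reg fix files like the ones in this thread fail silently when a hive name is misspelled or a CLSID brace is left open: regedit just skips the key and the entry survives the fix. The lint pass below is an added example (my code, not a tool from the thread); the sample file is constructed to contain both of those slips, plus a correct value deletion, so the checks have something to catch.

```python
import re

# Constructed sample modelled on the thread's fix file: line 3 misspells the
# HKEY_USERS hive and line 5 never closes its CLSID brace; line 8 is a valid
# value deletion ("Name"=- removes a single value instead of a whole key).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[-HKEY_USER\S-1-5-21-436374069-1284227242-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"=-
"""

VALID_HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS",
               "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG"}
# reg.exe accepts these short forms on the command line; regedit .reg files do not.
ABBREV_HIVES = {"HKLM", "HKCU", "HKU", "HKCR", "HKCC"}

HEADER_RE = re.compile(r"^(Windows Registry Editor Version 5\.00|REGEDIT4)\s*$")
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]\s*$")          # [Key] creates, [-Key] deletes
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')  # "Name"=data or @=data
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def lint_reg(text):
    """Return a list of (line_no, message) for everything regedit would not apply as intended."""
    problems = []
    lines = text.splitlines()
    start = 0
    if lines and HEADER_RE.match(lines[0]):
        start = 1
    else:
        problems.append((1, "missing or wrong header; expected 'Windows Registry Editor Version 5.00'"))
    in_key = False
    for no, line in enumerate(lines[start:], start=start + 1):
        if not line.strip():
            continue
        m = KEY_RE.match(line)
        if m:
            in_key = True
            path = m.group(2)
            hive = path.split("\\", 1)[0]
            if hive in ABBREV_HIVES:
                problems.append((no, f"abbreviated hive '{hive}' is reg.exe syntax, not .reg syntax"))
            elif hive not in VALID_HIVES:
                problems.append((no, f"unknown hive '{hive}'"))
            # Every '{' that opens a CLSID must be closed before the ']' or the key never matches.
            if path.count("{") != path.count("}"):
                problems.append((no, "unbalanced braces in CLSID; key will not match"))
            for guid_like in re.findall(r"\{[^}]*\}", path):
                if not GUID_RE.fullmatch(guid_like):
                    problems.append((no, f"malformed GUID {guid_like}"))
            continue
        if line.startswith("["):
            problems.append((no, "key line missing closing ']'"))
            continue
        vm = VALUE_RE.match(line)
        if vm:
            if not in_key:
                problems.append((no, "value line before any [key] header"))
            data = vm.group(2)
            # "-" deletes the value; otherwise data must be a quoted string, dword: or hex form.
            if data != "-" and not (data.startswith('"') or data.startswith("dword:") or data.startswith("hex")):
                problems.append((no, f"unrecognised value data {data!r}"))
            continue
        problems.append((no, f"unparseable line {line!r}"))
    return problems


if __name__ == "__main__":
    for no, msg in lint_reg(SAMPLE_REG):
        print(f"line {no}: {msg}")
```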

0

Yeah, I misread that part, but I originally had it unchecked, and with the new file I also made sure it was unchecked, and when I double-clicked it and restarted my computer the:

Hijack O2:- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37B85A29-692B-4205-9CAD-2626E4993404}

or the toolbar that appears in hijackthis is still there when I run hijackthis. Does this mean that the other commands didn't work either?

Also, the SDFix.exe was something I used to remove part of the virus when I had just gotten the virus. I have deleted the exe file, but I still have 2 files called SDFIX and SDFIX_First_Run in C:\WINDOWS\ERUNT. Are they also part of the SDFix.exe file?

0

This is the latest Panda scan after running the new fixkey.reg file:


Incident Status Location

Adware:adware/savenow Not disinfected Windows Registry
Potentially unwanted tool:application/myglobalsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404}
Adware:adware/abox Not disinfected Windows Registry

0

It worked, but it looks like you have active myglobalsearch files in there somewhere which put those keys back up. This will find them:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

0

Hi, I still have 2 files called SDFIX and SDFIX_First_Run in C:\WINDOWS\ERUNT. Are they also part of the SDFix.exe file? As in, is ERUNT a legitimate Windows folder?

There's one crazy entry with a gajillion question marks lol, is that a rootkit? Also, I didn't save the log in notepad when I closed it, it just disappeared, but I copy/pasted before I closed it. Anyway, here's the log:

ComboFix 08-02.05.3 - user 2008-02-04 18:48:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.597 [GMT -8:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\msettings.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.

2008-02-04 13:01 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-03 14:53 . 2008-02-04 15:03 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-03 14:53 . 2008-02-04 15:02 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-03 14:53 . 2008-02-04 15:02 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-03 14:53 . 2008-02-04 15:02 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-01 20:41 . 2008-02-01 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-01-31 20:28 . 2008-02-04 13:24 <DIR> d-------- C:\Program Files\Unlocker
2008-01-31 19:49 . 2008-01-31 19:49 <DIR> d-------- C:\Documents and Settings\user\Application Data\Grisoft
2008-01-31 19:49 . 2008-01-31 19:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-31 19:49 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-16 14:11 . 2008-01-16 14:11 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-01-14 15:38 . 2008-01-28 23:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-14 15:38 . 2008-01-14 15:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-14 15:35 . 2008-01-14 15:35 <DIR> d-------- C:\Program Files\QuickTime
2008-01-14 14:59 . 2008-01-14 14:59 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-14 14:57 . 2008-01-14 14:57 0 --a------ C:\WINDOWS\nsreg.dat
2008-01-10 22:36 . 2008-01-10 22:39 <DIR> d-------- C:\Documents and Settings\user\.idlerc
2008-01-10 22:35 . 2008-01-10 22:42 <DIR> d-------- C:\Python25

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 21:20 --------- d-----w C:\Program Files\MSN Messenger
2008-02-04 21:16 --------- d-----w C:\Program Files\Common Files\Scanner
2008-02-04 02:15 --------- d-----w C:\Program Files\PokerStars
2008-02-03 22:42 --------- d-----w C:\Program Files\Steam
2008-02-02 04:37 --------- d-----w C:\Program Files\ATI Technologies
2008-01-24 00:33 --------- d-----w C:\Program Files\World of Warcraft
2008-01-17 06:49 --------- d-----w C:\Program Files\BackgammonMasters
2008-01-14 22:57 --------- d-----w C:\Documents and Settings\user\Application Data\LimeWire
2007-12-21 05:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2007-12-21 03:53 2,843,136 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-21 03:09 368,640 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-12-21 03:08 272,384 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-12-21 03:02 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-12-21 02:59 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-12-21 02:59 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-12-21 02:59 147,456 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-12-21 02:59 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-12-21 02:58 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-12-21 02:57 512,000 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-12-21 02:56 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-12-21 02:53 9,826,304 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-12-21 02:47 3,120,640 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-12-21 02:36 1,661,696 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-12-21 02:24 46,080 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2007-12-21 02:20 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-12-21 02:20 385,024 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-12-21 02:18 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-12-21 02:17 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-12-21 02:15 159,744 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-12-21 02:11 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-12-17 07:10 --------- d-----w C:\Program Files\DivX
2007-12-11 22:34 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-12-11 22:34 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2004-10-01 23:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [ ]
"TEPA.exe"="C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" [2007-05-14 09:10 2061816]
"TELUS eProtect"="C:\Program Files\TELUS\TELUS eProtect\Rps.exe" [2007-09-13 16:22 310000]
"-FreedomNeedsReboot"="C:\Program Files\TELUS\TELUS eProtect\ZkRunOnceR.exe" [2007-09-13 16:22 13552]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
--a------ 2006-04-06 07:58 9125888 C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-02 18:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 10:56 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2005-03-22 17:26 102400 C:\WINDOWS\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\syscache]
C:\Program Files\Windows NT\NTmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TELUS Security service]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-06-21 09:14 35328 C:\Program Files\Winamp\winampa.exe

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-07-25 20:50]
S3 atirage;atirage;C:\WINDOWS\system32\DRIVERS\atiragem.sys [2001-08-17 12:48]
S3 Radialpoint Security Services;TELUS eProtect;C:\WINDOWS\system32\dllhost.exe [2004-08-04 04:00]

*Newly Created Service* - FVDPUEQIOGXC
.
Contents of the 'Scheduled Tasks' folder
"2007-06-09 16:09:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-31 08:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\AsLV34tt.exe
"2007-08-22 22:35:57 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\AsLV34tt.exe
"2007-11-22 18:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\AsLV34tt.exe
"2007-12-03 19:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\AsLV34tt.exe
"2008-01-12 20:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\AsLV34tt.exe
"2008-02-04 21:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\AsLV34tt.exe
"2008-02-04 22:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\AsLV34tt.exe
"2008-02-04 23:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\AsLV34tt.exe
"2008-02-05 00:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\AsLV34tt.exe
"2008-02-05 01:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\AsLV34tt.exe
"2008-02-05 02:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\AsLV34tt.exe
"2008-01-17 09:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\AsLV34tt.exe
"2008-02-04 03:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\AsLV34tt.exe
"2008-02-04 04:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\AsLV34tt.exe
"2008-02-04 05:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\AsLV34tt.exe
"2008-02-04 06:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\AsLV34tt.exe
"2008-02-04 07:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\AsLV34tt.exe
"2008-01-12 10:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\AsLV34tt.exe
"2008-01-13 11:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\AsLV34tt.exe
"2007-12-31 12:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\AsLV34tt.exe
"2007-12-22 13:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\AsLV34tt.exe
"2007-11-29 14:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\AsLV34tt.exe
"2007-08-22 22:35:57 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\AsLV34tt.exe
"2007-08-22 22:35:57 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\AsLV34tt.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 18:50:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ????<????4@?h??????w????h???Z??w(???*??wt?@?l?@?X?a?????????????????????????,??????????????????????w????g??w0??w????*??w???w?????4@?Z??????????w????l?@????????w????t?@???`?????????l?@?l?@????????w????t?@?????l?@?8?@?l?@?3??s????????????????????8?@?_??s8?@?8?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-04 18:50:31
ComboFix-quarantined-files.txt 2008-02-05 02:50:22
.
2008-01-09 01:21:52 --- E O F ---

0

ERUNT is a registry backup tool used by SDFix. Those files are okay.
I see that you have CyberLink DVD Solution. That uses a process called Powerbar.exe, and I seem to remember that Combofix has always had trouble with that one.
Anyway, that key is broken in your sys because it should show in hijackthis log as an O3 entry. We can remove it; if you wish to have the DVD Solution toolbar you will have to reinstall it.
*Newly Created Service* - FVDPUEQIOGXC : is that to do with Telus?? Does it show in a hijackthis log as an O23 entry?
If you wish to search registry for it, services are located under key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]
If you would like me to look, do this next:
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt
__________________________________________________________
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" /s >>C:\showkey.txt
start C:\showkey.txt
__________________________________________________________

Zip up that file and attach it via Go Advanced button.
Now to try to remove those recalcitrant items run this as Fixkey.bat:

_________________________________________________
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"=-

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37B85A29-692B-4205-9CAD-2626E4993404}]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37B85A29-692B-4205-9CAD-2626E4993404}]
_________________________________________________

0

Hi, sorry but I have a bunch of questions this time. So it's ok to delete the SDFix files anyway? Also, what does the toolbar for DVD Solution do, and do I need it to use the program? Also, if I reinstall the program will the Powerbar.exe come back? Those are my questions before I run Fixkey.bat to remove everything.

I ran the showkey.bat and it produced a huge log. It has my IP address and everything in it, and if I attach the zipped log will anyone else besides you be able to view it?

Here's the latest hijackthis log, I don't seem to see it under O23 but you should take a look as well to be sure:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:14 PM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\TELUS\TELUS eProtect\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TELUS\eProtect Advisor\TEPA.exe
C:\Program Files\TELUS\TELUS eProtect\Rps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TELUS\TELUS eProtect\rpsupdaterR.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS eProtect\pkR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKLM\..\Run: [TELUS eProtect] "C:\Program Files\TELUS\TELUS eProtect\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\TELUS\TELUS eProtect\ZkRunOnceR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: TELUS eProtect Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\TELUS\TELUS eProtect\rpsupdaterR.exe
O23 - Service: TELUS eProtect Firewall (RP_FWS) - TELUS - C:\Program Files\TELUS\TELUS eProtect\Fws.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

--
End of file - 5322 bytes

0

=Cyberlink DVD Solution which you have is for watching, editing and burning DVDs. I don't have it so I do not know what capabilities the toolbar has, but I can tell that yours is broken. To get it to work you would have to reinstall DVD Solution again, anyway.
=SDFix backs up your registry before it makes changes when you run it. You are finished with it, you can delete those files.
=The Showkey log - please edit out anything you regard as sensitive before you post the log because it is publicly available. Really, to be totally secure, you could do the search instead of posting it. I was going to do a text search in notepad for that string FVDPUEQIOGXC from the Combofix log entry *Newly Created Service* - FVDPUEQIOGXC. I wanted to know if that service was associated with Telus, and using an encrypted name. In notepad, Find is under the edit tab. If that string is there just post the relevant key's data starting from the HKEY\ line above. Not being familiar with Telus' product I just wanted to check. Nothing shows in your log.
Yeah, you do the search and just post the result... safer and easier... :)
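The showkey.bat procedure above dumps the whole Services key with reg query /s, and the helper then wants only the key block containing a given service name posted back. This added example (my code, not the thread's) does that search offline: it splits a reg query dump into per-key blocks, finds the blocks whose path or data contain a name, and pulls out the ImagePath so the responder can see what binary a service launches without posting the full log. The dump is constructed; the service name and path in it are placeholders.

```python
import re

# Constructed sample of `reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" /s`
# output. The values and the ExampleSvc service are placeholders, not from a real machine.
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep
    Type    REG_DWORD    0x1
    Start    REG_DWORD    0x1
    DisplayName    REG_SZ    Beep

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep\Security
    Security    REG_BINARY    0100048000000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    C:\WINDOWS\system32\placeholder_service.exe
    DisplayName    REG_SZ    Example Placeholder Service
"""


def parse_reg_dump(dump):
    """Split reg query /s output into {key_path: {value_name: (reg_type, data)}}.

    Each block starts with an unindented HKEY_... line; the indented lines below it
    are its values, separated by runs of whitespace (reg.exe uses tabs or 4 spaces).
    """
    keys = {}
    current = None
    for line in dump.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current is not None:
            parts = re.split(r"\s{2,}|\t", line.strip(), maxsplit=2)
            if len(parts) == 3:
                keys[current][parts[0]] = (parts[1], parts[2])
    return keys


def find_service(keys, needle):
    """Return the key blocks whose path or any value data contains needle (case-insensitive)."""
    needle = needle.lower()
    return {path: values for path, values in keys.items()
            if needle in path.lower()
            or any(needle in data.lower() for _, data in values.values())}


def image_paths(hits):
    """Map each matching service key to the binary it launches, or None if it has no ImagePath."""
    return {path: values.get("ImagePath", (None, None))[1] for path, values in hits.items()}


if __name__ == "__main__":
    keys = parse_reg_dump(SAMPLE_DUMP)
    for name in ("FVDPUEQIOGXC", "ExampleSvc"):
        hits = find_service(keys, name)
        print(name, "->", image_paths(hits) if hits else "not found")
```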

0

Alright, I searched in showkey.txt for FVDPUEQIOGXC and it said ==Cannot find "FVDPUEQIOGXC"==

Also, am I supposed to [format/wordwrap unchecked] and save as Fixkey.bat, as type "all files", to my desktop, and dclick it to run, this here that you wrote (I'm just double checking):
_________________________________________________
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"=-

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37B85A29-692B-4205-9CAD-2626E4993404}]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37B85A29-692B-4205-9CAD-2626E4993404}]
_________________________________________________

0

Yep, do that re fixkey.bat... same procedure as before.
I have noted your not finding that service.
If the BHO at O3 with no file still pops in hijackthis you will have to find it via IE, Tools, Manage Add-ons and disable it in there. Make sure in that window that you select Addons that have been used by IE.

0

Ok, I ran the Fixkey.bat but I haven't restarted my computer yet, and I just ran hijackthis and the O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
is still there. What did you mean by BHO at O3? There are 3 BHOs under the toolbar one.

Also, if I go to tools manage add-ons/enable disable addons and select Addons that have been used by IE, what am I supposed to look for in there?

I now restarted my computer and the toolbar still shows up in hijackthis.

0

You just reported on the BHO I meant. It is used by MyGlobalSearch, and that may or may not show in the Manage Addons window.

0

There is nothing under the name MyGlobalSearch in the Manage Addons window. There are 3 things under the 'Type' Browser Helper Object, they are:

Name: PopKill class
Publisher: Radialpoint

Name: SVVHelper Class
Publisher: Sun Microsystems, Inc.

the last one is Adobe Systems, Incorporated

0

By the way I posted twice, please look at the one above this one as well.
I got a little confused and I still am. I looked back at previous logs and I used to have
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
and that was gone even in the last hijackthis log that I posted, please check this new log and tell me if that global thing is gone from the hijackthis log. Also, do you know what
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
is?:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:15 PM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\TELUS\TELUS eProtect\Fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TELUS\eProtect Advisor\TEPA.exe
C:\Program Files\TELUS\TELUS eProtect\Rps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\TELUS\TELUS eProtect\rpsupdaterR.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\user\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS eProtect\pkR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKLM\..\Run: [TELUS eProtect] "C:\Program Files\TELUS\TELUS eProtect\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\TELUS\TELUS eProtect\ZkRunOnceR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: TELUS eProtect Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\TELUS\TELUS eProtect\rpsupdaterR.exe
O23 - Service: TELUS eProtect Firewall (RP_FWS) - TELUS - C:\Program Files\TELUS\TELUS eProtect\Fws.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

--
End of file - 5355 bytes

0

Those Addons are fine; the radialpoint one is your BHO popup blocker, pkR.dll.
This one we removed: [live messenger, no file]:{7E853D72-626A-48EC-A868-BA8D5E23E045} with fixkey.bat
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file) is the MyGlobalSearch entry, and I don't know why it will not go. Combofix did not find any files associated with it. Did we try fixing it with hijackthis also?
Anyway, it is merely a null registry entry that is not calling any file so it can do no harm if it is left - it points to nothing.

0

LOL we have never tried to fix it with hijackthis yet. You never told me to put a check next to it so i thought you were trying to remove it another way. So should i put a check next to
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
and click on Fix Checked?

Also, --> This one we removed: [live messenger, no file]:{7E853D72-626A-48EC-A868-BA8D5E23E045} with fixkey.bat

Can i ask what that was?

0

Oh dear. Looking back, I see that I wanted to remove some other keys that were not in the hijackthis log so I bundled that O3 entry that refuses to go in with them.
This will show me the contents of the "parent" key:
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt
__________________________________________________________
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s >C:\showkey.txt
start C:\showkey.txt
__________________________________________________________
That done, start hijackthis, place a check against this item and press Fix Checked...
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
..and say if it goes. :)
That other key that we removed is from Windows Live Messenger, an instant messenger service that is the update of MSN messenger. It includes voice, video as well as text messaging.

0

Ok i ran the showkey.bat and then fix checked the O3 toolbar in hijackthis and now the
O3 toolbar doesn't appear in hijackthis anymore when i run it.

Also, "That other key that we removed is from Windows Live Messenger, an instant messenger service that is the update of MSN messenger. It includes voice, video as well as text messaging." Was that file corrupt or something? and will it affect the way i use MSN messenger now?

Here's the log of showkey.txt:


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
<NO NAME> REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3C060EA2-E6A9-4E49-A530-D4657B8C449A}
<NO NAME> REG_SZ Pop-Up Blocker BHO

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
NoExplorer REG_DWORD 0x1

0

Re messenger, no, they are different programs, your MSN messenger will not be affected.
And thanks for the showkey info - now I must find what other keys hijackthis looks at when searching for BHOs. A bit of homework for me.
Well, are you all clean now, everything working satisfactorily?

0
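As an added illustration of the "homework" above (my own example code, not from the thread, from HijackThis or from REG.EXE): a HijackThis O2 line is built by enumerating the subkeys of the `Browser Helper Objects` key shown in showkey.txt and resolving each CLSID through `HKEY_CLASSES_ROOT\CLSID\{...}\InprocServer32` to find the DLL it loads. The script below parses a `reg query /s` dump in the REG.EXE 3.0 text format (the sample is constructed from the showkey.txt posted above, plus one extra CLSID added to mimic an orphaned entry) and resolves the CLSIDs against a constructed lookup table standing in for the live `HKCR\CLSID` hive; entries with no server DLL are reported as "(no file)", the same harmless-but-orphaned state the thread describes.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `reg query "...\Browser Helper Objects" /s` output, modelled
# on the showkey.txt posted in the thread. The last key (37B85A29...) is added here
# to show how a CLSID with no registered server DLL is reported.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

SHOWKEY_TXT = r"""! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
<NO NAME> REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3C060EA2-E6A9-4E49-A530-D4657B8C449A}
<NO NAME> REG_SZ Pop-Up Blocker BHO

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
NoExplorer REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37B85A29-692B-4205-9CAD-2626E4993404}
"""

# Constructed stand-in for HKEY_CLASSES_ROOT\CLSID\{clsid}\InprocServer32 lookups
# (on a live Windows box you would read these with winreg). Names and paths are
# taken from the HijackThis log posted in the thread; the 37B85A29 CLSID is left
# out on purpose so it resolves to "(no file)".
CLSID_TABLE: Dict[str, Tuple[str, str]] = {
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}": ("AcroIEHlprObj Class", r"C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx"),
    "{3C060EA2-E6A9-4E49-A530-D4657B8C449A}": ("Pop-Up Blocker BHO", r"C:\Program Files\TELUS\TELUS eProtect\pkR.dll"),
    "{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}": ("SSVHelper Class", r"C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll"),
}

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")
# A value line is "<name> <REG_type> [data]"; the name is matched lazily so
# names containing spaces (e.g. "<NO NAME>") survive.
VALUE_RE = re.compile(r"^(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)(?:\s+(?P<data>.*))?$")


def parse_reg_query(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Parse REG.EXE 3.0 `reg query /s` output into {key: {value_name: (type, data)}}."""
    keys: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank separator or the "! REG.EXE VERSION" banner
        if line.startswith("HKEY_"):
            current = line  # a new key; its values follow on the next lines
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue  # value line before any key, or an unrecognised line
        keys[current][m.group("name")] = (m.group("type"), m.group("data") or "")
    return keys


def bho_report(reg_text: str, clsid_table: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (clsid, name, dll_path) for every BHO subkey, HijackThis O2 style."""
    table = {k.upper(): v for k, v in clsid_table.items()}
    rows = []
    for key in parse_reg_query(reg_text):
        m = CLSID_RE.search(key)
        if not m:
            continue  # the parent "Browser Helper Objects" key carries no CLSID
        clsid = m.group(0).upper()
        name, path = table.get(clsid, ("(no name)", "(no file)"))
        rows.append((clsid, name, path))
    return rows


def orphaned_bhos(reg_text: str, clsid_table: Dict[str, Tuple[str, str]]) -> List[str]:
    """CLSIDs registered as BHOs but with no server DLL: inert, yet worth cleaning up."""
    return [clsid for clsid, _, path in bho_report(reg_text, clsid_table) if path == "(no file)"]


def format_o2_lines(rows: List[Tuple[str, str, str]]) -> List[str]:
    """Render rows in the "O2 - BHO: name - {clsid} - path" layout HijackThis uses."""
    return ["O2 - BHO: %s - %s - %s" % (name, clsid, path) for clsid, name, path in rows]


if __name__ == "__main__":
    rows = bho_report(SHOWKEY_TXT, CLSID_TABLE)
    for line in format_o2_lines(rows):
        print(line)
    print("Orphaned (registered, no server DLL):", orphaned_bhos(SHOWKEY_TXT, CLSID_TABLE))
```

The `NoExplorer` value on the SSVHelper key is parsed as well; it tells Windows Explorer not to load that BHO, which is why the Java helper only shows up inside Internet Explorer. Run on a real machine, the only change needed is to replace the constructed `CLSID_TABLE` with `winreg` reads of `HKCR\CLSID\{clsid}\InprocServer32`.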

I checked and the messenger i use is windows live messenger, i think it deleted the folder that was in C:\program files.

I ran another panda scan and this is the log, it seems like the same 3 files that showed up last time show up again here and some combofix files:

Incident Status Location

Adware:adware/savenow Not disinfected Windows Registry
Potentially unwanted tool:application/myglobalsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404}
Adware:adware/abox Not disinfected Windows Registry
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\user\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\user\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\Nircmd.exe

0

Hi again.
All we did was stop the toolbar for live messenger displaying [it was corrupted?] - you can put it back on from Messenger options, I believe, or by reinstalling Live Messenger. But the pgm should still be working.
The two Panda entries..
Adware:adware/savenow Not disinfected Windows Registry and...
Adware:adware/abox Not disinfected Windows Registry ... are empty registry entries, they point to no files nor have they process identifiers [CLSIDs like {37B85A21-692B-4205-9CAD-2626E4993404} for eg]; they are merely a couple of empty labels and can do no harm. Unfortunately Panda is not saying where they are and AVG AS did not pick them up, so I cannot remove them for you.
If you are comfortable playing in registry you could search for [using the Find function] and delete them, but if they were in my machine I would not bother devoting the time to that, registry is loaded with such empty entries. Sometimes a good reg cleaner will find a few and remove them, another reg cleaner may well overlook them. They are safe.
If they were active a panda entry would look like this:
Adware:adware/abox Not disinfected C:\WINDOWS\LOGON.EXE
This one....
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404}
Something we cannot see is protecting it. So:
==Download gmer.zip from http://www.majorgeeks.com/GMER_d5198.html
-dclick on gmer.zip and unzip the file to its own folder or to your desktop.
-disconnect from the Internet and close all running programs including those in the system tray (bottom righthand corner ).
-dclick Gmer.exe to start it; using the default settings [ensure your system drive (C: ?) is the only drive checked] just click the Scan button and wait for the scan to finish (do not use your computer during the scan).
-click on the Copy button - this will copy the results to the clipboard. Open Notepad and paste into it.
Post the result here - if it is very long zip it and post as an attachment via Go Advanced.

0

Ok, i searched the registry and found savenow and deleted that. I also searched for abox but it didn't find it. I then searched for HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404}

and i found it in the registry. There is another one right under it with i think the exact name except 2 numbers are different. I didn't touch it in case you're trying to find out what is protecting it. Should i still download and run gmer.zip like you explained?

0

Hey, go ahead and delete it... see what happens - nothing bad, I am sure it will not delete else if it does it will be regenerated quite soon after.
Then or now please run gmer.
Btw, 2 numbers is a world of difference - those things are unique name tags.

0

Actually, cynikal, this is a better plan to check that key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404}:
Go back to that key in registry, rclick on it, go permissions and see if you [also sys admin] have full control and read permission over it; if not then give yourself full control and read permission [the boxes would be checked, just click on the checks to remove them]; apply n ok. Then you should be able to delete it. See if it comes back [you may have to close/open the reg window].
It may have just been a case that the only protection that key has is those permissions being denied to you. If so, no need to run gmer.

0

i just right clicked and deleted HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404}

and it went away. On the other hand, i deleted savenow and its gone from registry but it still appears in the panda scan.

Heres the new panda log:

Incident Status Location

Adware:adware/savenow Not disinfected Windows Registry
Adware:adware/abox Not disinfected Windows Registry
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\user\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\user\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\Nircmd.exe

0

Grrr... fun with registry editor. I don't know why it could not delete that entry if you could do it manually. It is a strange place... the Find function does not always find what is plainly there, either.
That Panda scan looks clean enough to me, cynikal. I cannot pinpoint those empty savenow and abox registry entries for you.
I am afraid also that I am cutting my work here for a while, not taking on any more new queries/threads until I don't know when, so I may not be able to help further. I will be tidying up outstanding issues for a few days, but if you have further problems may I suggest you post anew with those, make a new thread?
It's been fun, and I hope I have helped....
Cheers.

0

THANK YOU SOO MUCH!! You really put a lot of time and effort into helping me fix these problems and rid my computer of viruses and rootkits and other such things. I really appreciate your help and i hope we talk again sometime in the future.

By the way, i'm trying to delete the "gmer" files and the ComboFix files. All the files in the windows folder named gmer (ex. gmer.ini) are part of that program you told me to download and are ok to delete? Also, how do you get rid of all the combofix files? Is it ok if i delete C:\WINDOWS\nircmd.exe ?

Thanks again.

0

=Combofix... for you, very simply go start, run...
ComboFix /u
[if you have not already deleted combofix.exe...]
This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore. But you will have to delete C:\Combofix folder [Nircmd.exe should be in that folder]...., and in Explorer folder options, view settings, uncheck Hide extensions for known file types - most important!
Optionally, or if you have already removed combofix.exe, just delete C:\Qoobox, C:\Documents and Settings\user\Desktop\ComboFix.exe, C:\combofix.txt and C:\Combofix. Adjust Explorer folder options, view settings, to hide Protected operating system files.
=GMER... navigate to C:\WINDOWS\gmer_uninstall.cmd and dclick it; then delete that file and gmer.ini, and also gmer.exe from the folder where you extracted it to. And gmer.zip. :)
=Delete hijackthis.exe. You may wish to keep its .txt files [logs] for comparison purposes.
Easy. Yeah. Complex stuff, computer software... the way it spreads itself about.

0

Hi, I wasn't able to get on my computer for a while but i have 1 question about when you said to "adjust Explorer folder options, view settings, to hide Protected operating system files." I can't find "explorer folder options" is it under "Internet Options" if so where in there?

0

Hi again. Just open an Explorer window [eg to your C: drive] and go Tools, Folder options, View tab.. I like to see my hidden files and folders and also all file extensions.
