0

hello


I have been having extreme adware issues for the past week or so, and it is really irritating the crap out of me. I have had SP2, and my windows update runs every morning. Despite this, my explorer hangs because pop ups load every few seconds, all my system resources are being sucked up, and all my applications are slowed down drastically.
I have spybot, Adaware, and AVG and have ran these at least 100 times each. I have ran all 3 in safe-mode as well. Here is my hijackThis log, I hope SOMEONE can help me get my computer back to it's normal state.


Logfile of HijackThis v1.99.1
Scan saved at 12:16:41 PM, on 6/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\PopUp Killer\popupkiller.EXE
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\?ppPatch\d?dplay.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qjfae.exe
F2 - REG:system.ini: UserInit=userinit.exe,cemeppa.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7A32D9F2-4A35-69EB-6153-4C71B32ECD98} - C:\WINDOWS\system32\pdie.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\popupkiller.EXE
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [{DD-D8-8B-B9-ZN}] c:\windows\system32\prdsregj.exe GID003
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [defender] C:\\defender24.exe
O4 - HKLM\..\Run: [luxzgtcA] C:\WINDOWS\luxzgtcA.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [keyboard] C:\\keyboard24.exe
O4 - HKLM\..\Run: [newname] C:\\newname24.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Roct] "C:\DOCUME~1\Linda\APPLIC~1\ICROSO~1.NET\smss.exe" -vt yazr
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Iygzjpr] C:\WINDOWS\?ppPatch\d?dplay.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Zeno.lnk.disabled
O4 - Startup: Z_Start.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O4 - Global Startup: WarpSpeeder Tray Icon.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://remote.trostel.com/msrdp.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: repairs303169587.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

2
Contributors
12
Replies
13
Views
11 Years
Discussion Span
Last Post by swatkat
0

Hi,
Download The Avenger by Swandog46 to your Desktop.

Download CCleaner and install it. Do not run it now!

Download and install Ewido Security Suite v3.5. After download, double click on the file to launch the install process. During installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". Launch ewido by double-clicking the "e" icon on your desktop. The program will prompt you to update - click the "OK" button. On the left side of the main screen, click on "Update" and then click "Start Update". The update will start and a progress bar will show the updates being installed. After the updates are installed, you will see "Update Successful" in the lower left corner.
If you are having problems with the updater, use this link to manually update. Exit Ewido when done - DO NOT perform a scan yet.


Reboot in Safe Mode:-
Restart (or switch ON) the PC. Then, keep tapping the F8 Key. From the menu that will be displayed, out of which choose Safe Mode and press Enter.


Uninstall this Software from Add/Remove Programs in Control Panel, if found:-
Purity Scan


Run HijackThis and click Do only a System scan. Then put a check mark infront of below listed entries:-

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qjfae.exe
F2 - REG:system.ini: UserInit=userinit.exe,cemeppa.exe
O2 - BHO: (no name) - {7A32D9F2-4A35-69EB-6153-4C71B32ECD98} - C:\WINDOWS\system32\pdie.dll
O4 - HKLM\..\Run: [{DD-D8-8B-B9-ZN}] c:\windows\system32\prdsregj.exe GID003
O4 - HKLM\..\Run: [defender] C:\\defender24.exe
O4 - HKLM\..\Run: [luxzgtcA] C:\WINDOWS\luxzgtcA.exe
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [keyboard] C:\\keyboard24.exe
O4 - HKLM\..\Run: [newname] C:\\newname24.exe
O4 - HKCU\..\Run: [Roct] "C:\DOCUME~1\Linda\APPLIC~1\ICROSO~1.NET\smss.exe" -vt yazr
O4 - HKCU\..\Run: [Iygzjpr] C:\WINDOWS\?ppPatch\d?dplay.exe
O4 - Startup: Zeno.lnk.disabled
O4 - Startup: Z_Start.lnk.disabled
O4 - Global Startup: WarpSpeeder Tray Icon.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O20 - AppInit_DLLs: repairs303169587.dll

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.

Run CCleaner, click "Options" button and here go to "Advanced" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally click "Run Cleaner" and click "OK" to continue cleaning.

Run Ewido, click on the "Scanner" button in the left menu, then click on the "Settings", here select the option "Scan every file" and click "OK". Next, click "Complete System Scan" button to start scan. If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK. When the scan finishes, click on "Save Report". This will create a text file.


Reboot to Normal Mode. Double click on Avenger.zip to open the file and extract avenger.exe to your Desktop.

  • Copy the below quoted text (which is a script for Avenger) into your clipboard by highlighting it and pressing CTRL C keys:-

Files to delete:
C:\WINDOWS\system32\qjfae.exe
C:\WINDOWS\system32\cemeppa.exe
C:\WINDOWS\cemeppa.exe
c:\windows\system32\prdsregj.exe
C:\WINDOWS\system32\dmonwv.dll
C:\defender24.exe
C:\WINDOWS\luxzgtcA.exe
C:\WINDOWS\xload.exe
C:\keyboard24.exe
C:\newname24.exe
C:\WINDOWS\system32\repairs303169587.dll

  • Now, run The Avenger program by double clicking its icon on your Desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script".
  • Paste the text copied to clipboard into this window by pressing Ctrl V keys.
  • Click Done.
  • Now click on the Green Light to begin execution of the script.
  • Answer "Yes" twice when prompted.

The Avenger will automatically do the following:-

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the reboot, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt

Run HijackThis again, click Do a System scan and save log, and post the fresh log along with the Ewido log and Avenger lpg.

0

After doing above mentioned things, run this batch file. Here's how to create it, open NotePad and copy the contents of the below "Quote" box:-

cd\
cd DOCUME~1
cd Linda
cd APPLIC~1
dir ICROSO* > C:\info1.txt
cd\
cd %windir%
dir ?ppPatch > C:\info2.txt
cd\
copy info1.txt + info2.txt = info.txt
del info1.txt
del info2.txt

In NotePad, go to File Menu > Save AS and type the filename as Test.BAT and save the file in desired location. Exit from NotePad.

Double-click on the Test.bat file. A DOS type window should open and close by itself. After this, there will be a text file named Info.txt in C:\ drive. Copy the contents of this Info.txt file and please post it here, in your next reply.

0

Ok, this probably isnt good. Followed your instructions to a T. Here are the results.

Ewido Anti-Virus:
---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:            10:35:15 AM, 6/5/2006
 + Report-Checksum:        FDD88420

 + Scan result:

    :mozilla.13:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
    :mozilla.14:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
    :mozilla.15:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
    :mozilla.16:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
    :mozilla.17:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
    :mozilla.18:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
    :mozilla.19:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
    :mozilla.20:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
    :mozilla.28:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.33:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.34:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.35:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Linda\Cookies\linda@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Linda\Cookies\linda@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
    C:\Documents and Settings\Linda\Cookies\linda@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
    C:\Documents and Settings\Linda\Cookies\linda@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup
    C:\Documents and Settings\Linda\Cookies\linda@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Linda\Cookies\linda@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup


::Report End

AVENGER

//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Error:  could not create zip file.
Error code: 0


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vbfrmaav

*******************

Script file located at: \??\C:\WINDOWS\wdbvtnyo.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\qjfae.exe not found!
Deletion of file C:\WINDOWS\system32\qjfae.exe failed!

Could not process line:
C:\WINDOWS\system32\qjfae.exe
Status: 0xc0000034



File C:\WINDOWS\system32\cemeppa.exe not found!
Deletion of file C:\WINDOWS\system32\cemeppa.exe failed!

Could not process line:
C:\WINDOWS\system32\cemeppa.exe
Status: 0xc0000034



File C:\WINDOWS\cemeppa.exe not found!
Deletion of file C:\WINDOWS\cemeppa.exe failed!

Could not process line:
C:\WINDOWS\cemeppa.exe
Status: 0xc0000034



File C:\WINDOWS\system32\prdsregj.exe not found!
Deletion of file C:\WINDOWS\system32\prdsregj.exe failed!

Could not process line:
C:\WINDOWS\system32\prdsregj.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmonwv.dll not found!
Deletion of file C:\WINDOWS\system32\dmonwv.dll failed!

Could not process line:
C:\WINDOWS\system32\dmonwv.dll
Status: 0xc0000034



File C:\defender24.exe not found!
Deletion of file C:\defender24.exe failed!

Could not process line:
C:\defender24.exe
Status: 0xc0000034



File C:\WINDOWS\luxzgtcA.exe not found!
Deletion of file C:\WINDOWS\luxzgtcA.exe failed!

Could not process line:
C:\WINDOWS\luxzgtcA.exe
Status: 0xc0000034



File C:\WINDOWS\xload.exe not found!
Deletion of file C:\WINDOWS\xload.exe failed!

Could not process line:
C:\WINDOWS\xload.exe
Status: 0xc0000034



File C:\keyboard24.exe not found!
Deletion of file C:\keyboard24.exe failed!

Could not process line:
C:\keyboard24.exe
Status: 0xc0000034



File C:\newname24.exe not found!
Deletion of file C:\newname24.exe failed!

Could not process line:
C:\newname24.exe
Status: 0xc0000034



File C:\WINDOWS\system32\repairs303169587.dll not found!
Deletion of file C:\WINDOWS\system32\repairs303169587.dll failed!

Could not process line:
C:\WINDOWS\system32\repairs303169587.dll
Status: 0xc0000034


Completed script processing.

*******************

Finished!  Terminate.

HJTlog

Logfile of HijackThis v1.99.1
Scan saved at 10:43:10 AM, on 6/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\PopUp Killer\popupkiller.EXE
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qjfae.exe
F2 - REG:system.ini: UserInit=userinit.exe,cemeppa.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\popupkiller.EXE
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [keyboard] C:\\keyboard24.exe
O4 - HKLM\..\Run: [newname] C:\\newname24.exe
O4 - HKLM\..\Run: [{DD-D8-8B-B9-ZN}] c:\windows\system32\prdsregj.exe GID003
O4 - HKLM\..\Run: [luxzgtcA] C:\WINDOWS\luxzgtcA.exe
O4 - HKLM\..\Run: [defender] C:\\defender24.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Roct] "C:\DOCUME~1\Linda\APPLIC~1\ICROSO~1.NET\smss.exe" -vt yazr
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Iygzjpr] C:\WINDOWS\?ppPatch\d?dplay.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Zeno.lnk.disabled
O4 - Startup: Z_Start.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [url]http://go.microsoft.com/fwlink/?linkid=39204[/url]
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - [url]http://remote.trostel.com/msrdp.cab[/url]
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: repairs303169587.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

and here is info.txt

 Volume in drive C has no label.
 Volume Serial Number is 288D-D8B9

 Directory of C:\DOCUME~1\Linda\APPLIC~1

06/02/2006  02:14 PM    <DIR>          ?icrosoft.NET
               0 File(s)              0 bytes
               1 Dir(s)  46,720,790,528 bytes free
 Volume in drive C has no label.
 Volume Serial Number is 288D-D8B9

 Directory of C:\WINDOWS

05/12/2006  01:52 AM    <DIR>          AppPatch
05/31/2006  10:57 AM    <DIR>          ?ppPatch
               0 File(s)              0 bytes
               2 Dir(s)  46,720,790,528 bytes free

I deleted the objects in hijack this during the safemode phase. However, they seemed to install themselves back. Avenger said it found nothing, and the only thing the malware detector found was tracking cookies.

I decided to run spybot in safemode after this process, and found this

--- Search result list ---
Command Service: System Service (Registry key, fixing failed)
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: Autorun settings (Registry value, fixed)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newname

Command Service: Autorun settings (keyboard) (Registry value, fixed)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\keyboard

Command Service: Settings (Registry key, fixing failed)
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

The software says it can fix it in safe mode, but it fails everytime. Maybe this has something to do with it?

Edited by mike_2000_17: Fixed formatting

0

Hi,
Click My Computer, then C: \
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "BFU"

Please download Brute Force Uninstaller to your desktop.

  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C: ) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).


Do not run the Uninstaller and the Remover yet.

Please reboot into Safemode:
Turn on the computer.
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.


Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe

Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu

Press execute and let it do its job.

Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.


Reboot into Normal mode. Now, download
sidekickFix.bat (rightclick on that link and
choose save as)

  • Place sidekickFix.bat in your C:\BFU folder (Important!).
  • Close all browsers and explorer folders.
  • Double-click on sidekickFix.bat
  • Click Yes and follow the prompts, when prompted to restart
    the PC please do so.
0

After carrying out above two steps, delete these two folders. The "?" (question mark) in the folder name might appear as it is or as any other character. Please be careful while deleting the folders, because there may be other legitimate folders by that name. Before deleting, right-click on each of the folder and click "Properties". Now here, check the Date and Time of folder creation. If they match with the date and time given below, then delete the folders:-

C:\DOCUMENTS AND SETTINGS\Linda\APPLICATION DATA\?icrosoft.NET --> Date: 06/02/2006 and Time: 02:14 PM

C:\WINDOWS\?ppPatch --> Date: 05/31/2006 and Time: 10:57 AM


Finally, please post a fresh HijackThis log.

0

I dont think anything happened. I am going to post a bfu log as well.

Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 1:46:11 PM, on 6/5/2006

Option Unload Explorer: Yes
Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)
Failed: ServiceStop Network Monitor (service not found)
Failed: ServiceStop cmdService (operation failed)
Failed: ServiceDisable Network Monitor (service not found)
Failed: ServiceDelete Network Monitor (service not found)
Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (key not found)
Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (key not found)
Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|winlog (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)
Failed: RegDelValue HKCU\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|WinUpdate.exe (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found)
Option pause between commands: 300 ms
Option pause between commands: 50 ms
Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)
Failed: FolderDelete C:\Program Files\winupdates (folder not found)
Failed: FolderDelete C:\Program Files\winupdate (folder not found)
Failed: FolderDelete C:\Program Files\winsupdater (folder not found)
Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)
Failed: FolderDelete C:\Program Files\MsMovies (folder not found)
Failed: FolderDelete C:\Program Files\wmplayer (folder not found)
Failed: FolderDelete C:\Program Files\outlook (folder not found)
Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)
Failed: FileDelete C:\DOCUME~1\ADMINI~1.OWN\LOCALS~1\Temp\~DF5320.tmp (operation failed)
Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)
Failed: FolderDelete C:\Program Files\DNS (folder not found)
Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)
Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\svchostsys (folder not found)
Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)
Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)
Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)
Failed: FolderDelete C:\Program Files\Update06 (folder not found)
Failed: FolderDelete C:\Program Files\Update03 (folder not found)
Failed: FolderDelete C:\Program Files\Update04 (folder not found)
Failed: FolderDelete C:\Program Files\Update08 (folder not found)
Failed: FolderDelete C:\Program Files\W-Update (folder not found)
Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found)
Failed: FolderDelete C:\Program Files\Cas (folder not found)
Failed: FolderDelete C:\Program Files\CasStub (folder not found)
Failed: FolderDelete C:\Program Files\Cas2Stub (folder not found)
Failed: FolderDelete C:\Program Files\ipwins (folder not found)
Failed: FolderDelete C:\WINDOWS\mdrive (folder not found)
Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)
Script completed.

Here is the hijackthis log, all entries are still intact >.>

Logfile of HijackThis v1.99.1
Scan saved at 2:05:46 PM, on 6/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PopUp Killer\popupkiller.EXE
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qjfae.exe
F2 - REG:system.ini: UserInit=userinit.exe,cemeppa.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\popupkiller.EXE
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [{DD-D8-8B-B9-ZN}] c:\windows\system32\prdsregj.exe GID003
O4 - HKLM\..\Run: [luxzgtcA] C:\WINDOWS\luxzgtcA.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard24.exe
O4 - HKLM\..\Run: [newname] C:\\newname24.exe
O4 - HKLM\..\Run: [defender] C:\\defender24.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Roct] "C:\DOCUME~1\Linda\APPLIC~1\ICROSO~1.NET\smss.exe" -vt yazr
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Iygzjpr] C:\WINDOWS\?ppPatch\d?dplay.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Zeno.lnk.disabled
O4 - Startup: Z_Start.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://remote.trostel.com/msrdp.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: repairs303169587.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe


Those 2 folders I am not sure about, here is what I got:

C:\Documents and Settings\Linda\Application Data\Μicrosoft.NET
This folder contains an empty folder called
ICROSO~1.NET Monday, May 29, 2006, 10:34:27 AM

I have two AppPatch folders, one containing only 1 file called
dvdplay Monday, May 29, 2006, 10:34:41 AM

=/

1

Hi,
Download WinPFind.ZIP and completely extract it to a folder.

We shall do an online scan at F-Secure. Please visit: F-Secure Online Scanner Next Generation Beta
1. Click on the link "F-Secure Online Scanner Next Generation Beta".
2. You may receive an alert on the address bar at this point to install the ActiveX control.
3. Click on that alert and then Click Insall ActiveX component.
4. Read the license agreement and click "Accept".
5. Click "Full System Scan" to download the scanning components and begin scan and cleaning.
6. When done click "Show report" and copy/paste its contents into your next reply.

(F-Secure scan works only in Internet Explorer browser)


After the scan run WinPFind.exe and click "Start Scan". When the scan completes, click "Copy to Clipboard" button to copy the log it gives, and please post it here along with F-Secure scan log.

C:\Documents and Settings\Linda\Application Data\Μicrosoft.NET
This folder contains an empty folder called
ICROSO~1.NET Monday, May 29, 2006, 10:34:27 AM

I have two AppPatch folders, one containing only 1 file called
dvdplay Monday, May 29, 2006, 10:34:41 AM

Yes, please delete those two folders.

Votes + Comments
This person is thorough, knowledgeable, and way supportive
0

I had a problem with the Anti-Virus...
Scanned twice, and everytime it starts to clean it says there is an error and restarts everything.

here is the winPFind log:

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX!                 10/17/2005 7:05:48 AM       200192     C:\WINDOWS\eiunin21.exe

Checking %System% folder...
PEC2                 8/4/2004 7:00:00 AM         41397      C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2                 5/24/2006 5:42:26 PM        619156     C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2           5/24/2006 5:42:26 PM        619156     C:\WINDOWS\SYSTEM32\DivX.dll
PTech                5/23/2006 5:26:00 PM        579888     C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2           5/3/2006 9:26:24 PM         5818784    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               5/3/2006 9:26:24 PM         5818784    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               8/4/2004 7:00:00 AM         708096     C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor             8/4/2004 7:00:00 AM         657920     C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync              8/4/2004 7:00:00 AM         1309184    C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech                5/23/2006 5:25:52 PM        285488     C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
UPX!                 6/1/2006 12:30:30 PM        776096     C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG!                 6/1/2006 12:30:30 PM        776096     C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2                 6/1/2006 12:30:30 PM        776096     C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack               6/1/2006 12:30:30 PM        776096     C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     6/5/2006 11:06:58 PM      S 2048       C:\WINDOWS\bootstat.dat
                     6/6/2006 11:53:28 AM     H  54156      C:\WINDOWS\QTFont.qfn
                     5/12/2006 9:04:40 AM    RH  749        C:\WINDOWS\WindowsShell.Manifest
                     5/12/2006 9:04:50 AM     H  65         C:\WINDOWS\Downloaded Program Files\desktop.ini
                     5/12/2006 9:05:38 AM     HS 67         C:\WINDOWS\Fonts\desktop.ini
                     6/1/2006 12:54:46 PM     H  0          C:\WINDOWS\inf\oem7.inf
                     5/12/2006 9:04:50 AM     H  65         C:\WINDOWS\Offline Web Pages\desktop.ini
                     5/12/2006 9:05:16 AM    RHS 727        C:\WINDOWS\pchealth\helpctr\PackageStore\package_1.cab
                     5/12/2006 9:05:16 AM    RHS 19854      C:\WINDOWS\pchealth\helpctr\PackageStore\package_2.cab
                     5/12/2006 9:05:16 AM    RHS 244933     C:\WINDOWS\pchealth\helpctr\PackageStore\package_3.cab
                     5/12/2006 9:06:22 AM     H  225280     C:\WINDOWS\repair\ntuser.dat
                     5/12/2006 5:06:38 PM    RHS 88         C:\WINDOWS\system32\1E00B0BBD9.sys
                     5/12/2006 9:04:40 AM    RH  749        C:\WINDOWS\system32\cdplayer.exe.manifest
                     5/12/2006 9:04:50 AM    RH  488        C:\WINDOWS\system32\logonui.exe.manifest
                     5/12/2006 9:04:40 AM    RH  749        C:\WINDOWS\system32\ncpa.cpl.manifest
                     5/12/2006 9:04:40 AM    RH  749        C:\WINDOWS\system32\nwc.cpl.manifest
                     5/12/2006 9:04:40 AM    RH  749        C:\WINDOWS\system32\sapi.cpl.manifest
                     5/12/2006 9:04:50 AM    RH  488        C:\WINDOWS\system32\WindowsLogon.manifest
                     5/12/2006 9:04:40 AM    RH  749        C:\WINDOWS\system32\wuaucpl.cpl.manifest
                     4/18/2006 2:17:08 AM      S 14054      C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB908531.cat
                     5/2/2006 1:02:32 AM       S 464431     C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem3.CAT
                     5/17/2006 11:24:42 AM     S 7160       C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WGA.cat
                     5/23/2006 5:27:00 PM      S 7160       C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
                     6/6/2006 9:33:26 AM      H  1024       C:\WINDOWS\system32\config\default.LOG
                     6/5/2006 11:07:02 PM     H  1024       C:\WINDOWS\system32\config\SAM.LOG
                     6/6/2006 12:17:02 AM     H  1024       C:\WINDOWS\system32\config\SECURITY.LOG
                     6/6/2006 12:59:18 PM     H  1024       C:\WINDOWS\system32\config\software.LOG
                     6/6/2006 12:21:32 PM     H  1024       C:\WINDOWS\system32\config\system.LOG
                     5/12/2006 1:52:38 AM     H  1024       C:\WINDOWS\system32\config\TempKey.LOG
                     5/12/2006 1:52:40 AM     H  1024       C:\WINDOWS\system32\config\userdiff.LOG
                     6/2/2006 9:36:26 PM      H  1024       C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
                     5/12/2006 1:54:04 AM     HS 62         C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini
                     5/12/2006 1:54:04 AM     HS 62         C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
                     5/12/2006 9:09:44 AM     HS 113        C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
                     5/12/2006 9:09:44 AM     HS 113        C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
                     5/12/2006 9:09:44 AM     HS 67         C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
                     5/12/2006 9:09:44 AM     HS 67         C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
                     5/12/2006 9:09:44 AM     HS 67         C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4V8J45S5\desktop.ini
                     5/12/2006 9:09:44 AM     HS 67         C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6LKF27UB\desktop.ini
                     5/12/2006 9:09:44 AM     HS 67         C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UN016PSX\desktop.ini
                     5/12/2006 9:09:44 AM     HS 67         C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WTWTU9C7\desktop.ini
                     5/12/2006 9:04:52 AM     HS 181        C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini
                     5/12/2006 1:54:04 AM     HS 62         C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini
                     5/12/2006 9:06:20 AM     HS 148        C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini
                     5/12/2006 9:06:20 AM     HS 482        C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
                     5/12/2006 9:06:20 AM     HS 348        C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
                     5/12/2006 9:06:20 AM     HS 84         C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
                     5/12/2006 9:06:20 AM     HS 84         C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
                     5/11/2006 6:33:46 PM     HS 388        C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\0fadf055-87ac-4354-84ff-4da37ade8ce6
                     5/11/2006 6:33:46 PM     HS 24         C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
                     5/12/2006 9:09:48 AM     HS 388        C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\8cb73233-8a8c-4297-9cf0-032f9643dcd6
                     5/11/2006 6:43:20 PM     HS 388        C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\f75f327a-6f40-498c-abc8-1d3efcc64f6b
                     5/11/2006 6:43:20 PM     HS 24         C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
                     6/5/2006 11:07:02 PM     H  6          C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation          8/4/2004 7:00:00 AM         68608      C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp.    4/20/2006 5:01:06 PM        18788352   C:\WINDOWS\SYSTEM32\alsndmgr.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         549888     C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         110592     C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         135168     C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         80384      C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         155136     C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         358400     C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         129536     C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         380416     C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         68608      C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc.         11/10/2005 1:03:50 PM       49265      C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         187904     C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         618496     C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         35840      C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         25600      C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         257024     C:\WINDOWS\SYSTEM32\nusrmgr.cpl
                               3/9/2006 3:29:00 PM         73728      C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         32768      C:\WINDOWS\SYSTEM32\odbccp32.cpl
Wacom Technology, Corp.        4/6/2006 8:58:26 AM         1282048    C:\WINDOWS\SYSTEM32\PenTablet.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         114688     C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         298496     C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         28160      C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         94208      C:\WINDOWS\SYSTEM32\timedate.cpl
WIBU-SYSTEMS AG                12/27/2001 10:59:22 AM      716800     C:\WINDOWS\SYSTEM32\Wibuke32.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         148480     C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation          5/26/2005 4:16:30 AM        174360     C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         68608      C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         549888     C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         135168     C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         80384      C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         155136     C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         358400     C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         129536     C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         68608      C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         187904     C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         618496     C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         35840      C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         25600      C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         257024     C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         32768      C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         114688     C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         155648     C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         298496     C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         28160      C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         94208      C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation          8/4/2004 7:00:00 AM         148480     C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation          5/26/2005 4:16:30 AM        174360     C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Realtek Semiconductor Corp.    1/11/2006 5:36:26 PM        18780160   C:\WINDOWS\SYSTEM32\ReinstallBackups\0007\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     5/22/2006 10:43:02 PM       1918       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
                     5/12/2006 6:15:24 PM        1757       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
                     5/12/2006 9:06:20 AM     HS 84         C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
                     5/21/2006 12:09:30 PM       1730       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
                     5/12/2006 3:50:42 PM        878        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
                     5/12/2006 1:54:04 AM     HS 62         C:\Documents and Settings\All Users\Application Data\desktop.ini
                     5/28/2006 8:02:08 AM        1755       C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
                     5/12/2006 6:22:48 PM        988        C:\Documents and Settings\Linda\Start Menu\Programs\Startup\Adobe Gamma.lnk
                     5/22/2006 8:01:16 PM        718        C:\Documents and Settings\Linda\Start Menu\Programs\Startup\BitTorrent.lnk
                     5/12/2006 9:06:20 AM     HS 84         C:\Documents and Settings\Linda\Start Menu\Programs\Startup\desktop.ini
                     5/11/2006 11:14:18 PM       876        C:\Documents and Settings\Linda\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk

Checking files in %USERPROFILE%\Application Data folder...
                     5/12/2006 6:13:50 PM        1563       C:\Documents and Settings\Linda\Application Data\AdobeDLM.log
                     5/12/2006 1:54:04 AM     HS 62         C:\Documents and Settings\Linda\Application Data\desktop.ini
                     5/12/2006 6:13:50 PM        0          C:\Documents and Settings\Linda\Application Data\dm.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    SV1     = 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    {2610AEF6-7C4A-4427-B2E0-65F733290F76}     = 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
    {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}     = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\CTMTPMediaExplorer
    {7895F317-A125-42CC-BD3E-5830765CE577}     = C:\PROGRA~1\Creative\SHARED~1\CTCmeCtx.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}     = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936}     = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}     = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA}     = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin     = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
    {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}     = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\CTMTPMediaExplorer
    {7895F317-A125-42CC-BD3E-5830765CE577}     = C:\PROGRA~1\Creative\SHARED~1\CTCmeCtx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA}     = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}     = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}     = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA}     = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{00020000-0000-1011-8004-0000C06B5161}
     = C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}
     = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{CE3A44D8-BC88-4D62-A890-42D96245F8D6}
     = C:\WINDOWS\system32\dmonwv.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
     = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88}     = Yahoo! Toolbar    : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    MenuText     = Sun Java Console    : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
    ButtonText     = AOL Instant Messenger (TM)    : C:\Program Files\AIM95\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}
    ButtonText     = Yahoo! Messenger    : C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
    ButtonText     = Messenger    : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address    : %SystemRoot%\system32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links    : %SystemRoot%\system32\SHELL32.dll
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar    : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    VTTrayp    VTtrayp.exe
    NeroFilterCheck    C:\WINDOWS\system32\NeroCheck.exe
    RemoteControl    "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    SoundMan    SOUNDMAN.EXE
    NvCplDaemon    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    NvMediaCenter    RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    Adobe Photo Downloader    "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    QuickTime Task    "C:\Program Files\QuickTime\qttask.exe" -atboottime
    PopUpKiller    C:\Program Files\PopUp Killer\popupkiller.EXE
    AVG7_CC    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    SunJavaUpdateSched    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    iTunesHelper    "C:\Program Files\iTunes\iTunesHelper.exe"
    Google Desktop Search    "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    nwiz    nwiz.exe /install
    xload    "C:\WINDOWS\xload.exe"
    keyboard    C:\\keyboard24.exe
    newname    C:\\newname24.exe
    {DD-D8-8B-B9-ZN}    c:\windows\system32\prdsregj.exe GID003
    luxzgtcA    C:\WINDOWS\luxzgtcA.exe
    defender    C:\\defender24.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL    Installed = 1
    MAPI    Installed = 1
    MSFS    Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    PhotoShow Deluxe Media Manager    C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
    Creative Detector    "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    AIM    C:\Program Files\AIM95\aim.exe -cnetwait.odl
    MsnMsgr    "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    ctfmon.exe    C:\WINDOWS\system32\ctfmon.exe
    Yahoo! Pager    "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    Roct    "C:\DOCUME~1\Linda\APPLIC~1\ICROSO~1.NET\smss.exe" -vt yazr
    Iygzjpr    C:\WINDOWS\?ppPatch\d?dplay.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
    iPodService    3


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^shbwl.exe
    path    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\shbwl.exe
    backup    C:\WINDOWS\pss\shbwl.exeCommon Startup
    location    Common Startup
    command    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\shbwl.exe
    item    shbwl
    path    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\shbwl.exe
    backup    C:\WINDOWS\pss\shbwl.exeCommon Startup
    location    Common Startup
    command    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\shbwl.exe
    item    shbwl

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Linda^Start Menu^Programs^Startup^Zeno.lnk
    path    C:\Documents and Settings\Linda\Start Menu\Programs\Startup\Zeno.lnk
    backup    C:\WINDOWS\pss\Zeno.lnkStartup
    location    Startup
    command    C:\WINDOWS\system32\lwinsqez.exe GID003
    item    Zeno
    path    C:\Documents and Settings\Linda\Start Menu\Programs\Startup\Zeno.lnk
    backup    C:\WINDOWS\pss\Zeno.lnkStartup
    location    Startup
    command    C:\WINDOWS\system32\lwinsqez.exe GID003
    item    Zeno

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Linda^Start Menu^Programs^Startup^Z_Start.lnk
    path    C:\Documents and Settings\Linda\Start Menu\Programs\Startup\Z_Start.lnk
    backup    C:\WINDOWS\pss\Z_Start.lnkStartup
    location    Startup
    command    C:\WINDOWS\system32\prdsregj.exe GID003
    item    Z_Start
    path    C:\Documents and Settings\Linda\Start Menu\Programs\Startup\Z_Start.lnk
    backup    C:\WINDOWS\pss\Z_Start.lnkStartup
    location    Startup
    command    C:\WINDOWS\system32\prdsregj.exe GID003
    item    Z_Start

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AIM
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    aim
    hkey    HKCU
    command    C:\Program Files\AIM95\aim.exe -cnetwait.odl
    inimapping    0
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    aim
    hkey    HKCU
    command    C:\Program Files\AIM95\aim.exe -cnetwait.odl
    inimapping    0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\aqsnei
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    aaovek
    hkey    HKLM
    command    C:\WINDOWS\system32\aaovek.exe reg_run
    inimapping    0
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    aaovek
    hkey    HKLM
    command    C:\WINDOWS\system32\aaovek.exe reg_run
    inimapping    0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\defender
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    defender24
    hkey    HKLM
    command    C:\\defender24.exe
    inimapping    0
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    defender24
    hkey    HKLM
    command    C:\\defender24.exe
    inimapping    0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Google Desktop Search
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    GoogleDesktop
    hkey    HKLM
    command    "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    inimapping    0
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    GoogleDesktop
    hkey    HKLM
    command    "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    inimapping    0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    iTunesHelper
    hkey    HKLM
    command    "C:\Program Files\iTunes\iTunesHelper.exe"
    inimapping    0
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    iTunesHelper
    hkey    HKLM
    command    "C:\Program Files\iTunes\iTunesHelper.exe"
    inimapping    0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\luxzgtcA
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    luxzgtcA
    hkey    HKLM
    command    C:\WINDOWS\luxzgtcA.exe
    inimapping    0
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    luxzgtcA
    hkey    HKLM
    command    C:\WINDOWS\luxzgtcA.exe
    inimapping    0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    msmsgs
    hkey    HKCU
    command    "C:\Program Files\Messenger\msmsgs.exe" /background
    inimapping    0
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    msmsgs
    hkey    HKCU
    command    "C:\Program Files\Messenger\msmsgs.exe" /background
    inimapping    0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MsnMsgr
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    MsnMsgr
    hkey    HKCU
    command    "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    inimapping    0
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    MsnMsgr
    hkey    HKCU
    command    "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    inimapping    0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\New.net Startup
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    NEWDOT~2
    hkey    HKLM
    command    rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
    inimapping    0
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    NEWDOT~2
    hkey    HKLM
    command    rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
    inimapping    0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\nwiz
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    nwiz
    hkey    HKLM
    command    nwiz.exe /install
    inimapping    0
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    nwiz
    hkey    HKLM
    command    nwiz.exe /install
    inimapping    0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SurfSideKick 3
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    Ssk
    hkey    HKLM
    command    C:\Program Files\SurfSideKick 3\Ssk.exe
    inimapping    0
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    Ssk
    hkey    HKLM
    command    C:\Program Files\SurfSideKick 3\Ssk.exe
    inimapping    0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vnapg
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    aaovek
    hkey    HKCU
    command    C:\WINDOWS\system32\aaovek.exe reg_run
    inimapping    0
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    aaovek
    hkey    HKCU
    command    C:\WINDOWS\system32\aaovek.exe reg_run
    inimapping    0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\xload
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    xload
    hkey    HKLM
    command    "C:\WINDOWS\xload.exe"
    inimapping    0
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    xload
    hkey    HKLM
    command    "C:\WINDOWS\xload.exe"
    inimapping    0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\{DD-D8-8B-B9-ZN}
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    prdsregj
    hkey    HKLM
    command    c:\windows\system32\prdsregj.exe GID003
    inimapping    0
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    prdsregj
    hkey    HKLM
    command    c:\windows\system32\prdsregj.exe GID003
    inimapping    0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
    system.ini    0
    win.ini    0
    bootini    0
    services    2
    startup    2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} = 


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername    0
    legalnoticecaption    
    legalnoticetext    
    shutdownwithoutlogon    1
    undockwithoutlogon    1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun    145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder                   {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn                             {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck                           {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
    SysTray                            {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit    = userinit.exe,cemeppa.exe
    Shell        = explorer.exe
    System        = 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
     = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
     = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
     = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
     = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
     = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
     = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
     = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
     = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
     = WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
     = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs    repairs303169587.dll


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1    - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/6/2006 1:03:53 PM

Edited by mike_2000_17: Fixed formatting

0

Something else just occured.

I have an internet explorer window integrated into my desktop now, it randomly says DEFAULT in big grey letters, or it is just a white box.
I traced the page to ads.zwoops.com

0

Hi,
Let's remove the SurfSideKick now! Copy the below quoted text (which is a script for Avenger) into your clipboard by highlighting it and pressing CTRL C keys:-

Files to delete:
C:\WINDOWS\system32\dmonwv.dll
C:\WINDOWS\xload.exe
C:\keyboard24.exe
C:\newname24.exe
c:\windows\system32\prdsregj.exe
C:\WINDOWS\luxzgtcA.exe
C:\defender24.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\shbwl.exe
C:\WINDOWS\pss\shbwl.exe
C:\Documents and Settings\Linda\Start Menu\Programs\Startup\Zeno.lnk
C:\WINDOWS\pss\Zeno.lnk
C:\WINDOWS\system32\lwinsqez.exe
C:\Documents and Settings\Linda\Start Menu\Programs\Startup\Z_Start.lnk
C:\WINDOWS\pss\Z_Start.lnk
C:\WINDOWS\system32\aaovek.exe
C:\WINDOWS\system32\repairs303169587.dll
C:\WINDOWS\repairs303169587.dll
C:\Program Files\SurfSideKick 3\Ssk.exe

Folders to delete:
C:\Program Files\SurfSideKick 3

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

  • Now, run The Avenger program by double clicking its icon on your Desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script".
  • Paste the text copied to clipboard into this window by pressing Ctrl V keys.
  • Click Done.
  • Now click on the Green Light to begin execution of the script.
  • Answer "Yes" twice when prompted.

The Avenger will automatically do the following:-

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the reboot, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt

Reboot in Safe Mode:-
Restart (or switch ON) the PC. Then, keep tapping the F8 Key. From the menu that will be displayed, out of which choose Safe Mode and press Enter.


Run HijackThis and click Do only a System scan.
Then put a check mark infront of below listed entries:-

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qjfae.exe
F2 - REG:system.ini: UserInit=userinit.exe,cemeppa.exe
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [{DD-D8-8B-B9-ZN}] c:\windows\system32\prdsregj.exe GID003
O4 - HKLM\..\Run: [luxzgtcA] C:\WINDOWS\luxzgtcA.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard24.exe
O4 - HKLM\..\Run: [newname] C:\\newname24.exe
O4 - HKLM\..\Run: [defender] C:\\defender24.exe
O4 - HKCU\..\Run: [Roct] "C:\DOCUME~1\Linda\APPLIC~1\ICROSO~1.NET\smss.exe" -vt yazr
O4 - HKCU\..\Run: [Iygzjpr] C:\WINDOWS\?ppPatch\d?dplay.exe
O4 - Startup: Zeno.lnk.disabled
O4 - Startup: Z_Start.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - AppInit_DLLs: repairs303169587.dll

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Run Ewido, click on the "Scanner" button in the left menu, then click on the "Settings", here select the option "Scan every file" and click "OK". Next, click "Complete System Scan" button to start scan. If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK. When the scan finishes, click on "Save Report". This will create a text file, save it in a convinient location.


Reboot to Normal Mode. Run HijackThis again, click Do a System scan and save log, and post the fresh log along with the Avenger log and Ewido log.

0

Woo, I think some progress was made.

Here are the logs:

Avenger

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\chkbaepq
*******************
Script file located at: \??\C:\yapfpnqa.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:

File C:\\WINDOWSsystem32dmonwv.dll not found!
Deletion of file C:\\WINDOWSsystem32dmonwv.dll failed!
Could not process line:
C:\\WINDOWSsystem32dmonwv.dll
Status: 0xc0000034

File C:\\WINDOWSxload.exe not found!
Deletion of file C:\\WINDOWSxload.exe failed!
Could not process line:
C:\\WINDOWSxload.exe
Status: 0xc0000034

File C:\\keyboard24.exe not found!
Deletion of file C:\\keyboard24.exe failed!
Could not process line:
C:\\keyboard24.exe
Status: 0xc0000034

File C:\\newname24.exe not found!
Deletion of file C:\\newname24.exe failed!
Could not process line:
C:\\newname24.exe
Status: 0xc0000034

File c:\\windowssystem32prdsregj.exe not found!
Deletion of file c:\\windowssystem32prdsregj.exe failed!
Could not process line:
c:\\windowssystem32prdsregj.exe
Status: 0xc0000034

File C:\\WINDOWSluxzgtcA.exe not found!
Deletion of file C:\\WINDOWSluxzgtcA.exe failed!
Could not process line:
C:\\WINDOWSluxzgtcA.exe
Status: 0xc0000034

File C:\\defender24.exe not found!
Deletion of file C:\\defender24.exe failed!
Could not process line:
C:\\defender24.exe
Status: 0xc0000034

File C:\\Documents and Settings\All Users\Start Menu\Programs\Startup\shbwl.exe not found!
Deletion of file C:\\Documents and Settings\All Users\Start Menu\Programs\Startup\shbwl.exe failed!
Could not process line:
C:\\Documents and Settings\All Users\Start Menu\Programs\Startup\shbwl.exe
Status: 0xc0000034

File C:\\WINDOWS\pss\shbwl.exe not found!
Deletion of file C:\\WINDOWS\pss\shbwl.exe failed!
Could not process line:
C:\\WINDOWS\pss\shbwl.exe
Status: 0xc0000034

File C:\\Documents and Settings\Linda\Start Menu\Programs\StartupZeno.lnk not found!
Deletion of file C:\\Documents and Settings\Linda\Start Menu\Programs\StartupZeno.lnk failed!
Could not process line:
C:\\Documents and Settings\Linda\Start Menu\Programs\StartupZeno.lnk
Status: 0xc0000034

File C:\\WINDOWS\pss\Zeno.lnk not found!
Deletion of file C:\\WINDOWS\pss\Zeno.lnk failed!
Could not process line:
C:\\WINDOWS\pss\Zeno.lnk
Status: 0xc0000034

File C:\\WINDOWS\system32\lwinsqez.exe not found!
Deletion of file C:\\WINDOWS\system32\lwinsqez.exe failed!
Could not process line:
C:\\WINDOWS\system32\lwinsqez.exe
Status: 0xc0000034

File C:\\Documents and Settings\Linda\Start Menu\Programs\Startup\Z_Start.lnk not found!
Deletion of file C:\\Documents and Settings\Linda\Start Menu\Programs\Startup\Z_Start.lnk failed!
Could not process line:
C:\\Documents and Settings\Linda\Start Menu\Programs\Startup\Z_Start.lnk
Status: 0xc0000034

File C:\\WINDOWS\pss\Z_Start.lnk not found!
Deletion of file C:\\WINDOWS\pss\Z_Start.lnk failed!
Could not process line:
C:\\WINDOWS\pss\Z_Start.lnk
Status: 0xc0000034

File C:\\WINDOWS\system32\aaovek.exe not found!
Deletion of file C:\\WINDOWS\system32\aaovek.exe failed!
Could not process line:
C:\\WINDOWS\system32\aaovek.exe
Status: 0xc0000034

File C:\\WINDOWS\system32\repairs303169587.dll not found!
Deletion of file C:\\WINDOWS\system32\repairs303169587.dll failed!
Could not process line:
C:\\WINDOWS\system32\repairs303169587.dll
Status: 0xc0000034

File C:\\WINDOWS\repairs303169587.dll not found!
Deletion of file C:\\WINDOWS\repairs303169587.dll failed!
Could not process line:
C:\\WINDOWS\repairs303169587.dll
Status: 0xc0000034

Could not open file C:\\Program Files\SurfSideKick 3\Ssk.exe for deletion
Deletion of file C:\\Program Files\SurfSideKick 3\Ssk.exe failed!
Could not process line:
C:\\Program Files\SurfSideKick 3\Ssk.exe
Status: 0xc000003a

Folder C:\\Program Files\SurfSideKick 3 not found!
Deletion of folder C:\\Program Files\SurfSideKick 3 failed!
Could not process line:
C:\\Program Files\SurfSideKick 3
Status: 0xc0000034
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Completed script processing.
*******************
Finished! Terminate.

+ Scan result:
:mozilla.13:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\qcv8shqd.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Linda\Cookies\linda@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Linda\Cookies\linda@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Linda\Cookies\linda@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Linda\Cookies\linda@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup
C:\Documents and Settings\Linda\Cookies\linda@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Linda\Cookies\linda@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup

::Report End

Logfile of HijackThis v1.99.1
Scan saved at 9:56:47 AM, on 6/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\PopUp Killer\popupkiller.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\HijackThis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\popupkiller.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Roct] "C:\DOCUME~1\Linda\APPLIC~1\ICROSO~1.NET\smss.exe" -vt yazr
O4 - HKCU\..\Run: [Iygzjpr] C:\WINDOWS\?ppPatch\d?dplay.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://remote.trostel.com/msrdp.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

0

Hi,
Yes, looks like we got rid of SurfSideKick, a nasty malware! Now, to remove the leftovers of another malware, PurityScan! Download CCleaner and install it. Do not run it now!


Please boot the PC into Safe Mode.


Make Windows to show all files:-
Go to Start > My Computer. Go to Tools menu, click Folder Options. Uncheck Hide protected operating system files. Then, click to select the option Show hidden files and folders. Click Apply and then click OK to exit.

Delete these folders:-
C:\Documents and Settings\Linda\Application Data\ICROSO~1.NET <-- Delete this, if found.

C:\Documents and Settings\Linda\Application Data\Μicrosoft.NET <--- This folder contains an empty folder called ICROSO~1.NET, dated Monday, May 29, 2006, 10:34:27 AM.

C:\WINDOWS\?ppPatch <--- It will be displayed as AppPatch, and delete the one which containing file called dvdplay, dated Monday, May 29, 2006, 10:34:41 AM. Legitimate AppPatch folder will have many files (mostly DLL files), do NOT delete legitimate folder.


Now run CCleaner, click the "Options" button in the left pane of CCleaner. Here, click "Settings" and then click "Advanced" button. Here, Uncheck the options "Only delete files in Windows Temp folder older than 48 hours" and "Show prompt to backup registry issues".
After unchecking them, click the "Issues" button in the left pane. Here, click "Scan for issues". It takes some time to scan. Once it finishes the scan, click "Fix selected issues". This opens up a new window, here click "Fix all selected issues" button to remove all the detected issues.
After this, click the "Cleaner" button in the left pane and click "Run Cleaner" to clean the temp files.


Run HijackThis and click Do only a System scan. Then put a check mark infront of below listed entries:-

O4 - HKCU\..\Run: [Roct] "C:\DOCUME~1\Linda\APPLIC~1\ICROSO~1.NET\smss.exe" -vt yazr
O4 - HKCU\..\Run: [Iygzjpr] C:\WINDOWS\?ppPatch\d?dplay.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Reboot to Normal Mode. Perform an online virus scan at Kaspersky Online Scanner (Click the "Kaspersky Online Scanner" button). Save the log it gives after the scan.

Run HijackThis again, click Do a System scan and save log, and post the fresh log along with the Kaspersky log.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.