whataboutarabit how to rid it

[imc]

this keeps poping up whataboutarabit how do I get rid of it?

[imc]

can anyone help me?

[koala]

Hi imc, welcome to TSF

What does the popup say and what program are you using when it appears?

EDIT: from what I've read, a whataboutarabit popup might be caused by trojan.Zonebac

[imc]

yes that is what is happened. I saw that you were able to help someone else

[imc]

whataboutarabit.com listed as a safe zone. I removed it and put it into my restricted zones, but upon restarting the computer it was back to being listed as a safe zone! What is causing this, and how do I get rid of it???

[tetonbob]

I recommend you do this:

Please follow MicroBell's 5 Step process outlined here:

http://www.techsupportforum.com/secu...tml#post342651

After running through all the steps, please post the requested logs.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the forum is extremely busy, and it may take some time to get a reply.

[imc]

I did as instructed but did not restart the computer after updating windows and in step 2? the one you have to unzip the file, I think all of that went to a temporary file. I can not figure out how to attach the extra.txt notepad so I pasted it (it maybe pasted 2 times) at the end of the main.txt notepad. Sorry I'm not sure what I 'm doing.

Deckard's System Scanner v20070826.66
Run by Administrator on 2007-08-29 16:14:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Administrator.exe) ---------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-08-29 16:16:22
Platform: Windows 2000 Service Pack 4 (5.00.2195)
MSIE: Internet Explorer (6.00.2800.1106)

Running processes:
C:\WINNT\system32\SMSS.EXE
C:\WINNT\system32\WINLOGON.EXE
C:\WINNT\system32\SERVICES.EXE
C:\WINNT\system32\LSASS.EXE
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\mstask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINNT\system32\wbem\WinMgmt.exe
C:\WINNT\explorer.exe
C:\WINNT\twain_32\D66U\D066UUTY.EXE
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINNT\twain_32\D66U\bak\D066UUTY.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O96RS9IZ\dss[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
F0 - win.ini: load=C:\WINNT\taskmgr.exe,
F3 - REG:win.ini: Load=C:\WINNT\system32\userinit.exe,
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKEY_LOCAL_MACHINE\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKEY_LOCAL_MACHINE\..\Run: [D066UUtility] C:\WINNT\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKEY_LOCAL_MACHINE\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Regscan] C:\WINNT\system32\regscan.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZUxdm080YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra 'Tools' menuitem: (no name) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\RELATED.HTM
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\RELATED.HTM
O15 - Trusted Zone: *.whataboutadog.com (HKCU)
O15 - Trusted Zone: *.whataboutarabit.com (HKCU)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188424300850
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe



-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Teefer (Teefer for NT) - c:\winnt\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 wpsdrvnt - c:\winnt\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2007-07-29 and 2007-08-29 -----------------------------

2007-08-29 15:53:27 0 d-------- C:\WINNT\SoftwareDistribution
2007-08-29 15:34:48 0 d-------- C:\ie-spyad_zo
2007-08-29 15:02:35 0 d-------- C:\Program Files\SpywareBlaster
2007-08-29 13:05:33 0 d-------- C:\WINNT\system32\ActiveScan
2007-08-25 22:10:22 60496 --a------ C:\WINNT\system32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
2007-08-25 22:10:21 21075 --a------ C:\WINNT\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
2007-08-25 22:10:15 0 d-------- C:\Program Files\Sygate
2007-08-25 21:26:29 0 dr-h----- C:\$VAULT$.AVG
2007-08-25 20:24:55 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-08-25 20:24:50 0 d-------- C:\Documents and Settings\Default User\Application Data\AVG7
2007-08-25 20:24:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-08-25 20:24:30 0 d-a------ C:\Documents and Settings\All Users\Application Data\avg7
2007-08-24 19:55:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-21 20:56:53 0 d-------- C:\WINNT\system32\bak
2007-08-03 11:20:17 0 d-------- C:\Program Files\Search Party


-- Find3M Report ---------------------------------------------------------------

2007-08-29 13:29:38 0 d-------- C:\Program Files\AIM
2007-08-26 13:59:19 0 d-------- C:\Program Files\Common Files\Peach
2007-08-25 20:15:01 0 d-a------ C:\Program Files\Common Files
2007-08-25 20:14:24 0 d-------- C:\Program Files\ZipCD
2007-08-22 15:37:32 0 d-------- C:\Program Files\Microsoft IntelliPoint
2007-08-22 15:35:20 24080 --a------ C:\WINNT\system32\regscan.exe
2007-08-22 15:35:20 24080 --a------ C:\WINNT\system32\NeroCheck.exe
2007-06-29 09:39:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\Canon


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 01:05p C:\WINNT\system32\mobsync.exe]
"D066UUtility"="C:\WINNT\TWAIN_32\D66U\D066UUTY.EXE" [08/22/07 03:35p]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [08/22/07 03:35p]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe" [08/22/07 03:35p]
"NovaBackup 7 Tray Control"="C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe" [08/22/07 03:35p]
"NeroCheck"="C:\WINNT\system32\NeroCheck.exe" [08/22/07 03:35p]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [08/22/07 03:35p]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [08/22/07 03:35p]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08/25/07 08:24p]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [10/15/04 07:40p]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [08/22/07 03:35p]
"Regscan"="C:\WINNT\system32\regscan.exe" [08/22/07 03:35p]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [7/27/2005 1:07:39 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2007-08-29 16:17:50 ------------

extra.txt notepad

Deckard's System Scanner v20070826.66
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 69%
Physical Memory (total/avail): 383.53 MiB / 116.23 MiB
Pagefile Memory (total/avail): 921.89 MiB / 645.23 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1985.08 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 16 GiB total, 8.92 GiB free.
D: is Fixed (NTFS) - 95.78 GiB total, 95.69 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Fixed (NTFS) - 8.03 GiB total, 1.72 GiB free.

\\.\PHYSICALDRIVE0 - ST3120026A - 111.79 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 16 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 95.78 GiB - D:

\\.\PHYSICALDRIVE1 - ST38420A - 8.03 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 8.03 GiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is not configured.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SPCA-SSQ0IEP17A
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\SPCA-SSQ0IEP17A
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\Program Files\Internet Explorer;;C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 3.5 Suite Deluxe;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\Common Files\Ulead Systems\DVD
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=SPCA-SSQ0IEP17A
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINNT\IsUninst.exe -fC:\WINNT\system32\UninstIPP.isu
Adobe Acrobat 4.0 --> C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINNT\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Photoshop 7.0 --> C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Shockwave Player --> C:\WINNT\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINNT\system32\Macromed\SHOCKW~1\Install.log
Ahead Nero Burning ROM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
AOL Instant Messenger --> C:\PROGRA~1\AIM\uninstll.exe -LOG= C:\PROGRA~1\AIM\install.log -OEM=
ArcSoft PhotoStudio 2000 --> C:\WINNT\IsUninst.exe -f"C:\Program Files\ArcSoft\PhotoStudio 2000\Uninst.isu"
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Canon Camera Support Core Library --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91F1A0D6-23AD-49FE-8D4E-379485652214} /l1033
Canon Camera TWAIN Driver 6.5 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{C91B97B4-8F2C-444F-BA07-B5EF5DBE4897} /l1033
Canon Camera Window DS for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91203BD3-6C3E-472F-ADBD-F60FDC7C4010}
Canon Camera Window DVC for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4C96958A-6562-4143-B820-FF4890D3B734}
Canon Camera Window for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{C7281207-4AA4-425E-B57A-0E9EF8445635}
Canon EOS Kiss REBEL 300D TWAIN Driver --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{4F9EF11C-A91A-42D0-BDAC-BB9695237075}
Canon MovieEdit Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{8AF1E098-1A5C-4336-BBE2-D047ABB401ED}
Canon MP Drivers 6.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FF3DD04-F386-46B0-97FC-B86238B65487}\Setup.exe" -l0x9 -Uninstall
Canon MP Navigator 1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{109AB81D-9732-40B3-9C1F-113A86CE6F93}\setup.exe" /SUUninstall
Canon PhotoRecord --> MsiExec.exe /X{0878E100-C0BB-41E8-B4C6-C486B61FDA7B}
Canon RAW Image Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{45EF4EE3-F591-4B74-A477-0CAE12934CE7}
Canon RemoteCapture Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{28291BD5-92D2-4685-82DC-CCA925C53CCA}
Canon Utilities Easy-PhotoPrint --> C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe C:\Program Files\Canon\Easy-PhotoPrint\uninst.ini
Canon Utilities File Viewer Utility 1.3 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2D1C2321-8FDB-49B8-A66B-4008DC0B6B5D}
Canon Utilities PhotoStitch 3.1 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{218BBBE3-FE63-4BB2-81A8-7435575A84FA}
Canon Utilities RemoteCapture 2.7 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{14220DB1-DD96-4BCD-B3D5-03A4EA6631C4}
Canon ZoomBrowser EX --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
Combined Community Codec Pack 2007-02-22 --> "C:\Program Files\Combined Community Codec Pack\unins000.exe"
DesignPro 5.0 Limited Edition --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{97AE00A8-1336-410F-B467-1C6623127BD6}
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HijackThis 1.99.1 --> C:\Program Files\HijackThis\HijackThis.exe /uninstall
Iomega ZipCD Support Files --> C:\WINNT\UNINST.EXE -f"C:\Program Files\ZipCD\DeIsL1.isu" -c"C:\Program Files\ZipCD\uninst.dll"
Java 2 Runtime Environment, SE v1.4.2_04 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142040}
Microsoft Data Access Components KB870669 --> C:\WINNT\muninst.exe C:\WINNT\INF\KB870669.inf
Microsoft Internet Explorer 6 SP1 --> rundll32 C:\WINNT\system32\setupwbv.dll,IE6Maintenance C:\Program Files\Internet Explorer\IE Uninstall\W2KEXCP.EXE /u
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
NovaBACKUP --> MsiExec.exe /I{A14F19F4-2E19-4CA5-83AB-FC9EE3FEA1E0}
OmniPage SE 2.0 --> MsiExec.exe /I{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}
Outlook Express Q823353 --> C:\WINNT\oeuninst.exe C:\WINNT\INF\Q823353.inf
Panda ActiveScan --> C:\WINNT\system32\ASUninst.exe Panda ActiveScan
Peachtree Accounting --> C:\WINNT\IsUninst.exe -fC:\Peachw\DeisPT.isu
Roy C. Ketcham High School 2006 Alumni Directory --> MsiExec.exe /X{CD6B4A96-39F3-4CF4-A264-1E399CBF7BB6}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Sygate Personal Firewall --> MsiExec.exe /I{F34D9A5F-484A-4E31-A9D3-908CB265B289}
Turbo Lister 2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{69640730-B830-4C24-BB5C-222DA1260548}
Ulead DVD MovieFactory 3.5 Suite Deluxe --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C7D89BBE-D4B3-49E8-B185-7966B5345866}\setup.exe" -l0x9
Ulead Photo Explorer 8.5 SE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{025C3792-E9C6-432A-92C1-661F99D021CA}\setup.exe" -l0x9
Ulead VideoStudio 8.0 SE DVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F1DA6BF-3614-48A1-9970-9E90F646789E}\setup.exe" -l0x9
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
ViewSonic Monitor Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B4FEA924-630D-11D4-B78E-005004566E4D}\Setup.exe" -l0x9
Walgreens PhotoShow Express --> "C:\Program Files\Walgreens\Walgreens PhotoShow\data\Xtras\Uninstall.exe"
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Player system update (9 Series) --> C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1345 / Error
Event Submitted/Written: 08/25/2007 10:12:09 PM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.

Event Record #/Type1341 / Error
Event Submitted/Written: 08/25/2007 10:00:15 PM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.

Event Record #/Type1337 / Error
Event Submitted/Written: 08/25/2007 09:40:45 PM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.

Event Record #/Type1334 / Error
Event Submitted/Written: 08/25/2007 08:19:25 PM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.

Event Record #/Type1333 / Error
Event Submitted/Written: 08/25/2007 08:04:08 PM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2875 / Error
Event Submitted/Written: 08/25/2007 10:11:42 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1058

Event Record #/Type2871 / Error
Event Submitted/Written: 08/25/2007 09:59:44 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1058

Event Record #/Type2868 / Error
Event Submitted/Written: 08/25/2007 09:40:12 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1058

Event Record #/Type2867 / Error
Event Submitted/Written: 08/25/2007 09:40:06 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Sygate Personal Firewall service failed to start due to the following error:
%%1053

Event Record #/Type2864 / Error
Event Submitted/Written: 08/25/2007 09:40:06 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Sygate Personal Firewall service to connect.



-- End of Deckard's System Scanner: finished at 2007-08-29 16:17:50 ------------

[tetonbob]

I've moved your thread into the proper forum.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

It appears you're running DSS from a temp folder. The executable should be placed on your desktop.

---------------------------------------------------------------------------------------------


If you've just done some Windows Updates, and it wanted you to restart your machine afterward, please do so before continuing.



---------------------------------------------------------------------------------------------


The version of HijackThis you have is out of date. Please delete it, and do this:


Please download HijackThis to your desktop

Alternate link

Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.


---------------------------------------------------------------------------------------------

[imc]

It appears you're running DSS from a temp folder. The executable should be placed on your desktop.

How do I get it on my desktop?

[tetonbob]

Well, using this link:

http://www.techsupportforum.com/sect...eckard/dss.exe

right-click and Save Link as in Firefox, or Save Target as in Internet Explorer, instead of choosing Run. You perhaps chose Run last time when you clicked on the link.

Using the explorer window which opens, direct the download to your desktop. Desktop should appear as a clickable button on the left of that window. Then click on Save.

[imc]

ok now what do I need to do?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:35:22 PM, on 8/29/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\TWAIN_32\D66U\D066UUTY.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\TWAIN_32\D66U\bak\D066UUTY.EXE
C:\WINNT\system32\wuauclt.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F3 - REG:win.ini: load=C:\WINNT\taskmgr.exe,
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [D066UUtility] C:\WINNT\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Regscan] C:\WINNT\system32\regscan.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZUxdm080YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188424300850
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 5041 bytes

[tetonbob]

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

F3 - REG:win.ini: load=C:\WINNT\taskmgr.exe,
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com

Close HijackThis now.

---------------------------------------------------------------------------------------------

Using Windows Explorer, locate this file, and delete it if it exists.

C:\WINNT\taskmgr.exe<<<from this location only!

---------------------------------------------------------------------------------------------

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Post that log in your next reply.

---------------------------------------------------------------------------------------------


Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please post back the results from:

SDFix (C:\SDFix\report.txt)
new HijackThis log.

[imc]

OK now what?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:07 PM, on 8/29/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\notepad.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Microsoft IntelliPoint\bak\point32.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [D066UUtility] C:\WINNT\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZUxdm080YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.whataboutarabit.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188424300850
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 4958 bytes

SDFix: Version 1.100

Run by Administrator on Wed 08/29/2007 at 7:27p

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\abc123.pid - Deleted
C:\WINNT\system32\regscan.exe - Deleted



Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Documents and Settings\Administrator\NetHood\home.houston.rr.com\Desktop.ini
C:\Program Files\Walgreens\Walgreens PhotoShow\data\Walgreens PhotoShow Express.exe
C:\Deckard\System Scanner\20070829183156\backup\WINNT\temp\OLD72.tmp
C:\Deckard\System Scanner\20070829183156\backup\WINNT\temp\OLD73.tmp
C:\Documents and Settings\Administrator\My Documents\ZDL19409.TMP

Finished

[tetonbob]

Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

[tetonbob]

Also, please do this:

Please download FindAWF to your Desktop.

• Double-click FindAWF.exe to start the tool.
• Select option #1 - Scan for bak folders by typing 1 and press 'Enter'
• When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.

**Do not run any other option unless directed to do so.**

[imc]

OK now what?

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Wed 08/29/2007
The current time is: 20:09:22.96


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MICROS~4\BAK

05/15/2003 05:41p 163,840 point32.exe
1 File(s) 163,840 bytes

Directory of C:\WINNT\SYSTEM32\BAK

07/09/2001 03:50a 155,648 NeroCheck.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\NOVASTOR\NOVABA~1\BAK

07/02/2004 09:52a 204,943 NbkCtrl.exe
1 File(s) 204,943 bytes

Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK

05/08/2003 12:00p 49,152 OpwareSE2.exe
1 File(s) 49,152 bytes

Directory of C:\WINNT\TWAIN_32\D66U\BAK

07/06/2000 09:11p 32,768 D066UUTY.EXE
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\COMMON~1\ULEADS~1\AUTODE~1\BAK

06/28/2004 08:12p 81,920 Monitor.exe
1 File(s) 81,920 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

02/22/2004 10:44p 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\PROGRA~1\WALGRE~1\WALGRE~1\DATA\XTRAS\BAK

05/19/2005 03:59p 176,128 mssysmgr.exe
1 File(s) 176,128 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

24080 Aug 22 2007 "C:\Program Files\Microsoft IntelliPoint\point32.exe"
163840 May 15 2003 "C:\Program Files\Microsoft IntelliPoint\bak\point32.exe"
24080 Aug 22 2007 "C:\WINNT\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINNT\system32\bak\NeroCheck.exe"
24080 Aug 22 2007 "C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe"
204943 Jul 2 2004 "C:\Program Files\NovaStor\NovaBACKUP\bak\NbkCtrl.exe"
24080 Aug 22 2007 "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
49152 May 8 2003 "C:\Program Files\ScanSoft\OmniPageSE2.0\bak\OpwareSE2.exe"
32768 Jul 6 2000 "C:\temp\D660U_CSUv582\D066USG\D066UUTY.EXE"
24080 Aug 22 2007 "C:\WINNT\twain_32\D66U\D066UUTY.EXE"
32768 Jul 6 2000 "C:\WINNT\twain_32\D66U\bak\D066UUTY.EXE"
32768 Jul 6 2000 "G:\WINNT\twain_32\D66U\D066UUTY.EXE"
24080 Aug 22 2007 "C:\Program Files\Common Files\Ulead Systems\Autodetector\Monitor.exe"
81920 Jun 28 2004 "C:\Program Files\Common Files\Ulead Systems\Autodetector\bak\Monitor.exe"
24080 Aug 22 2007 "C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe"
32881 Feb 22 2004 "C:\Program Files\Java\j2re1.4.2_04\bin\bak\jusched.exe"
24080 Aug 22 2007 "C:\Program Files\Walgreens\Walgreens PhotoShow\data\Xtras\mssysmgr.exe"
176128 May 19 2005 "C:\Program Files\Walgreens\Walgreens PhotoShow\data\Xtras\bak\mssysmgr.exe"


end of report


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:36 PM, on 8/29/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Microsoft IntelliPoint\bak\point32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [D066UUtility] C:\WINNT\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZUxdm080YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188424300850
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 4989 bytes

[tetonbob]

Double-click FindAWF.exe to start the tool.

• Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
• A text file will open up. Please copy/paste the following bolded text into the text file:

  • "C:\Program Files\Microsoft IntelliPoint\bak\point32.exe"
    "C:\WINNT\system32\bak\NeroCheck.exe"
    "C:\Program Files\NovaStor\NovaBACKUP\bak\NbkCtrl.exe"
    "C:\Program Files\ScanSoft\OmniPageSE2.0\bak\OpwareSE2.exe"
    "C:\WINNT\twain_32\D66U\bak\D066UUTY.EXE"
    "C:\Program Files\Common Files\Ulead Systems\Autodetector\bak\Monitor.exe"
    "C:\Program Files\Java\j2re1.4.2_04\bin\bak\jusched.exe"
    "C:\Program Files\Walgreens\Walgreens PhotoShow\data\Xtras\bak\mssysmgr.exe"

• Close the .txt file and click 'Yes' to save the changes.
• When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.

[imc]

Here you go

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Wed 08/29/2007
The current time is: 20:26:32.22


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MICROS~4\BAK

05/15/2003 05:41p 163,840 point32.exe
1 File(s) 163,840 bytes

Directory of C:\WINNT\SYSTEM32\BAK

07/09/2001 03:50a 155,648 NeroCheck.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\NOVASTOR\NOVABA~1\BAK

07/02/2004 09:52a 204,943 NbkCtrl.exe
1 File(s) 204,943 bytes

Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK

05/08/2003 12:00p 49,152 OpwareSE2.exe
1 File(s) 49,152 bytes

Directory of C:\WINNT\TWAIN_32\D66U\BAK

07/06/2000 09:11p 32,768 D066UUTY.EXE
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\COMMON~1\ULEADS~1\AUTODE~1\BAK

06/28/2004 08:12p 81,920 Monitor.exe
1 File(s) 81,920 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

02/22/2004 10:44p 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\PROGRA~1\WALGRE~1\WALGRE~1\DATA\XTRAS\BAK

05/19/2005 03:59p 176,128 mssysmgr.exe
1 File(s) 176,128 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

24080 Aug 22 2007 "C:\Program Files\Microsoft IntelliPoint\point32.exe"
163840 May 15 2003 "C:\Program Files\Microsoft IntelliPoint\bak\point32.exe"
155648 Jul 9 2001 "C:\WINNT\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINNT\system32\bak\NeroCheck.exe"
204943 Jul 2 2004 "C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe"
204943 Jul 2 2004 "C:\Program Files\NovaStor\NovaBACKUP\bak\NbkCtrl.exe"
49152 May 8 2003 "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
49152 May 8 2003 "C:\Program Files\ScanSoft\OmniPageSE2.0\bak\OpwareSE2.exe"
32768 Jul 6 2000 "C:\temp\D660U_CSUv582\D066USG\D066UUTY.EXE"
32768 Jul 6 2000 "C:\WINNT\twain_32\D66U\D066UUTY.EXE"
32768 Jul 6 2000 "C:\WINNT\twain_32\D66U\bak\D066UUTY.EXE"
32768 Jul 6 2000 "G:\WINNT\twain_32\D66U\D066UUTY.EXE"
81920 Jun 28 2004 "C:\Program Files\Common Files\Ulead Systems\Autodetector\Monitor.exe"
81920 Jun 28 2004 "C:\Program Files\Common Files\Ulead Systems\Autodetector\bak\Monitor.exe"
32881 Feb 22 2004 "C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe"
32881 Feb 22 2004 "C:\Program Files\Java\j2re1.4.2_04\bin\bak\jusched.exe"
176128 May 19 2005 "C:\Program Files\Walgreens\Walgreens PhotoShow\data\Xtras\mssysmgr.exe"
176128 May 19 2005 "C:\Program Files\Walgreens\Walgreens PhotoShow\data\Xtras\bak\mssysmgr.exe"


end of report

[tetonbob]

Looks like one stuck around....let's run this again:

Double-click FindAWF.exe to start the tool.

• Select option #2 - Restore files from bak folders bu typing 2 and press 'Enter'
• A text file will open up. Please copy/paste the following bolded text into the text file:

  • "C:\Program Files\Microsoft IntelliPoint\bak\point32.exe"

• Close the .txt file and click 'Yes' to save the changes.
• When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.

[imc]

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Wed 08/29/2007
The current time is: 20:34:19.15


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MICROS~4\BAK

05/15/2003 05:41p 163,840 point32.exe
1 File(s) 163,840 bytes

Directory of C:\WINNT\SYSTEM32\BAK

07/09/2001 03:50a 155,648 NeroCheck.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\NOVASTOR\NOVABA~1\BAK

07/02/2004 09:52a 204,943 NbkCtrl.exe
1 File(s) 204,943 bytes

Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK

05/08/2003 12:00p 49,152 OpwareSE2.exe
1 File(s) 49,152 bytes

Directory of C:\WINNT\TWAIN_32\D66U\BAK

07/06/2000 09:11p 32,768 D066UUTY.EXE
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\COMMON~1\ULEADS~1\AUTODE~1\BAK

06/28/2004 08:12p 81,920 Monitor.exe
1 File(s) 81,920 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

02/22/2004 10:44p 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\PROGRA~1\WALGRE~1\WALGRE~1\DATA\XTRAS\BAK

05/19/2005 03:59p 176,128 mssysmgr.exe
1 File(s) 176,128 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

163840 May 15 2003 "C:\Program Files\Microsoft IntelliPoint\point32.exe"
163840 May 15 2003 "C:\Program Files\Microsoft IntelliPoint\bak\point32.exe"
155648 Jul 9 2001 "C:\WINNT\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINNT\system32\bak\NeroCheck.exe"
204943 Jul 2 2004 "C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe"
204943 Jul 2 2004 "C:\Program Files\NovaStor\NovaBACKUP\bak\NbkCtrl.exe"
49152 May 8 2003 "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
49152 May 8 2003 "C:\Program Files\ScanSoft\OmniPageSE2.0\bak\OpwareSE2.exe"
32768 Jul 6 2000 "C:\temp\D660U_CSUv582\D066USG\D066UUTY.EXE"
32768 Jul 6 2000 "C:\WINNT\twain_32\D66U\D066UUTY.EXE"
32768 Jul 6 2000 "C:\WINNT\twain_32\D66U\bak\D066UUTY.EXE"
32768 Jul 6 2000 "G:\WINNT\twain_32\D66U\D066UUTY.EXE"
81920 Jun 28 2004 "C:\Program Files\Common Files\Ulead Systems\Autodetector\Monitor.exe"
81920 Jun 28 2004 "C:\Program Files\Common Files\Ulead Systems\Autodetector\bak\Monitor.exe"
32881 Feb 22 2004 "C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe"
32881 Feb 22 2004 "C:\Program Files\Java\j2re1.4.2_04\bin\bak\jusched.exe"
176128 May 19 2005 "C:\Program Files\Walgreens\Walgreens PhotoShow\data\Xtras\mssysmgr.exe"
176128 May 19 2005 "C:\Program Files\Walgreens\Walgreens PhotoShow\data\Xtras\bak\mssysmgr.exe"


end of report