Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
#1, 08-09-2005, 06:31 PM, gold00mustang (Registered User; OS: win xp)
Please help me...dang computer is messing up.

Below is the HijackThis analysis of my computer. It doesn't, however, list my security programs. I have System Suite 6, Yahoo antivirus, and Ad-Aware SE. Any help would be greatly appreciated. Whatever is going on will sporadically lock up my computer and cause it to reboot on its own. It also gives me an error message when I start it up that says C:\WINDOWS\cfgmgr52.dll

Please help. Thanks!

-Kyle





====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 7:20:32 PM, on 8/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\WINDOWS\etb\pokapoka62.exe
C:\WINDOWS\system32\rlnamj.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\DOCUMENTS AND SETTINGS\KYLE\DESKTOP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50027
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50027
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50027
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [SystemService] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rlnamj.exe reg_run
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [boeline] C:\WINDOWS\boeline.exe
O4 - HKCU\..\Run: [advdis] C:\WINDOWS\system32\advdis.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Global Startup: Crescentec PNP Monitor.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O14 - IERESET.INF: SearchAssistant=
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe


End of KRC HijackThis Analyzer Log.
====================================================================

#2, 08-10-2005, 12:00 AM, MicroBell (Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter)
Hi and Welcome to TSF

Please print these instructions out so you can follow along.

Before attacking an adware/spyware problem with HijackThis, make sure you have already run the following tools. Download and update the databases on each program before running.
Also make sure you are using the latest version (1.99.1) of HijackThis and that it is installed in its own folder on the root drive (C:\HJT).

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Please make sure System Restore is enabled by right-clicking on My Computer, going to Properties->System Restore and looking at the box for Turn OFF System Restore: make sure it's NOT checked. We want System Restore ON and monitoring your current hard drive. Once you're clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.

Please download LQfix batch here:
http://www.downloads.subratam.org/LQfix.zip
Unzip it to the desktop but do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

Once in Safe Mode, please run LQfix.bat. When finished, restart your computer in normal mode and proceed below.

Download and install CleanUp! but do not run it yet.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download, install, and update Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido


Reboot back into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Open add/remove programs and remove WeatherBug

Go to Start->Run and type Services.msc then hit Ok

Scroll down and find the service called: WebSeach Toolbar support NT service (TBPSSvc)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows


Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one IF they are still listed (they shouldn't be but make sure)

C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\WINDOWS\etb\pokapoka62.exe
C:\WINDOWS\system32\rlnamj.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe


Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50027
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50027
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50027
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [SystemService] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rlnamj.exe reg_run
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [boeline] C:\WINDOWS\boeline.exe
O4 - HKCU\..\Run: [advdis] C:\WINDOWS\system32\advdis.exe
O14 - IERESET.INF: SearchAssistant=
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe


Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory. (If you can't find them, do a search for them; make sure you have searching of hidden files, folders, subdirectories etc. enabled if it applies to your OS.)

C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\WINDOWS\etb\pokapoka62.exe
C:\WINDOWS\system32\rlnamj.exe
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\ttupt.exe
C:\Program Files\sf\sf.exe
C:\WINDOWS\boeline.exe
C:\WINDOWS\system32\advdis.exe


Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted

Once back to normal mode...

Please run an online scan at http://www.pandasoftware.com/actives..._principal.htm
Select the “Autofix/Clean” option and save the activescan log. Then post that log in your next post along with another hijackthis and Ewido log.

So I need...

Hijackthis
Ewido scan log
Panda scan log
#3, 08-10-2005, 11:13 PM, gold00mustang
Is everything ok now?

OK, here is the Hijackthis log...

Logfile of HijackThis v1.99.1
Scan saved at 12:32 AM, on 8/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\rlnamj.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Crescentec DC1000\CresMonitor.exe
C:\Program Files\Microsoft Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\OSA.EXE
C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Documents and Settings\Kyle\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rlnamj.exe reg_run
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Startup: Simply Transparent.lnk = C:\Program Files\JonathanGrimes\Simply Transparent\SimplyTransparent.exe
O4 - Global Startup: Crescentec PNP Monitor.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: SearchAssistant=
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE



And now the ewido log...

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:42:46 PM, 8/10/2005
+ Report-Checksum: 4617D9E2

+ Scan result:

C:\Documents and Settings\Kyle\Application Data\VCOM\SystemSuite\Quarantine\A0037533.exe -> TrojanDropper.Agent.lu : Cleaned with backup
C:\Documents and Settings\Kyle\Application Data\VCOM\SystemSuite\Quarantine\A0038142.exe -> TrojanDownloader.Apropo.ae : Cleaned with backup
C:\Documents and Settings\Kyle\Application Data\VCOM\SystemSuite\Quarantine\A0044468.exe -> TrojanDropper.Agent.lu : Cleaned with backup
C:\Documents and Settings\Kyle\Application Data\VCOM\SystemSuite\Quarantine\A0056347.exe -> TrojanDropper.Agent.lu : Cleaned with backup
C:\Documents and Settings\Kyle\Application Data\VCOM\SystemSuite\Quarantine\A0056348.exe -> TrojanDropper.Agent.lu : Cleaned with backup
C:\Documents and Settings\Kyle\Application Data\VCOM\SystemSuite\Quarantine\A0056349.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Documents and Settings\Kyle\Application Data\VCOM\SystemSuite\Quarantine\A0056350.exe -> TrojanDownloader.Apropo.ae : Cleaned with backup
C:\Documents and Settings\Kyle\Local Settings\Temp\VVSNInst.exe -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\Lyndsey\Cookies\lyndsey@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Lyndsey\Cookies\lyndsey@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Lyndsey\Local Settings\Temporary Internet Files\Content.IE5\AVYHY7OH\newmajorse2[1].cab/newmajorse2.txt -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\Lyndsey\Local Settings\Temporary Internet Files\Content.IE5\AVYHY7OH\tb3[1].cab/toolbar.dll -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\Lyndsey\Local Settings\Temporary Internet Files\Content.IE5\UX0B83AJ\TBPSSvc[1].cab/TBPSSvc.exe -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\Lyndsey\nsvsvc\nsv.ocx -> Spyware.Delfin : Cleaned with backup
C:\Documents and Settings\Lyndsey\nsvsvc\nsvs.dll -> Spyware.Delfin : Cleaned with backup
C:\Documents and Settings\Lyndsey\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.Delfin : Cleaned with backup
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2P4FKZMH\!update-2224[1].0000 -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Y7GNWLYX\!update-2154[1].0000 -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Y7GNWLYX\!update-2274[1].0000 -> Spyware.MediaTickets : Cleaned with backup
:mozilla.6:C:\Documents and Settings\New Kyle\Application Data\Mozilla\Firefox\Profiles\l1dpwsel.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.7:C:\Documents and Settings\New Kyle\Application Data\Mozilla\Firefox\Profiles\l1dpwsel.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.10:C:\Documents and Settings\New Kyle\Application Data\Mozilla\Firefox\Profiles\l1dpwsel.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.11:C:\Documents and Settings\New Kyle\Application Data\Mozilla\Firefox\Profiles\l1dpwsel.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.12:C:\Documents and Settings\New Kyle\Application Data\Mozilla\Firefox\Profiles\l1dpwsel.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.17:C:\Documents and Settings\New Kyle\Application Data\Mozilla\Firefox\Profiles\l1dpwsel.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.21:C:\Documents and Settings\New Kyle\Application Data\Mozilla\Firefox\Profiles\l1dpwsel.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.22:C:\Documents and Settings\New Kyle\Application Data\Mozilla\Firefox\Profiles\l1dpwsel.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.23:C:\Documents and Settings\New Kyle\Application Data\Mozilla\Firefox\Profiles\l1dpwsel.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\New Kyle\Cookies\new kyle@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\New Kyle\Cookies\new kyle@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\New Kyle\Cookies\new kyle@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\New Kyle\Local Settings\Temp\12255590_2300_3768_5352_62.41.tmp -> Spyware.EliteBar : Cleaned with backup
C:\Documents and Settings\New Kyle\Local Settings\Temp\13631950_2300_3768_5400_62.41.tmp -> Spyware.EliteBar : Cleaned with backup
C:\Documents and Settings\New Kyle\Local Settings\Temp\13959782_2300_3768_4360_62.41.tmp -> Spyware.EliteBar : Cleaned with backup
C:\Documents and Settings\New Kyle\Local Settings\Temp\18678284_2300_3768_5732_62.41.tmp -> Spyware.EliteBar : Cleaned with backup
C:\Documents and Settings\New Kyle\Local Settings\Temp\21758598_2300_3768_5036_62.41.tmp -> Spyware.EliteBar : Cleaned with backup
C:\Documents and Settings\New Kyle\Local Settings\Temp\655984_2300_3768_5260_62.41.tmp -> Spyware.EliteBar : Cleaned with backup
C:\Program Files\BearShare\Installer\saveinstwm.exe -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Toolbar\gykhxlmu.rmr -> Spyware.IBIS : Cleaned with backup
C:\Program Files\Toolbar\nzqlihv.wzg -> Spyware.WebSearch : Cleaned with backup
C:\Program Files\Toolbar\xlmurin.wzg -> Spyware.IBIS : Cleaned with backup
C:\Program Files\uasa\altl.exe -> Spyware.MediaTickets : Cleaned with backup
C:\Program Files\VCOM\SystemSuite\VSS9VIB5.00M -> TrojanSpy.VB.eh : Cleaned with backup
C:\Program Files\VCOM\SystemSuite\VSS9VIUT.00O -> TrojanSpy.VB.eh : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050720203235.zip/Program Files/common files/uninstall information/RemoveDisplayUtility.exe -> Spyware.Delfin : Cleaned with backup
C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\icont.exe -> Spyware.AdURL : Cleaned with backup
C:\WINDOWS\system32\ca2.dll -> Spyware.SearchIt : Cleaned with backup
C:\WINDOWS\system32\Cache\Installer.exe -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\Cache\ven_d1.exe -> TrojanDownloader.IstBar : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\AVYHY7OH\!update-2144[1].0000 -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UX0B83AJ\!update-2114[1].0000 -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UX0B83AJ\!update-2134[1].0000 -> Spyware.PurityScan : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UX0B83AJ\!update-2154[1].0000 -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UX0B83AJ\!update-2164[1].0000 -> Spyware.PurityScan : Cleaned with backup
C:\WINDOWS\system32\conres.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\DrPMon.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\nsmC86.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\Temp\!update.exe -> Spyware.MediaTickets : Cleaned with backup
C:\WINDOWS\Temp\b.com -> TrojanDropper.Agent.pb : Cleaned with backup
C:\WINDOWS\Temp\Cookies\kyle@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6B2JC9U1\kw[1].exe -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\IHMTQBGL\pokapoka62[1].exe -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\Temp\V1UOPJa01348 -> Spyware.AdURL : Cleaned with backup
C:\WINDOWS\tvtwlaqr.exe -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\ukpjdsi.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\wpxifumhnke.exe -> Adware.BetterInternet : Cleaned with backup


::Report End

I couldn't get the Panda scan log...I didn't find the Autofix/Clean option. If you need it, let me know and I will try to find it again. Thanks for all of your help so far. I really appreciate it!
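Added example, not part of the thread and not a HijackThis feature: the triage MicroBell did by hand on the O4 and O23 lines in post #2, plus the "is everything ok now?" check against the second log in post #3, as one Python script. It encodes five rules of thumb taken from the entries he put on the fix list: a Run value that executes a file sitting directly in the Windows root, RunDLL32 loading a DLL from outside system32, one file registered under more than one Run value, a Run value named like a service (SystemService, KavSvc) with no matching O23 service, and a service reported as "Unknown owner". The two sample logs are excerpts copied from the first and third posts; the regexes, rule wording and function names are the example's own. As the WinPFind banner later in this thread says of its own output, a hit is a lead for a person to review, not a verdict: SM1BG.EXE in the second log trips the Windows-root rule although nobody put it on the fix list.

```python
"""Triage the O4 (Run key) and O23 (service) lines of a HijackThis 1.99.1 log.

Added example, not part of the thread and not a HijackThis feature: the rules
below are the reviewer's rules of thumb, and every hit still needs a human.
"""
import re
from collections import Counter

# Line shapes, as they appear in the logs in this thread:
#   O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
#   O23 - Service: <name> - <owner> - <path>
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First absolute path on a command line, quoted or not, up to its extension.
PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|com|scr|cpl))"?', re.IGNORECASE)

WINDOWS_ROOT = r"c:\windows"
SYSTEM32 = WINDOWS_ROOT + r"\system32"


def target_of(cmd):
    """Module a Run value really loads (for RunDLL32 that is the DLL), or None."""
    cmd = cmd.strip()
    if cmd.upper().startswith("RUNDLL32"):
        cmd = cmd.partition(" ")[2].partition(",")[0]
    m = PATH_RE.match(cmd.strip())
    return m["path"] if m else None


def parse(log):
    """Split a log into Run entries and services; other sections are ignored."""
    runs, services = [], []
    for line in log.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            runs.append({"name": m["name"], "cmd": m["cmd"], "target": target_of(m["cmd"])})
        elif m := O23_RE.match(line):
            services.append({"svc": m["svc"], "owner": m["owner"], "path": m["path"].strip()})
    return runs, services


def suspicious(log):
    """Map each flagged file (lower-cased path) to the reasons it was flagged."""
    runs, services = parse(log)
    findings = {}

    def flag(path, reason):
        reasons = findings.setdefault(path.lower(), [])
        if reason not in reasons:
            reasons.append(reason)

    registered = Counter(r["target"].lower() for r in runs if r["target"])
    service_paths = {s["path"].lower() for s in services}
    for r in runs:
        t = r["target"]
        if t is None:  # e.g. "nwiz.exe /install": nothing absolute to judge
            continue
        directory = t.lower().rpartition("\\")[0]
        if directory == WINDOWS_ROOT:
            flag(t, "runs directly from the Windows root")
        if r["cmd"].upper().startswith("RUNDLL32") and directory != SYSTEM32:
            flag(t, "RunDLL32 loads a DLL from outside system32")
        if registered[t.lower()] > 1:
            flag(t, "same file registered under more than one Run value")
        if re.search(r"service|svc", r["name"], re.IGNORECASE) and t.lower() not in service_paths:
            flag(t, "Run value named like a service but no O23 service runs this file")
    for s in services:
        if s["owner"].lower() == "unknown owner":
            flag(s["path"], "service with no publisher (Unknown owner)")
    return findings


def persisting(before_log, after_log):
    """Flagged paths present in both logs: what to chase in the next reply."""
    return sorted(set(suspicious(before_log)) & set(suspicious(after_log)))


# Excerpts copied from the two logs in the thread (first and third post).
BEFORE = r"""
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [SystemService] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rlnamj.exe reg_run
O4 - HKCU\..\Run: [boeline] C:\WINDOWS\boeline.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
"""

AFTER = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rlnamj.exe reg_run
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

if __name__ == "__main__":
    for path, reasons in suspicious(BEFORE).items():
        print(f"{path}: {'; '.join(reasons)}")
    print("still registered after the fix:", persisting(BEFORE, AFTER))
```

Run stand-alone it lists six flagged items from the first excerpt (cfgmgr52.dll, pokapoka62.exe, ttupt.exe, rlnamj.exe, boeline.exe and the TBPSSvc service) and reports that C:\WINDOWS\system32\rlnamj.exe is the one that is still registered in the second, which is exactly what the [KavSvc] line in the post #3 log shows. The rules deliberately ignore the Run value's own name when locating the file, since [KavSvc] and [SystemService] are the kind of names that are chosen to look legitimate.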
#4, 08-11-2005, 08:21 AM, POADB (Moderator, Microsoft Support; OS: XP SP2)
Please download the following files:

WinPfind.zip - Unzip to Drive C

Tq.zip

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

REBOOT TO SAFE MODE
  1. Shut Windows down, and then turn off the computer.
  2. Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
  3. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the
    Windows Advanced Options menu appears.
  4. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Locate & double-click on WinPFind.exe.
  1. Click Start Scan
  2. Once the Scan is Complete
    1. Go to the WinPFind folder & locate WinPFind.txt
    2. Post the results in your next post!
* This program will scan large numbers of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
REBOOT your computer back to NORMAL MODE .

Locate & double-click on Tq.vbs. Wait a few seconds and a notepad page will pop up, Copy & Paste those results in your next post
* If your Antivirus has Script Blocking, you will get a pop-up window asking you what to do. Allow this Entire Script to Run; it's harmless!

=====

In your next post, please include fresh logs from:
  • HiJackThis log
  • WinPfind
  • Tq.vbs
#5, 08-11-2005, 10:20 AM, gold00mustang
Next step?

TQ log is as follows

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"SM1BG"="C:\\WINDOWS\\SM1BG.EXE"
"CaAvTray"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVRID.exe\""
"YOP"="C:\\PROGRA~1\\Yahoo!\\YOP\\yop.exe /autostart"
"YBrowser"="C:\\Program Files\\Yahoo!\\browser\\ybrwicon.exe"
"Fix-It AV"="C:\\PROGRA~1\\VCOM\\SYSTEM~1\\MemCheck.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"KavSvc"="C:\\WINDOWS\\system32\\rlnamj.exe reg_run"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- CA_AntiVirus
{1CE2AA40-1317-11D3-9922-00104B0AD431}
C:\WINDOWS\avshlext.dll

Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido\security suite\context.dll

Subkey --- Fix-It Menu
{A50302A0-8E15-11d2-887B-006008C1C087}
C:\Program Files\VCOM\SystemSuite\mxctxmnu.dll

Subkey --- fstyqnqq
{144a1013-ef4c-44a1-bbab-960984be97db}
C:\WINDOWS\system32\ugqkn.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499}


Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Crescentec PNP Monitor.lnk
desktop.ini
Microsoft Find Fast.lnk
nupa.exe
Office Startup.lnk
==============================
C:\Documents and Settings\Kyle\Start Menu\Programs\Startup

Crescentec PNP Monitor.lnk
desktop.ini
Microsoft Find Fast.lnk
nupa.exe
Office Startup.lnk
desktop.ini
Microsoft Works Calendar Reminders.lnk
Simply Transparent.lnk
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
FINDFAST.CPL Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nvtuicpl.cpl NVIDIA Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation

Win PFind is next:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
aspack 9/22/2003 4:00:02 AM 407568 C:\WINDOWS\eFaxview.exe

Items found in C:\WINDOWS\hosts

web-nex 8/11/2005 10:46:30 AM 4054 C:\WINDOWS\jrhnk.dll

Checking %System% folder...
69.59.186.63 8/2/2005 12:12:48 PM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
209.66.67.134 8/2/2005 12:12:48 PM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
66.63.167.97 8/2/2005 12:12:48 PM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
66.63.167.77 8/2/2005 12:12:48 PM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
web-nex 8/2/2005 12:12:48 PM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
winsync 8/2/2005 12:12:48 PM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
rec2_run 8/2/2005 12:12:48 PM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
PEC2 8/18/2001 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
aspack 9/22/2003 4:00:02 AM 787456 C:\WINDOWS\SYSTEM32\jsdvwsdk.dll
PTech 8/3/2005 10:33:42 AM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 8/4/2005 8:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2005 8:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
UPX! 7/21/2005 2:12:12 AM 223232 C:\WINDOWS\SYSTEM32\Pop2.exe
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
KavSvc 8/2/2005 12:12:48 PM 34816 C:\WINDOWS\SYSTEM32\ryokupu.dll
69.59.186.63 8/2/2005 12:12:48 PM 34816 C:\WINDOWS\SYSTEM32\ryokupu.dll
209.66.67.134 8/2/2005 12:12:48 PM 34816 C:\WINDOWS\SYSTEM32\ryokupu.dll
testpopup 8/2/2005 12:12:48 PM 34816 C:\WINDOWS\SYSTEM32\ryokupu.dll
web-nex 8/2/2005 12:12:48 PM 34816 C:\WINDOWS\SYSTEM32\ryokupu.dll
yourkey 8/2/2005 12:12:48 PM 34816 C:\WINDOWS\SYSTEM32\ryokupu.dll
KavSvc 8/2/2005 12:12:50 PM 16384 C:\WINDOWS\SYSTEM32\ugqkn.dll
69.59.186.63 8/2/2005 12:12:50 PM 16384 C:\WINDOWS\SYSTEM32\ugqkn.dll
209.66.67.134 8/2/2005 12:12:50 PM 16384 C:\WINDOWS\SYSTEM32\ugqkn.dll
web-nex 8/2/2005 12:12:50 PM 16384 C:\WINDOWS\SYSTEM32\ugqkn.dll
yourkey 8/2/2005 12:12:50 PM 16384 C:\WINDOWS\SYSTEM32\ugqkn.dll
winsync 8/18/2001 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder for system and hidden files within the last 60 days...
7/18/2005 5:40:58 PM 0 C:\WINDOWS\inf\oem11.inf
7/18/2005 5:42:20 PM 0 C:\WINDOWS\inf\oem12.inf
8/10/2005 11:58:08 PM 0 C:\WINDOWS\LastGood\INF\oem13.inf
8/10/2005 11:58:08 PM 0 C:\WINDOWS\LastGood\INF\oem13.PNF
7/19/2005 12:15:04 PM 286777 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_6.cab
8/10/2005 9:58:12 PM 1577248 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\0ddf58787069154584ea5c1192e998ea\BIT9.tmp
8/11/2005 9:59:46 AM 21252 C:\WINDOWS\system32\FFASTLOG.TXT
8/11/2005 10:51:08 AM 8192 C:\WINDOWS\system32\config\default.LOG
8/11/2005 10:51:34 AM 1024 C:\WINDOWS\system32\config\SAM.LOG
8/11/2005 10:51:18 AM 16384 C:\WINDOWS\system32\config\SECURITY.LOG
8/11/2005 10:53:32 AM 65536 C:\WINDOWS\system32\config\software.LOG
8/11/2005 10:51:36 AM 880640 C:\WINDOWS\system32\config\system.LOG
8/9/2005 10:56:16 PM 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
8/9/2005 10:47:16 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\c303d2bb-c442-4a98-867b-4381635ce1b7
8/9/2005 10:47:16 PM 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
7/1/2005 12:41:00 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\61a0c6b5-6962-4708-9753-460a1fee8baf
7/1/2005 12:41:00 PM 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
8/10/2005 11:53:56 PM 192 C:\WINDOWS\Tasks\RUTASK.job
8/11/2005 10:49:40 AM 6 C:\WINDOWS\Tasks\SA.DAT
7/26/2005 3:41:02 PM 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
7/26/2005 3:41:02 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
1/10/2003 5:44:38 PM 1485 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Crescentec PNP Monitor.lnk
11/1/2003 9:02:12 PM 682 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
8/2/2005 12:12:50 PM 81920 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nupa.exe
11/1/2003 9:02:14 PM 657 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
11/1/2003 9:07:00 PM 726 C:\Documents and Settings\Kyle\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
8/9/2005 10:40:52 PM 1013 C:\Documents and Settings\Kyle\Start Menu\Programs\Startup\Simply Transparent.lnk

Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{5D1E95FB-4FAF-4A0C-A303-8E8BBF114C97} = C:\WINDOWS\system32\sqimgvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\CA_AntiVirus
{1CE2AA40-1317-11D3-9922-00104B0AD431} = C:\WINDOWS\avshlext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Fix-It Menu
{A50302A0-8E15-11d2-887B-006008C1C087} = C:\Program Files\VCOM\SystemSuite\mxctxmnu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fstyqnqq
{144a1013-ef4c-44a1-bbab-960984be97db} = C:\WINDOWS\system32\ugqkn.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\CA_AntiVirus
{1CE2AA40-1317-11D3-9922-00104B0AD431} = C:\WINDOWS\avshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Fix-It Menu
{A50302A0-8E15-11d2-887B-006008C1C087} = C:\Program Files\VCOM\SystemSuite\mxctxmnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{339BB23F-A864-48C0-A59F-29EA915965EC} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2499216C-4BA5-11D5-BD9C-000103C116D5}
ButtonText = Yahoo! Login :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{339BB23F-A864-48C0-A59F-29EA915965EC} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{339BB23F-A864-48C0-A59F-29EA915965EC} = :
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz nwiz.exe /install
SM1BG C:\WINDOWS\SM1BG.EXE
CaAvTray "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
CAVRID "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
YOP C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
YBrowser C:\Program Files\Yahoo!\browser\ybrwicon.exe
Fix-It AV C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
KavSvc C:\WINDOWS\system32\rlnamj.exe reg_run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Yahoo! Pager "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
MsnMsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
advdis C:\WINDOWS\system32\advdis.exe


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.2.9 - Log file written to "WinPFind.Txt" in the WinPFind folder.

And now for the Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 11:12:13 AM, on 8/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\rlnamj.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Crescentec DC1000\CresMonitor.exe
C:\Program Files\Microsoft Office\FINDFAST.EXE
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Microsoft Office\OSA.EXE
C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
C:\Program Files\JonathanGrimes\Simply Transparent\SimplyTransparent.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Kyle\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rlnamj.exe reg_run
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Startup: Simply Transparent.lnk = C:\Program Files\JonathanGrimes\Simply Transparent\SimplyTransparent.exe
O4 - Global Startup: Crescentec PNP Monitor.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: SearchAssistant=
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...5free/asinst.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE



What else do I need to fix on this now??? Thanks for all the help!
gold00mustang is offline  
Old 08-11-2005, 11:46 AM   #6 (permalink)
Moderator, Microsoft Support
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2


Unfortunately, there is no quick way around this. This could take a few passes. Follow my instructions below.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - Choose YES when it informs you the file will be deleted on Reboot. Choose NO when it asks if you want to reboot):

C:\WINDOWS\system32\rlnamj.exe
C:\WINDOWS\system32\ugqkn.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nupa.exe
C:\Documents and Settings\Kyle\Start Menu\Programs\Startup\nupa.exe
C:\WINDOWS\jrhnk.dll
C:\WINDOWS\SYSTEM32\datadx.dll
C:\WINDOWS\SYSTEM32\jsdvwsdk.dll
C:\WINDOWS\SYSTEM32\Pop2.exe
C:\WINDOWS\SYSTEM32\ryokupu.dll
C:\WINDOWS\Tasks\RUTASK.job
C:\WINDOWS\system32\sqimgvw.dll
C:\WINDOWS\system32\advdis.exe


Run HJT and fix:

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rlnamj.exe reg_run


I have attached a file to this post - regdel.txt
Download it & rename it "regdel.REG" (inclusive of the quotes)
Make sure you do not mistakenly rename it as regdel.reg.txt (double extensions)
Double-click on it & answer YES when prompted to merge into the Registry.

Reboot your computer to Safe Mode and re-run WinPFind. Bring the results with you in your next post.
Reboot your computer back to Normal Mode and re-run Tq. Bring the results with you in your next post.

We'll also need a new HJT log.



Last edited by POADB; 01-19-2006 at 01:05 AM.
POADB is offline  
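The post above pairs a KillBox file list with an HJT fix for the one Run value that launches a file from that list, plus a regdel.REG attachment whose contents the thread does not show. As an added illustration (not the moderator's attachment, and not part of HijackThis, TQ, WinPFind or KillBox), the Python below parses a REGEDIT4 export of the Run key in the shape TQ printed it, works out which file each value actually launches (including the DLL behind a RUNDLL32 entry), flags the values that point at a given list of files, and writes a .reg that deletes only those values using regedit's "Name"=- delete-value syntax. The sample export and the flagged paths are constructed from the entries posted in this thread; which values the real regdel.txt removed is not stated on the page.

```python
"""Triage a REGEDIT4 export of a Run key against a list of files slated for removal.

Added illustration for the thread above; not the moderator's regdel attachment
and not code from HijackThis, TQ, WinPFind or KillBox.  The sample export below
is constructed from the Run values posted in the thread.
"""
import ntpath
import re

# Constructed sample in the shape TQ printed the HKLM Run key (see the thread).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"YBrowser"="C:\\Program Files\\Yahoo!\\browser\\ybrwicon.exe"
"KavSvc"="C:\\WINDOWS\\system32\\rlnamj.exe reg_run"
'''

# Two of the files the helper told the poster to delete (taken from the thread).
FLAGGED_FILES = [r'C:\WINDOWS\system32\rlnamj.exe', r'C:\WINDOWS\system32\ugqkn.dll']

EXEC_EXT = ('.exe', '.dll', '.com', '.scr', '.cpl', '.bat', '.cmd', '.pif')
_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def unescape_reg_string(raw):
    """Undo .reg string escaping (a doubled backslash and a backslash-quote)."""
    return re.sub(r'\\(.)', r'\1', raw)


def command_target(cmd):
    """Best-effort guess at the file a Run command launches, as HJT's O4 lines show it."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path: everything up to the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    if not tokens:
        return ''
    # rundll32 is only a host: the module named in its first argument is what really runs
    if tokens[0].lower() in ('rundll32.exe', 'rundll32') and len(tokens) > 1:
        return tokens[1].split(',', 1)[0]
    acc = ''
    for tok in tokens:                           # unquoted path with spaces: grow until an extension
        acc = tok if not acc else acc + ' ' + tok
        if acc.lower().endswith(EXEC_EXT):
            return acc
    return tokens[0]


def parse_run_export(text):
    """Return [{'key', 'name', 'command', 'target'}] for every string value in the export."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key:
            command = unescape_reg_string(m.group(2))
            entries.append({'key': key, 'name': m.group(1),
                            'command': command, 'target': command_target(command)})
    return entries


def flag_entries(entries, flagged_files):
    """Keep the entries whose launched file is one of flagged_files (file name, case-insensitive)."""
    wanted = {ntpath.basename(p).lower() for p in flagged_files}
    return [e for e in entries if ntpath.basename(e['target']).lower() in wanted]


def build_removal_reg(entries):
    """Emit a REGEDIT4 file that deletes only the flagged values ("Name"=- is regedit's delete form)."""
    by_key = {}
    for e in entries:
        by_key.setdefault(e['key'], []).append(e['name'])
    lines = ['REGEDIT4', '']
    for key, names in by_key.items():
        lines.append('[%s]' % key)
        lines.extend('"%s"=-' % n for n in names)
        lines.append('')
    return '\n'.join(lines)


if __name__ == '__main__':
    found = parse_run_export(SAMPLE_EXPORT)
    for e in found:
        print('%-20s -> %s' % (e['name'], e['target']))
    hits = flag_entries(found, FLAGGED_FILES)
    print('\nValues launching flagged files:', [e['name'] for e in hits])
    print(build_removal_reg(hits))
```

Matching on file name rather than full path is deliberate: the same file shows up in the logs as both system32 and SYSTEM32, and Run values sometimes use 8.3 short directory names, so a full-path comparison would miss entries a helper would catch by eye. The generated .reg removes values only; the files themselves still need the delete-on-reboot step, since an in-use executable cannot be removed while Windows is running normally.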
Old 08-11-2005, 09:52 PM   #7 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 12
OS: win xp


OK...done with those steps...

OK, I am done with those steps now. WinPFind is as follows...

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
aspack 9/22/2003 4:00:02 AM 407568 C:\WINDOWS\eFaxview.exe

Items found in C:\WINDOWS\hosts


Checking %System% folder...
PEC2 8/18/2001 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 8/3/2005 10:33:42 AM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 8/4/2005 8:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2005 8:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/18/2001 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder for system and hidden files within the last 60 days...
7/18/2005 5:40:58 PM 0 C:\WINDOWS\inf\oem11.inf
7/18/2005 5:42:20 PM 0 C:\WINDOWS\inf\oem12.inf
7/19/2005 12:15:04 PM 286777 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_6.cab
8/10/2005 9:58:12 PM 1577248 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\0ddf58787069154584ea5c1192e998ea\BIT9.tmp
8/11/2005 10:21:20 PM 21382 C:\WINDOWS\system32\FFASTLOG.TXT
8/11/2005 10:37:08 PM 8192 C:\WINDOWS\system32\config\default.LOG
8/11/2005 10:37:38 PM 1024 C:\WINDOWS\system32\config\SAM.LOG
8/11/2005 10:37:20 PM 16384 C:\WINDOWS\system32\config\SECURITY.LOG
8/11/2005 10:37:36 PM 65536 C:\WINDOWS\system32\config\software.LOG
8/11/2005 10:37:40 PM 884736 C:\WINDOWS\system32\config\system.LOG
8/9/2005 10:56:16 PM 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
8/9/2005 10:47:16 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\c303d2bb-c442-4a98-867b-4381635ce1b7
8/9/2005 10:47:16 PM 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
7/1/2005 12:41:00 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\61a0c6b5-6962-4708-9753-460a1fee8baf
7/1/2005 12:41:00 PM 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
8/11/2005 10:36:10 PM 6 C:\WINDOWS\Tasks\SA.DAT
7/26/2005 3:41:02 PM 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
7/26/2005 3:41:02 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
1/10/2003 5:44:38 PM 1485 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Crescentec PNP Monitor.lnk
11/1/2003 9:02:12 PM 682 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
11/1/2003 9:02:14 PM 657 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
11/1/2003 9:07:00 PM 726 C:\Documents and Settings\Kyle\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
8/9/2005 10:40:52 PM 1013 C:\Documents and Settings\Kyle\Start Menu\Programs\Startup\Simply Transparent.lnk

Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{5D1E95FB-4FAF-4A0C-A303-8E8BBF114C97} =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\CA_AntiVirus
{1CE2AA40-1317-11D3-9922-00104B0AD431} = C:\WINDOWS\avshlext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Fix-It Menu
{A50302A0-8E15-11d2-887B-006008C1C087} = C:\Program Files\VCOM\SystemSuite\mxctxmnu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\CA_AntiVirus
{1CE2AA40-1317-11D3-9922-00104B0AD431} = C:\WINDOWS\avshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Fix-It Menu
{A50302A0-8E15-11d2-887B-006008C1C087} = C:\Program Files\VCOM\SystemSuite\mxctxmnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{339BB23F-A864-48C0-A59F-29EA915965EC} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2499216C-4BA5-11D5-BD9C-000103C116D5}
ButtonText = Yahoo! Login :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{339BB23F-A864-48C0-A59F-29EA915965EC} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{339BB23F-A864-48C0-A59F-29EA915965EC} = :
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz nwiz.exe /install
SM1BG C:\WINDOWS\SM1BG.EXE
CaAvTray "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
CAVRID "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
YOP C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
YBrowser C:\Program Files\Yahoo!\browser\ybrwicon.exe
Fix-It AV C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
KavSvc C:\WINDOWS\system32\rlnamj.exe reg_run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Yahoo! Pager "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
MsnMsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
advdis C:\WINDOWS\system32\advdis.exe


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.2.9 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/11/2005 10:44:17 PM


TQ is as follows...

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"SM1BG"="C:\\WINDOWS\\SM1BG.EXE"
"CaAvTray"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVRID.exe\""
"YOP"="C:\\PROGRA~1\\Yahoo!\\YOP\\yop.exe /autostart"
"YBrowser"="C:\\Program Files\\Yahoo!\\browser\\ybrwicon.exe"
"Fix-It AV"="C:\\PROGRA~1\\VCOM\\SYSTEM~1\\MemCheck.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"KavSvc"="C:\\WINDOWS\\system32\\rlnamj.exe reg_run"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- CA_AntiVirus
{1CE2AA40-1317-11D3-9922-00104B0AD431}
C:\WINDOWS\avshlext.dll

Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido\security suite\context.dll

Subkey --- Fix-It Menu
{A50302A0-8E15-11d2-887B-006008C1C087}
C:\Program Files\VCOM\SystemSuite\mxctxmnu.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499}


Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Crescentec PNP Monitor.lnk
desktop.ini
Microsoft Find Fast.lnk
Office Startup.lnk
==============================
C:\Documents and Settings\Kyle\Start Menu\Programs\Startup

Crescentec PNP Monitor.lnk
desktop.ini
Microsoft Find Fast.lnk
Office Startup.lnk
desktop.ini
Microsoft Works Calendar Reminders.lnk
Simply Transparent.lnk
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
FINDFAST.CPL Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nvtuicpl.cpl NVIDIA Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation

HJT is as follows...

Logfile of HijackThis v1.99.1
Scan saved at 10:49:33 PM, on 8/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Crescentec DC1000\CresMonitor.exe
C:\Program Files\Microsoft Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\OSA.EXE
C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
C:\Program Files\JonathanGrimes\Simply Transparent\SimplyTransparent.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Notepad.exe
C:\Documents and Settings\Kyle\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rlnamj.exe reg_run
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Startup: Simply Transparent.lnk = C:\Program Files\JonathanGrimes\Simply Transparent\SimplyTransparent.exe
O4 - Global Startup: Crescentec PNP Monitor.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: SearchAssistant=
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Thank you for your help so far...am looking forward to getting this finished so that my computer is mine again...again, thanks for the help so far!!! - Kyle
Old 08-12-2005, 03:39 AM   #8 (permalink)
Moderator, Microsoft Support
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2


As before, run KillBox and copy paste all of the below into KillBox, using the options as you did before. Kill them and then reboot.

C:\WINDOWS\system32\rlnamj.exe
C:\WINDOWS\system32\advdis.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\0ddf58787069154584ea5c1192e998ea\BIT9.tmp
C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\c303d2bb-c442-4a98-867b-4381635ce1b7
C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\61a0c6b5-6962-4708-9753-460a1fee8baf


Run HJT and fix:

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rlnamj.exe reg_run


Reboot your computer now.

Re run HJT and post a new log.
Old 08-12-2005, 08:56 AM   #9 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 12
OS: win xp


OK, I did all that...here is the new HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 9:53:18 AM, on 8/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Crescentec DC1000\CresMonitor.exe
C:\Program Files\Microsoft Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\OSA.EXE
C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
C:\Program Files\JonathanGrimes\Simply Transparent\SimplyTransparent.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Documents and Settings\Kyle\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Startup: Simply Transparent.lnk = C:\Program Files\JonathanGrimes\Simply Transparent\SimplyTransparent.exe
O4 - Global Startup: Crescentec PNP Monitor.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: SearchAssistant=
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
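The helper checks the new log against the previous one by eye: the only O4 change between the two HijackThis logs in this thread should be the disappearance of the "KavSvc" entry. As an added example (not part of the thread and not code from HijackThis), here is a small Python parser for O4 autorun lines that diffs two logs the same way. The sample logs are constructed from lines that appear above, and the names parse_o4, diff_o4 and AutorunEntry are my own.

```python
"""Parse HijackThis O4 (autorun) entries and diff two logs.

Added example for the thread above; not HijackThis code. Sample logs
below are constructed from O4 lines posted in the thread.
"""
import re
from dataclasses import dataclass

# Registry-backed O4 entries, e.g.
#   O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rlnamj.exe reg_run
O4_REGISTRY = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
# Startup-folder O4 entries, e.g.
#   O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE
O4_STARTUP = re.compile(
    r"^O4 - (?P<folder>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$"
)


@dataclass(frozen=True, order=True)
class AutorunEntry:
    location: str  # "HKLM\Run", "HKCU\Run", "Startup" or "Global Startup"
    name: str      # registry value name, or the .lnk file name
    command: str   # command line, or shortcut target ("?" when HJT could not resolve it)


def parse_o4(log_text: str) -> list[AutorunEntry]:
    """Extract every O4 autorun entry from a HijackThis log; other sections are ignored."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_REGISTRY.match(line)
        if m:
            entries.append(AutorunEntry(f"{m['hive']}\\{m['key']}", m["name"], m["cmd"]))
            continue
        m = O4_STARTUP.match(line)
        if m:
            entries.append(AutorunEntry(m["folder"], m["name"], m["cmd"]))
    return entries


def diff_o4(before: str, after: str) -> tuple[list[AutorunEntry], list[AutorunEntry]]:
    """Return (removed, added): entries only in the earlier log, and entries only in the later one."""
    old, new = set(parse_o4(before)), set(parse_o4(after))
    return sorted(old - new), sorted(new - old)


# Constructed sample: a slice of the log posted before the fix ...
BEFORE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rlnamj.exe reg_run
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: Simply Transparent.lnk = C:\Program Files\JonathanGrimes\Simply Transparent\SimplyTransparent.exe
O4 - Global Startup: Crescentec PNP Monitor.lnk = ?
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
"""

# ... and the same slice of the log posted after HJT fixed the KavSvc entry.
AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: Simply Transparent.lnk = C:\Program Files\JonathanGrimes\Simply Transparent\SimplyTransparent.exe
O4 - Global Startup: Crescentec PNP Monitor.lnk = ?
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
"""

if __name__ == "__main__":
    removed, added = diff_o4(BEFORE_LOG, AFTER_LOG)
    for e in removed:
        print(f"removed: {e.location} [{e.name}] {e.command}")
    for e in added:
        print(f"added:   {e.location} [{e.name}] {e.command}")
```

Entries are compared as (location, name, command) triples, so a value that was re-pointed at a different binary shows up as one removal plus one addition rather than silently matching on the name alone; anything in the "added" list after a cleanup round is worth a second look.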
Old 08-12-2005, 11:04 AM   #10 (permalink)
Moderator, Microsoft Support
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2


Excellent:

Run HJT and fix the following:

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)


Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them in your next post.

Please run an online virus scan at Panda ActiveScan. Save the results and bring them with you in your next post.

We're almost there, I'm sure you'll be relieved to know.
Old 08-16-2005, 04:31 AM   #11 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 12
OS: win xp


OK, sorry about the wait... I was away from my computer all weekend. Here is the Spyware log...

Started Scanning
Internet Cookies
Found 'tribalfusion.com' in 'Internet Explorer Cache'
Found 'z1.adserver.com' in 'Internet Explorer Cache'
Found 'belnk.com' in 'Internet Explorer Cache'
Found 'dist.belnk.com' in 'Internet Explorer Cache'
Found 'ads.pointroll.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'Software\BearShare'
Found '' in 'SOFTWARE\Classes\ed2k'
Found '' in 'SOFTWARE\Classes\ed2k\DefaultIcon'
Found '' in 'SOFTWARE\Classes\ed2k\shell\open\command'
Found '' in 'SOFTWARE\Classes\GnucDNA.Core'
Found '' in 'SOFTWARE\Classes\GnucDNA.Core\CLSID'
Found '' in 'AppEvents\EventLabels\BearShareChatNotifyMsg'
Found '' in 'AppEvents\Schemes\Apps\BearShare'
Found '' in 'AppEvents\Schemes\Apps\BearShare\BearShareChatNotifyMsg'
Found '' in 'AppEvents\Schemes\Apps\BearShare\BearShareChatNotifyMsg\.Current'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BearShare'
Found '' in 'SOFTWARE\Magnet'
Found '' in 'SOFTWARE\Classes\magnet'
Found '' in 'SOFTWARE\Classes\magnet\shell\open\command'
Found '' in 'SOFTWARE\Classes\drs.n'
Found 'URL Protocol' in 'SOFTWARE\Classes\magnet'
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Found '{339BB23F-A864-48C0-A59F-29EA915965EC}' in 'Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
Found '' in 'Software\Dynamic Toolbar'
Found '' in 'SOFTWARE\Classes\Remove'
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC'
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Found 'Service' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Found 'Legacy' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Found 'DeviceDesc' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Found 'ConfigFlags' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Found 'ClassGUID' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Found 'Class' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Found 'NextInstance' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC'
Found 'PluginLevel' in 'SYSTEM\CurrentControlSet\Control\Session Manager'
Internet URL Shortcuts
Files and Directories
Found '' in 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools'
Found '' in 'C:\Documents and Settings\Kyle\Favorites\Finances & Business'
Found '' in 'C:\Documents and Settings\Kyle\Favorites\Health & Insurance'
Found '' in 'C:\Documents and Settings\Kyle\Favorites\Homelife & Travel'
Found 'License.txt' in 'C:\Documents and Settings\Lyndsey\nsvsvc'
Found '' in 'C:\Program Files\BearShare'
Found 'BSidle.dll' in 'C:\Program Files\BearShare'
Found '' in 'C:\Program Files\BearShare\db'
Found '' in 'C:\Program Files\BearShare\Extras'
Found '' in 'C:\Program Files\BearShare\Installer'
Found '' in 'C:\Program Files\BearShare\Logs'
Found '' in 'C:\Program Files\BearShare\Playlists'
Found '' in 'C:\Program Files\BearShare\sounds'
Found '' in 'C:\Program Files\BearShare\Temp'
Found '' in 'C:\Program Files\BearShare\Webstats'
Found '' in 'C:\Program Files\Dynamic Toolbar'
Found '' in 'C:\Program Files\MyWay'
Found '' in 'C:\Program Files\StreamCast'
Found '' in 'C:\Program Files\StreamCast\Morpheus'
Found '' in 'C:\Program Files\Toolbar'
Found '' in 'C:\Program Files\Toolbar\Cursors'
Found 'biini.inf' in 'C:\WINDOWS\inf'
Found 'kwv2.dat' in 'C:\WINDOWS'
Found 'virushunter4.ico' in 'C:\WINDOWS\system32'
Found 'wintsvsu.exe' in 'C:\WINDOWS\system32'
Finished Scanning
Started Backup
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for restore. [SCANMODS] Error=5.
Unable to backup the item 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools\Frequently Asked Questions.url'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools\Home.url'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools\Privacy Policy.url'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools\Terms of Use.url'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'C:\Program Files\Toolbar\Cursors\cursors.xml'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'C:\Program Files\Toolbar\Cursors\cursors.xml'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Finished Backup
Started Cleaning
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC'. Error=5.
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'. Error=5.
Checking for 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools' in startup areas.
Cleaning 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools'
Checking for 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools\Privacy Policy.url' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools\Privacy Policy.url' in startup areas.
Cleaning 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools\Privacy Policy.url'
Checking for 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools\Terms of Use.url' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools\Terms of Use.url' in startup areas.
Cleaning 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools\Terms of Use.url'
[SCANMODS] WARNING: Deletion of the file 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools' requires a reboot.
Checking for 'C:\Documents and Settings\Kyle\Favorites\Finances & Business' in shortcut areas.
Checking for 'C:\Documents and Settings\Kyle\Favorites\Finances & Business' in startup areas.
Cleaning 'C:\Documents and Settings\Kyle\Favorites\Finances & Business'
Checking for 'C:\Documents and Settings\Kyle\Favorites\Health & Insurance' in shortcut areas.
Checking for 'C:\Documents and Settings\Kyle\Favorites\Health & Insurance' in startup areas.
Cleaning 'C:\Documents and Settings\Kyle\Favorites\Health & Insurance'
Checking for 'C:\Documents and Settings\Kyle\Favorites\Homelife & Travel' in shortcut areas.
Checking for 'C:\Documents and Settings\Kyle\Favorites\Homelife & Travel' in startup areas.
Cleaning 'C:\Documents and Settings\Kyle\Favorites\Homelife & Travel'
Checking for 'C:\Documents and Settings\Lyndsey\nsvsvc\License.txt' in shortcut areas.
Checking for 'C:\Documents and Settings\Lyndsey\nsvsvc\License.txt' in startup areas.
Cleaning 'C:\Documents and Settings\Lyndsey\nsvsvc\License.txt'
Checking for 'C:\Program Files\BearShare' in shortcut areas.
Checking for 'C:\Program Files\BearShare' in startup areas.
Cleaning 'C:\Program Files\BearShare'
Checking for 'C:\Program Files\BearShare\BearShare.dat' in shortcut areas.
Checking for 'C:\Program Files\BearShare\BearShare.dat' in startup areas.
Cleaning 'C:\Program Files\BearShare\BearShare.dat'
Checking for 'C:\Program Files\BearShare\BearShare.exe' in shortcut areas.
Found 'BearShare.lnk' in 'C:\Documents and Settings\All Users\Start Menu\Programs\'
Found 'BearShare.lnk' in 'C:\Documents and Settings\Kyle\Desktop\'
Checking for 'C:\Program Files\BearShare\BearShare.exe' in startup areas.
Cleaning 'C:\Program Files\BearShare\BearShare.exe'
Checking for 'C:\Program Files\BearShare\BSidle.dll' in shortcut areas.
Checking for 'C:\Program Files\BearShare\BSidle.dll' in startup areas.
Cleaning 'C:\Program Files\BearShare\BSidle.dll'
Checking for 'C:\Program Files\BearShare\db\config.bin' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\config.bin' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\config.bin'
Checking for 'C:\Program Files\BearShare\db\connect.txt' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\connect.txt' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\connect.txt'
Checking for 'C:\Program Files\BearShare\db\gnucache.dat' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\gnucache.dat' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\gnucache.dat'
Checking for 'C:\Program Files\BearShare\db\gwebcache.dat' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\gwebcache.dat' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\gwebcache.dat'
Checking for 'C:\Program Files\BearShare\db\hbcache.dat' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\hbcache.dat' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\hbcache.dat'
Checking for 'C:\Program Files\BearShare\db\Hostiles-Chat.txt' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\Hostiles-Chat.txt' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\Hostiles-Chat.txt'
Checking for 'C:\Program Files\BearShare\db\Hostiles.txt' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\Hostiles.txt' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\Hostiles.txt'
Checking for 'C:\Program Files\BearShare\db\library.2.db' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\library.2.db' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\library.2.db'
Checking for 'C:\Program Files\BearShare\db\library.2.db.lastgoodload.bak' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\library.2.db.lastgoodload.bak' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\library.2.db.lastgoodload.bak'
Checking for 'C:\Program Files\BearShare\db\library.dat' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\library.dat' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\library.dat'
Checking for 'C:\Program Files\BearShare\db\library.db' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\library.db' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\library.db'
Checking for 'C:\Program Files\BearShare\db\library.db.lastgoodload.bak' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\library.db.lastgoodload.bak' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\library.db.lastgoodload.bak'
Checking for 'C:\Program Files\BearShare\db\searches.ini' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\searches.ini' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\searches.ini'
Checking for 'C:\Program Files\BearShare\FreePeers.ini' in shortcut areas.
Checking for 'C:\Program Files\BearShare\FreePeers.ini' in startup areas.
Cleaning 'C:\Program Files\BearShare\FreePeers.ini'
Checking for 'C:\Program Files\BearShare\History.txt' in shortcut areas.
Checking for 'C:\Program Files\BearShare\History.txt' in startup areas.
Cleaning 'C:\Program Files\BearShare\History.txt'
Checking for 'C:\Program Files\BearShare\INSTALL.LOG' in shortcut areas.
Checking for 'C:\Program Files\BearShare\INSTALL.LOG' in startup areas.
Cleaning 'C:\Program Files\BearShare\INSTALL.LOG'
Checking for 'C:\Program Files\BearShare\Installer\BSINSTALL.exe' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Installer\BSINSTALL.exe' in startup areas.
Cleaning 'C:\Program Files\BearShare\Installer\BSINSTALL.exe'
Checking for 'C:\Program Files\BearShare\Logs\console.txt' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Logs\console.txt' in startup areas.
Cleaning 'C:\Program Files\BearShare\Logs\console.txt'
Checking for 'C:\Program Files\BearShare\Logs\hosts-state.txt' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Logs\hosts-state.txt' in startup areas.
Cleaning 'C:\Program Files\BearShare\Logs\hosts-state.txt'
Checking for 'C:\Program Files\BearShare\Logs\memory.txt' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Logs\memory.txt' in startup areas.
Cleaning 'C:\Program Files\BearShare\Logs\memory.txt'
Checking for 'C:\Program Files\BearShare\Logs\ordinal.txt' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Logs\ordinal.txt' in startup areas.
Cleaning 'C:\Program Files\BearShare\Logs\ordinal.txt'
Checking for 'C:\Program Files\BearShare\Logs\streams.txt' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Logs\streams.txt' in startup areas.
Cleaning 'C:\Program Files\BearShare\Logs\streams.txt'
Checking for 'C:\Program Files\BearShare\sounds\notify.wav' in shortcut areas.
Checking for 'C:\Program Files\BearShare\sounds\notify.wav' in startup areas.
Cleaning 'C:\Program Files\BearShare\sounds\notify.wav'
Checking for 'C:\Program Files\BearShare\UNWISE.EXE' in shortcut areas.
Checking for 'C:\Program Files\BearShare\UNWISE.EXE' in startup areas.
Cleaning 'C:\Program Files\BearShare\UNWISE.EXE'
Checking for 'C:\Program Files\BearShare\Webstats.bat' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Webstats.bat' in startup areas.
Cleaning 'C:\Program Files\BearShare\Webstats.bat'
Checking for 'C:\Program Files\BearShare\Webstats.ini' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Webstats.ini' in startup areas.
Cleaning 'C:\Program Files\BearShare\Webstats.ini'
Checking for 'C:\Program Files\BearShare\BSidle.dll' in shortcut areas.
Checking for 'C:\Program Files\BearShare\BSidle.dll' in startup areas.
Cleaning 'C:\Program Files\BearShare\BSidle.dll'
[SCANMODS] The file 'C:\Program Files\BearShare\BSidle.dll' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\BearShare\db' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db' in startup areas.
Cleaning 'C:\Program Files\BearShare\db'
[SCANMODS] The file 'C:\Program Files\BearShare\db' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\BearShare\Extras' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Extras' in startup areas.
Cleaning 'C:\Program Files\BearShare\Extras'
[SCANMODS] The file 'C:\Program Files\BearShare\Extras' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\BearShare\Installer' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Installer' in startup areas.
Cleaning 'C:\Program Files\BearShare\Installer'
[SCANMODS] The file 'C:\Program Files\BearShare\Installer' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\BearShare\Logs' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Logs' in startup areas.
Cleaning 'C:\Program Files\BearShare\Logs'
[SCANMODS] The file 'C:\Program Files\BearShare\Logs' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\BearShare\Playlists' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Playlists' in startup areas.
Cleaning 'C:\Program Files\BearShare\Playlists'
[SCANMODS] The file 'C:\Program Files\BearShare\Playlists' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\BearShare\sounds' in shortcut areas.
Checking for 'C:\Program Files\BearShare\sounds' in startup areas.
Cleaning 'C:\Program Files\BearShare\sounds'
[SCANMODS] The file 'C:\Program Files\BearShare\sounds' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\BearShare\Temp' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Temp' in startup areas.
Cleaning 'C:\Program Files\BearShare\Temp'
[SCANMODS] The file 'C:\Program Files\BearShare\Temp' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\BearShare\Webstats' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Webstats' in startup areas.
Cleaning 'C:\Program Files\BearShare\Webstats'
[SCANMODS] The file 'C:\Program Files\BearShare\Webstats' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\Dynamic Toolbar' in shortcut areas.
Checking for 'C:\Program Files\Dynamic Toolbar' in startup areas.
Cleaning 'C:\Program Files\Dynamic Toolbar'
Checking for 'C:\Program Files\Dynamic Toolbar\GSIM\Cache\ErrorLog.txt' in shortcut areas.
Checking for 'C:\Program Files\Dynamic Toolbar\GSIM\Cache\ErrorLog.txt' in startup areas.
Cleaning 'C:\Program Files\Dynamic Toolbar\GSIM\Cache\ErrorLog.txt'
Checking for 'C:\Program Files\Dynamic Toolbar\GSIM\Cache\GSIMTB0200.cfg' in shortcut areas.
Checking for 'C:\Program Files\Dynamic Toolbar\GSIM\Cache\GSIMTB0200.cfg' in startup areas.
Cleaning 'C:\Program Files\Dynamic Toolbar\GSIM\Cache\GSIMTB0200.cfg'
Checking for 'C:\Program Files\MyWay' in shortcut areas.
Checking for 'C:\Program Files\MyWay' in startup areas.
Cleaning 'C:\Program Files\MyWay'
Checking for 'C:\Program Files\MyWay\SrchAstt\1.bin\UNINSTAL.INF' in shortcut areas.
Checking for 'C:\Program Files\MyWay\SrchAstt\1.bin\UNINSTAL.INF' in startup areas.
Cleaning 'C:\Program Files\MyWay\SrchAstt\1.bin\UNINSTAL.INF'
Checking for 'C:\Program Files\StreamCast' in shortcut areas.
Checking for 'C:\Program Files\StreamCast' in startup areas.
Cleaning 'C:\Program Files\StreamCast'
Checking for 'C:\Program Files\StreamCast\Morpheus\CrashDump.xml' in shortcut areas.
Checking for 'C:\Program Files\StreamCast\Morpheus\CrashDump.xml' in startup areas.
Cleaning 'C:\Program Files\StreamCast\Morpheus\CrashDump.xml'
Checking for 'C:\Program Files\StreamCast\Morpheus\MorphBlocked.net' in shortcut areas.
Checking for 'C:\Program Files\StreamCast\Morpheus\MorphBlocked.net' in startup areas.
Cleaning 'C:\Program Files\StreamCast\Morpheus\MorphBlocked.net'
Checking for 'C:\Program Files\StreamCast\Morpheus\MorphProxy.net' in shortcut areas.
Checking for 'C:\Program Files\StreamCast\Morpheus\MorphProxy.net' in startup areas.
Cleaning 'C:\Program Files\StreamCast\Morpheus\MorphProxy.net'
Checking for 'C:\Program Files\StreamCast\Morpheus' in shortcut areas.
Checking for 'C:\Program Files\StreamCast\Morpheus' in startup areas.
Cleaning 'C:\Program Files\StreamCast\Morpheus'
[SCANMODS] The file 'C:\Program Files\StreamCast\Morpheus' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\Toolbar' in shortcut areas.
Checking for 'C:\Program Files\Toolbar' in startup areas.
Cleaning 'C:\Program Files\Toolbar'
Checking for 'C:\Program Files\Toolbar\common.dll' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\common.dll' in startup areas.
Cleaning 'C:\Program Files\Toolbar\common.dll'
Checking for 'C:\Program Files\Toolbar\rw.wzg' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\rw.wzg' in startup areas.
Cleaning 'C:\Program Files\Toolbar\rw.wzg'
Checking for 'C:\Program Files\Toolbar\TBPS.dat' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\TBPS.dat' in startup areas.
Cleaning 'C:\Program Files\Toolbar\TBPS.dat'
Checking for 'C:\Program Files\Toolbar\xzxsv.wzg' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\xzxsv.wzg' in startup areas.
Cleaning 'C:\Program Files\Toolbar\xzxsv.wzg'
Checking for 'C:\Program Files\Toolbar\yildhvi.olt' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\yildhvi.olt' in startup areas.
Cleaning 'C:\Program Files\Toolbar\yildhvi.olt'
Checking for 'C:\Program Files\Toolbar\yywr.wzg' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\yywr.wzg' in startup areas.
Cleaning 'C:\Program Files\Toolbar\yywr.wzg'
Checking for 'C:\Program Files\Toolbar\yywsv.wzg' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\yywsv.wzg' in startup areas.
Cleaning 'C:\Program Files\Toolbar\yywsv.wzg'
Checking for 'C:\Program Files\Toolbar\zwipvbh.wzg' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\zwipvbh.wzg' in startup areas.
Cleaning 'C:\Program Files\Toolbar\zwipvbh.wzg'
[SCANMODS] WARNING: Deletion of the file 'C:\Program Files\Toolbar' requires a reboot.
Checking for 'C:\Program Files\Toolbar\Cursors' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\Cursors' in startup areas.
Cleaning 'C:\Program Files\Toolbar\Cursors'
[SCANMODS] WARNING: Deletion of the file 'C:\Program Files\Toolbar\Cursors' requires a reboot.
Checking for 'C:\WINDOWS\inf\biini.inf' in shortcut areas.
Checking for 'C:\WINDOWS\inf\biini.inf' in startup areas.
Cleaning 'C:\WINDOWS\inf\biini.inf'
Checking for 'C:\WINDOWS\kwv2.dat' in shortcut areas.
Checking for 'C:\WINDOWS\kwv2.dat' in startup areas.
Cleaning 'C:\WINDOWS\kwv2.dat'
Checking for 'C:\WINDOWS\system32\virushunter4.ico' in shortcut areas.
Checking for 'C:\WINDOWS\system32\virushunter4.ico' in startup areas.
Cleaning 'C:\WINDOWS\system32\virushunter4.ico'
Checking for 'C:\WINDOWS\system32\wintsvsu.exe' in shortcut areas.
Checking for 'C:\WINDOWS\system32\wintsvsu.exe' in startup areas.
Cleaning 'C:\WINDOWS\system32\wintsvsu.exe'
Finished Cleaning


and now the panda log...

Incident Status Location

Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM32\stlb2.xml
Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM32\winupdt.008
Adware:adware/pacimedia No disinfected C:\DOCUMENTS AND SETTINGS\KYLE\FAVORITES\1111\1111.url
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:adware/searchforit No disinfected C:\PROGRAM FILES\sf
Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/delfinmedia No disinfected C:\WINDOWS\SYSTEM32\nsvsvc
Adware:adware/wintools No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\Web Search Tools
Adware:adware/elitebar No disinfected C:\DOCUMENTS AND SETTINGS\KYLE\FAVORITES\Casino & Carrers
Adware:adware/addestroyer No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AdDestroyer
Adware:adware/virtualbouncer No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\VBouncer
Adware:adware/aurora No disinfected Windows Registry
Adware:Adware/ClkOptimizer No disinfected C:\Program Files\VCOM\SystemSuite\VSS8H5SD.000
Adware:Adware/AdBehavior No disinfected C:\Program Files\VCOM\SystemSuite\VSS9VKS5.00N
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\system32\pgbuv.dat
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\Shex.exe
Adware:Adware/Imibar No disinfected C:\WINDOWS\ttext.dll
OK, here you go...thanks again for the help so far!!!
gold00mustang is offline  
Old 08-16-2005, 08:06 AM   #12 (permalink)
Moderator, Microsoft Support
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2


Run Killbox with the same options applied as before. Copy and paste, one at a time, the locations below:

C:\WINDOWS\SYSTEM32\stlb2.xml
C:\WINDOWS\SYSTEM32\winupdt.008
C:\DOCUMENTS AND SETTINGS\KYLE\FAVORITES\1111\1111.url
C:\WINDOWS\cfgmgr52.ini
C:\Program Files\VCOM\SystemSuite\VSS8H5SD.000
C:\Program Files\VCOM\SystemSuite\VSS9VKS5.00N
C:\WINDOWS\system32\pgbuv.dat
C:\WINDOWS\system32\Shex.exe
C:\WINDOWS\ttext.dll


You should also delete these folders:

C:\PROGRAM FILES\sf
C:\Program Files\Toolbar\
C:\Program Files\BearShare\
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\Web Search Tools
C:\DOCUMENTS AND SETTINGS\KYLE\FAVORITES\Casino & Carrers
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AdDestroyer
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\VBouncer
C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
C:\WINDOWS\SYSTEM32\nsvsvc


Reboot your computer now. Return to Windows and re-run Panda and HJT. Bring both results with you in your next post.
__________________


POADB is offline  
Old 08-16-2005, 07:19 PM   #13 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 12
OS: win xp


OK, here is the new panda log...


Incident Status Location

Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/wintools No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\Web Search Tools
Adware:adware/pacimedia No disinfected C:\DOCUMENTS AND SETTINGS\KYLE\FAVORITES\1111
Adware:adware/addestroyer No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AdDestroyer
Adware:adware/delfinmedia No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vidctrl
Adware:adware/aurora No disinfected Windows Registry
and here is the new HJT...

Logfile of HijackThis v1.99.1
Scan saved at 8:18:22 PM, on 8/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Crescentec DC1000\CresMonitor.exe
C:\Program Files\Microsoft Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\OSA.EXE
C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
C:\Program Files\JonathanGrimes\Simply Transparent\SimplyTransparent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Documents and Settings\Kyle\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Startup: Simply Transparent.lnk = C:\Program Files\JonathanGrimes\Simply Transparent\SimplyTransparent.exe
O4 - Global Startup: Crescentec PNP Monitor.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: SearchAssistant=
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
gold00mustang is offline  
Old 08-17-2005, 02:39 AM   #14 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Reboot to safe mode and delete these folders...

C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\Web Search Tools
C:\DOCUMENTS AND SETTINGS\KYLE\FAVORITES\1111
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AdDestroyer
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vidctrl

Run the Cleanup utility and reboot/logoff when prompted.

Then run another Panda scan and post its log.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!





Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder
MicroBell is offline  
Old 08-17-2005, 08:01 PM   #15 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 12
OS: win xp


Here is the new Panda scan...



Incident Status Location

Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/addestroyer No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AdDestroyer
Adware:adware/delfinmedia No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vidctrl
Adware:adware/aurora No disinfected Windows Registry


and the new HJT

Logfile of HijackThis v1.99.1
Scan saved at 9:00:37 PM, on 8/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Crescentec DC1000\CresMonitor.exe
C:\Program Files\Microsoft Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\OSA.EXE
C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Kyle\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Global Startup: Crescentec PNP Monitor.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: SearchAssistant=
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
gold00mustang is offline  
Old 08-18-2005, 04:42 AM   #16 (permalink)
Moderator, Microsoft Support
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2


Please - try again at deleting these folders.

Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/addestroyer No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AdDestroyer
Adware:adware/delfinmedia No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vidctrl
__________________


POADB is offline  
Old 08-19-2005, 10:03 AM   #17 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 12
OS: win xp


OK, I tried to delete them again by using Killbox. I tried it in both safe mode and normal mode. What am I doing wrong? The new Panda log is as follows...


Incident Status Location

Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/addestroyer No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AdDestroyer
Adware:adware/delfinmedia No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vidctrl
Adware:adware/aurora No disinfected Windows Registry
gold00mustang is offline  
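The same three entries have now survived three rounds of cleanup in the Panda reports above. As an added example, not code from this thread or from Panda, here is a small Python parser for the "Incident Status Location" block that diffs two reports by location so the persisting items stand out, and flags locations such as "Windows Registry" that no folder deletion in Explorer will clear. The report format (three columns, with the status phrase as the only reliable separator) is inferred from the lines posted in this thread; the "Disinfected" status value is an assumption, since only "No disinfected" appears here. The sample reports embedded below are constructed from a subset of the thread's own lines.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One report line: "<incident> <status> <location>". The incident name may
# contain a space ("Adware:adware program") and the location almost always
# does, so the status phrase is the only reliable separator. Only
# "No disinfected" appears in this thread; "Disinfected" is an assumed
# alternative status for items the scanner cleaned itself.
PANDA_LINE = re.compile(
    r"^(?P<incident>.+?)\s+(?P<status>No disinfected|Disinfected)\s+(?P<location>.+?)\s*$"
)

# A location that starts with a drive letter is something the user can delete
# from Explorer; anything else ("Windows Registry") needs a different fix.
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


@dataclass(frozen=True)
class Incident:
    name: str       # e.g. "Adware:adware/aurora"
    status: str     # e.g. "No disinfected"
    location: str   # file/folder path, or "Windows Registry"

    def is_filesystem(self) -> bool:
        return DRIVE_PATH.match(self.location) is not None


def parse_panda_log(text: str) -> list[Incident]:
    """Parse the 'Incident Status Location' block of a Panda ActiveScan report."""
    found = []
    for line in text.splitlines():
        m = PANDA_LINE.match(line.strip())
        if m:  # header and blank lines do not match and are skipped
            found.append(Incident(m["incident"], m["status"], m["location"]))
    return found


def compare_scans(before: list[Incident], after: list[Incident]) -> dict[str, list[str]]:
    """Diff two reports by location (case-folded: Windows paths are case-insensitive).

    Returns the locations that disappeared, the ones still reported, and the
    ones that are new since the earlier scan, each sorted.
    """
    b = {i.location.casefold(): i for i in before}
    a = {i.location.casefold(): i for i in after}
    return {
        "removed": sorted(b[k].location for k in b.keys() - a.keys()),
        "persisting": sorted(a[k].location for k in a.keys() & b.keys()),
        "new": sorted(a[k].location for k in a.keys() - b.keys()),
    }


def not_deletable_by_hand(incidents: list[Incident]) -> list[str]:
    """Locations that cannot be removed by deleting a file or folder."""
    return [i.location for i in incidents if not i.is_filesystem()]


# Constructed sample input: a subset of the first Panda report in the thread
# and the full report from the later post.
FIRST_SCAN = r"""
Incident Status Location

Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM32\stlb2.xml
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/delfinmedia No disinfected C:\WINDOWS\SYSTEM32\nsvsvc
Adware:adware/addestroyer No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AdDestroyer
Adware:adware/aurora No disinfected Windows Registry
"""

LATER_SCAN = r"""
Incident Status Location

Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/addestroyer No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AdDestroyer
Adware:adware/delfinmedia No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vidctrl
Adware:adware/aurora No disinfected Windows Registry
"""

if __name__ == "__main__":
    before, after = parse_panda_log(FIRST_SCAN), parse_panda_log(LATER_SCAN)
    for label, paths in compare_scans(before, after).items():
        print(f"{label}:")
        for p in paths:
            print(f"  {p}")
    print("needs a registry fix, not a folder delete:", not_deletable_by_hand(after))
```

Keying the diff on the case-folded location rather than on the incident name matters here: Panda prints some paths in upper case and the same family name (adware/delfinmedia) moved from one folder to another between scans, so a name-based comparison would wrongly report it as unchanged.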
Old 08-19-2005, 01:06 PM   #18 (permalink)
Moderator, Microsoft Support
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2


Don't use Killbox. Delete the folders manually.

Go to Start > Programs > Windows Explorer. Navigate to the following and delete the folders in blue.

C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AdDestroyer
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vidctrl


Let us know how you get on. A new Panda log and a new HJT log will do nicely too - as would an update on how your system is now.
__________________


POADB is offline  
Old 08-19-2005, 10:29 PM   #19 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 12
OS: win xp


OK, here is the new HJT followed by the new Panda. My computer is running a lot better now. There is no hesitation on load up anymore and things seem to be back in check...almost like new. Do I also need to make an updated system recovery point? I get notifications from time to time from my antivirus that I have a virus that is hiding in one of my system recovery files....


HJT...

Logfile of HijackThis v1.99.1
Scan saved at 10:53:49 PM, on 8/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Crescentec DC1000\CresMonitor.exe
C:\Program Files\Microsoft Office\FINDFAST.EXE
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Microsoft Office\OSA.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Kyle\Desktop\HijackThis.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Crescentec PNP Monitor.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: SearchAssistant=
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

and new panda...



Incident                    Status           Location
Adware:adware/aurora        No disinfected   Windows Registry
08-20-2005, 01:09 AM   #20
POADB (Moderator, Microsoft Support)
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2


Good news - we're almost there. Bad news - I need a few moments of your time for a little bit of cleaning.

I can see in your log that you have LimeWire installed. Not good - it leaves your computer open to reinfection, and is considered a bad program to keep.

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them in your next post.

Download FindIt's.zip to your computer and unzip it to your desktop. Create a folder if you wish.

Run FindIt's.bat and wait for notepad to open a text file. Please be patient as it requires some time to finish running. Then post the results in your next reply.
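Added example (editor's note, not part of the thread and not HijackThis's, Panda's or the forum's own code): a small Python triage script that reads the O4 (Run keys, Startup folders) and O23 (services) lines of a HijackThis 1.99.1 log like the one in post #19 and attaches review notes to the entries a helper would look at first. The sample lines are copied from the log above; the heuristics (a binary sitting directly in C:\WINDOWS, an unresolved shortcut target, an 8.3 short name that should be expanded before judging it, and a watchlist seeded with LimeWire because post #20 calls it a reinfection vector) are assumptions chosen for illustration, not a verdict on any file.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied verbatim from the HijackThis log in the
# thread. A raw string keeps the Windows backslashes intact.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Crescentec PNP Monitor.lnk = ?
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
""".strip()

# Line shapes as HJT 1.99.1 prints them.
RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
STARTUP_RE = re.compile(r'^O4 - (?P<scope>Global )?Startup: (?P<name>.+?) = (?P<cmd>.+)$')
SERVICE_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.+)$')

# Assumed watchlist: programs the thread singles out. Extend for your own environment.
WATCHLIST = ("limewire",)


@dataclass
class Autorun:
    kind: str
    name: str
    target: str
    reasons: list = field(default_factory=list)


def executable_from_command(cmd):
    """Pull the executable path out of a Run-key style command line."""
    cmd = cmd.strip()
    if cmd == "?":                      # HJT could not resolve the .lnk target
        return "?"
    if cmd.startswith('"'):             # quoted path, arguments follow the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # unquoted path (may contain spaces): take everything up to the first known extension
    m = re.match(r'(?i)(.+?\.(?:exe|dll|com|bat|scr))(?:\s|,|$)', cmd)
    return m.group(1) if m else cmd.split()[0]


def parse_hjt(text):
    """Return the O4/O23 entries of an HJT log as Autorun records."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            items.append(Autorun("run:" + m["hive"], m["name"], executable_from_command(m["cmd"])))
        elif m := STARTUP_RE.match(line):
            items.append(Autorun("startup", m["name"], executable_from_command(m["cmd"])))
        elif m := SERVICE_RE.match(line):
            items.append(Autorun("service", m["name"], executable_from_command(m["cmd"])))
    return items


def triage(items):
    """Attach review notes. These are triage heuristics, not verdicts."""
    for it in items:
        low = it.target.lower()
        if it.target == "?":
            it.reasons.append("shortcut target could not be resolved; inspect the .lnk by hand")
            continue
        directory = low.rsplit("\\", 1)[0] if "\\" in low else ""
        if directory == r"c:\windows":
            it.reasons.append("executable sits directly in the Windows directory, not a vendor folder")
        if "~" in it.target:
            it.reasons.append("8.3 short name; resolve the full path before judging it")
        if any(w in low for w in WATCHLIST):
            it.reasons.append("peer-to-peer client; called out in the thread as a reinfection vector")
    return [it for it in items if it.reasons]


def triage_log(text):
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for it in triage_log(SAMPLE_LOG):
        print(f"{it.kind:10} {it.name:30} {it.target}")
        for r in it.reasons:
            print(f"    - {r}")
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; entries without a note are simply omitted from the output, so the quiet items (realsched.exe, the ewido services) drop out and the ones worth a second look remain.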
All times are GMT -7.
Copyright 2001 - 2009, Tech Support Forum