[BArkat]

First of all, WOW, what a site. Looks like a very well run place to get very good and detailed answers. I just hope you can help me. I did some reading on here about this antivermin thing going around. Sounds pretty common and a real pain in the butt to get rid of. I have all the same things that everybody else seems to have: blue and white question mark icon in the tool bar, links to this antivermin site, nothing else seems to get rid of it, ect.

Every thread I've read on here always starts out with the hijack this post, so I was going to do that. But I am pretty new to this kind of stuff, and wanted to start at step one and not get ahead of my self. So where do we start?

 

[JSntgRvr]

Hi, BArkat.

Welcome to TSG.

Click here to download HJTsetup.exe

• Save HJTsetup.exe to your desktop.
• Doubleclick on the HJTsetup.exe icon on your desktop.
• By default it will install to C:\Program Files\Hijack This.
• Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
• Put a check by Create a desktop icon then click Next again.
• Continue to follow the rest of the prompts from there.
• At the final dialogue box click Finish and it will launch Hijack This.
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
• Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
• Come back here to this thread and Paste the log in your next reply.
• DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

 

[BArkat]

Logfile of HijackThis v1.99.1
Scan saved at 10:22:10 AM, on 1/7/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Opera8\Opera.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=...36ag2lBuXLNQOB8C5mZsvwg4BULDlA/Rjq59Rje+Xxn30
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isaddon.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic Professional 6\delay.exe
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://terileann1721aquarius.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.0/installer.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O21 - SSODL: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - C:\WINNT\system32\cthkpcv.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

 

[JSntgRvr]

Hi, BArkat.

Please download SmitfraudFix (by S!Ri) to your Desktop.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

• 
  Double-click ATF-Cleaner.exe to run the program.
  Under Main choose: Select All
  Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program

1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
2. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
3. On the main screen select the icon "Update" then select the "Update now" link.
   • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
6. Under "Reports"
   • Select "Automatically generate report after every scan"
   • Un-Select "Only if threats were found"

Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly

Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

Boot into Safe Mode:

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Perform the following steps in safe mode:

1. 
   IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
2. Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
4. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
   Once the scan is complete do the following:
5. If you have any infections you will prompted, then select "Apply all actions"
6. Next select the "Reports" icon at the top.
7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
8. Close AVG Anti-Spyware .

While in Safe Mode, double-click on SmitfraudFix.exe

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

* Go to Control Panel > Internet Options. Click on the Programs tab, then click the "Reset Web Settings" button. Click Apply then OK.

* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" Delete everything except for "My Current Home Page". Click OK then Apply and OK.

Please go HERE to run Panda's ActiveScan

• Once you are on the Panda site click the Scan your PC button
• A new window will open...click the Check Now button
• Enter your Country
• Enter your State/Province
• Enter your e-mail address and click send
• Select either Home User or Company
• Click the big Scan Now button
• If it wants to install an ActiveX component allow it
• It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
• When download is complete, click on My Computer to start the scan
• When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post a fresh Hijackthis log along with the AVG Anti-spyware report, ActiveScan report and contents of C:\rapport.txt produced by Smitfraudfix.

 

[BArkat]

I have no idea what just happened! I was being VERY careful to follow your instructions to the letter. I got all the stuff down loaded and made it to the safe mode part.I was running the AVG Anti spyware, and it came up with 32 infections. I selected "Apply all actions". Then I hit the "reports" button. This is the strange part, there were no reports! Even the "save reports as" button was all grey, so you couldnt hit it. Also I couldnt find out how to exit out of the program, there wae no exit button, no "X" in the corner, nothing. What I finally did was hit the alt, ctrl, delete buttons. When the computer fired back up, in normal mode, the blinking "system alert" icon is gone. So now Im lost! Is it fixed? Should I run another Hijack this report? Or just smack it with a hammer? Any ideas?

 

[JSntgRvr]

Hi, BArkat

I have no idea what just happened! I was being VERY careful to follow your instructions to the letter. I got all the stuff down loaded and made it to the safe mode part.I was running the AVG Anti spyware, and it came up with 32 infections. I selected "Apply all actions". Then I hit the "reports" button. This is the strange part, there were no reports! Even the "save reports as" button was all grey, so you couldnt hit it. Also I couldnt find out how to exit out of the program, there wae no exit button, no "X" in the corner, nothing. What I finally did was hit the alt, ctrl, delete buttons. When the computer fired back up, in normal mode, the blinking "system alert" icon is gone. So now Im lost! Is it fixed? Should I run another Hijack this report? Or just smack it with a hammer? Any ideas?

To be sure, you will need to repeat the processes above and post back the reports. Do not disturb any of these processes as the results may be adverse.

 

[BArkat]

While I was waiting for a reply, I did so careful looking around. I did find four program files with "video active X object" and one program file with "cthkpvc.dll" all in the AVG anti virus quarantine. I dont know what they are, but I have seen that they seem to be causeing alot of problems. I figured you would know what to do with them better than I would. Also here is the latest hijack this logfile.
Logfile of HijackThis v1.99.1
Scan saved at 6:14:49 PM, on 1/7/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Opera8\Opera.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=...36ag2lBuXLNQOB8C5mZsvwg4BULDlA/Rjq59Rje+Xxn30
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isaddon.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic Professional 6\delay.exe
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://terileann1721aquarius.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.0/installer.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O21 - SSODL: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - C:\WINNT\system32\cthkpcv.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

 

[JSntgRvr]

Hi, BArkat

The computer still infected. Please follow the instructions on Post #4 and post the reports.

Thanks!

 

[BArkat]

Well, I made it a little bit farther.I did get AVG Anti-Spyware to run and I got the report. When I got to the Smitfraudfix part it would not clean the registry. I got a error message saying "Cannot import cleanup.reg: error assessing the registry" I did try this step three or four times all with the same results. Here are all the reports I got.
SmitFraudFix v2.132

Scan done at 21:06:58.95, Sun 01/07/2007
Run from C:\Documents and Settings\Barry\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}"="buprestidae"

[HKEY_CLASSES_ROOT\CLSID\{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}\InProcServer32]
@="C:\WINNT\system32\cthkpcv.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}\InProcServer32]
@="C:\WINNT\system32\cthkpcv.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

A V G A n t i - S p y w a r e - S c a n R e p o r t

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

+ C r e a t e d a t : 6 : 1 4 : 3 4 P M 1 / 7 / 2 0 0 7

+ S c a n r e s u l t :

N o t h i n g f o u n d .

: : R e p o r t e n d

 

[BArkat]

Just wanted to add that my back ground is now gone. I dont know what is going on here, but it seems to be getting worse! Now Im getting scared.

 

[JSntgRvr]

Hi, BArkat

Download ComboFix from Here or Here. to your Desktop.

Reboot to Safe mode:

Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load. If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Perform the following actions in Safe Mode.

• Double click combofix.exe and follow the prompts.
• When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

 

[BArkat]

Logfile of HijackThis v1.99.1
Scan saved at 7:22:58 PM, on 1/8/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic Professional 6\delay.exe
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://terileann1721aquarius.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.0/installer.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

Barry - Mon 01/08/2007 19:15:32.57 Service Pack 4
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Barry\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-08 to 2007-01-08 ))))))))))))))))))))))))))))))))))

2007-01-07 21:07 1,490 --a------ C:\WINNT\system32\tmp.reg
2007-01-07 20:12 79,360 --a------ C:\WINNT\system32\swxcacls.exe
2007-01-07 20:12 53,248 --a------ C:\WINNT\system32\Process.exe
2007-01-07 20:12 51,200 --a------ C:\WINNT\system32\dumphive.exe
2007-01-07 20:12 40,960 --a------ C:\WINNT\system32\swsc.exe
2007-01-07 20:12 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-01-07 20:12 135,168 --a------ C:\WINNT\system32\swreg.exe
2007-01-07 12:41 3,968 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2007-01-07 12:40 d-------- C:\Program Files\Grisoft
2007-01-07 10:21 d-------- C:\Program Files\Hijackthis
2007-01-04 17:36 61,584 --a------ C:\WINNT\system32\drivers\klick.sys
2007-01-04 17:36 59,536 --a------ C:\WINNT\system32\drivers\klin.sys
2007-01-04 17:35 41,472 --a------ C:\WINNT\system32\iolobtdfg.exe
2007-01-04 17:35 25,264 --a------ C:\WINNT\system32\smrgdf.exe
2007-01-04 17:35 1,212,416 --a------ C:\WINNT\system32\Incinerator.dll
2007-01-04 17:35 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal
2007-01-04 12:54 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-01-04 11:36 d-------- C:\kav
2007-01-04 10:45 243,824 --a------ C:\WINNT\unicows.dll
2007-01-04 10:45 d-------- C:\Program Files\Common Files\Scanner
2007-01-03 19:56 d-------- C:\WINNT\system32\Kaspersky Lab
2006-12-30 15:11 d-------- C:\Program Files\dizzler
2006-12-28 11:57 d-------- C:\Documents and Settings\All Users\Application Data\Winferno
2006-12-27 18:32 d-------- C:\Program Files\Freeze.com
2006-12-27 18:32 d-------- C:\Program Files\Free Offers from Freeze.com
2006-12-27 10:33 d-------- C:\Program Files\MySpace
2006-12-08 17:25 d-------- C:\Program Files\Incomplete

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-12-07 02:04 2071368 --a------ C:\WINNT\system32\wmvcore.dll
2006-11-27 10:42 -------- d-------- C:\Program Files\Virtools
2006-11-19 10:26 -------- d-------- C:\Program Files\mobile PhoneTools
2006-11-18 12:52 69632 --a------ C:\WINNT\system32\odbcconf.exe
2006-11-18 12:52 126976 --a------ C:\WINNT\system32\odbcconf.dll
2006-11-06 12:47 596480 --a------ C:\WINNT\system32\INETCOMM.DLL
2006-10-23 13:37 348160 --------- C:\WINNT\system32\msvcr71.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"System Mechanic Popup Blocker"="\"C:\\Program Files\\iolo\\System Mechanic Professional 6\\PopupBlocker.exe\""
"Yahoo! Pager"="1"
"SMSystemAnalyzer"="\"C:\\Program Files\\iolo\\System Mechanic Professional 6\\SMSystemAnalyzer.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"HotKeysCmds"="C:\\WINNT\\system32\\hkcmd.exe"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"ioloDelayModule"="C:\\Program Files\\iolo\\System Mechanic Professional 6\\delay.exe"
"SystemGuardAlerter"="\"C:\\Program Files\\iolo\\System Mechanic Professional 6\\SystemGuardAlerter.exe\""
"KAVPersonal50"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kav.exe\" /minimize"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Synchronization Manager"="mobsync.exe /logon"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"none"="C:\\Program Files\\Video ActiveX Object\\pmsngr.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\WebReg 20060404113835.job

Completion time: Mon 2007-01-08 19:16:14.90
C:\ComboFix.txt ... 07-01-08 19:16

 

[JSntgRvr]

Hi, BArkat

Download the enclosed file. Save and extract its contents to the desktop. It is a folder containing a Registry Entries file, Regfix.reg . Once extracted, open the folder and double click on the Regfix.reg file and select Yes when prompted to merge it into the registry.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...up1.0.0.15.cab

Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

Click here to download WinPFind .

• Right Click the Zip Folder and Select "Extract All"
• Extract it somewhere you will remember like the Desktop
• Dont do anything with it yet!

Reboot into Safe Mode

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

• Double click WinPFind.exe
• Click "Start Scan"
• It will scan the entire System, so please be patient!
• Once the Scan is Complete, restart the computer back in Normal Mode.
• Go to the WinPFind folder
• Locate WinPFind.txt
• Place those results in the next reply!

 

[BArkat]

Well, I tried that, and it froze up. I was running the WinPfind program, screen just froze up, didnt move for over half an hour, light on the computer stop blinking, and wasnt making any noise at all, like I said for about half an hour. I need to go to bed now for work tomorrow. I will try again tomorrow. Just wanted to keep you posted. Also I did notice the the AVG anti spyware icon on the tool bar, has lost all of its color. Now its just grey and black. May not be a big deal, just wanted you to be aware of it in case it was a big deal.

 

[JSntgRvr]

Hi, BArkat

Try also the following:

Download the enclosed folder and extract its contents to the desktop. It is a batch file. Once extracted double click on the batch file. A new document will be produced. Copy and Paste its contents in your next reply.

 

[BArkat]

This one worked with no problems at all. I am starting to think my computer must VERY mesed up! Just seems to be an awful lot of work and trouble to get rid of one problem. Maybe its in worse shape than I thought? Also, Thank you so much for helping me out with this problem.
! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun REG_DWORD 0x95

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools REG_DWORD 0x0

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\run
none REG_SZ C:\Program Files\Video ActiveX Object\pmsngr.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} REG_DWORD 0x1

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system
dontdisplaylastusername REG_DWORD 0x0
legalnoticecaption REG_SZ
legalnoticetext REG_SZ
shutdownwithoutlogon REG_DWORD 0x1

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoRestartShell REG_DWORD 0x1
DefaultDomainName REG_SZ BARKAT
DefaultUserName REG_SZ barry
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PowerdownAfterShutdown REG_SZ 0
ReportBootOk REG_SZ 1
Shell REG_SZ Explorer.exe
ShutdownWithoutLogon REG_SZ 1
System REG_SZ
Userinit REG_SZ C:\WINNT\system32\userinit.exe,
VmApplet REG_SZ rundll32 shell32,Control_RunDLL "sysdm.cpl"
SfcQuota REG_DWORD 0xffffffff
allocatecdroms REG_SZ 0
allocatedasd REG_SZ 0
allocatefloppies REG_SZ 0
cachedlogonscount REG_SZ 10
passwordexpirywarning REG_DWORD 0xe
scremoveoption REG_SZ 0
DebugServerCommand REG_SZ no
SFCDisable REG_DWORD 0x0
AutoAdminLogon REG_SZ 0
ShowLogonOptions REG_DWORD 0x1
AltDefaultUserName REG_SZ barry
AltDefaultDomainName REG_SZ BARKAT
BufferPolicyReads REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}
<NO NAME> REG_SZ Folder Redirection
ProcessGroupPolicy REG_SZ ProcessGroupPolicy
DllName REG_EXPAND_SZ fdeploy.dll
NoMachinePolicy REG_DWORD 0x1
NoSlowLink REG_DWORD 0x1
NoBackgroundPolicy REG_DWORD 0x1
PerUserLocalSettings REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}
Status REG_DWORD 0x0
LastPolicyTime REG_DWORD 0xcfa9fb
PrevSlowLink REG_DWORD 0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}
<NO NAME> REG_SZ Microsoft Disk Quota
NoMachinePolicy REG_DWORD 0x0
NoUserPolicy REG_DWORD 0x1
NoSlowLink REG_DWORD 0x1
NoBackgroundPolicy REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x1
PerUserLocalSettings REG_DWORD 0x0
RequiresSuccessfulRegistry REG_DWORD 0x1
EnableAsynchronousProcessing REG_DWORD 0x0
DllName REG_EXPAND_SZ dskquota.dll
ProcessGroupPolicy REG_SZ ProcessGroupPolicy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}
<NO NAME> REG_SZ Scripts
ProcessGroupPolicy REG_SZ ProcessScriptsGroupPolicy
DllName REG_EXPAND_SZ gptext.dll
NoSlowLink REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x1
NotifyLinkTransition REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
ProcessGroupPolicy REG_SZ SceProcessSecurityPolicyGPO
DllName REG_EXPAND_SZ scecli.dll
<NO NAME> REG_SZ Security
NoUserPolicy REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x1
EnableAsynchronousProcessing REG_DWORD 0x1
MaxNoGPOListChangesInterval REG_DWORD 0x3c0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}
ProcessGroupPolicy REG_SZ ProcessGroupPolicy
DllName REG_EXPAND_SZ iedkcs32.dll
<NO NAME> REG_SZ Internet Explorer Branding
NoSlowLink REG_DWORD 0x1
NoBackgroundPolicy REG_DWORD 0x0
NoGPOListChanges REG_DWORD 0x1
NoMachinePolicy REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
ProcessGroupPolicy REG_SZ SceProcessEFSRecoveryGPO
DllName REG_EXPAND_SZ scecli.dll
<NO NAME> REG_SZ EFS recovery
NoUserPolicy REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x1
RequireSuccessfulRegistry REG_DWORD 0x1
Status REG_DWORD 0x0
LastPolicyTime REG_DWORD 0xcfa9fb
PrevSlowLink REG_DWORD 0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}
<NO NAME> REG_SZ Application Management
DllName REG_EXPAND_SZ appmgmts.dll
ProcessGroupPolicy REG_SZ ProcessGroupPolicyObjects
NoBackgroundPolicy REG_DWORD 0x1
RequiresSucessfulRegistry REG_DWORD 0x0
NoSlowLink REG_DWORD 0x1
PerUserLocalSettings REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}
<NO NAME> REG_SZ IP Security
ProcessGroupPolicy REG_SZ ProcessIPSECPolicy
DllName REG_EXPAND_SZ gptext.dll
NoUserPolicy REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
Asynchronous REG_DWORD 0x0
Impersonate REG_DWORD 0x0
DllName REG_EXPAND_SZ crypt32.dll
Logoff REG_SZ ChainWlxLogoffEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
Asynchronous REG_DWORD 0x0
Impersonate REG_DWORD 0x0
DllName REG_EXPAND_SZ cryptnet.dll
Logoff REG_SZ CryptnetWlxLogoffEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
DLLName REG_SZ cscdll.dll
Logon REG_SZ WinlogonLogonEvent
Logoff REG_SZ WinlogonLogoffEvent
ScreenSaver REG_SZ WinlogonScreenSaverEvent
Startup REG_SZ WinlogonStartupEvent
Shutdown REG_SZ WinlogonShutdownEvent
StartShell REG_SZ WinlogonStartShellEvent
Impersonate REG_DWORD 0x0
Asynchronous REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
<NO NAME> REG_SZ
DLLName REG_SZ igfxsrvc.dll
Asynchronous REG_DWORD 0x1
Impersonate REG_DWORD 0x1
Unlock REG_SZ WinlogonUnlockEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
Logoff REG_SZ WLEventLogoff
Impersonate REG_DWORD 0x0
Asynchronous REG_DWORD 0x1
DllName REG_EXPAND_SZ sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
DLLName REG_SZ WlNotify.dll
Lock REG_SZ SensLockEvent
Logon REG_SZ SensLogonEvent
Logoff REG_SZ SensLogoffEvent
Safe REG_DWORD 0x1
MaxWait REG_DWORD 0x258
StartScreenSaver REG_SZ SensStartScreenSaverEvent
StopScreenSaver REG_SZ SensStopScreenSaverEvent
Startup REG_SZ SensStartupEvent
Shutdown REG_SZ SensShutdownEvent
StartShell REG_SZ SensStartShellEvent
Unlock REG_SZ SensUnlockEvent
Impersonate REG_DWORD 0x1
Asynchronous REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
DLLName REG_SZ wzcdlg.dll
Logon REG_SZ WZCEventLogon
Logoff REG_SZ WZCEventLogoff
Impersonate REG_DWORD 0x0
Asynchronous REG_DWORD 0x0

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components
DeskHtmlVersion REG_DWORD 0x110
DeskHtmlMinorVersion REG_DWORD 0x3
Settings REG_DWORD 0x1
GeneralFlags REG_DWORD 0x0

 

[JSntgRvr]

Hi, BArkat

Please create a Restore point:

1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
2. In the System Restore dialog box, click Create a restore point, and then click Next.
3. Type a description for your restore point, such as "Before VirusScan", then click Create.

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing so follow the steps that are listed below EXACTLY. if you cannot preform some of these steps or if you have ANY questions please ask BEFORE proceeding.

Backing Up Your Registry

1. Go Here and download ERUNT
   (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
   (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
   (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
   (the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

Registry Modifications

Download the enclosed file. Save and extract its contents to the desktop. It is a folder containing a Registry Entries file, Deskfix.reg . Once extracted, open the folder and double click on the Deskfix.reg file and select Yes when prompted to merge it into the registry.

Restart the computer.
Le me know about if that made a difference.

 

[BArkat]

Um, well, we have another problem. There is no "system restore" in the "system tools". there is a "backup". Is that the same thing? May sound like a stupid question, just trying not to mess anything else up.

 

[JSntgRvr]

Sorry, BArkat

Disregard System Restore. It is not a vailable in Windows 2000. Just use ERUNT and backup your registry.

 

[BArkat]

Just to make sure we are on the same page, you want me to go back to post #17 and run ERUNT? Then run the deskfix, also from #17? Or just the ERUNT?