Registry Issue? HJT Log

Comments

• chiaz

  May 2006 edited May 2006

  Hi, I will be helping you.
  
  Download and run CWShredder from its own folder:
  http://cwshredder.net/bin/CWShredder.exe
  Click Fix and then Next, let it fix everything it asks about.
  
  Then download
  AboutBuster.
  Credits go to RubbeR DuckY aka Marcin Kleczynski.

  • Double click the AboutBuster folder, then double click the
    AboutBuster.exe inside.
  • Click "Extract all" in the box that pops up, then "Next"
  • Choose the location you would like to install AboutBuster, such as
    My Documents.
  • Make sure "Show extracted files" is checked, then click "Finish".
  • Reboot to safe mode by continually tapping the F8 key as the
    computer begins to boot.
  • Open AboutBuster and click the "Begin Removal" button. AboutBuster will finish and open a new page. Follow the instructions for protection on that page. It will shut down all Explorer windows (if open) while it works.
  • It will begin to check your computer for malicious files. If it
    asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log and save it to somewhere convenient. If your problem is not fixed, a Malware Removal Expert might need to see this log.
  • Reboot your computer into safe mode again
  • Run about:buster again following the same instructions as above,
    this time without the restart at the end

  Note: If you receive any error messages please open the readme file in the AboutBuster folder and follow the directions provided for correcting that error.
  
  
  Next download the attached zip file and unzip it to your desktop.
  http://www.mvps.org/winhelp2002/DelDomains.inf
  Right-click on the deldomains.inf file and select 'Install'.
  
  
  Then restart your computer again. Rescan with HijackThis and post the fresh log in your next reply.

  0
• sect

  May 2006 edited May 2006

  Did all that you asked, and here is the HJT log.
  
  Aboutbuster removed something, whereas CWShredder didn't find what it was looking for.
  
  Search and Destroy still picks up the Hotsyik or whatever it is named.
  
  Logfile of HijackThis v1.99.1
  Scan saved at 11:12:42 a.m., on 17/05/2006
  Platform: Windows XP SP2 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
  
  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\System32\Ati2evxx.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
  C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
  C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
  C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
  C:\WINDOWS\system32\pctspk.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\Ati2evxx.exe
  C:\WINDOWS\system32\userinit.exe
  C:\WINDOWS\Explorer.EXE
  C:\WINDOWS\system32\sstray.exe
  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
  C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
  C:\Program Files\QuickTime\qttask.exe
  C:\WINDOWS\system32\GSICON.EXE
  C:\WINDOWS\system32\DSLAGENT.EXE
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
  C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
  C:\Program Files\Messenger\msmsgs.exe
  C:\Documents and Settings\Starlyte\Desktop\Nic\HijackThis.exe
  C:\WINDOWS\system32\wuauclt.exe
  
  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = res://C:\WINDOWS\System32\shdoclc.dll/dnserror.htm
  R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Xtra
  O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
  O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
  O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
  O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
  O4 - HKLM\..\Run: [DSLAGENTEXE] DSLAGENT.EXE PCI
  O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
  O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk181YYUS
  O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
  O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
  O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
  O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
  O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
  O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
  O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
  O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
  O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
  O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
  
  AboutBuster 6.01
  Scan started on [17/05/2006] at [10:35:45 a.m.]

  ---

  Internet Explorer Instances Terminated!
  HomeSearch Service stopped if present

  ---

  Removed Stream! C:\WINDOWS\bvbkv.txt:anbsgy
  Removed Stream! C:\WINDOWS\bvbkv.txt:moyclv
  Removed Stream! C:\WINDOWS\chgxm.txt:uqiasr
  Removed Stream! C:\WINDOWS\duyoj.txt:wwrndq
  Removed Stream! C:\WINDOWS\eqbhw.txt:owksfa
  Removed Stream! C:\WINDOWS\fcpaa.log:fbnrkp
  Removed Stream! C:\WINDOWS\fcpaa.log:teuirx
  Removed Stream! C:\WINDOWS\fcpaa.log:ucdlo
  Removed Stream! C:\WINDOWS\hfrog.txt:ldcryy
  Removed Stream! C:\WINDOWS\hfrog.txt:lspljo
  Removed Stream! C:\WINDOWS\huglq.log:cwcoun
  Removed Stream! C:\WINDOWS\huglq.log:tkdhtb
  Removed Stream! C:\WINDOWS\iirbc.txt:alxkyf
  Removed Stream! C:\WINDOWS\iirbc.txt:hkadfl
  Removed Stream! C:\WINDOWS\iirbc.txt:lwrwes
  Removed Stream! C:\WINDOWS\iirbc.txt:uecykg
  Removed Stream! C:\WINDOWS\iirbc.txt:zysfuy
  Removed Stream! C:\WINDOWS\lqrxl.log:llxqqe
  Removed Stream! C:\WINDOWS\lqrxl.log:yfudhm
  Removed Stream! C:\WINDOWS\lqrxl.log:zcamld
  Removed Stream! C:\WINDOWS\objkv.log:qiuvzp
  Removed Stream! C:\WINDOWS\objkv.log:tlssqp
  Removed Stream! C:\WINDOWS\qqibr.dat:jflmqw
  Removed Stream! C:\WINDOWS\qqibr.dat:lugtlc
  Removed Stream! C:\WINDOWS\qqibr.dat:nlynos
  Removed Stream! C:\WINDOWS\rtvtl.txt:cmmno
  Removed Stream! C:\WINDOWS\rtvtl.txt:owgem
  Removed Stream! C:\WINDOWS\rtvtl.txt:rddrxr
  Removed Stream! C:\WINDOWS\rtvtl.txt:xpxgvv
  Removed Stream! C:\WINDOWS\SchedLgU.Txt:ilyzdg
  Removed Stream! C:\WINDOWS\SchedLgU.Txt:vgkxdc
  Removed Stream! C:\WINDOWS\Sti_Trace.log:tqgsgn
  Removed Stream! C:\WINDOWS\Sti_Trace.log:usujtg
  Removed Stream! C:\WINDOWS\Sti_Trace.log:wschh
  Removed Stream! C:\WINDOWS\taknp.txt:lrrxax
  Removed Stream! C:\WINDOWS\ujmeu.log:eskcca
  Removed Stream! C:\WINDOWS\uliqr.log:axzdl
  Removed Stream! C:\WINDOWS\uliqr.log:emxrny
  Removed Stream! C:\WINDOWS\uliqr.log:huglqz
  Removed Stream! C:\WINDOWS\uliqr.log:rpbqaq
  Removed Stream! C:\WINDOWS\uliqr.log:wksuoz
  Removed Stream! C:\WINDOWS\uliqr.log:xwgpde
  Removed Stream! C:\WINDOWS\wiaservc.log:gjtxxs
  Removed Stream! C:\WINDOWS\wiaservc.log:yujph
  Removed Stream! C:\WINDOWS\WindowsUpdate.log:nsxoqn
  Removed Stream! C:\WINDOWS\WindowsUpdate.log:qvuhml
  Removed Stream! C:\WINDOWS\winnt.bmp:jpzfvd
  Removed Stream! C:\WINDOWS\winnt256.bmp:fspusx
  Removed Stream! C:\WINDOWS\winnt256.bmp:lybcml
  Removed Stream! C:\WINDOWS\winnt256.bmp:rlhgz
  Removed Stream! C:\WINDOWS\winnt256.bmp:xnzgo
  Removed Stream! C:\WINDOWS\winnt256.bmp:xwkyww
  Removed Stream! C:\WINDOWS\wvoap.txt:culowt
  Removed Stream! C:\WINDOWS\wvoap.txt:hslnbv
  Removed Stream! C:\WINDOWS\wvoap.txt:kvucnc
  Removed Stream! C:\WINDOWS\wvoap.txt:vstlrn
  Removed Stream! C:\WINDOWS\wvoap.txt:xirubc
  Removed Stream! C:\WINDOWS\xnsoy.dat:csjfuw
  Removed Stream! C:\WINDOWS\xnsoy.dat:ghydhz
  Removed Stream! C:\WINDOWS\xnsoy.dat:ooptyq
  Removed Stream! C:\WINDOWS\xnsoy.dat:psmdns
  Removed Stream! C:\WINDOWS\yvcco.dat:asfiqc
  Removed Stream! C:\WINDOWS\yvcco.dat:dtxpmm
  Removed Stream! C:\WINDOWS\yvcco.dat:hoiysa
  Removed Stream! C:\WINDOWS\yvcco.dat:txyzal

  ---

  Removed File! : C:\WINDOWS\bvbkv.txt
  Removed File! : C:\WINDOWS\chgxm.txt
  Removed File! : C:\WINDOWS\duyoj.txt
  Removed File! : C:\WINDOWS\eqbhw.txt
  Removed File! : C:\WINDOWS\fcpaa.log
  Removed File! : C:\WINDOWS\hfrog.txt
  Removed File! : C:\WINDOWS\huglq.log
  Removed File! : C:\WINDOWS\iirbc.txt
  Removed File! : C:\WINDOWS\lqrxl.log
  Removed File! : C:\WINDOWS\objkv.log
  Removed File! : C:\WINDOWS\qqibr.dat
  Removed File! : C:\WINDOWS\rtvtl.txt
  Removed File! : C:\WINDOWS\taknp.txt
  Removed File! : C:\WINDOWS\ujmeu.log
  Removed File! : C:\WINDOWS\uliqr.log
  Removed File! : C:\WINDOWS\wvoap.txt
  Removed File! : C:\WINDOWS\xnsoy.dat
  Removed File! : C:\WINDOWS\yvcco.dat
  Removed File! : C:\WINDOWS\system32\addxz.exe
  Removed File! : C:\WINDOWS\system32\amnke.dat
  Removed File! : C:\WINDOWS\system32\bflvw.dat
  Removed File! : C:\WINDOWS\system32\bjyow.dat
  Removed File! : C:\WINDOWS\system32\bxfbf.dat
  Removed File! : C:\WINDOWS\system32\colwp.log
  Removed File! : C:\WINDOWS\system32\cqkli.log
  Removed File! : C:\WINDOWS\system32\desjx.txt
  Removed File! : C:\WINDOWS\system32\dhbqg.txt
  Removed File! : C:\WINDOWS\system32\dhxfc.dat
  Removed File! : C:\WINDOWS\system32\dvfxq.txt
  Removed File! : C:\WINDOWS\system32\dzhcy.dat
  Removed File! : C:\WINDOWS\system32\eahqs.log
  Removed File! : C:\WINDOWS\system32\eboze.dat
  Removed File! : C:\WINDOWS\system32\elhhx.log
  Removed File! : C:\WINDOWS\system32\ellnf.log
  Removed File! : C:\WINDOWS\system32\ephkf.dat
  Removed File! : C:\WINDOWS\system32\ezgtv.dat
  Removed File! : C:\WINDOWS\system32\ffvkx.log
  Removed File! : C:\WINDOWS\system32\ficgf.dat
  Removed File! : C:\WINDOWS\system32\fyaij.dat
  Removed File! : C:\WINDOWS\system32\fzovz.log
  Removed File! : C:\WINDOWS\system32\gfsqi.txt
  Removed File! : C:\WINDOWS\system32\ghdxw.dat
  Removed File! : C:\WINDOWS\system32\hndfo.log
  Removed File! : C:\WINDOWS\system32\holij.txt
  Removed File! : C:\WINDOWS\system32\hpjgd.log
  Removed File! : C:\WINDOWS\system32\hwnfv.dat
  Removed File! : C:\WINDOWS\system32\ijnai.txt
  Removed File! : C:\WINDOWS\system32\imqxp.txt
  Removed File! : C:\WINDOWS\system32\jctrx.log
  Removed File! : C:\WINDOWS\system32\jhjsy.dat
  Removed File! : C:\WINDOWS\system32\jivyv.dat
  Removed File! : C:\WINDOWS\system32\jxara.txt
  Removed File! : C:\WINDOWS\system32\kanzv.log
  Removed File! : C:\WINDOWS\system32\kuvak.txt
  Removed File! : C:\WINDOWS\system32\letrq.log
  Removed File! : C:\WINDOWS\system32\lpnvf.txt
  Removed File! : C:\WINDOWS\system32\matwl.log
  Removed File! : C:\WINDOWS\system32\mhmbp.log
  Removed File! : C:\WINDOWS\system32\msugx.dat
  Removed File! : C:\WINDOWS\system32\nanhc.dat
  Removed File! : C:\WINDOWS\system32\nbkwq.dat
  Removed File! : C:\WINDOWS\system32\nbuxf.txt
  Removed File! : C:\WINDOWS\system32\netnm.exe
  Removed File! : C:\WINDOWS\system32\nizdf.dat
  Removed File! : C:\WINDOWS\system32\nkxmu.dat
  Removed File! : C:\WINDOWS\system32\ogvcf.txt
  Removed File! : C:\WINDOWS\system32\orsdt.txt
  Removed File! : C:\WINDOWS\system32\otogw.dat
  Removed File! : C:\WINDOWS\system32\pesmu.log
  Removed File! : C:\WINDOWS\system32\qhywi.txt
  Removed File! : C:\WINDOWS\system32\rcwth.txt
  Removed File! : C:\WINDOWS\system32\rhaxp.dat
  Removed File! : C:\WINDOWS\system32\ruwut.dat
  Removed File! : C:\WINDOWS\system32\szziz.dat
  Removed File! : C:\WINDOWS\system32\tfntq.txt
  Removed File! : C:\WINDOWS\system32\timjg.dat
  Removed File! : C:\WINDOWS\system32\tukbk.log
  Removed File! : C:\WINDOWS\system32\tzzvg.txt
  Removed File! : C:\WINDOWS\system32\uyixz.log
  Removed File! : C:\WINDOWS\system32\vsyab.log
  Removed File! : C:\WINDOWS\system32\vwxuk.dat
  Removed File! : C:\WINDOWS\system32\wwjmz.log
  Removed File! : C:\WINDOWS\system32\zaqqg.log
  Removed File! : C:\WINDOWS\system32\zbmbd.log
  Removed File! : C:\WINDOWS\system32\zgkch.txt
  Removed File! : C:\WINDOWS\system32\zlpko.dat
  Removed File! : C:\WINDOWS\system32\zomrc.txt

  ---

  Removed Temp Files
  Internet Explorer Settings Reset!

  ---

  Scan was COMPLETED SUCCESSFULLY at 10:53:47 a.m.
  
  
  AboutBuster 6.01
  Scan started on [17/05/2006] at [10:56:48 a.m.]

  ---

  Internet Explorer Instances Terminated!
  HomeSearch Service stopped if present

  ---

  No Ads Found!

  ---

  No Files Found!

  ---

  Scan was COMPLETED SUCCESSFULLY at 10:58:51 a.m.

  0
• chiaz

  May 2006 edited May 2006

  Please launch HijackThis and check the following entries:
  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = res://C:\WINDOWS\System32\shdoclc.dll/dnserror.htm
  
  
  Close all other windows except HijackThis and press "Fix Checked". Then close HijackThis and restart the computer.
  
  Now rescan with Spybot Search and Destroy. I believe it produces a logfile, if possible, please post it here for me to have a look.

  0
• sect

  May 2006 edited May 2006

  S & D still finds the problem.
  
  Holistyc: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-21-1123561945-1275210071-839522115-1004\Software\Local AppWizard-Generated Applications\holi4529796
  
  Holistyc: User settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-21-1123561945-1275210071-839522115-1004\Software\Local AppWizard-Generated Applications\holi3109562
  
  
  --- Spybot - Search && Destroy version: 1.3 ---
  2006-05-19 Includes\Cookies.sbi
  2006-05-19 Includes\Dialer.sbi
  2006-05-19 Includes\Hijackers.sbi
  2006-05-19 Includes\Keyloggers.sbi
  2004-11-29 Includes\LSP.sbi
  2006-05-19 Includes\Malware.sbi
  2006-05-19 Includes\PUPS.sbi
  2006-05-19 Includes\Revision.sbi
  2006-05-19 Includes\Security.sbi
  2006-05-19 Includes\Spybots.sbi
  2005-02-17 Includes\Tracks.uti
  2006-05-19 Includes\Trojans.sbi
  
  
  
  Logfile of HijackThis v1.99.1
  Scan saved at 8:54:35 p.m., on 20/05/2006
  Platform: Windows XP SP2 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
  
  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\System32\Ati2evxx.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\WINDOWS\system32\Ati2evxx.exe
  C:\WINDOWS\Explorer.EXE
  C:\WINDOWS\system32\sstray.exe
  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
  C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
  C:\Program Files\QuickTime\qttask.exe
  C:\WINDOWS\system32\GSICON.EXE
  C:\WINDOWS\system32\DSLAGENT.EXE
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
  C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
  C:\Program Files\Messenger\msmsgs.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
  C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
  C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
  C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
  C:\Program Files\Internet Explorer\iexplore.exe
  C:\WINDOWS\system32\pctspk.exe
  C:\WINDOWS\System32\svchost.exe
  C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
  C:\Program Files\Internet Explorer\iexplore.exe
  C:\WINDOWS\system32\NOTEPAD.EXE
  C:\Documents and Settings\Starlyte\Desktop\Nic\HijackThis.exe
  
  R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Xtra
  O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
  O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
  O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
  O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
  O4 - HKLM\..\Run: [DSLAGENTEXE] DSLAGENT.EXE PCI
  O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
  O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
  O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk181YYUS
  O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
  O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
  O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
  O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
  O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
  O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
  O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
  O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
  O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
  O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
  O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

  0
• chiaz

  May 2006 edited May 2006

  Please run Notepad and paste the following text into a new file:

  REGEDIT4
  
  [-HKEY_USERS\S-1-5-21-1123561945-1275210071-839522115-1004\Software\Local AppWizard-Generated Applications\holi4529796]
  
  [-HKEY_USERS\S-1-5-21-1123561945-1275210071-839522115-1004\Software\Local AppWizard-Generated Applications\holi3109562]

  Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.
  
  Rescan with Spybot S&D. Does it still detect these two registry keys?

  0
• sect

  May 2006 edited May 2006

  S&D no longer finds anything. I'm in the safe then?

  0
• chiaz

  May 2006 edited May 2006

  Let's have a final check with Panda ActiveScan.

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report, along with a new HijackThis log. Hopefully you should be all cleaned up by now.

  0
• sect

  May 2006 edited May 2006

  Thanks for your help & sorry for the late reply. Panda scan came up sweet.
  
  

  0
• chiaz

  May 2006 edited May 2006

  Sweet! Your computer appears clean now.
  
  Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore. Click to add a check mark beside Turn off System Restore on all Drives, and click Apply. When you are warned that all existing Restore Points will be deleted, click Yes to continue. All system restore points are deleted. Now you should manually create a restore point. Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore.
  
  Click Create a Restore Point, and then click Next. Name your restore point. (I use the date as well as a descriptive term such as "Clean system.")
  
  
  
  
  
  Here are a number of recommendations for additional protection to help prevent any malware infections in the future. These few simple steps can stave off the vast majority of spyware problems.
  
  
  
  You may have already taken some of these steps:
  
  1. Watch what you download!
  
  Do not download just anything you see on the web. Some may have spyware bundled into them.
  
  
  
  2. Try not to use peer-to-peer programs.
  
  P2P programs like Grokster, Imesh, Kazaa and others are amongst the most notorious, come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself. If you insist on using a P2P program, please read this article written by Mike Healan of Spywareinfo.com fame. It is an updated and comprehensive article that gives in-depth detail about which P2P programs are "safe" to use.
  
  
  
  3. Visit Windows Update:
  
  Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
  
  Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
  
  We recommend checking for Windows updates monthly.
  
  
  
  4. Adjust your security settings for ActiveX:
  
  Go to Internet Options/Security/Internet, press 'default level', then OK.
  
  Now press "Custom Level."
  
  In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to 'prompt', and 'Initialize and Script ActiveX controls not marked as safe" to 'disable'.
  
  
  
  So why is ActiveX so dangerous that you have to increase the security for it?
  
  When your browser runs an activex control, it is running an executable program. It's no different from doubleclicking an exe file on your hard drive.
  
  Would you run just any random file downloaded off a web site without knowing what it is and what it does?
  
  
  
  5. Download and install the following free programs:
  
  a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
  
  b. SpywareGuard: http://www.javacoolsoftware.com/spywareguard.html
  
  Periodically check for updates.
  
  
  
  6. Keep your antivirus software up to date. If you don't have one, I recommend the free AVG.
  
  
  
  7. Use a firewall. If you don't have a firewall, I recommend the free version of ZoneAlarm
  
  A tutorial on understanding and using firewalls may be found here
  
  
  
  8. IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Another good hosts program is mvpshosts. This little program packs a powerful punch as it block ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial.
  
  
  
  
  
  9. You might consider installing Mozilla / Firefox, which is much safer than Internet Explorer.
  
  http://www.mozilla.org/
  
  
  
  10. Install spyware detection and removal programs:
  
  Ad-aware: http://www.snapfiles.com/get/adaware.html
  
  Spybot S&D:
  
  http://www.safer-networking.org
  
  Use these programs to regularly scan your system for and remove many forms of spyware/malware.
  
  
  
  11. Microsoft now offers their own anti-spyware product. Windows® Defender (Beta 2) improves Internet browsing safety by guarding over fifty (50) ways spyware can enter your PC. This is a BETA for XP/2000 only.
  
  
  
  12. Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www.spywarewarrior.com/rogue_anti-spyware.htm
  
  If you want to know just how effective your anti-spyware program is, or how well any of the "rogue" programs listed at the above link work, check this for an independent comparison of several anti-spyware programs: http://www.spywarewarrior.com/asw-test-guide.htm
  
  
  
  Let us know if we have not resolved your problem. Otherwise, you are good to go.
  
  Happy and Safe Surfing!

  0