Ayudame, por favor! HJT Log and more...

Comments

• tehmada Fayetteville

  December 2005 edited December 2005

  just to add another teensy problem; a while back when i was running spybot, i think i deleted winsync. now every time i restart i get this funky little diddy:
  
  Spybot-Search & Destroy has detected an important registry entry that has been changed.
  
  Category: System startup global entry
  Change: Value deleted
  
  Entry: winsync
  
  Old data: C:\WINDOWS\system32\ppioiy.exe reg_run (thats all i can see)
  New data:
  
  any way i can fixerup?
  tanks you

  0
• Trogan London, UK

  December 2005 edited December 2005

  Hi, Welcome to Short-Media
  
  Please follow the steps below
  --
  
  Step 1
  Please move HJT from your Desktop to its own folder on your C: so backups can be created. Do this before continuing.
  
  
  Step 2
  We need to DISABLE SpyBots TeaTimer as it may interfere with the fix.
  
  1) Run Spybot-S&D
  2) Go to the Mode menu, and make sure "Advanced Mode" is selected
  3) On the left hand side, choose Tools -> Resident
  4) Uncheck "Resident TeaTimer" and OK any prompts
  5) Exit SpyBot
  
  
  Step 3
  Run HiJackThis then:
  
  1. Click "Open the Misc Tools Section"
  2. Click "Open Process manager"
  
  -
  
  Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
  
  C:\WINDOWS\system32\ppioiy.exe
  
  Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
  
  
  Step 4
  Check the following in HJT and click 'Fix Checked' - Close ALL open Browsers first
  
  R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
  
  O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
  
  O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
  
  O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ppioiy.exe reg_run
  
  O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
  
  
  Step 5
  View hidden files and folders - explained here
  
  
  Step 6
  Find and Delete the following - if present:
  
  C:\WINDOWS\system32\ppioiy.exe << this file
  
  
  Step 7
  Reboot your computer
  
  Don't forget to Enable SpyBots TeaTimer!!!
  
  
  
  Read the following
  
  You are missing one important program on your computer: An Anti-Virus.
  You need to install an Anti-Virus program as soon as you can and run a complete scan of the computer.
  I suggest one of these (both have relatively small demands on the computer):
  
  Nod32 : http://www.nod32.com/home/home.htm
  or
  AVG Anti-Virus (Free version available) http://free.grisoft.com/doc/1
  
  Choose one, install it, and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.
  
  
  It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
  Your log doesn't show a firewall running. If you have disabled it, please re-enable it.
  If you do not have a firewall installed, please download and instal one of these excellent (and free) products: Zone Alarm or Sygate
  It is important to note that you should only have one firewall installed at a time, but you can download both to your Desktop and install each in turn to see which one you prefer.

  0
• tehmada Fayetteville

  December 2005 edited December 2005

  alright.
  
  I:
  
  moved HJT to its own folder
  
  disabled teatimer
  
  ran HJT process manager, and couldnt find ppioiy.exe
  
  deleted the other 5 entries you said to delete
  
  "viewed" or enabled viewing of hiddin files and folders
  
  still couldnt locate ppioiy.exe
  
  rebooted
  
  no resident thingy popped up, but there are some weird semi-opaque (like they've been cut) icons on my desktop.
  4 jpegs: AlbumArt_{EEB8E463-E016-4D8E-B8B8-5AEA3D658DFC}_Large
  AlbumArt_{EEB8E463-E016-4D8E-B8B8-5AEA3D658DFC}_Small
  AlbumArtSmall
  and Folder
  
  they are all albumarts of some guy and they say "tonex/o2"??
  
  there is also a semi opaque "configuration settings" file named desktop that reads:
  
  [.ShellClassInfo]
  FolderType=MusicAlbum
  MusicBuyUrl=http://windowsmedia.com/redir/buynow9.asp?providerName=AMG&amp;albumID=EEB8E463-E016-4D8E-B8B8-5AEA3D658DFC&amp;a_id=R 585090&amp;album=O2&amp;artistID=F24E5261-D242-4A6B-9607-9A6DC36B10EE&amp;p_id=P 416882&amp;artist=Tonéx&amp;locale=409&amp;geoid=f4&amp;version=10.0.0.3646&amp;userlocale=409
  
  if i try to delete any of these files, it says that they are system files. should i just delete them anyway?
  
  after that junk, i d/led AVG and Zone Alarm,
  
  installed both
  
  ran AVG scan, which found nothing
  
  set up the firewall
  
  re-enabled teatimer, which in turn made the resident thingy about ppioiy.exe pop up again, and also one about "O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)"
  
  and now i'm here.
  thank you so far.
  
  EDIT:btw, reinstalled itunes and it still only makes it to the user license agreement before it decides its had enough.
  also, when i started opera today, zone alarm said that ppioiy.exe was trying to access the internet.
  thanks~

  0
• Trogan London, UK

  December 2005 edited December 2005

  Can you post a new HJT log please. Take a screen shot of th file your are talking about

  0
• tehmada Fayetteville

  December 2005 edited December 2005

  Here tis':
  
  Logfile of HijackThis v1.99.1
  Scan saved at 4:16:34 PM, on 12/14/2005
  Platform: Windows XP SP2 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
  
  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\Ati2evxx.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\WINDOWS\Explorer.EXE
  C:\WINDOWS\ehome\ehtray.exe
  C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
  C:\WINDOWS\stsystra.exe
  C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
  C:\WINDOWS\system32\DeltTray.exe
  C:\Program Files\Common Files\Real\Update_OB\realsched.exe
  C:\WINDOWS\system32\dla\tfswctrl.exe
  C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
  C:\Program Files\Winamp\winampa.exe
  C:\Program Files\QuickTime\qttask.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
  C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
  C:\Program Files\Messenger\msmsgs.exe
  C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
  C:\Program Files\Folding@Home\winFAH.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
  C:\WINDOWS\eHome\ehRecvr.exe
  C:\WINDOWS\eHome\ehSched.exe
  C:\Program Files\ewido\security suite\ewidoctrl.exe
  C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
  C:\WINDOWS\system32\HPZipm12.exe
  C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  C:\Program Files\Folding@Home\FahCore_78.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
  C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
  C:\WINDOWS\system32\dllhost.exe
  C:\WINDOWS\eHome\ehmsas.exe
  C:\Program Files\iPod\bin\iPodService.exe
  C:\Program Files\iTunes\iTunesHelper.exe
  C:\Program Files\Opera\Opera.exe
  C:\Program Files\HJT\HijackThis.exe
  
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
  O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
  O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
  O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
  O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
  O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
  O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
  O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
  O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
  O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
  O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
  O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
  O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
  O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
  O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
  O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
  O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ppioiy.exe reg_run
  O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
  O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
  O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
  O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
  O4 - Startup: Folding@Home 5.03.lnk = ?
  O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
  O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
  O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
  O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
  O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
  O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
  O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
  O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
  O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
  O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  
  
  
  umm... do you mean the pics of the albumarts?
  and if so... (call me a n00b, this is my first forum), how do i upload it to a reply?

  0
• Trogan London, UK

  December 2005 edited December 2005

  No problem...
  
  
  Take a screen shot of the "Semi opaque" files you where talking about on your desktop and any other funny looking files, lol...
  
  Click on New Reply or Go Advanced and then go to Manage Attachments. Find your pic and upload it.

  0
• tehmada Fayetteville

  December 2005 edited December 2005

  gracias. okay these are the files:
  
  http://www.short-media.com/forum/attachment.php?attachmentid=18509&stc=1
  
  this is the albumart (the rest are just different sizes):
  
  http://www.short-media.com/forum/attachment.php?attachmentid=18507&stc=1
  
  and this is what it says when i try to delete it:
  
  http://www.short-media.com/forum/attachment.php?attachmentid=18506&stc=1
  
  btw, was that "no problem" directed at the hjt log? or my noobness? lol

  trytodeleteit.JPG 137.2K

  tonexdude.JPG 39.9K

  desktoppic.JPG 138.9K

  0
• Trogan London, UK

  December 2005 edited December 2005

  Never seen that before...i'l have to get more info on those
  --
  
  
  Check the following in HJT and click 'Fix Checked' - Close ALL open Browsers first
  
  O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
  --
  
  
  Download Killbox from here.
  
  
  Open killbox and paste in C:\WINDOWS\system32\ppioiy.exe
  
  With the full path to the file name in the topmost textbox, click the option *Delete on Reboot*
  
  Click the Red X ...and for the confirmation message that will ask you to reboot now, click YES.
  --
  
  
  Reboot and post a new HJT log....i'l get back to you about those files on your desktop

  0
• tehmada Fayetteville

  December 2005 edited December 2005

  did it all, sb resident still came up on startup about the ppioiy.exe and the other one ( "O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)")
  
  Logfile of HijackThis v1.99.1
  Scan saved at 5:58:26 PM, on 12/14/2005
  Platform: Windows XP SP2 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
  
  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\Ati2evxx.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\WINDOWS\Explorer.EXE
  C:\WINDOWS\ehome\ehtray.exe
  C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
  C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
  C:\WINDOWS\stsystra.exe
  C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
  C:\WINDOWS\system32\DeltTray.exe
  C:\Program Files\Common Files\Real\Update_OB\realsched.exe
  C:\WINDOWS\system32\dla\tfswctrl.exe
  C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
  C:\Program Files\Winamp\winampa.exe
  C:\Program Files\QuickTime\qttask.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
  C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
  C:\Program Files\Messenger\msmsgs.exe
  C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  C:\Program Files\Folding@Home\winFAH.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
  C:\Program Files\Folding@Home\FahCore_78.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
  C:\WINDOWS\eHome\ehRecvr.exe
  C:\WINDOWS\eHome\ehSched.exe
  C:\Program Files\ewido\security suite\ewidoctrl.exe
  C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
  C:\WINDOWS\system32\HPZipm12.exe
  C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
  C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
  C:\Program Files\Opera\Opera.exe
  C:\WINDOWS\system32\dllhost.exe
  C:\WINDOWS\eHome\ehmsas.exe
  C:\WINDOWS\system32\wuauclt.exe
  C:\Program Files\HJT\HijackThis.exe
  
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
  O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
  O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
  O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
  O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
  O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
  O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
  O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
  O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
  O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
  O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
  O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
  O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
  O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
  O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
  O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
  O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ppioiy.exe reg_run
  O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
  O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
  O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
  O4 - Startup: Folding@Home 5.03.lnk = ?
  O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
  O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
  O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
  O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
  O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
  O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
  O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
  O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
  O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
  O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

  0
• Trogan London, UK

  December 2005 edited December 2005

  Disable SpyBots TeaTimer and then do the same as before:
  
  To Dsable SpyBots TeaTimer
  
  1) Run Spybot-S&D
  2) Go to the Mode menu, and make sure "Advanced Mode" is selected
  3) On the left hand side, choose Tools -> Resident
  4) Uncheck "Resident TeaTimer" and OK any prompts
  5) Exit SpyBot
  --
  
  
  Hide Files and Folders
  

  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not Show hidden files and folders.
  • Check the Hide protected operating system files (recommended) option.
  • Click OK.

  
  Check to see if the files have gone from your desktop..
  
  
  Post a new HJT log after

  0
• tehmada Fayetteville

  December 2005 edited December 2005

  they are gone, thanks, but i still wonder what they were and why they're on my desktop...
  
  anyway, a new hjt:
  
  Logfile of HijackThis v1.99.1
  Scan saved at 3:40:49 PM, on 12/15/2005
  Platform: Windows XP SP2 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
  
  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\Ati2evxx.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\WINDOWS\Explorer.EXE
  C:\WINDOWS\ehome\ehtray.exe
  C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
  C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
  C:\WINDOWS\stsystra.exe
  C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
  C:\WINDOWS\system32\DeltTray.exe
  C:\Program Files\Common Files\Real\Update_OB\realsched.exe
  C:\WINDOWS\system32\dla\tfswctrl.exe
  C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
  C:\Program Files\Winamp\winampa.exe
  C:\Program Files\QuickTime\qttask.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
  C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
  C:\Program Files\Messenger\msmsgs.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  C:\Program Files\Folding@Home\winFAH.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
  C:\WINDOWS\eHome\ehRecvr.exe
  C:\WINDOWS\eHome\ehSched.exe
  C:\Program Files\ewido\security suite\ewidoctrl.exe
  C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
  C:\WINDOWS\system32\HPZipm12.exe
  C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
  C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
  C:\WINDOWS\system32\dllhost.exe
  C:\WINDOWS\eHome\ehmsas.exe
  C:\Program Files\Opera\Opera.exe
  C:\Program Files\Folding@Home\FahCore_78.exe
  C:\Program Files\HJT\HijackThis.exe
  
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
  O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
  O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
  O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
  O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
  O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
  O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
  O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
  O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
  O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
  O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
  O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
  O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
  O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
  O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
  O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
  O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ppioiy.exe reg_run
  O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
  O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
  O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  O4 - Startup: Folding@Home 5.03.lnk = ?
  O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
  O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
  O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
  O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
  O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
  O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
  O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
  O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
  O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
  O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

  0
• Trogan London, UK

  December 2005 edited December 2005

  Not sure what they were doing on your desktop but good they are gone...
  --
  
  
  We need to DISABLE SpyBots TeaTimer as it may interfere with the fix.
  
  1) Run Spybot-S&D
  2) Go to the Mode menu, and make sure "Advanced Mode" is selected
  3) On the left hand side, choose Tools -> Resident
  4) Uncheck "Resident TeaTimer" and OK any prompts
  5) Exit SpyBot
  --
  
  
  Check the following in HJT and click 'Fix Checked' - Close ALL open Browsers first
  
  O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
  --
  
  Open killbox and paste in C:\WINDOWS\system32\ppioiy.exe
  
  With the full path to the file name in the topmost textbox, click the option *Delete on Reboot*
  
  Click the Red X ...and for the confirmation message that will ask you to reboot now, click YES.
  --
  
  
  Post a new HJT log please

  0
• tehmada Fayetteville

  December 2005 edited December 2005

  alright i think the (no name) fixed the one sb resident, but the attached one still showed up when i enabled tea-timer (and why are my buttons like that?)
  
  Logfile of HijackThis v1.99.1
  Scan saved at 4:49:28 PM, on 12/15/2005
  Platform: Windows XP SP2 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
  
  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\Ati2evxx.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\WINDOWS\Explorer.EXE
  C:\WINDOWS\ehome\ehtray.exe
  C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
  C:\WINDOWS\stsystra.exe
  C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
  C:\WINDOWS\system32\DeltTray.exe
  C:\Program Files\Common Files\Real\Update_OB\realsched.exe
  C:\WINDOWS\system32\dla\tfswctrl.exe
  C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
  C:\Program Files\Winamp\winampa.exe
  C:\Program Files\QuickTime\qttask.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
  C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
  C:\Program Files\Messenger\msmsgs.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
  C:\Program Files\Folding@Home\winFAH.exe
  C:\WINDOWS\eHome\ehRecvr.exe
  C:\WINDOWS\eHome\ehSched.exe
  C:\Program Files\ewido\security suite\ewidoctrl.exe
  C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
  C:\WINDOWS\system32\HPZipm12.exe
  C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  C:\Program Files\Folding@Home\FahCore_78.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
  C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
  C:\WINDOWS\system32\dllhost.exe
  C:\WINDOWS\eHome\ehmsas.exe
  C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
  C:\WINDOWS\system32\svchost.exe
  C:\Program Files\Opera\Opera.exe
  C:\Program Files\HJT\HijackThis.exe
  
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
  O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
  O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
  O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
  O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
  O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
  O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
  O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
  O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
  O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
  O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
  O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
  O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
  O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
  O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
  O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
  O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ppioiy.exe reg_run
  O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
  O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
  O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
  O4 - Startup: Folding@Home 5.03.lnk = ?
  O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
  O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
  O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
  O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
  O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
  O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
  O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
  O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
  O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
  O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  
  hmm... O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file) is still there...

  winsynchthingy.JPG 21.4K

  0
• Trogan London, UK

  December 2005 edited December 2005

  Please download the trial version of Ewido Security Suite here:
  http://www.ewido.net/en/download/
  Install it, and update the definitions to the newest files. Do NOT run a scan yet.
  --
  
  
  Go into Safe Mode - explained here
  --
  
  
  When in Safe Mode, DISABLE SpyBots TeaTimer and AVG Temporarly!!!
  --
  
  
  View hidden files and folders - explained here
  --
  
  
  Check the following in HJT and click 'Fix Checked' - Close ALL open Browsers first
  
  O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
  
  O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ppioiy.exe reg_run
  --
  
  
  Find and Delete the following:
  
  C:\WINDOWS\system32\ppioiy.exe << this file
  --
  
  
  Please run Ewido, and do a full scan. During the scan it will prompt you to clean files, click OK.
  
  Save the logfile from the scan. Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

  0
• tehmada Fayetteville

  December 2005 edited December 2005

  okay... in safe mode, i went to delete ppioiy.exe. i found it in the system32 folder. right after i right clicked it to delete it, it disappeared. when i clicked delete, it said access denied...?
  
  HJT
  
  Logfile of HijackThis v1.99.1
  Scan saved at 10:13:25 PM, on 12/15/2005
  Platform: Windows XP SP2 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
  
  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\Ati2evxx.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\WINDOWS\Explorer.EXE
  C:\WINDOWS\ehome\ehtray.exe
  C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
  C:\WINDOWS\stsystra.exe
  C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
  C:\WINDOWS\system32\DeltTray.exe
  C:\Program Files\Common Files\Real\Update_OB\realsched.exe
  C:\WINDOWS\system32\dla\tfswctrl.exe
  C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
  C:\Program Files\Winamp\winampa.exe
  C:\Program Files\QuickTime\qttask.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
  C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
  C:\Program Files\Messenger\msmsgs.exe
  C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
  C:\WINDOWS\eHome\ehRecvr.exe
  C:\Program Files\Folding@Home\winFAH.exe
  C:\WINDOWS\eHome\ehSched.exe
  C:\Program Files\ewido\security suite\ewidoctrl.exe
  C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
  C:\WINDOWS\system32\HPZipm12.exe
  C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  C:\Program Files\Folding@Home\FahCore_78.exe
  C:\Program Files\Opera\Opera.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
  C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
  C:\WINDOWS\system32\dllhost.exe
  C:\WINDOWS\eHome\ehmsas.exe
  C:\WINDOWS\system32\wuauclt.exe
  C:\WINDOWS\system32\wuauclt.exe
  C:\Program Files\HJT\HijackThis.exe
  
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
  O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
  O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
  O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
  O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
  O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
  O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
  O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
  O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
  O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
  O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
  O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
  O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
  O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
  O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
  O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
  O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
  O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
  O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ppioiy.exe reg_run
  O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
  O4 - Startup: Folding@Home 5.03.lnk = ?
  O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
  O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
  O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
  O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
  O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
  O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
  O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
  O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
  O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
  O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  
  
  ewido
  

  ---

  ewido security suite - Scan report

  ---

  
  + Created on: 5:49:18 PM, 12/15/2005
  + Report-Checksum: 6F21652E
  
  + Scan result:
  
  :mozilla.14:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
  :mozilla.20:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
  :mozilla.21:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
  :mozilla.25:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
  :mozilla.26:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
  :mozilla.27:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
  :mozilla.28:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
  :mozilla.29:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
  :mozilla.35:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
  :mozilla.36:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
  :mozilla.37:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
  :mozilla.38:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
  :mozilla.43:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
  :mozilla.44:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
  :mozilla.45:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
  :mozilla.46:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
  :mozilla.47:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
  :mozilla.51:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
  :mozilla.52:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
  :mozilla.53:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
  :mozilla.54:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
  :mozilla.57:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
  :mozilla.64:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
  :mozilla.65:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
  :mozilla.70:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
  :mozilla.71:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
  :mozilla.72:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
  :mozilla.73:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
  :mozilla.74:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
  :mozilla.75:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
  :mozilla.76:C:\Documents and Settings\Goldbond\Adam\Goldbond\Application Data\Mozilla\Firefox\Profiles\c1m8kvxb.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
  C:\Documents and Settings\Goldbond\Adam\Goldbond\Local Settings\Temporary Internet Files\Content.IE5\QUVGOZZ0\mm[2].js -> Spyware.Chitika : Cleaned with backup
  C:\Documents and Settings\Goldbond\Cookies\goldbond@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
  C:\Documents and Settings\Goldbond\Cookies\goldbond@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
  C:\Documents and Settings\Goldbond\Cookies\goldbond@hypertracker[2].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
  
  
  ::Report End

  0
• Trogan London, UK

  December 2005 edited December 2005

  Download Registrar Lite from here:
  http://www.resplendence.com/download/reglite.exe
  
  Put it in its own folder. You may want to keep this program. It is an excellent free, registry editor.
  
  Copy and paste the follow text into the address bar, then hit 'Go':
  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
  
  In the pane on the right are the values associated with that key.
  We want to remove this one >
  {4D25F921-B9FE-4682-BF72-8AB8210D6D75}
  
  Right click on it and select delete.
  If you get a confirmation question, respond OK then close out of the program.
  
  
  Reboot and post a new HJT log

  0
• tehmada Fayetteville

  December 2005 edited December 2005

  this is all i got:

  regmanager.JPG 94.2K

  0
• Trogan London, UK

  December 2005 edited December 2005

  Why does it say \[default] at the end of the Address Bar? Remove that and try again

  0
• tehmada Fayetteville

  December 2005 edited December 2005

  i did, and it gave me the same things. i think i had the (default) one highlighted when i screenshot it. sorry~

  0
• Trogan London, UK

  December 2005 edited December 2005

  Why won't those two entries go?
  
  
  You did Disable SpyBots TeaTimer, AVG and close ALL windows before fixing with HJT?
  
  
  
  I'm going to get more info....will be back soon

  0
• tehmada Fayetteville

  December 2005 edited December 2005

  dunno
  
  yes
  
  and okay.

  0
• Trogan London, UK

  December 2005 edited December 2005

  Download rkfiles.zip
  http://skads.org/special/rkfiles.zip
  Unzip the contents to a permanent folder.
  
  Reboot in Safe mode.
  
  Doubleclick rkfiles.bat
  It will scan for a while, so please be patient.
  Wait till the DOS window closes and reboot back to normal mode.
  
  To save some time, could you please have each of the files that rkfiles finds, uploaded for an online scan here;
  
  http://virusscan.jotti.org/
  
  Post the contents of C:\log.txt in your next reply.

  0
• tehmada Fayetteville

  December 2005 edited December 2005

  the virusscan said it was OK.
  
  C:\Program Files\rkfiles
  
  PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
  Files Found in system Folder............

  ---

  C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
  C:\WINDOWS\system32\DivX.dll: PEC2
  
  Files Found in all users startup Folder............

  ---

  Files Found in all users windows Folder............

  ---

  Finished
  bye

  0
• Crunchie Mandurah. Western Australia. Member

  December 2005 edited December 2005

  Please Download the following tools to assist us in removing this infection!

  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Dont do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember like the Desktop

  
  Reboot into Safe Mode
  Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
  
  Doubleclick WinPFind.exe

  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
    1. Go to the WinPFind folder
    2. Locate WinPFind.txt
    3. Place those results in the next post!

  
  Reboot back to Normal Mode!
  
  Double Click on "Track qoo.vbs"
  
  Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to run, its harmless!
  
  Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

  0
• tehmada Fayetteville

  December 2005 edited December 2005

  Trackqoo:
  
  REGEDIT4
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
  "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
  "IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\iaanotif.exe"
  "SigmatelSysTrayApp"="stsystra.exe"
  "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
  "DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
  "ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
  "ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
  "DeltTray"="DeltTray.exe"
  "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
  "dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
  "HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
  "WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
  "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
  "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
  "Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
  "winsync"="C:\\WINDOWS\\system32\\ppioiy.exe reg_run"
  

  ---

  HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
  
  
  Subkey --- AVG7 Shell Extension
  {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
  C:\Program Files\Grisoft\AVG Free\avgse.dll
  
  Subkey --- ewido
  {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
  C:\Program Files\ewido\security suite\context.dll
  
  Subkey --- mmnkngtt
  {eedac17f-b994-413d-91dd-29bfd19dde7d}
  C:\WINDOWS\system32\kkeke.dll
  
  Subkey --- Offline Files
  {750fdf0e-2a26-11d1-a3ea-080036587f03}
  C:\WINDOWS\System32\cscui.dll
  
  Subkey --- Open With
  {09799AFB-AD67-11d1-ABCD-00C04FC30936}
  C:\WINDOWS\system32\SHELL32.dll
  
  Subkey --- Open With EncryptionMenu
  {A470F8CF-A1E8-4f65-8335-227475AA5C46}
  C:\WINDOWS\system32\SHELL32.dll
  
  Subkey --- WinRAR
  {B41DB860-8EE4-11D2-9906-E49FADC173CA}
  C:\Program Files\WinRAR\rarext.dll
  
  Subkey --- Yahoo! Mail
  {5464D816-CF16-4784-B9F3-75C0DB52B499}
  C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
  
  Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
  Start Menu Pin
  C:\WINDOWS\system32\SHELL32.dll
  
  =====================
  
  HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers
  
  
  Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
  C:\WINDOWS\system32\SHELL32.dll
  
  Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
  C:\WINDOWS\system32\SHELL32.dll
  
  Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
  C:\WINDOWS\system32\SHELL32.dll
  
  Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
  C:\WINDOWS\system32\SHELL32.dll
  
  ==============================
  C:\Documents and Settings\All Users\Start Menu\Programs\Startup
  
  desktop.ini
  HP Digital Imaging Monitor.lnk
  HP Image Zone Fast Start.lnk
  oohq.exe
  QuickBooks Update Agent.lnk
  ==============================
  C:\Documents and Settings\Goldbond\Start Menu\Programs\Startup
  
  desktop.ini
  HP Digital Imaging Monitor.lnk
  HP Image Zone Fast Start.lnk
  oohq.exe
  QuickBooks Update Agent.lnk
  desktop.ini
  Folding@Home 5.03.lnk
  ==============================
  C:\WINDOWS\system32 cpl files
  
  
  access.cpl Microsoft Corporation
  appwiz.cpl Microsoft Corporation
  bdeadmin.cpl Borland Software Corporation
  bthprops.cpl Microsoft Corporation
  DeltaCPL.cpl Doug Fetter Software Wizardry
  desk.cpl Microsoft Corporation
  firewall.cpl Microsoft Corporation
  hdwwiz.cpl Microsoft Corporation
  inetcpl.cpl Microsoft Corporation
  intl.cpl Microsoft Corporation
  irprops.cpl Microsoft Corporation
  ISUSPM.cpl InstallShield Software Corporation
  joy.cpl Microsoft Corporation
  jpicpl32.cpl Sun Microsystems, Inc.
  main.cpl Microsoft Corporation
  mmsys.cpl Microsoft Corporation
  ncpa.cpl Microsoft Corporation
  netsetup.cpl Microsoft Corporation
  nusrmgr.cpl Microsoft Corporation
  nwc.cpl Microsoft Corporation
  odbccp32.cpl Microsoft Corporation
  powercfg.cpl Microsoft Corporation
  speech.cpl Microsoft
  stac97.cpl Sigmatel, Inc.
  sysdm.cpl Microsoft Corporation
  telephon.cpl Microsoft Corporation
  timedate.cpl Microsoft Corporation
  wscui.cpl Microsoft Corporation
  wuaucpl.cpl Microsoft Corporation
  
  
  
  
  and
  
  WinPFind
  
  WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
  
  If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
  
  »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
  Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
  Internet Explorer Version: 6.0.2900.2180
  
  »»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
  
  Checking %SystemDrive% folder...
  winsync 11/19/2005 12:25:58 PM 5780 C:\hijackthis.log
  PEC2 12/16/2005 9:48:26 PM 610 C:\log.txt
  PEC2 12/16/2005 9:17:16 PM 610 C:\logrkfiles.txt
  PEC2 12/16/2005 9:44:56 PM 144 C:\win.txt
  
  Checking %ProgramFilesDir% folder...
  
  Checking %WinDir% folder...
  
  Checking %System% folder...
  PEC2 8/10/2004 4:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
  PEC2 6/9/2005 2:32:28 PM 692736 C:\WINDOWS\SYSTEM32\DivX.dll
  PECompact2 6/9/2005 2:32:28 PM 692736 C:\WINDOWS\SYSTEM32\DivX.dll
  PECompact2 12/8/2005 6:20:26 PM 2714976 C:\WINDOWS\SYSTEM32\MRT.exe
  aspack 12/8/2005 6:20:26 PM 2714976 C:\WINDOWS\SYSTEM32\MRT.exe
  aspack 8/10/2004 4:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
  Umonitor 8/10/2004 4:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
  winsync 8/10/2004 4:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
  
  Checking %System%\Drivers folder and sub-folders...
  UPX! 12/13/2005 9:26:02 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
  FSG! 12/13/2005 9:26:02 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
  PEC2 12/13/2005 9:26:02 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
  aspack 12/13/2005 9:26:02 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
  
  Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
  
  
  Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
  12/17/2005 5:22:24 PM S 2048 C:\WINDOWS\bootstat.dat
  12/17/2005 3:45:44 PM H 35870 C:\WINDOWS\system32\vsconfig.xml
  12/13/2005 10:02:42 PM H 4212 C:\WINDOWS\system32\zllictbl.dat
  11/30/2005 10:17:10 PM S 21633 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
  12/1/2005 6:12:48 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
  12/17/2005 5:22:20 PM H 8192 C:\WINDOWS\system32\config\default.LOG
  12/17/2005 5:22:32 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
  12/17/2005 5:22:26 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
  12/17/2005 5:22:32 PM H 65536 C:\WINDOWS\system32\config\software.LOG
  12/17/2005 5:22:28 PM H 1073152 C:\WINDOWS\system32\config\system.LOG
  12/15/2005 10:21:38 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
  10/31/2005 9:37:44 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\c5c5591c-a2a2-4957-9f1e-43204d78a883
  10/31/2005 9:37:44 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
  12/17/2005 5:21:38 PM H 6 C:\WINDOWS\Tasks\SA.DAT
  
  Checking for CPL files...
  Microsoft Corporation 8/10/2004 4:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
  Microsoft Corporation 8/10/2004 4:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
  Borland Software Corporation 10/7/2003 1:39:00 PM 184320 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
  Microsoft Corporation 8/10/2004 4:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
  Doug Fetter Software Wizardry 7/18/2001 8:11:36 AM R 14336 C:\WINDOWS\SYSTEM32\DeltaCPL.cpl
  Microsoft Corporation 8/10/2004 4:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
  Microsoft Corporation 8/10/2004 4:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
  Microsoft Corporation 8/10/2004 4:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
  Microsoft Corporation 8/10/2004 4:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
  Microsoft Corporation 8/10/2004 4:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
  Microsoft Corporation 8/10/2004 4:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
  InstallShield Software Corporation7/27/2004 3:50:48 PM 73728 C:\WINDOWS\SYSTEM32\ISUSPM.cpl
  Microsoft Corporation 8/10/2004 4:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
  Sun Microsystems, Inc. 6/3/2005 2:52:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
  Microsoft Corporation 8/10/2004 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
  Microsoft Corporation 8/10/2004 4:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
  Microsoft Corporation 8/10/2004 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
  Microsoft Corporation 8/10/2004 4:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
  Microsoft Corporation 8/10/2004 4:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
  Microsoft Corporation 8/10/2004 4:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
  Microsoft Corporation 8/10/2004 4:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
  Microsoft Corporation 8/10/2004 4:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
  Microsoft 3/2/1999 4:10:02 PM 49152 C:\WINDOWS\SYSTEM32\speech.cpl
  Sigmatel, Inc. 3/22/2005 3:22:44 AM 143441 C:\WINDOWS\SYSTEM32\stac97.cpl
  Microsoft Corporation 8/10/2004 4:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
  Microsoft Corporation 8/10/2004 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
  Microsoft Corporation 8/10/2004 4:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
  Microsoft Corporation 8/10/2004 4:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
  Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
  Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
  
  »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
  
  Checking files in %ALLUSERSPROFILE%\Startup folder...
  8/19/2004 3:07:20 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
  10/29/2005 4:46:22 PM 1808 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
  10/29/2005 4:47:10 PM 798 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
  12/17/2005 3:44:24 PM 228352 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\oohq.exe
  7/29/2005 9:21:40 AM 2109 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
  
  Checking files in %ALLUSERSPROFILE%\Application Data folder...
  8/19/2004 2:57:38 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
  10/29/2005 4:47:56 PM 852 C:\Documents and Settings\All Users\Application Data\hpzinstall.log
  10/25/2005 3:22:14 PM 4333 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
  
  Checking files in %USERPROFILE%\Startup folder...
  8/19/2004 3:07:20 PM HS 84 C:\Documents and Settings\Goldbond\Start Menu\Programs\Startup\desktop.ini
  12/6/2005 8:21:20 PM 573 C:\Documents and Settings\Goldbond\Start Menu\Programs\Startup\Folding@Home 5.03.lnk
  
  Checking files in %USERPROFILE%\Application Data folder...
  11/29/2005 5:20:56 PM 12358 C:\Documents and Settings\Goldbond\Application Data\PFP120JCM.{PB
  11/29/2005 5:20:56 PM 61678 C:\Documents and Settings\Goldbond\Application Data\PFP120JPR.{PB
  11/22/2005 5:32:34 PM 1024 C:\Documents and Settings\Goldbond\Application Data\WavCodec.wff
  
  »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
  SV1 =
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
  
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
  
  [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
  HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
  {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
  HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
  {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
  HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mmnkngtt
  {eedac17f-b994-413d-91dd-29bfd19dde7d} = C:\WINDOWS\system32\kkeke.dll
  HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
  {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
  HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
  {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
  HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
  {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
  HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
  {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
  HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
  {5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
  HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
  Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
  {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
  {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
  {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
  {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
  {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
  {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
  {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
  = %SystemRoot%\system32\SHELL32.dll
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
  = %SystemRoot%\system32\SHELL32.dll
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
  = %SystemRoot%\system32\SHELL32.dll
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
  = %SystemRoot%\system32\SHELL32.dll
  
  [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
  HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
  AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
  HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}
  =
  HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
  = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
  HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}
  DriveLetterAccess = C:\WINDOWS\system32\dla\tfswshx.dll
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
  =
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
  &Tip of the Day = %SystemRoot%\system32\shdocvw.dll
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
  =
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
  MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
  ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe
  
  [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
  =
  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
  Explorer Band = %SystemRoot%\system32\shdocvw.dll
  
  [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
  {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
  {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
  {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  ehTray C:\WINDOWS\ehome\ehtray.exe
  SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
  IAAnotif C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
  SigmatelSysTrayApp stsystra.exe
  ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
  DVDLauncher "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
  ISUSPM Startup C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
  ISUSScheduler "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
  DeltTray DeltTray.exe
  TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
  dla C:\WINDOWS\system32\dla\tfswctrl.exe
  HP Software Update C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
  WinampAgent C:\Program Files\Winamp\winampa.exe
  QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
  AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
  Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
  winsync C:\WINDOWS\system32\ppioiy.exe reg_run
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
  
  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup
  MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
  Steam
  SpybotSD TeaTimer C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
  
  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
  
  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
  
  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
  
  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
  
  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
  {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
  {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
  {0DF44EAA-FF21-4412-828E-260A8728E7F1} =
  
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
  dontdisplaylastusername 0
  legalnoticecaption
  legalnoticetext
  shutdownwithoutlogon 1
  undockwithoutlogon 1
  
  
  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
  
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  NoDriveTypeAutoRun 145
  
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
  PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
  CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
  WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
  SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
  UserInit = C:\WINDOWS\system32\userinit.exe,
  Shell = Explorer.exe
  System =
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
  = crypt32.dll
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
  = cryptnet.dll
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
  = cscdll.dll
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
  = wlnotify.dll
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
  = wlnotify.dll
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
  = sclgntfy.dll
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
  = WlNotify.dll
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
  = wlnotify.dll
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
  = wlnotify.dll
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
  Debugger = ntsd -d
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
  AppInit_DLLs
  
  
  »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
  WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
  Scan completed on 12/17/2005 5:28:14 PM
  
  
  
  wow. thats long.
  hello, crunchie

  0
• Crunchie Mandurah. Western Australia. Member

  December 2005 edited December 2005

  OK. Let's go .
  
  Download Pocket KillBox from here. There is a Direct Download and a description of what the Program does inside this link.
  
  Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as KillQoo.reg (set Filetype to "All Files") and save it on your Desktop.
  

  REGEDIT4
  
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\mmnkngtt]
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "winsync"=-

  
  *NOTE!! When I have posted the above regfix, the software here will automatically create a space after about the 50th character. You must make sure there are no spaces before saving it and merging with your registry.
  
  Open Pocket Killbox and Copy & Paste the entries below into the "Full Path of File to Delete"
  
  C:\WINDOWS\system32\ppioiy.exe
  C:\WINDOWS\system32\kkeke.dll
  C:\Documents and Settings\All Users\Start Menu\Programs\Startup\oohq.exe
  C:\Documents and Settings\Goldbond\Start Menu\Programs\Startup\oohq.exe
  
  As you Paste each entry into Killbox,place a tick by any of these Selections available
  
  "Delete on Reboot"
  "Unregister .dll before Deleting"
  
  Click the Red Circle with the White X in the Middle to Delete!
  
  Restart in Safe Mode and Run those files through Killbox once more to be sure nothing survived.
  
  This time place a tick by any of these selections available
  
  "Standard File Kill"
  "End Explorer Shell while Killing File"
  "Unregister .dll before Deleting"
  
  Now Locate and DoubleClick KillQoo.reg-> Allow it to merge into the Registry!
  
  Restart back in Normal Mode and Post a fresh HijackThis log!

  0
• tehmada Fayetteville

  December 2005 edited December 2005

  by jove, i think you've killed it!
  
  Logfile of HijackThis v1.99.1
  Scan saved at 1:28:07 PM, on 12/18/2005
  Platform: Windows XP SP2 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
  
  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\Ati2evxx.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\WINDOWS\Explorer.EXE
  C:\WINDOWS\ehome\ehtray.exe
  C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
  C:\WINDOWS\stsystra.exe
  C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
  C:\WINDOWS\system32\DeltTray.exe
  C:\Program Files\Common Files\Real\Update_OB\realsched.exe
  C:\WINDOWS\system32\dla\tfswctrl.exe
  C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
  C:\Program Files\Winamp\winampa.exe
  C:\Program Files\QuickTime\qttask.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
  C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
  C:\Program Files\Messenger\msmsgs.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
  C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  C:\WINDOWS\eHome\ehRecvr.exe
  C:\WINDOWS\eHome\ehSched.exe
  C:\Program Files\ewido\security suite\ewidoctrl.exe
  C:\Program Files\Folding@Home\winFAH.exe
  C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
  C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
  C:\Program Files\HJT\HijackThis.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
  C:\WINDOWS\system32\dllhost.exe
  C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
  C:\WINDOWS\eHome\ehmsas.exe
  
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
  O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
  O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
  O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
  O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
  O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
  O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
  O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
  O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
  O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
  O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
  O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
  O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
  O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
  O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
  O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
  O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
  O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
  O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
  O4 - Startup: Folding@Home 5.03.lnk = ?
  O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
  O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
  O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
  O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
  O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
  O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
  O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
  O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
  O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
  O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

  0
• tehmada Fayetteville

  December 2005 edited December 2005

  AAAAHHHHHHH!!!!!
  
  ITUNES WORKS!!! :celebrate:
  (and still has my entire library!)
  
  Trogan and Crunchie, you are my heros. thank you guys so much.
  
  :EDIT:
  
  alright, told spybot to accept change on winsync, restarted, and NO RESIDENT MESSAGE!!
  itunes works, ppioiy is gone, and SANTA IS COMING!!
  resolved on this end
  thanks again, guys

  0
• Crunchie Mandurah. Western Australia. Member

  December 2005 edited December 2005

  Can you please do the following.
  
  ===============
  
  We'll need to unload Spybot's Teatimer before we begin. To do this can you start Spybot and go to Tools > Resident and uncheck the box next to Tea-Timer. Make sure that the icon in the system tray is no longer there. If it is, just right click on it and select "Exit". Do not forget to re-enable it when we are done .
  
  ===============
  
  Scan with HiJackThis, click "Scan", then check(tick) the following, if present:
  
  
  O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
  
  O4 - Startup: Folding@Home 5.03.lnk = ?
  
  
  Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".
  
  ===============
  
  That should do you .

  0
• tehmada Fayetteville

  December 2005 edited December 2005

  okay... the first one went
  the fah one gave me the attached error

  sberror.JPG 90.2K

  0