
Screen pixel problem believed to be caused by spyware.

Discussion in 'Security and Privacy' started by MandyMo, 2004/06/15.

Thread Status:
Not open for further replies.
  1. 2004/06/15
    MandyMo

    MandyMo Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    20
    Likes Received:
    0
    This is a strange problem and maybe I have deleted something important while trying to clean my system of spyware - but I believe that there are a few things I just can't get rid of on my own.

    My screen pixel setting is frozen at 640 X 480.

    I have already used Ad-aware and Spybot. Spybot found lots of spyware that it promptly deleted but it also found a "Download Accelerator" that it can't remove after multiple attempts. I went through my HJT log and deleted many things I recognized as old junk and some other things that I researched and identified as spyware. (I even found and deleted a file that specifically said "O4 - HKLM\..\RunServices: [V128IITV] Rundll32.exe C:\WINDOWS\SYSTEM\v128iitv.dll,STBTV_SwitchTo640x480")

    Below is what I am left with. I would appreciate any advice on what still needs to be done. Thanks!

    Logfile of HijackThis v1.97.7
    Scan saved at 9:08:28 AM, on 6/15/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\ANTISPYWARE\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {825A7740-B4A5-11D8-80C2-00D009C2D079} - C:\WINDOWS\SYSTEM\MSRAWTELC.DLL
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\SYSTEM\SZIEBHO.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCAGENT.EXE
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [VirusScanMSC] "C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE" /EMBEDDING
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [STOPzilla Service] C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .hlq: C:\PROGRA~1\INTERN~1\PLUGINS\NpHcd32.dll
     
  2. 2004/06/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.


    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
    O2 - BHO: (no name) - {825A7740-B4A5-11D8-80C2-00D009C2D079} - C:\WINDOWS\SYSTEM\MSRAWTELC.DLL
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe<<<not needed at startup
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE<<<not needed at startup
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE<<<not needed at startup


    Reboot.

    Open C:\Program Files\Microsoft Office\Office and delete FINDFAST.EXE.

    Scan with RAV and Housecall. Copy/paste a report here along with another HJT log.

    Have you tried reloading the video drivers?

    What download accelerator? And is it the files, folder, or reg. entries that Spybot can't fix?
     

  4. 2004/06/15
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Might be a good idea to open your control panel and see if Findfast has an icon there. If so, I think you can disable it and get rid of the huge (and useless) index file it created. I don't remember for sure but it may also show up in add/remove just as if it were a stand-alone program (rather than the annoying part of the Office install that it really is). If so, uninstall would be good.
     
  5. 2004/06/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Noted Newt! A bit more research on findfast has begun. :rolleyes:
     
  6. 2004/06/15
    MandyMo

    MandyMo Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    20
    Likes Received:
    0
    First of all, thanks for such a quick response! I have been waiting for several days on another site!!

    From reading some other threads I had already uninstalled FindFast at the add/remove. I had also gone to msconfig and changed my startup settings on Find Fast and Office so that they were no longer in my HJT log. I notice now that a "Country Selection" is also in that msconfig menu, should I deselect it as well?

    I did delete the FINDFAST.exe file in the office folder - should I also delete FINDFAST.cnt and FINDFAST.hlp?

    Spybot gives me three entries under "Download Accelerator Plus ads". 1 is a registry change (which it actually removed this time) and the other two are registry keys.

    I actually thought of reloading the video driver but A) I didn't think it would help and B) I'm not sure I know how. :) (What I had actually thought of was reinstalling my VooDoo3 software, is that the same thing?)

    Here is the RAV results:

    Scan started at 6/15/04 12:57:39 PM

    Scanning memory...
    c:\bdl14117.exe - Trojan:Win32/Revop.C -> Infected
    c:\70000015.exe - TrojanDownloader:Win32/Small.CT -> Infected
    c:\WINDOWS\outlook.pst->Attachment.1283: "ISM letter.doc" - W97M/Marker.DG -> Infected
    c:\WINDOWS\Application Data\Microsoft\Outlook Express\Duane.dbx->Message.208: ( "Duane and Mandy" [Re: Investments])->(part0002:ISM letter.doc) - W97M/Marker.DG -> Infected
    c:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Sent Items.mbx->[From: "Duane and Mandy" <dlmosier@mindspring.com>] [ "Subject: Finished Business Plan FY 2002"] [ "Date: Sat, 13 Oct 2001 20:32:52 -0400"]->(part0003:Business Plan Title Page and Tex... - W97M/Marker.DG -> Infected
    c:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Sent Items.mbx->[From: "Duane and Mandy" <dlmosier@mindspring.com>] [ "Subject: Loisville Status Report 10-12-01"] [ "Date: Mon, 15 Oct 2001 08:03:23 -0400"]->(part0003:Business Plan Title Page and T... - W97M/Marker.DG -> Infected
    c:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Sent Items.mbx->[From: "Duane and Mandy" <dlmosier@mindspring.com>] [ "Subject: PA to Regional Vice President"] [ "Date: Wed, 13 Feb 2002 18:20:32 -0500"]->(part0003:Mandy Mosier 2002.doc) - W97M/Marker.DG -> Infected
    c:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Sent Items.mbx->[From: "Duane and Mandy" <dlmosier@mindspring.com>] [ "Subject: Re: contact information"] [ "Date: Tue, 26 Feb 2002 19:11:55 -0500"]->(part0002:Mandy Mosier 2002.doc) - W97M/Marker.DG -> Infected
    c:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Sent Items.mbx->[From: "Duane and Mandy" <dlmosier@mindspring.com>] [ "Subject: home"] [ "Date: Mon, 4 Mar 2002 17:48:22 -0500"]->(part0003:Mandy Mosier 2002.doc) - W97M/Marker.DG -> Infected
    c:\Program Files\IdolAnti\Move.exe - Trojan:Win32/SecondThought.H -> Infected

    Scanned
    ============================
    Objects: 10881
    Directories: 933
    Archives: 533
    Size(Kb): 1776866
    Infected files: 10

    Found
    ============================
    Viruses found: 4
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 1472


    I couldn't figure out how to cut and paste the Housecall results. However, it only found the same two trojans as RAV and marked them "uncleanable".
    c:\bdl14117.exe - Trojan:Win32/Revop.C -> Infected
    c:\70000015.exe - TrojanDownloader:Win32/Small.CT -> Infected

    Here is the new HJT log.
    Looks like it all just came right back!

    Logfile of HijackThis v1.97.7
    Scan saved at 1:44:37 PM, on 6/15/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\ANTISPYWARE\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\SYSTEM\SZIEBHO.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCAGENT.EXE
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [VirusScanMSC] "C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE" /EMBEDDING
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [STOPzilla Service] C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .hlq: C:\PROGRA~1\INTERN~1\PLUGINS\NpHcd32.dll
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
  7. 2004/06/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You have some stored emails to get rid of. Most of them in the sent folder, meaning a copy of what you sent someone else. Probably should let the recipients know. :(

    1. Outlook Express\Duane.dbx[Re: Investments](part0002:ISM letter.doc)
    2. Outlook Express\Mail\Sent [ "Subject: Finished Business Plan FY 2002"](part0003:Business Plan Title Page and Tex...
    3. Outlook Express\Mail\Sent [ "Subject: Loisville Status Report 10-12-01"](part0003:Business Plan Title Page and T...
    4. Outlook Express\Mail\Sent [ "Subject: PA to Regional Vice President"](part0003:Mandy Mosier 2002.doc)
    5. Outlook Express\Mail\Sent [ "Subject: Re: contact information"] (part0002:Mandy Mosier 2002.doc)
    6. Outlook Express\Mail\Sent [ "Subject: home"](part0003:Mandy Mosier 2002.doc)


    Ctrl+Alt+Del and verify the executables below are not running then delete the 2 files and 1 folder.

    c:\bdl14117.exe
    c:\70000015.exe
    c:\Program Files\IdolAnti\Move.exe

    Empty the recycle bin.
    Scan with RAV again.

    Don't worry about the other findfast files. Yes you can uncheck Country Selection. Other than the office entries you mentioned, have you unchecked anything else in msconfig?

    RegSeeker has a 'find in registry' option that could be used to locate and delete any DAP, Download Accelerator Plus entries. It can also search for files.

    Might wait for someone else to respond on this, but here's what I would do.
    Remove the video card from device manager and reboot. New hardware wizard will start. Insert your disc and point to it for the driver files. Verify they loaded in device manager, driver tab, details button. Try resetting the resolution again. You could also check the VooDoo website for updated drivers.
     
  8. 2004/06/15
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    MandyMo,

    Fully agree with Dave's recommendation re. an uninstall/ reinstall of the video card. Let us know if that resolves your resolution problem.
     
  9. 2004/06/15
    MandyMo

    MandyMo Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    20
    Likes Received:
    0
    Dave,
    Thanks for the RegSeeker link! I think I am finally purged of Download Accelerator! I deleted all of my old email files - should have done that a long time ago - those infected emails were years old!

    In the msconfig I also un-checked:
    SchedulingAgent
    Task Monitor
    and now
    Country Selection

    I tried re-installing VooDoo3 but I am still unable to change my pixel setting.
    Any more ideas???

    At this point SpyBot repeatedly finds one entry - it will clean it, but it comes back every time. See below:

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
     
  10. 2004/06/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    DSO Exploit finding is a bug. See here for details. Post #15

    The unchecked items are fine. Since you turned off taskmon, open C:\Windows\Applog, select all and delete.

    You did remove the video card in device manager? Then reload drivers? (just checking :) ) Did you check to see that the drivers were loaded? Did you check VooDoo website for updates? What happens when you try to select a different resolution? Is there another option? Can you choose another and apply but doesn't hold? Maybe a couple of runs with RegSeeker in the cleaning mode will clear out an invalid reference left by the nasty. :confused: I have always deleted everything found by RegSeeker without any problems. Just make sure the backup box is checked. Won't hurt to look at what it finds before deleting either.

    So what does the RAV scan show? All clean?
     
  11. 2004/06/16
    MandyMo

    MandyMo Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    20
    Likes Received:
    0
    Dave,

    1. Thanks for the info on the DSO bug. I will research that more this afternoon and see if I can fix it.

    2. In regards to the C:\Windows\Applog... I don't have that file... Is that bad?

    3. Finally RAV is coming up clean!

    4. I did use RegSeeker in Clean mode this morning - deleted everything and it didn't seem to cause any problems.

    5. To clarify the original problem: At the Settings tab of the Display options in the Control Panel. There is a slider to change your screen pixel count. It is on the lowest setting and when I click on it, it will not slide. Sort of the equivalent of being "grayed out".

    6. Honestly.... I don't know how to find the device manager. I'm relatively sure I uninstalled VooDoo3 a while back. If you give me some advice on where to start I will try again.

    Thanks for the continued support!!
    MandyMo
     
  12. 2004/06/16
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Device Manager - Right click My Computer > Properties > Device Manager > Display Adaptors - expand by clicking on '+' sign.

    Right click on video card > Remove > OK and reboot. Windows should find the card and ask for the drivers.

    If you uninstalled Voodoo a while back and didn't reinstall it you are likely to be running on the standard Windows VGA driver, which will have limited capabilities. You need the Voodoo drivers loaded.

    If these are loaded it is possible that there is a problem with the card.
     
  13. 2004/06/16
    MandyMo

    MandyMo Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    20
    Likes Received:
    0
    PeteC,

    Thanks for the guidance - I would have never found it!

    Ok - so, there is only the Standard PCI Graphics Adapter listed.

    My husband believes that we lost the video card when we fried the motherboard (and subsequently had it replaced) about two years ago.

    Now what?!?!?!?!?
     
  14. 2004/06/16
    MandyMo

    MandyMo Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    20
    Likes Received:
    0
    It's fixed, It's fixed, It's fixed!!!!!

    I did a few Windows updates. One was a driver update, so I am assuming that is what corrected the problem.

    Thanks to both Dave and PeteC. I'm glad I did the registry clean and found all of the viruses and spyware. I learned a lot over the past few days!

    I'm sure I'll be back again soon!

    Thanks again!
    MandyMo
     
  15. 2004/06/16
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    You're welcome :) - drop by anytime!
     
  16. 2004/06/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You're welcome, and congratulations. Glad we could help. Read through the pinned thread at the top of this forum entitled Spyware/Slyware... for tips on better protecting your PC. Ask, if you have questions. ;)
     
  17. 2004/06/17
    MandyMo

    MandyMo Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    20
    Likes Received:
    0
    Stubborn Files?

    Worry not, the problem has not reoccurred.

    However, two of the files that I deleted during the "witch hunt" have mysteriously shown up in my startup menu.

    Here are the files:

    V128llD
    Rundll32.exe C:\WINDOWS\SYSTEM\v128iitw.dll,STB_InitTweak

    V128llTV Rundll32.exe C:\WINDOWS\SYSTEM\v128iitv.dll,STBTV_SwitchTo640x480

    When I uncheck them they duplicate themselves in the menu.
    Also looks like WinTools is back! ( WToolsA.exe )

    Any thoughts?
     
  18. 2004/06/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Yep! Post a log. I didn't know you had battled Wintools already. Nothing was said about it.
    Where are you unchecking them? msconfig? Make sure you check anything we haven't already determined to be OK to uncheck in this thread, reboot and then run a HJT scan. Include details of what you did with WinTools and any other file deletion prior to first posting.
     
  19. 2004/06/18
    MandyMo

    MandyMo Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    20
    Likes Received:
    0
    You want me to remember what I did last week!?!?!? :eek:

    The WToolsa problem was actually how I found this site. I discovered this thread http://www.windowsbbs.com/showthread.php?p=158706#post158706 when I did a search.
    I’m sorry for not mentioning it – I thought I had taken care of it (and was rather proud of myself…)
    I followed the instructions that Lonny gave. I downloaded and ran Spybot and Ad Aware, uninstalled the programs he suggested (PRECISIONTIME.exe) then ran HJT. I found the Wtools.exe file with HJT and got rid of it.

    Yes I am unchecking in msconfig. I rechecked and now will reboot and then post the log.
     
  20. 2004/06/18
    MandyMo

    MandyMo Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    20
    Likes Received:
    0
    HJT Log

    Logfile of HijackThis v1.97.7
    Scan saved at 9:32:47 AM, on 6/18/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\ANTISPYWARE\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\ANTISPYWARE\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
    C:\WINDOWS\ptsnoop.exe
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\ANTISPYWARE\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCAGENT.EXE
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [VirusScanMSC] "C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE" /EMBEDDING
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\ANTISP~1\ALWILS~1\AVAST4\ashmaisv.exe
    O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    O4 - HKLM\..\Run: [debugbind] C:\PROGRA~1\IdolAnti\mapi deaf help.exe
    O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [V128IID] Rundll32.exe C:\WINDOWS\SYSTEM\v128iitw.dll,STB_InitTweak
    O4 - HKLM\..\RunServices: [V128IITV] Rundll32.exe C:\WINDOWS\SYSTEM\v128iitv.dll,STBTV_SwitchTo640x480
    O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\RunServices: [avast!] C:\Antispyware\Alwil Software\Avast4\ashServ.exe
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .hlq: C:\PROGRA~1\INTERN~1\PLUGINS\NpHcd32.dll
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
     
  21. 2004/06/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Not a good idea to have two antivirus programs running. If you want to keep both, disable one and just keep it updated. When you run a scan with it, disable the other. They will sometimes conflict, and neither one may work properly otherwise.


    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.


    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe


    Go to start>run and type msconfig, hit enter. On the General tab click the advanced button. Check the box to 'enable start menu' and OK out. Restart and choose safe mode.

    You will need to show hidden files and folders.


    Open C:\Temp (if present), select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Program Files and delete the folder WinTools.
    Open C:\Program Files\Common Files\Real\Update_OB and rename realsched.exe to realsched.old.
    Open RegSeeker. Click 'find in registry' and search the entire registry for WinTools and WTools. Delete all.
    Open My Computer and right click Local Disk C:, then choose disk cleanup. Check all except compress old files and OK.
    Uncheck the box to 'enable start menu' in msconfig and OK out. Reboot.

    Back in Windows, run another HijackThis scan and post the log.

    Do you/your husband know what this entry is for? If not, include that line to fix and while in safe mode, delete the folder IdolAnti.
    O4 - HKLM\..\Run: [debugbind] C:\PROGRA~1\IdolAnti\mapi deaf help.exe
     
    Last edited: 2004/06/19
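
Added example, not part of the thread and not HijackThis's own code: a small Python script that compares two HijackThis scans against the list of entries a helper asked to fix, reporting which fixed entries are still present afterwards (the "it all just came right back" case) and which entries are new. The log excerpts are abridged from the posts above; the function names `parse_entries` and `compare_scans` are illustrative.

```python
import re

# HijackThis entry lines start with a section code (R0-R3, O1-O23, F*, N*)
# followed by " - ". Header lines and the "Running processes" paths do not match.
ENTRY_RE = re.compile(r"^\s*([RFNO]\d+) - (.+?)\s*$")


def parse_entries(log_text):
    """Return {normalised_key: original_entry} for every entry line in a log."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        # Helpers in the thread annotate lines with "<<<comment"; drop the note.
        body = body.split("<<<", 1)[0].strip()
        entry = section + " - " + " ".join(body.split())
        # Case-insensitive key: the same path appears in different case between
        # scans. 8.3 short names (PROGRA~1) are NOT resolved here.
        entries[entry.lower()] = entry
    return entries


def compare_scans(before, fix_list, after):
    """Classify entries across a before scan, a fix list and a follow-up scan."""
    b, f, a = parse_entries(before), parse_entries(fix_list), parse_entries(after)
    return {
        # Asked to be fixed, yet still present afterwards: either the fix was
        # not applied or something re-creates the entry at boot.
        "survived_fix": [f[k] for k in sorted(f) if k in a],
        # Asked to be fixed and gone from the follow-up scan.
        "removed_by_fix": [f[k] for k in sorted(f) if k not in a],
        # Present only in the follow-up scan: review each one.
        "new_since_before": [a[k] for k in sorted(a) if k not in b],
    }


# Abridged from the first log in the thread (2004/06/15, 9:08 AM).
SCAN_1 = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {825A7740-B4A5-11D8-80C2-00D009C2D079} - C:\WINDOWS\SYSTEM\MSRAWTELC.DLL
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# Abridged from the fix list in the first reply, annotations included.
FIX_LIST = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {825A7740-B4A5-11D8-80C2-00D009C2D079} - C:\WINDOWS\SYSTEM\MSRAWTELC.DLL
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe<<<not needed at startup
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE<<<not needed at startup
"""

# Abridged from the second log in the thread (2004/06/15, 1:44 PM).
SCAN_2 = r"""
Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
"""

if __name__ == "__main__":
    report = compare_scans(SCAN_1, FIX_LIST, SCAN_2)
    for label, items in report.items():
        print(label)
        for item in items:
            print("   ", item)
```

Run on the full logs rather than these excerpts, the same comparison also surfaces the WinTools and V128II* entries that reappear in the 2004/06/18 scan.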