
Trojan Generic3.GII Problem(s)

Discussion in 'Malware and Virus Removal Archive' started by Master Green, 2007/03/10.

  1. 2007/03/14
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    VundoFix V6.3.16

    Checking Java version...

    Java version is 1.5.0.11

    Scan started at 10:02:42 PM 3/14/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    Attempting to delete C:\WINDOWS\SYSTEM32\bhkabhk.dll
    C:\WINDOWS\SYSTEM32\bhkabhk.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\SYSTEM32\bhkabhk.dll
    C:\WINDOWS\SYSTEM32\bhkabhk.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!
     
  2. 2007/03/14
    Master Green

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    + !AVG Anti-Spyware AVG Anti-Spyware (Not verified) Anti-Malware Development a.s. c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe
    + AVG7_CC AVG Control Center (Not verified) GRISOFT, s.r.o. c:\program files\grisoft\avg7\avgcc.exe
    + ConMgr.exe Connection Manager COM Server (Not verified) EarthLink, Inc. c:\program files\earthlink 5.0\conmgr.exe
    + PCMService PowerCinema Resident Program for Dell (Not verified) CyberLink Corp. c:\program files\dell\media experience\pcmservice.exe
    + SunJavaUpdateSched Java(TM) 2 Platform Standard Edition binary (Verified) Sun Microsystems, Inc. c:\program files\java\jre1.5.0_11\bin\jusched.exe
    + WinPatrol WinPatrol System Monitor (Verified) BillP Studios c:\program files\billp studios\winpatrol\winpatrol.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    + EarthLink ToolBar 5.0.lnk AccessBar component (Not verified) EarthLink, Inc. c:\program files\earthlink 5.0\etoolbar.exe
    C:\Documents and Settings\Owner\Start Menu\Programs\Startup
    + SpywareGuard.lnk SpywareGuard c:\program files\spywareguard\sgmain.exe
    HKLM\SOFTWARE\Classes\Protocols\Handler
    + ms-itss Microsoft® InfoTech Storage System Library (Not verified) Microsoft Corporation c:\program files\common files\microsoft shared\information retrieval\msitss.dll
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    + WebCheck File not found: CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    + AVG Anti-Spyware 7.5 AVG Anti-Spyware shellexecutehook (Not verified) Anti-Malware Development a.s. c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
    + sasseh.dll ShellExecuteHook (Not verified) SuperAdBlocker.com c:\program files\superantispyware\sasseh.dll
    + spywareguard.dll SpywareGuard Protection c:\program files\spywareguard\spywareguard.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
    + AVG7 Find Extension AVG Shell Extension (Not verified) GRISOFT, s.r.o. c:\program files\grisoft\avg7\avgse.dll
    + AVG7 Shell Extension AVG Shell Extension (Not verified) GRISOFT, s.r.o. c:\program files\grisoft\avg7\avgse.dll
    + Display Panning CPL Extension File not found: deskpan.dll
    + DriveLetterAccess Drive Letter Access Component (Not verified) Sonic Solutions c:\windows\system32\dla\tfswshx.dll
    + Previous Versions File not found: C:\WINDOWS\System32\twext.dll
    + Previous Versions Property Page File not found: C:\WINDOWS\System32\twext.dll
    + spywareguard.dll SpywareGuard Protection c:\program files\spywareguard\spywareguard.dll
    + Webroot Spy Sweeper Context Menu Integration Spy Sweeper Client Executable (Verified) Webroot Software, Inc. c:\program files\webroot\spy sweeper\ssctxmnu.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    + Google Toolbar Helper Google IE Client Toolbar (Verified) Google Inc c:\program files\google\googletoolbar2.dll
    + SpywareGuardDLBLOCK.CBrowserHelper SpywareGuard Download Protection c:\program files\spywareguard\dlprotect.dll
    + SSVHelper Class Java(TM) 2 Platform Standard Edition binary (Verified) Sun Microsystems, Inc. c:\program files\java\jre1.5.0_11\bin\ssv.dll
    HKLM\Software\Microsoft\Internet Explorer\Toolbar
    + googletoolbar2.dll Google IE Client Toolbar (Verified) Google Inc c:\program files\google\googletoolbar2.dll
    Task Scheduler
    + wrSpySweeperTrialSweep.job Spy Sweeper Client Executable (Verified) Webroot Software, Inc. c:\program files\webroot\spy sweeper\spysweeperui.exe
    HKLM\System\CurrentControlSet\Services
    + AOL ACS AOL Connectivity Service (Not verified) America Online, Inc. c:\program files\common files\aol\acs\acsd.exe
    + AVG Anti-Spyware Guard AVG Anti-Spyware guard (Not verified) Anti-Malware Development a.s. c:\program files\grisoft\avg anti-spyware 7.5\guard.exe
    + Avg7Alrt AVG Alert Manager (Not verified) GRISOFT, s.r.o. c:\program files\grisoft\avg7\avgamsvr.exe
    + Avg7UpdSvc AVG Update Service (Not verified) GRISOFT, s.r.o. c:\program files\grisoft\avg7\avgupsvc.exe
    + AVGEMS AVG E-Mail Scanner (Not verified) GRISOFT, s.r.o. c:\program files\grisoft\avg7\avgemc.exe
    + WANMiniportService Wan Miniport (ATW) Service (Not verified) America Online, Inc. c:\windows\wanmpsvc.exe
    + WebrootSpySweeperService Provides core functionality to Webroot Spy Sweeper. This service must be enabled and started for Spy Sweeper to function. (Verified) Webroot Software, Inc. c:\program files\webroot\spy sweeper\spysweeper.exe
    HKLM\System\CurrentControlSet\Services
    + AVG Anti-Spyware Driver c:\program files\grisoft\avg anti-spyware 7.5\guard.sys
    + Avg7Core AVG Scanning Engine (Not verified) GRISOFT, s.r.o. c:\windows\system32\drivers\avg7core.sys
    + Avg7RsW AVG Resident Shield Unload Helper (Not verified) GRISOFT, s.r.o. c:\windows\system32\drivers\avg7rsw.sys
    + Avg7RsXP AVG Resident Anti-Virus Shield (Not verified) GRISOFT, s.r.o. c:\windows\system32\drivers\avg7rsxp.sys
    + AvgAsCln AVG7 Clean Driver (Not verified) GRISOFT, s.r.o. c:\windows\system32\drivers\avgascln.sys
    + AvgClean AVG7 Clean Driver (Not verified) GRISOFT, s.r.o. c:\windows\system32\drivers\avgclean.sys
    + AvgTdi AVG Network connection watcher (Not verified) GRISOFT, s.r.o. c:\windows\system32\drivers\avgtdi.sys
    + drvmcdb Device Driver (Not verified) Sonic Solutions c:\windows\system32\drivers\drvmcdb.sys
    + OMCI OMCI Device Driver (Not verified) Dell Computer Corporation c:\windows\system32\drivers\omci.sys
    + SASDIFSV SASDIFSV c:\program files\superantispyware\sasdifsv.sys
    + SASENUM SuperAntiSpyware (Not verified) SuperAdBlocker, Inc. c:\program files\superantispyware\sasenum.sys
    + SASKUTIL SASKUTIL.SYS c:\program files\superantispyware\saskutil.sys
    + SSFS0509 Spy Sweeper FileSystem Filter Driver (Verified) Webroot Software, Inc. c:\windows\system32\drivers\ssfs0509.sys
    + SSHRMD Spy Sweeper Mini Driver (Verified) Webroot Software, Inc. c:\windows\system32\drivers\sshrmd.sys
    + SSIDRV Spy Sweeper Interdiction Driver (Verified) Webroot Software, Inc. c:\windows\system32\drivers\ssidrv.sys
    + SSKBFD Spy Sweeper Keyboard Filter Driver (Verified) Webroot Software, Inc. c:\windows\system32\drivers\sskbfd.sys
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    + autocheck autochk * Auto Check Utility (Not verified) Microsoft Corporation c:\windows\system32\autochk.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    + advapi32 Advanced Windows 32 Base API (Not verified) Microsoft Corporation c:\windows\system32\advapi32.dll
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    + !SASWinLogon SUPERAntiSpyware WinLogon Processor (Not verified) SUPERAntiSpyware.com c:\program files\superantispyware\saswinlo.dll
    + igmzfjhr File not found: bhkabhk.dll
    + WRNotifier Spy Sweeper Engine (Verified) Webroot Software, Inc. c:\windows\system32\wrlogonntf.dll
    HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
    + 730 Series Port Printer Communication System (Not verified) c:\windows\system32\lxcflmpm.dll
    HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
    + RDPNP Microsoft Terminal Services (Not verified) Microsoft Corporation c:\windows\system32\drprov.dll
     


  4. 2007/03/15
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    Looks like you nailed it :)
    How is the system running?
    Any trouble deleting those other files?

    Do you still have those files I asked for?
    If you had trouble getting to the other site, can you try here please:

    http://www.bleepingcomputer.com/submit-malware.php?channel=20

    Max file size to upload is 5MB.

    A few fixes and then a couple more logs please.

    Start Hijackthis
    Run system scan and check the following entries:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {2A904E40-731D-4881-83FB-04EFDEE88C3B} - C:\WINDOWS\system32\bhkabhk.dll (file missing)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O20 - Winlogon Notify: igmzfjhr - bhkabhk.dll (file missing)


    If you set the O6 line yourself with Spybot then you can ignore that fix.

    Close all open windows except Hijackthis and click "Fix checked", then OK.

    If SpySweeper warns you of registry deletions, please allow them.

    Exit Hijackthis & reboot.

    Download Bobbi Flekman's RegSearch from
    http://www.xs4all.nl/~fstaal01/downloads/regsearch.zip

    Create a folder for RegSearch on the C: drive called C:\RegSearch. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it RegSearch. Extract all the files from the zip archive into that folder.

    Open the RegSearch folder and double-click the icon for RegSearch.exe to launch the program.
    Copy / Paste the following line into the Search Box:

    bhkabhk.dll

    On the next line type or copy/paste:

    2A904E40-731D-4881-83FB-04EFDEE88C3B

    On the third line type:

    yaarnvjg

    On the last line type:

    hqisceim.sys

    then click OK.

    After completion, Notepad will open with all the found instances of the strings. The resulting file is saved in the same location as RegSearch.exe.

    Post the contents of RegSearch.txt please, along with a new HijackThis log.

    You will need to close the log file before exiting RegSearch itself or the program might hang.

    Thanks :)
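The four HijackThis entries the helper marks above have one thing in common: each is a registry load point whose target file is gone or is an indicator already seen in this thread. The script below is an added example, not code from the thread, from HijackThis or from the helper; it triages HijackThis log lines by flagging "(file missing)" entries, lines that contain a watchlist indicator (here the BHO CLSID and DLL name from this thread), the O6 policy line that should only be left alone if the user set it deliberately, and empty R0/R1 settings. The log lines embedded in it are constructed from the ones posted above, and the watchlist is an assumption of the example.

```python
import re
from dataclasses import dataclass

# Constructed sample (not a full log): the four entries the helper asked to
# fix, plus two benign lines from the same log so the triage has something
# to leave alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {2A904E40-731D-4881-83FB-04EFDEE88C3B} - C:\WINDOWS\system32\bhkabhk.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: igmzfjhr - bhkabhk.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# Indicators taken from this thread: the BHO CLSID and the DLL it loaded.
# Compared case-insensitively as substrings of the log line (assumed list).
WATCHLIST = {"{2a904e40-731d-4881-83fb-04efdee88c3b}", "bhkabhk.dll"}

# HijackThis lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text: str, watchlist=WATCHLIST) -> list:
    """Return the HijackThis lines worth a second look, in log order.

    Rules, in priority order:
      1. "(file missing)": the registry still references a file that is gone,
         the classic leftover after an AV deletes a DLL but not its load point.
      2. A watchlist indicator (CLSID or file name) appears in the line.
      3. O6: an IE policy restriction is set; legitimate only if the user
         set it deliberately (Spybot's immunisation does this).
      4. R0/R1 with an empty value: harmless, but listed so it can be reset.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        lowered = body.lower()
        if lowered.endswith("(file missing)"):
            findings.append(Finding(section, "orphaned entry: file missing", line))
        elif any(ind in lowered for ind in watchlist):
            findings.append(Finding(section, "matches watchlist indicator", line))
        elif section == "O6":
            findings.append(Finding(section, "IE policy restriction present; confirm it was set deliberately", line))
        elif section in ("R0", "R1") and body.endswith("="):
            findings.append(Finding(section, "empty IE setting", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason:<64} {f.line}")
```

Run against the sample, the script reports exactly the four lines the helper listed and passes over the Google Toolbar BHO and the Webroot Winlogon Notify entry, which both resolve to a file that exists.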
     
  5. 2007/03/15
    Master Green

    Hi,
    Sorry for the delay, but I had difficulty posting more info; for some reason the computer hung up on me and I had to shut it down, but here is what I wanted to add on...

    (1) I could not find the following to delete:
    - C:\Windows\System32\uttss.bak2
    - C:\Windows\System32\uttss.ini2
    - C:\Windows\System32\awougykq.exe
    - C:\Windows\System32\sxqcpaaa.exe
    - C:\Windows\System32\mmsctI32.dll
    - C:\Windows\System32\mexvgaaa.exe

    (2) I was able to find and delete the following:
    - C:\mshiq.exe > deleted
    - C:\lorh.exe > deleted
    - C:\pyrw.exe > deleted
    - C:\sdfionr.exe > deleted
    - C:\slbvi.exe > deleted
    - C:\utcddpi.exe > deleted
    - C:\itacaan.exe > deleted
    - C:\enmmwl.exe > deleted

    Note: Unable to locate C:\WINDOWS\abc1.bat

    (3) Emptied the recycle bin (after the above was done)

    (4) Deleted the previous install of Vundofix? (Could not find it in Programs or Add/Remove; removed it through a search of files & folders.)

    (5) Downloaded fresh install of Vundofix

    (6) Command Window instructions were successful

    (7) Ran Vundofix & posted results (No infections found)
    Note: When I right-clicked to add files and typed in the file per your request, then clicked "Remove Vundo", the following popped up:
    Error 75 Path/File access error

    (8) Ran HijackThis and posted results; also posted the Vundofix.txt results.
    Note: Autoruns results were not posted because I could not figure out how to copy & paste them.

    (9) Unable to figure out how to upload and zip the file and folder info you requested, and I apologize for that, but that's why it was not posted along with the other posting.

    I will be able to follow up on your last post and anything you may add late this afternoon... In the meantime I also want to thank you for your great expertise and assistance...
     
  6. 2007/03/15
    Blender

    Hi,

    Thanks for the added info & you're welcome. :)

    RE:

    1.) I will get another log from you a bit later to verify those files are really gone. Some hide well.

    2.) good

    3.) Good

    4.) VundoFix would not have been found in add/remove so you were right to just delete the file itself.

    5.) good

    6.) good

    7.) Not sure what to think of that error. I did ask the developer of the program. Waiting for his reply.

    8.) Unless the file we are trying to remove changed its name I think we got it.
    I'll check with another log later to verify this.
    I see you got the autoruns log posted OK.

    9.) I'll wait until we get the other logs before I ask for files. There may be others I need.
    I'll use another program that will help with this.


    See you in a bit.

    Blender
     
  7. 2007/03/15
    Master Green

    Logfile of HijackThis v1.99.1
    Scan saved at 3:19:21 PM, on 3/15/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\EarthLink 5.0\ConMgr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\EarthLink 5.0\etoolbar.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Killer.exe\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108584393156
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
     
  8. 2007/03/15
    Master Green

    Windows Registry Editor Version 5.00

    ; Registry Search 2.0 by Bobbi Flekman © 2005
    ; Version: 2.0.2.0

    ; Results at 3/15/2007 3:28:23 PM for strings:
    ; 'bhkabhk.dll'
    ; '2a904e40-731d-4881-83fb-04efdee88c3b'
    ; 'yaarnvjg'
    ; 'hqisceim.sys'
    ; Strings excluded from search:
    ; (None)
    ; Search in:
    ; Registry Keys Registry Values Registry Data
    ; HKEY_LOCAL_MACHINE HKEY_USERS


    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Knfjynux\CLSID]
    @="{2A904E40-731D-4881-83FB-04EFDEE88C3B}"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_YAARNVJG]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_YAARNVJG\0000]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_YAARNVJG\0000]
    "Service"="yaarnvjg"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_YAARNVJG\0000\LogConf]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\yaarnvjg]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\yaarnvjg]
    "Name"="\\yaarnvjg"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_YAARNVJG]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_YAARNVJG\0000]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_YAARNVJG\0000]
    "Service"="yaarnvjg"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_YAARNVJG\0000\LogConf]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_YAARNVJG\0000\Control]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\yaarnvjg]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\yaarnvjg]
    "Name"="\\yaarnvjg"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\yaarnvjg\Enum]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\yaarnvjg\Enum]
    "0"="Root\\LEGACY_YAARNVJG\\0000"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_YAARNVJG]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_YAARNVJG\0000]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_YAARNVJG\0000]
    "Service"="yaarnvjg"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_YAARNVJG\0000\LogConf]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\yaarnvjg]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\yaarnvjg]
    "Name"="\\yaarnvjg"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_YAARNVJG]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_YAARNVJG\0000]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_YAARNVJG\0000]
    "Service"="yaarnvjg"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_YAARNVJG\0000\LogConf]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_YAARNVJG\0000\Control]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yaarnvjg]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yaarnvjg]
    "Name"="\\yaarnvjg"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yaarnvjg\Enum]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yaarnvjg\Enum]
    "0"="Root\\LEGACY_YAARNVJG\\0000"

    [HKEY_CURRENT_USER\Software\BillP Studios\Detected\IEHelper]
    "C:\\WINDOWS\\system32\\bhkabhk.dll"="03/06/2007 10:00 PM"

    [HKEY_CURRENT_USER\Software\BillP Studios\WinPatrol\IEHelpers]
    "bhkabhk.dll"="900"

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU]
    "007"="bhkabhk.dll"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
    "LastKey"="My Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{2A904E40-731D-4881-83FB-04EFDEE88C3B}"

    ; End Of The Log...
     
  9. 2007/03/16
    Master Green

    Hi,
    It appears we are on the road to recovery because I left the computer on for 2 hrs last night and not once did the AVG pop-up display the threat detection, which was good news for me since for the last three weeks it was a constant and persistent problem... I also ran the following:
    (1) Spybot > Found "0"
    (2) AdawareSE > Found "2" (tracking cookies)
    (3) AVG > Found "0"
    (4) AVG AntiSpy > Found "7" (6 tracking and 1 trojan which was deleted)

    The computer is running very well and no problems browsing on the Internet... For numerous days at bootup the BSOD would be the first thing I would see, I could not get into safe mode, the computer would shut down in the middle of downloading any removal programs and the CPU was running at 100%, etc., etc., and now none of that is a problem whatsoever... Final word on how well everything appears to be will come from Blender, who has been a terrific leader with getting this computer back up & running... Thank U
     
  10. 2007/03/16
    Blender

    Hi,

    Glad to hear things are running well. :)
    You are welcome.

    Hijackthis log is clean.
    Just some leftovers to remove from registry.

    First create a restore point:
    Start > Programs > Accessories > System Tools > System Restore.
    Click "Create a restore point".
    Call it whatever you like...
    Click "Create".

    It should tell you success.

    Exit restore window when done.

    Attached is a file called "fix.zip".
    Save the file and unzip it.
    Should have fix.reg when done.
    Do nothing with it yet.

    Download: supershell.zip
    http://p-nand-q.com/download/tools/supershell.zip

    Careful with this tool please. It is quite dangerous if not used properly.

    Unzip supershell.zip to its own folder.

    Make sure you are logged in under an Administrator account
    (or are a user with Administrator privileges).
    Open the unzipped SuperShell folder.
    Double-click (launch) SuperShell.exe.

    This will launch a Command Prompt window.
    Type regedit and press ENTER to open the registry editor.

    Click "File", then "Import".
    Navigate to where you saved fix.reg.
    Highlight it and click "Open".

    When asked if you want to add contents of fix.reg to your registry answer yes.

    Should get a success message.

    Click OK.

    Exit regedit
    Exit the cmd window.

    Reboot.

    Please run comboscan again and post the comboscan.txt.

    What fix.reg did was remove leftover malware services, remove leftovers pointing to that dll file, and remove some leftover junk in your msconfig pointing to malware you already removed.

    I doubt these folders are present but please check and delete if they are:

    C:\WINDOWS\etb
    C:\Program Files\Media Access
    C:\Program Files\ISTsvc
    C:\Program Files\Internet Optimizer
    C:\Program Files\BullsEye Network
    C:\Program Files\Common Files\{1CF6E176-0958-1033-1202-030512200001}

    Empty recycle bin.

    Let me know if everything is still running OK.

    Thanks :)
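The fix.zip the helper attached is not reproduced on the page, so the script below, an added example that is neither the helper's file nor RegSearch's own code, shows one way such a cleanup file is derived from the RegSearch results posted earlier: it parses the .reg-style output, selects only the Services\<name> and Enum\Root\LEGACY_<NAME> keys for the orphaned service name, and writes the "[-key]" deletion entries that regedit's import understands. The sample text is constructed from the posted results, trimmed to a few keys; the WinPatrol and regedit LastKey hits are deliberately left alone, since they record the detection, not the infection. Two practical points the thread's instructions imply: the same key appears under every ControlSetNNN as well as CurrentControlSet, so all of them have to go, and the LEGACY_* keys under Enum carry an ACL that denies even Administrators delete access, which is why the import is run from a SYSTEM-level shell rather than a normal session.

```python
import re

# Constructed sample in RegSearch's own output format (a .reg export), cut
# down from the results posted earlier in this thread. Real output lists a
# key once for the key-name hit and again for each value hit; that
# repetition is harmless to this parser.
SAMPLE_REGSEARCH = r"""Windows Registry Editor Version 5.00

; Registry Search 2.0 results (trimmed, constructed sample)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Knfjynux\CLSID]
@="{2A904E40-731D-4881-83FB-04EFDEE88C3B}"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_YAARNVJG]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_YAARNVJG\0000]
"Service"="yaarnvjg"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\yaarnvjg]
"Name"="\\yaarnvjg"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yaarnvjg\Enum]
"0"="Root\\LEGACY_YAARNVJG\\0000"

[HKEY_CURRENT_USER\Software\BillP Studios\WinPatrol\IEHelpers]
"bhkabhk.dll"="900"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="My Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{2A904E40-731D-4881-83FB-04EFDEE88C3B}"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')


def parse_reg_export(text: str) -> dict:
    """Map each key path to {value_name: raw_data} from .reg-style text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group("name").strip('"')] = vm.group("data")
    return keys


def removal_targets(keys: dict, service: str) -> list:
    """Select the keys that register the leftover service/driver `service`.

    Only the Services\\<name> and Enum\\Root\\LEGACY_<NAME> keys are chosen,
    once per control set; a hit on a subkey is folded into its parent, which
    regedit deletes recursively. Everything else in the results (WinPatrol's
    detection record, regedit's LastKey) is left alone.
    """
    svc = service.lower()
    suffixes = ("\\services\\" + svc, "\\enum\\root\\legacy_" + svc)
    targets = set()
    for key in keys:
        lk = key.lower()
        for suffix in suffixes:
            if lk.endswith(suffix):
                targets.add(key)
            elif (suffix + "\\") in lk:
                targets.add(key[: lk.index(suffix) + len(suffix)])
    return sorted(targets)


def build_removal_reg(targets: list) -> str:
    """Emit a .reg file; '[-key]' tells regedit to delete that key tree."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in targets:
        lines.append(f"[-{key}]")
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    found = parse_reg_export(SAMPLE_REGSEARCH)
    print(build_removal_reg(removal_targets(found, "yaarnvjg")))
```

For the sample this yields three deletion entries, one each for the ControlSet001 LEGACY_YAARNVJG enum key, the ControlSet001 service key and the CurrentControlSet service key; the WinPatrol and regedit keys never reach the output. Reviewing the generated file before importing it, and having a restore point as the helper asks, is the whole safety margin here, since regedit will not ask twice.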
     
  11. 2007/03/16
    Master Green

    ComboScan v20070306.20 run by Owner on 2007-03-16 at 12:26:28
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as Owner.exe) -----------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 12:26:38 PM, on 3/16/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\EarthLink 5.0\ConMgr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\EarthLink 5.0\etoolbar.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Documents and Settings\Owner\Desktop\comboscan.exe
    C:\PROGRA~1\Killer.exe\Owner.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108584393156
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


    -- Files created between 2007-02-16 and 2007-03-16 -----------------------------

    2007-03-15 15:23:20 0 d-------- C:\RegSearch<REGSEA~1>
    2007-03-14 22:02:42 0 d-------- C:\VundoFix Backups<VUNDOF~1>
    2007-03-11 20:46:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
    2007-03-11 20:45:30 0 d-------- C:\Program Files\Killer.exe
    2007-03-11 20:15:02 0 d-------- C:\Documents and Settings\Owner\Application Data\Google
    2007-03-11 20:15:01 0 d-------- C:\Program Files\Google
    2007-03-11 20:14:10 0 d-------- C:\Program Files\Java
    2007-03-11 20:12:25 0 d-------- C:\Program Files\Common Files\Java
    2007-03-11 00:37:16 0 d-------- C:\fixwareout<FIXWAR~1>
    2007-03-11 00:06:16 0 d-------- C:\SDFix
    2007-03-09 21:28:16 0 --a------ C:\WINDOWS\System32\CMMGR32.EXE
    2007-03-09 21:20:56 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
    2007-03-09 21:20:47 0 d-------- C:\Program Files\SUPERAntiSpyware<SUPERA~1>
    2007-03-09 21:20:47 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
    2007-03-09 21:20:32 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
    2007-03-09 20:52:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
    2007-03-09 20:52:35 144960 --a------ C:\WINDOWS\System32\drivers\ssidrv.sys
    2007-03-09 20:52:35 20544 --a------ C:\WINDOWS\System32\drivers\SSFS0509.sys
    2007-03-09 20:52:34 22080 --a------ C:\WINDOWS\System32\drivers\sshrmd.sys
    2007-03-09 20:52:26 0 d-------- C:\Program Files\Webroot
    2007-03-09 20:52:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
    2007-03-09 20:51:43 0 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
    2007-03-09 20:37:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Simply Super Software<SIMPLY~1>
    2007-03-08 22:42:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
    2007-03-08 19:55:00 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2007-03-08 19:51:45 0 d-------- C:\Documents and Settings\Owner\Application Data\Simply Super Software<SIMPLY~1>
    2007-03-08 16:08:23 1378 --a------ C:\WINDOWS\System32\tmp.reg
    2007-03-06 22:08:19 0 d-------- C:\Program Files\BHODemon 2<BHODEM~1>
    2007-03-06 22:00:04 0 d-------- C:\Documents and Settings\Owner\Application Data\WinPatrol<WINPAT~1>
    2007-03-06 21:59:53 0 d-------- C:\Program Files\BillP Studios<BILLPS~1>
    2007-03-05 22:35:28 3968 --a------ C:\WINDOWS\System32\drivers\AvgAsCln.sys
    2007-03-05 20:22:08 1189069 ---hs---- C:\WINDOWS\System32\uttss.bak2<UTTSS~1.BAK>
    2007-03-05 20:07:31 0 d-------- C:\!KillBox
    2007-02-28 20:44:51 911 ---hs---- C:\WINDOWS\System32\uttss.ini2<UTTSS~1.INI>
    2007-02-22 12:50:00 21056 --a------ C:\WINDOWS\System32\drivers\sskbfd.sys
    2007-02-22 12:48:47 164 --a------ C:\install.dat
    2007-02-21 11:40:55 19392 --a------ C:\WINDOWS\System32\drivers\avgmfx86.sys
    2007-02-21 11:40:55 3968 --a------ C:\WINDOWS\System32\drivers\avgclean.sys
    2007-02-21 11:40:55 27776 --a------ C:\WINDOWS\System32\drivers\avg7rsxp.sys
    2007-02-18 09:15:14 0 d-------- C:\Program Files\Common Files\{1CF6E176-0958-1033-1202-030512200001}<{1CF6E~1>


    -- Find3M Report ---------------------------------------------------------------

    2007-03-15 19:43:38 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
    2007-03-13 20:45:53 0 d-------- C:\Program Files\Common Files\InstallShield<INSTAL~1>
    2007-03-08 19:43:08 0 d-------- C:\Program Files\Lx_cats
    2007-03-05 22:35:14 0 d-------- C:\Program Files\Grisoft
    2007-02-27 15:01:16 0 d-------- C:\Program Files\Sonic
    2007-02-21 14:04:06 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~2>
    2007-02-21 14:02:05 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>
    2007-02-21 11:39:57 0 d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft<MICROS~1>
    2007-02-18 09:17:37 0 d-------- C:\Program Files\EarthLink 5.0<EARTHL~1.0>
    2007-02-15 23:48:15 80 --a-s---- C:\WINDOWS\abc1.bat
    2007-02-10 01:54:41 91136 --a------ C:\WINDOWS\System32\awougykg.exe
    2007-02-10 01:54:14 16384 --a------ C:\WINDOWS\System32\sxqcpaaa.exe
    2007-02-10 01:54:14 10240 --a------ C:\WINDOWS\System32\mmsctl32.dll
    2007-02-10 01:53:23 93696 --a------ C:\WINDOWS\System32\mexvgaaa.exe
    2007-02-07 17:49:35 3800 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat


    -- Registry Dump ---------------------------------------------------------------


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
    "PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
    "ConMgr.exe"="\"C:\\Program Files\\EarthLink 5.0\\ConMgr.exe\""
    "AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe\" /STARTUP"
    "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
    "WinPatrol"="\"C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe\""
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^BHODemon 2.0.lnk]
    "path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\BHODemon 2.0.lnk"
    "backup"="C:\\WINDOWS\\pss\\BHODemon 2.0.lnkStartup"
    "location"="Startup"
    "command"="C:\\PROGRA~1\\BHODEM~1\\BHODemon.exe"
    "item"="BHODemon 2.0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="tfswctrl"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ITUNES]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="itunes"
    "hkey"="HKLM"
    "command"="itunes.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCFCATS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="LXCFtime"
    "hkey"="HKLM"
    "command"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCFtime.dll,_RunDLLEntry@16"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="mnyexpr"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="MSMSGS"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="powerscan"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Power Scan\\powerscan.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="SpySweeperUI"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe /startintray"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="SUPERAntiSpyware"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="Trjscan"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Trojan Remover\\Trjscan.exe"
    "inimapping"="0"


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{81559C35-8464-49F7-BB0E-07A383BEF910}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=dword:00000000

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0



    -- End of ComboScan: finished at 2007-03-16 at 12:27:06 ------------------------
     
  12. 2007/03/16
    Master Green
    Hi Blender,
    You deserve a paid vacation to an island of your choice...Anyways, I did the following per your requests:

    (1) C:\WINDOWS\etb = unable to find
    (2) C:\Program Files\Media Access = unable to find
    (3) C:\Program Files\ISTsvc = unable to find
    (4) C:\Program Files\BullsEye Network = UNABLE TO FIND
    (5) C:\Program Files\Common Files\1CF6E176-0958-1033-1202-030512200001 = was found and deleted.

    * Recycle Bin emptied out...
    * Computer rebooted and appears to be working fine...
     
  13. 2007/03/17
    Master Green
    Hi Blender,
    I hope that the last series of steps you had me do was the final one, because the owner is in need of his computer. The computer is running very well, and I can only say that because without your assistance it would not have been... So even though I hoped we were done, I wanted to let you know that as of this morning I had to return the computer... From the bottom of my heart, thank you for everything, especially your dedication to seeing this through... I learned a lot and that is always priceless...
     
  14. 2007/03/17
    Master Green
    Hi Blender,
    For some unknown reason, the owner was unable to pick up his computer from me this morning, so I will have it one more day if there's anything else you still wish to do... Sorry for the confusion...
     
  15. 2007/03/17
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi

    Sorry it took me a while to get back. I ended up out on an all night service call.

    Glad to hear things went well. I don't see anything nasty running, but there are a few leftovers that should be removed if you can get hold of that computer again. Otherwise you can point them to this post so they can finish off?

    Would be good to clean up the tools we used because most are updated too often to keep around.

    These are the tools/folders from our fixes that should be removed.

    sdfix.exe
    fixwareout.exe
    vundofix.exe
    Killbox.exe
    comboscan.exe
    silentrunners.vbs
    Regsearch.zip
    supershell.zip and its folder
    fix.reg

    C:\sdfix
    c:\fixwareout
    C:\vundofix backups
    C:\!killbox
    C:\comboscan
    C:\regsearch

    Leftover nasty files/folders:

    C:\WINDOWS\System32\uttss.bak2
    C:\WINDOWS\System32\uttss.ini2
    C:\Program Files\Common Files\{1CF6E176-0958-1033-1202-030512200001}
    C:\WINDOWS\abc1.bat
    C:\WINDOWS\System32\awougykg.exe
    C:\WINDOWS\System32\sxqcpaaa.exe
    C:\WINDOWS\System32\mmsctl32.dll
    C:\WINDOWS\System32\mexvgaaa.exe

    If using Windows Search, you will need to use the advanced search options to search hidden, system and sub-folders.

    Once you/they have deleted the above, system files should be hidden again.

    Control panel> folder options.
    Under "hidden files and folders" re check:

    "Hide protected operating system files (Recommended)"
    "Do not show hidden files and folders"

    Apply & OK.

    ---------------

    Windows will have backed up junk in system restore. It too should be cleaned up.

    Right click "My Computer"
    Click "Properties"
    Click the "System Restore" tab
    Checkmark "Turn off System Restore"
    Hit apply> ok> ok.

    Reboot

    Go back and turn system restore back on by removing the check, hit apply, and OK.

    A new restore point is created at this time.
    You will not be able to restore computer to any earlier than today.

    ------------------------------

    Added/extra protection & security:

    --->> System should be updated to SP2 as soon as possible.
    Without this important service pack and newer updates the system is very vulnerable to further attacks.

    --->> I don't see a firewall running. XP has its own, but on pre-SP2 installs it is not turned on by default.
    Without proper firewall protection the system is wide open to attack.

    There are a few good free ones available:

    Comodo:

    http://www.personalfirewall.comodo.com/

    Sunbelt kerio:
    http://www.sunbelt-software.com/Kerio.cfm

    Understanding and using firewalls:

    http://www.bleepingcomputer.com/tutorials/tutorial60.html

    SpywareBlaster <-- this program blocks known bad ActiveX controls and many tracking cookies, and puts nasty sites in the Restricted zone so these sites are limited in what they can do to your computer.

    Install> update> enable all protection.
    Updates are about once a month and are free.

    --->> Using a hosts file will greatly increase security. Many of those flashy annoying ads on websites will not display and it blocks access to thousands of sites entirely.

    Info and how to install:

    http://www.mvps.org/winhelp2002/hosts.htm

    SpySweeper does have an issue with large hosts files so if they are going to use the above Hosts file and SpySweeper they will need to turn off Hosts Protection within SpySweeper.

    --->> Install an alternative browser for day to day surfing.
    These 2 are free and have a lot fewer security issues than IE:

    Opera Browser

    FireFox Browser

    --->> Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
    http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I
    http://boards.cexx.org/index.php?topic=957
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    Keep well & surf safe!

    Tammy
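The ComboScan log above and the leftover list in this post share a fixed line format, which makes the triage scriptable. The following Python is an added example, not code from the thread, ComboScan or HijackThis: it parses the file lines and the O23 service lines and applies three defender heuristics (hidden/system attributes on plain files under C:\WINDOWS, executables written straight into System32, services with no vendor string) to a constructed subset of the log; the attribute-column positions, heuristic names and sample lines are assumptions of the example.

```python
"""Added triage helper (not from this thread, ComboScan or HijackThis): parses the
file lines and O23 service lines in the log format above and applies a few
defender heuristics. Heuristics and the sample input are assumptions."""
import re
from dataclasses import dataclass

# Attribute column as printed above ("d--------", "--a------", "---hs----"):
# pos 0 = directory, 2 = archive, 3 = hidden, 4 = system (inferred from the log).
# A trailing "<SHORT~1>" 8.3 alias is stripped from the path.
FILE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<size>\d+) "
                     r"(?P<attr>[d-][\w-]{8}) (?P<path>.+?)(?:<[^<>]*>)?$")
# "O23 - Service: name - company - path"; an empty company prints as
# "name - - path", hence the optional space before the final dash.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.*?) ?- (?P<path>.+)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".bat", ".cmd", ".scr")

@dataclass
class FileEntry:
    timestamp: str
    size: int
    is_dir: bool
    hidden: bool
    system: bool
    path: str

def parse_file_line(line):
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    a = m["attr"]
    return FileEntry(m["ts"], int(m["size"]), a[0] == "d", a[3] == "h", a[4] == "s", m["path"])

def parse_service_line(line):
    m = O23_RE.match(line.strip())
    return (m["name"], m["company"].strip(), m["path"]) if m else None

def triage(log_text):
    """Return entries worth a manual look, keyed by heuristic name."""
    found = {"hidden_system_files": [], "new_system32_executables": [],
             "services_without_vendor": []}
    for line in log_text.splitlines():
        svc = parse_service_line(line)
        if svc:
            name, company, _ = svc
            # No vendor string at all: verify it (printer services often look like this).
            if not company:
                found["services_without_vendor"].append(name)
            continue
        e = parse_file_line(line)
        if e is None or e.is_dir:
            continue
        low = e.path.lower()
        parent = low.rsplit("\\", 1)[0]
        # Hidden/system attributes on plain files under C:\WINDOWS are what kept
        # uttss.* and abc1.bat out of an ordinary Explorer search.
        if (e.hidden or e.system) and low.startswith("c:\\windows\\"):
            found["hidden_system_files"].append(e.path)
        # Executables written straight into System32 (drivers\ excluded) during
        # the scan window: check each against its vendor/signature.
        elif parent.endswith("\\windows\\system32") and low.endswith(EXEC_EXT):
            found["new_system32_executables"].append(e.path)
    return found

# Constructed sample: a subset of the log above, in its exact line format.
SAMPLE_LOG = r"""
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
2007-03-09 21:28:16 0 --a------ C:\WINDOWS\System32\CMMGR32.EXE
2007-03-09 20:52:35 144960 --a------ C:\WINDOWS\System32\drivers\ssidrv.sys
2007-03-05 20:22:08 1189069 ---hs---- C:\WINDOWS\System32\uttss.bak2<UTTSS~1.BAK>
2007-02-28 20:44:51 911 ---hs---- C:\WINDOWS\System32\uttss.ini2<UTTSS~1.INI>
2007-02-21 11:39:57 0 d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft<MICROS~1>
2007-02-15 23:48:15 80 --a-s---- C:\WINDOWS\abc1.bat
2007-02-10 01:54:41 91136 --a------ C:\WINDOWS\System32\awougykg.exe
"""
```

Run `triage(SAMPLE_LOG)` to get the three lists; on the full log the same rules pick out exactly the files the helper lists as leftovers plus the 0-byte CMMGR32.EXE, which still needs a vendor check rather than a verdict.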
     
  16. 2007/03/17
    Blender
    Great!

    If you need more clarification on the above....let me know please.

    Those nasty files I listed are still there and I would like to see them gone.

    Hold off a bit before nuking all our tools till we are done.

    You can get a firewall installed for them right away though, and those other utilities I recommended if they are not installed already.

    I'll be around for quite a while yet.

    :)
     
  17. 2007/03/17
    Master Green
    Hi Blender,
    I still have the computer and will post back as soon as I can reconnect it and follow your suggestions... I also fully understand you may have other obligations and as a result it may take some extra time for us to reconnect; not a problem here...
     
  18. 2007/03/17
    Master Green
    Hi Blender,
    I removed everything after I read your post and did not see the request in your next posts to hold off (sorry)... Everything was removed via a search of files & folders, with the exception of uttss.bak2 and uttss.ini2... Everything else was also done and I am currently downloading Service Pack 2... I will work on the firewall issues afterwards... If there is anything else, please advise; I will also be around for a little bit this morning...
     
  19. 2007/03/17
    Master Green
    Hi Blender,
    Not sure how this can be possible, but after numerous postings at this forum, which I have always had the greatest results with and never left without a problem being solved, I was wondering how I can increase my skills with removing viruses, trojans, malware and spyware? I personally have tried specializing in it for the last 3 years at least and am always looking to raise my level of expertise a little... I would post my personal email address but am not sure if that's okay or not... Any recommendations would be greatly appreciated...
     
  20. 2007/03/17
    Master Green
    Hi,
    (1) Service Pack 2 > downloaded successfully
    (2) SP2 Updates (28 total) > done
    (3) Priority Updates (28 total) > done
    (4) Upgraded Internet Explorer to IE7 > done
    (5) Windows Firewall > enabled
     
  21. 2007/03/17
    Blender
    Hi,

    It's Ok you deleted those tools. Since you got almost all the files deleted I don't think we'll need them anyway.

    For these 2:

    C:\WINDOWS\System32\uttss.bak2
    C:\WINDOWS\System32\uttss.ini2

    Try this please:

    Copy the following text inside the code box to a new notepad file
    Save as file name delete.bat
    As file types: All Files
    Save it to the desktop.

    Code:
    @echo off
    rem Change to System32; /d also switches drive if the script was started from another drive
    cd /d c:\windows\system32
    rem Clear hidden, system, read-only and archive attributes first: del skips hidden files and refuses read-only ones
    attrib -h -s -r -a uttss.bak2
    del uttss.bak2
    attrib -h -s -r -a uttss.ini2
    del uttss.ini2
    rem Keep the window open so any error message can be read before it closes
    pause
    
    
    Once saved, double click it and let it run.
    A "dos" box will flash up...
    Note any on-screen error messages please & let me know if there are any.
    Just hit "enter" to close the cmd window.

    Hope the sp2 install goes well.
    <edit> sounds like it did :)

    Once you install a firewall do make sure the XP one is off.
    Service Pack 2 does turn on the XP firewall by default.
    XP's firewall settings can be accessed in the Control Panel.

    The reason I suggested a 3rd party firewall is that the XP one does not monitor OUTgoing traffic well.
    Good for incoming but not good for outgoing, so trojans, adware, etc. can do whatever they like.

    Let me know how the installs go.


    ----------------------
    Not a good idea to post your email address in the open forums. "search bots" do pass through and some harvest email addresses for spamming.

    Interested in learning to help out in removing malware in the forums?
    Is this what you are asking?


    If so...
    There are a few schools available where you are trained to identify different malware and learn to use tools available to help find and remove it.
    It is actually quite interesting and a lot of fun.
    Pretty much a "self paced" learning program.
    Lots to read & learn.
    Lots of friendly people.

    **Warning**

    It is addicting. :D

    Malware Removal University:

    http://forum.malwareremoval.com/viewtopic.php?t=233

    GeeksToGo:

    http://www.geekstogo.com/forum/Would_you_like_to_learn_to_fight_malware-t4817.html

    SpywareInfo:

    http://forums.spywareinfo.com/index.php?showtopic=34

    Tammy
     