HiJackthis log and adaware log and startup list


Suspicious files I found

Post by duely » September 15th, 2006, 3:22 pm

I am doing the above that you requested right now. But...

I could not delete Services.exe, but the rest were deleted.

I found the following to be very suspicious.
There are many hidden files in my DirectX folder.
I'll list them because they may be important:

Hidden Files:
BugSlayerUtil.dll
cygcrypt-0.dll
cygwin1.dll
javacypts.dll
libeay32.dll
ntauth.dll
services.exe
ServUAdmin.ini
ServUCert.crt
ServUCert.key
ServUDaemon.ini
ServUPerfCount.dll
ssleay32.dll

And non-hidden files:
Dinput
__delete_on_reboot__n_c_._e_x_e_
add.reg
countrys.sys
countrys.sys~
fix.reg
ServUStartUpLog.txt
STDOLES2.TLB
STDOLES2.TLB~
stitcpl.cpl
verif.reg
vgas.dll

Ok well

Post by duely » September 15th, 2006, 3:50 pm

Ok well, I deleted services.exe in safe mode and I also deleted javacypts.dll because it is directly related to services.exe.

Here is the WinPFind log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 9/15/2006 3:38:14 PM
WinPFind v1.5.0 Folder = C:\Documents and Settings\PickelsAREtasty\Desktop\WinPFind\WinPFind\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
\\Search Page - http://www.microsoft.com/isapi/redir.dl ... r=iesearch
\\Default_Page_URL - http://www.msn.com
\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dl ... r=iesearch
\\Local Page - C:\WINDOWS\SYSTEM32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.google.com/
\\Search Page - http://www.microsoft.com/isapi/redir.dl ... r=iesearch
\\Local Page - C:\WINDOWS\SYSTEM32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
\{C333CF63-767F-4831-94AC-E683D962C63C} - CoTGT_BHO Class = C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll ()

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{32683183-48a0-441b-a342-7c2a440a9478} - = ()

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - 8192 =
\\NEXTID - 8197
\\{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8194 = Windows Messenger
\\{44226DFF-747E-4edc-B30C-78752E50CD0C} - 8195 =
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8196 = Sun Java Console

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc.)
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)(HKCU CLSID)
\{44226DFF-747E-4edc-B30C-78752E50CD0C} - ButtonText: ATI TV =
\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - ButtonText: AIM = C:\Program Files\AIM\aim.exe (America Online, Inc.)
\{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc.)
\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = ()
\\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = ()
\\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = ()
\\{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = C:\Program Files\WinRAR\rarext.dll ()
\\{FED7043D-346A-414D-ACD7-550D052499A7} - dBpowerAMP Music Converter 1 = C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll ()
\\{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5} - dBpowerAMP Music Converter = C:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll ()
\\{7C5E74A0-D5E0-11D0-A9BF-E886A83B9BE5} - Context Menu Shell Extension = C:\PROGRA~1\TAGREN~1\TRshell.dll (Softpointer Inc)
\\{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} - iTunes = C:\Program Files\iTunes\iTunesMiniPlayer.dll (Apple Computer, Inc.)
\\{6EE51AA0-77A0-11D7-B4E1-000347126E46} - Window Washer Shredding Utility = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL (Webroot Software)
\\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Program Files\Real\RealPlayer\rpshell.dll (RealNetworks, Inc.)
\\{acb4a560-3606-11d3-aef4-00104bd0f92d} - KodakShellExtension = C:\Program Files\Common Files\Kodak\ifscore\KodakShX.dll (Eastman Kodak Company)
\\{1CE2AA40-1317-11D3-9922-00104B0AD431} - CA_AntiVirus = C:\WINDOWS\avshlext.dll (Computer Associates International, Inc.)
\\ - = ()
\\{32020A01-506E-484D-A2A8-BE3CF17601C3} - AlcoholShellEx = C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll (Alcohol Soft Development Team)
\\DSShellExtension - {2C537739-793D-4214-9CF6-1371C4F1B1EB} = ()
\\{C55C499D-3518-44a1-998E-796AC5FC989D} - NetworkMagic = C:\Program Files\Pure Networks\Network Magic\nmspce.dll (Pure Networks, Inc.)
\\{33F85093-44BB-4587-B25B-FFD05D5B9916} - NetworkMagic = C:\Program Files\Pure Networks\Network Magic\nmspce.dll (Pure Networks, Inc.)
\\{5E2121EE-0300-11D4-8D3B-444553540000} - Catalyst Context Menu extension = C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll ()
\\{79BC0345-1015-11D2-A299-006008312725} - blue.shell = C:\Program Files\Pinnacle\Studio 10\programs\BlueShellExt.dll ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\CA_AntiVirus - {1CE2AA40-1317-11D3-9922-00104B0AD431} = C:\WINDOWS\avshlext.dll (Computer Associates International, Inc.)
\ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s.)
\TagRename_ContextMenu - {7C5E74A0-D5E0-11D0-A9BF-E886A83B9BE5} = C:\PROGRA~1\TAGREN~1\TRshell.dll (Softpointer Inc)
\Washer - {6EE51AA0-77A0-11D7-B4E1-000347126E46} = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL (Webroot Software)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s.)
\Washer - {6EE51AA0-77A0-11D7-B4E1-000347126E46} = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL (Webroot Software)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()
\{33F85093-44BB-4587-B25B-FFD05D5B9916} - = C:\Program Files\Pure Networks\Network Magic\nmspce.dll (Pure Networks, Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]
\ACE - {5E2121EE-0300-11D4-8D3B-444553540000} = C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll ()
\{33F85093-44BB-4587-B25B-FFD05D5B9916} - = C:\Program Files\Pure Networks\Network Magic\nmspce.dll (Pure Networks, Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\CA_AntiVirus - {1CE2AA40-1317-11D3-9922-00104B0AD431} = C:\WINDOWS\avshlext.dll (Computer Associates International, Inc.)
\Library - {54F51408-DD44-4a12-82EF-519AD2A80DE9} = C:\Program Files\ATI Multimedia\mlibrary\MLShell.dll (ATI Technologies Inc.)
\TagRename_ContextMenu - {7C5E74A0-D5E0-11D0-A9BF-E886A83B9BE5} = C:\PROGRA~1\TAGREN~1\TRshell.dll (Softpointer Inc)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()
\{33F85093-44BB-4587-B25B-FFD05D5B9916} - = C:\Program Files\Pure Networks\Network Magic\nmspce.dll (Pure Networks, Inc.)

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
\{F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Column Info = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc.)

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
PRONoMgr.exe - C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe (Intel(R) Corporation)
WheelMouse - C:\PROGRA~1\Mouse\Amoumain.exe ()
CaAvTray - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe (Computer Associates International, Inc.)
CAVRID - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe (Computer Associates International, Inc.)
Zone Labs Client - C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe (Computer Associates)
ioloDelayModule - C:\Program Files\iolo\System Mechanic Professional 6\delay.exe ()
eTrustPPAP - C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe (Computer Associates)
PCLEPCI - C:\PROGRA~1\Pinnacle\PPE\PPE.EXE (Pinnacle Systems GmbH)
PinnacleDriverCheck - C:\WINDOWS\system32\PSDrvCheck.exe ()
ATICCC - C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe ()
CloneCDTray - C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe (SlySoft, Inc.)
TkBellExe - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
!ewido - C:\Program Files\ewido anti-spyware 4.0\ewido.exe (Anti-Malware Development a.s.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SMSystemAnalyzer - C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe ()
STYLEXP - C:\Program Files\TGTSoft\StyleXP\StyleXP.exe ()
ATI Launchpad - C:\Program Files\ATI Multimedia\main\launchpd.exe (ATI Technologies Inc.)
ATI DeviceDetect - C:\Program Files\ATI Multimedia\main\ATIDtct.EXE (ATI Technologies Inc.)
ATI Remote Control - C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe (ATI Technologies Inc.)
AIM - C:\Program Files\AIM\aim.exe -cnetwait.odl ()
AnyDVD - C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe (SlySoft, Inc.)
eMuleAutoStart - C:\Program Files\eMule\emule.exe (http://www.emule-project.net)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Co.)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Documents and Settings\PickelsAREtasty\Start Menu\Programs\Startup\desktop.ini ()

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE
item Adobe Reader Speed Launch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item
hkey HKCU
command
inimapping 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\!ewido
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ewido
hkey HKLM
command "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Adobe Photo Downloader
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item apdproxy
hkey HKLM
command "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AIM
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command C:\Program Files\AIM\aim.exe -cnetwait.odl
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\eMuleAutoStart
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item emule
hkey HKCU
command C:\Program Files\eMule\emule.exe -AutoStart
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\H2O
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item cledx
hkey HKLM
command C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command "C:\Program Files\iTunes\iTunesHelper.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MoveSearch
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item zsearch
hkey HKLM
command C:\Program Files\HuaCi\huaci\zsearch.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroFilterCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NeroCheck
hkey HKLM
command C:\WINDOWS\system32\NeroCheck.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\nmapp
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item nmapp
hkey HKLM
command "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PeerGuardian
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item pg2
hkey HKCU
command C:\Program Files\PeerGuardian2\pg2.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PinnacleDriverCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PSDrvCheck
hkey HKLM
command C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinampAgent
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winampa
hkey HKLM
command C:\Program Files\Winamp\winampa.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 2
services 0
startup 2


[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
\\BCD2000 - IEAKBritannica.com
\\SV1 -

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)
\\UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\system32\upnpui.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll (Anti-Malware Development a.s.)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\system32\userinit.exe,
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\AtiExtEvent - Ati2evxx.dll = (ATI Technologies Inc.)
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\WgaLogon - WgaLogon.dll = (Microsoft Corporation)
\wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{43E32459-10FE-4A18-B81F-8D8BA0788FCC} - (Intel(R) PRO/100 VE Network Connection)
{B62B7BD1-274D-45D7-95C4-E358A3F07432} - ()
{CBC6E6C2-1338-48A1-85F0-770383DA4326} - (1394 Net Adapter)

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000014\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000015\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\cetihpz - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
\ipp - ()
\msdaipp - ()
\pure-go - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll (Pure Networks, Inc.)

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 3:41:26 PM, on 9/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\PickelsAREtasty\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic Professional 6\delay.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] "C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3733973263
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Pure Networks Router Manager (pnrouter) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Router Service\pnroutsv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\System32\wwSecure.exe


I have to go to work, so I'll put the Ewido scan on later tonight.

Post by Susan528 » September 15th, 2006, 5:25 pm

Thanks for the WinPFind log. In addition to the Ewido, please post another Adaware log.

Ewido

Post by duely » September 15th, 2006, 11:23 pm

Here is the Ewido log:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:19:07 PM 9/15/2006

+ Scan result:



C:\!KillBox\abhcop.sys -> Adware.WSearch : Cleaned with backup (quarantined).
C:\!KillBox\hcalway.sys -> Adware.WSearch : Cleaned with backup (quarantined).
C:\!KillBox\mUin.exe -> Adware.WSearch : Cleaned with backup (quarantined).
C:\Program Files\HuaCi\huaci\Mouse1.dll -> Adware.WSearch : Error during cleaning.
C:\Program Files\HuaCi\huaci\SearchM.dll -> Adware.WSearch : Error during cleaning.
C:\Program Files\HuaCi\huaci\mUin.exe -> Adware.WSearch : Error during cleaning.
C:\Program Files\HuaCi\huaci\zsearch.exe -> Adware.WSearch : Error during cleaning.
C:\Program Files\HuaCi\huaci\zsup.exe -> Adware.WSearch : Error during cleaning.
C:\WINDOWS\system32\drivers\abhcop.sys -> Adware.WSearch : Error during cleaning.
C:\WINDOWS\system32\drivers\hcalway.sys -> Adware.WSearch : Error during cleaning.
C:\WINDOWS\system32\DirectX\__delete_on_reboot__n_c_._e_x_e_ -> Not-A-Virus.RemoteAdmin.Win32.NetCat : Cleaned with backup (quarantined).


::Report end




I did a new antivirus scan and got this..

E:\incoming\(Motorola) V3 Razr(Apps, Games, Themes, Rings) Complete.rar/Moto Razr Complete/Games/NFL 2005 [v3 Razr]/NFL 2005 v3.jar/sheet_btackle.png Suspicious: Exploit.Win32.MS05-009 skipped
E:\incoming\(Motorola) V3 Razr(Apps, Games, Themes, Rings) Complete.rar/Moto Razr Complete/Games/NFL 2005 [v3 Razr]/NFL 2005 v3.jar/sheet_ftackle.png Suspicious: Exploit.Win32.MS05-009 skipped
E:\incoming\(Motorola) V3 Razr(Apps, Games, Themes, Rings) Complete.rar/Moto Razr Complete/Games/NFL 2005 [v3 Razr]/NFL 2005 v3.jar/sheet_lockup.png Suspicious: Exploit.Win32.MS05-009 skipped
E:\incoming\(Motorola) V3 Razr(Apps, Games, Themes, Rings) Complete.rar/Moto Razr Complete/Games/NFL 2005 [v3 Razr]/NFL 2005 v3.jar/sheet_run.png Suspicious: Exploit.Win32.MS05-009 skipped
E:\incoming\(Motorola) V3 Razr(Apps, Games, Themes, Rings) Complete.rar/Moto Razr Complete/Games/NFL 2005 [v3 Razr]/NFL 2005 v3.jar Suspicious: Exploit.Win32.MS05-009 skipped
E:\incoming\(Motorola) V3 Razr(Apps, Games, Themes, Rings) Complete.rar RAR: suspicious - 5 skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Y:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Y:\System Volume Information\_restore{8D8582F3-0F1F-4D5A-B456-02C4569D0644}\RP91\A0032962.exe/WISE0023.BIN Infected: Trojan-Clicker.Win32.Agent.hz skipped
Y:\System Volume Information\_restore{8D8582F3-0F1F-4D5A-B456-02C4569D0644}\RP91\A0032962.exe WiseSFX: infected - 1 skipped

Next I will include the Adaware scan..
duely
Regular Member
 
Posts: 27
Joined: August 2nd, 2006, 4:12 pm
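The ewido report above mixes items that were quarantined with items the scanner could not touch while Windows was running. A small parser makes that split explicit and groups the failures by folder, which is what the helper later targets with a boot-time deletion tool. This is an added example, not part of the thread or of ewido; the sample report is the one posted above, and the result-line format ("path -> detection : action.") is inferred from those lines only.

```python
"""Parse an ewido anti-spyware scan report and separate quarantined items
from items that could not be cleaned.

Added example; not part of the original thread nor of ewido. The line
format is an assumption inferred from the report posted in the thread.
"""
import ntpath
import re
from collections import Counter, defaultdict

# One result line: "<path> -> <detection name> : <action>."
_RESULT_RE = re.compile(r"^(?P<path>.+?) -> (?P<name>\S+) : (?P<action>.+?)\.?$")

# Sample input copied from the ewido report posted in the thread.
SAMPLE_REPORT = r"""
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:19:07 PM 9/15/2006

+ Scan result:

C:\!KillBox\abhcop.sys -> Adware.WSearch : Cleaned with backup (quarantined).
C:\!KillBox\hcalway.sys -> Adware.WSearch : Cleaned with backup (quarantined).
C:\!KillBox\mUin.exe -> Adware.WSearch : Cleaned with backup (quarantined).
C:\Program Files\HuaCi\huaci\Mouse1.dll -> Adware.WSearch : Error during cleaning.
C:\Program Files\HuaCi\huaci\SearchM.dll -> Adware.WSearch : Error during cleaning.
C:\Program Files\HuaCi\huaci\mUin.exe -> Adware.WSearch : Error during cleaning.
C:\Program Files\HuaCi\huaci\zsearch.exe -> Adware.WSearch : Error during cleaning.
C:\Program Files\HuaCi\huaci\zsup.exe -> Adware.WSearch : Error during cleaning.
C:\WINDOWS\system32\drivers\abhcop.sys -> Adware.WSearch : Error during cleaning.
C:\WINDOWS\system32\drivers\hcalway.sys -> Adware.WSearch : Error during cleaning.
C:\WINDOWS\system32\DirectX\__delete_on_reboot__n_c_._e_x_e_ -> Not-A-Virus.RemoteAdmin.Win32.NetCat : Cleaned with backup (quarantined).

::Report end
"""


def parse_report(text):
    """Return one dict per result line with keys path, name and action."""
    records = []
    for line in text.splitlines():
        m = _RESULT_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def failed_cleanings(records):
    """Files the scanner detected but could not clean, grouped by folder.

    These are the items that survive an on-line scan and need a
    boot-time deletion, which is what the thread does next.
    """
    by_dir = defaultdict(list)
    for r in records:
        if r["action"].lower().startswith("error"):
            # ntpath splits Windows paths correctly on any host OS.
            by_dir[ntpath.dirname(r["path"])].append(ntpath.basename(r["path"]))
    return dict(by_dir)


def summarize(records):
    """Count actions per detection name, e.g. {'Adware.WSearch': Counter(...)}."""
    summary = defaultdict(Counter)
    for r in records:
        summary[r["name"]][r["action"]] += 1
    return dict(summary)


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for name, actions in summarize(recs).items():
        print(name, dict(actions))
    for folder, files in failed_cleanings(recs).items():
        print("could not clean in", folder, "->", files)
```

Run as a script it prints the per-detection counts and the two folders (the HuaCi program folder and the drivers folder) whose files could not be cleaned; those seven paths are exactly the ones the later Avenger and Killbox instructions list.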

adaware scan

Unread postby duely » September 16th, 2006, 1:15 am

So I got rid of all the Viruses and such except for..

Y:\System Volume Information\_restore{8D8582F3-0F1F-4D5A-B456-02C4569D0644}\RP91\A0032962.exe/WISE0023.BIN Infected: Trojan-Clicker.Win32.Agent.hz skipped
Y:\System Volume Information\_restore{8D8582F3-0F1F-4D5A-B456-02C4569D0644}\RP91\A0032962.exe WiseSFX: infected - 1 skipped

My System Restore is disabled on all my drives, and I have no idea how to get rid of those 2 viruses..





ADAWARE LOG
ArchiveData(auto-quarantine- 2006-09-16 01-11-45.bckp)
Referencefile : SE1R123 14.09.2006
======================================================

MRU LIST
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=MRU FileReference : C:\Documents and Settings\PickelsAREtasty\recent\antivirus.html.lnk
obj[1]=MRU FileReference : C:\Documents and Settings\PickelsAREtasty\recent\antivirussss.html.lnk
obj[2]=MRU FileReference : C:\Documents and Settings\PickelsAREtasty\recent\DirectX.lnk
obj[3]=MRU FileReference : C:\Documents and Settings\PickelsAREtasty\recent\everquest account key.lnk
obj[4]=MRU FileReference : C:\Documents and Settings\PickelsAREtasty\recent\hijackthisNOW.log.lnk
obj[5]=MRU FileReference : C:\Documents and Settings\PickelsAREtasty\recent\incoming.lnk
obj[6]=MRU FileReference : C:\Documents and Settings\PickelsAREtasty\recent\New Text Document.txt.lnk
obj[7]=MRU FileReference : C:\Documents and Settings\PickelsAREtasty\recent\NOWNOWNOWNOWadware.txt.lnk
obj[8]=MRU FileReference : C:\Documents and Settings\PickelsAREtasty\recent\Razor 1911.nfo.lnk
obj[9]=MRU RegReference : S-1-5-21-1454471165-1979792683-839522115-1003\software\microsoft\search assistant\acmru\5603
obj[10]=MRU RegReference : S-1-5-21-1454471165-1979792683-839522115-1003\software\microsoft\search assistant\acmru\5604
obj[11]=MRU FileReference : C:\Documents and Settings\PickelsAREtasty\recent\ServUStartUpLog.txt.lnk
obj[12]=MRU RegReference : S-1-5-21-1454471165-1979792683-839522115-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru\*
obj[13]=MRU RegReference : S-1-5-21-1454471165-1979792683-839522115-1003\software\microsoft\windows\currentversion\explorer\recentdocs\.html
obj[14]=MRU RegReference : S-1-5-21-1454471165-1979792683-839522115-1003\software\microsoft\windows\currentversion\explorer\recentdocs\.ini
obj[15]=MRU RegReference : S-1-5-21-1454471165-1979792683-839522115-1003\software\microsoft\windows\currentversion\explorer\recentdocs\.log
obj[16]=MRU RegReference : S-1-5-21-1454471165-1979792683-839522115-1003\software\microsoft\windows\currentversion\explorer\recentdocs\.nfo
obj[17]=MRU RegReference : S-1-5-21-1454471165-1979792683-839522115-1003\software\microsoft\windows\currentversion\explorer\recentdocs\.rar
obj[18]=MRU RegReference : S-1-5-21-1454471165-1979792683-839522115-1003\software\microsoft\windows\currentversion\explorer\recentdocs\.txt
obj[19]=MRU RegReference : S-1-5-21-1454471165-1979792683-839522115-1003\software\microsoft\windows\currentversion\explorer\recentdocs\Folder
obj[20]=MRU FileReference : C:\Documents and Settings\PickelsAREtasty\recent\WoW.World.Of.Warcraft.Crack.(BRAND.NEW.KEYGEN.GRANTING.AGAIN.FREE.ACCESS.TO.OFFICIAL.SERVER!!).[Found.via.www.FileDonkey.com].lnk
obj[22]=MRU RegReference : S-1-5-21-1454471165-1979792683-839522115-1003\software\microsoft\windows media\wmsdk\general computername
obj[23]=MRU RegReference : S-1-5-21-1454471165-1979792683-839522115-1003\software\winrar\dialogedithistory\extrpath
obj[24]=MRU RegReference : software\microsoft\directdraw\mostrecentapplication name
obj[25]=MRU RegReference : S-1-5-21-1454471165-1979792683-839522115-1003\software\microsoft\internet explorer\typedurls
obj[26]=MRU RegReference : S-1-5-21-1454471165-1979792683-839522115-1003\software\microsoft\mediaplayer\player\recenturllist
obj[27]=MRU RegReference : S-1-5-21-1454471165-1979792683-839522115-1003\software\microsoft\mediaplayer\preferences lastplaylistindex
obj[28]=MRU RegReference : S-1-5-21-1454471165-1979792683-839522115-1003\software\microsoft\mediaplayer\preferences lastplaylist
obj[29]=MRU RegReference : S-1-5-21-1454471165-1979792683-839522115-1003\software\microsoft\microsoft management console\recent file list
obj[21]=MRU RegReference : S-1-5-21-1454471165-1979792683-839522115-1003\software\microsoft\windows\currentversion\explorer\runmru

ADWARE.HUACISOU
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[17]=Regkey : system\controlset001\services\abhcop
obj[18]=RegValue : system\controlset001\services\abhcop "Start"
obj[19]=RegValue : system\controlset001\services\abhcop "ErrorControl"
obj[20]=RegValue : system\controlset001\services\abhcop "ImagePath"
obj[21]=RegValue : system\controlset001\services\abhcop "DisplayName"
obj[22]=RegValue : system\controlset001\services\abhcop "Group"
obj[23]=Regkey : system\controlset001\services\hcalway
obj[24]=RegValue : system\controlset001\services\hcalway "Start"
obj[25]=RegValue : system\controlset001\services\hcalway "ErrorControl"
obj[26]=RegValue : system\controlset001\services\hcalway "Tag"
obj[27]=RegValue : system\controlset001\services\hcalway "ImagePath"
obj[28]=RegValue : system\controlset001\services\hcalway "DisplayName"
obj[29]=RegValue : system\controlset001\services\hcalway "Group"
obj[30]=RegValue : system\controlset001\services\hcalway "Description"
obj[31]=RegValue : system\controlset001\services\hcalway "MaxRecords"
obj[32]=RegValue : system\controlset001\services\hcalway "MaxNames"
obj[33]=RegValue : system\controlset001\services\hcalway "DebugFlags"
obj[34]=RegValue : system\controlset001\services\hcalway "AttachMode"
obj[35]=Regkey : system\currentcontrolset\services\abhcop
obj[36]=RegValue : system\currentcontrolset\services\abhcop "Start"
obj[37]=RegValue : system\currentcontrolset\services\abhcop "ErrorControl"
obj[38]=RegValue : system\currentcontrolset\services\abhcop "ImagePath"
obj[39]=RegValue : system\currentcontrolset\services\abhcop "DisplayName"
obj[40]=RegValue : system\currentcontrolset\services\abhcop "Group"
obj[41]=Regkey : system\currentcontrolset\services\hcalway
obj[42]=RegValue : system\currentcontrolset\services\hcalway "Start"
obj[43]=RegValue : system\currentcontrolset\services\hcalway "ErrorControl"
obj[44]=RegValue : system\currentcontrolset\services\hcalway "Tag"
obj[45]=RegValue : system\currentcontrolset\services\hcalway "ImagePath"
obj[46]=RegValue : system\currentcontrolset\services\hcalway "DisplayName"
obj[47]=RegValue : system\currentcontrolset\services\hcalway "Group"
obj[48]=RegValue : system\currentcontrolset\services\hcalway "Description"
obj[49]=RegValue : system\currentcontrolset\services\hcalway "MaxRecords"
obj[50]=RegValue : system\currentcontrolset\services\hcalway "MaxNames"
obj[51]=RegValue : system\currentcontrolset\services\hcalway "DebugFlags"
obj[52]=RegValue : system\currentcontrolset\services\hcalway "AttachMode"
obj[53]=Folder : C:\Program Files\HuaCi
obj[54]=File : C:\Program Files\HuaCi\huaci\Mouse1.dll
obj[55]=File : C:\Program Files\HuaCi\huaci\SearchM.dll
obj[56]=File : C:\Program Files\HuaCi\huaci\zsearch.exe
obj[57]=File : C:\Program Files\HuaCi\huaci\zsup.exe
obj[58]=File : C:\WINDOWS\system32\drivers\abhcop.sys
obj[59]=File : C:\WINDOWS\system32\drivers\hcalway.sys
duely
Regular Member
 
Posts: 27
Joined: August 2nd, 2006, 4:12 pm

Unread postby Susan528 » September 16th, 2006, 2:45 pm

Thank you for the logs. I am obtaining help with a fix. I will get back to you.
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby Susan528 » September 16th, 2006, 8:27 pm

Please download The Avenger by Swandog46 to the Desktop.
Click on Avenger.zip to open the file
Then, extract avenger.exe to the Desktop

Next, copy all the blue text below to the Clipboard by highlighting it and pressing Ctrl+C:

Files to delete:
C:\WINDOWS\system32\drivers\abhcop.sys
C:\WINDOWS\system32\drivers\hcalway.sys

Folders to delete:
C:\Program Files\HuaCi

Drivers to unload:
abhcop
hcalway

Registy keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MoveSearch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CDSearch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\»®´ÊËÑË÷
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ABHCOP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HCALWAY
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE}
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{4E1ACE40-F681-4CC4-A7C0-AD1E6C9AD86F}
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{A07E6B9B-BB30-4381-A9D8-FABB0648BCEF}
HKEY_LOCAL_MACHINE\Software\Classes\Typelib\{FD536575-73F7-42A3-9E9F-11688F1A006A}
HKEY_LOCAL_MACHINE\Software\Classes\Typelib\{C5CE084B-31E0-4B34-A33A-82B4EA913CF8}
HKEY_LOCAL_MACHINE\Software\Classes\SearchM.Com
HKEY_LOCAL_MACHINE\Software\Classes\SearchM.Com.1
HKEY_LOCAL_MACHINE\Software\Classes\SearchM.Search
HKEY_LOCAL_MACHINE\Software\Classes\SearchM.Search.1




Start The Avenger program by clicking its icon on the Desktop.
Under: Script file to execute, select: Input Script Manually
Now click on the Magnifying Glass icon
It opens a new window titled: View/edit script
Paste the text copied to clipboard into this window by pressing Ctrl+V.
Click Done

Next, click on the Green Light to begin the execution of the script
Answer Yes twice when prompted.

The Avenger automatically does the following:
Restarts the computer.
On reboot, briefly opens a black command window on the Desktop. This is normal.

After the restart, it creates a log that opens with the results of Avenger’s actions.
This log is located at C:\avenger.txt

Please provide C:\avenger.txt in your reply.
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Problem

Unread postby duely » September 17th, 2006, 4:12 pm

So I have a little problem..
I used that program the exact way you told me to, and upon restarting, it boots up and then "freezes" at the logon menu and says.."please wait.." This is probably normal, but it's been like that for 4 hours..

What should I do?

I can flip the power switch on my computer to restart it and get the log, but I already tried that and it said none of the files existed and none of them could be deleted.. So I repeated the instructions you gave me and now it's hung up on the "please wait..." thing again. Should I just wait it out? or restart it and give you the log anyways?
duely
Regular Member
 
Posts: 27
Joined: August 2nd, 2006, 4:12 pm

Unread postby Susan528 » September 17th, 2006, 4:24 pm

Just restart it and give me the logs please.
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

the log

Unread postby duely » September 17th, 2006, 5:58 pm

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\parcwgsa

*******************

Script file located at: \??\C:\kpd^tgih.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\drivers\abhcop.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\abhcop.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\abhcop.sys
Status: 0xc0000034



File C:\WINDOWS\system32\drivers\hcalway.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\hcalway.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\hcalway.sys
Status: 0xc0000034



Folder C:\Program Files\HuaCi not found!
Deletion of folder C:\Program Files\HuaCi failed!

Could not process line:
C:\Program Files\HuaCi
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\abhcop not found!
Unload of driver abhcop failed!

Could not process line:
abhcop
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\hcalway not found!
Unload of driver hcalway failed!

Could not process line:
hcalway
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\Registy keys to delete: not found!
Unload of driver Registy keys to delete: failed!

Could not process line:
Registy keys to delete:
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MoveSearch not found!
Unload of driver HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MoveSearch failed!

Could not process line:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MoveSearch
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CDSearch not found!
Unload of driver HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CDSearch failed!

Could not process line:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CDSearch
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\»®´ÊËÑË÷ not found!
Unload of driver HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\»®´ÊËÑË÷ failed!

Could not process line:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\»®´ÊËÑË÷
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ABHCOP not found!
Unload of driver HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ABHCOP failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ABHCOP
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HCALWAY not found!
Unload of driver HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HCALWAY failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HCALWAY
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE} not found!
Unload of driver HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE} failed!

Could not process line:
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE}
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\HKEY_LOCAL_MACHINE\Software\Classes\Interface\{4E1ACE40-F681-4CC4-A7C0-AD1E6C9AD86F} not found!
Unload of driver HKEY_LOCAL_MACHINE\Software\Classes\Interface\{4E1ACE40-F681-4CC4-A7C0-AD1E6C9AD86F} failed!

Could not process line:
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{4E1ACE40-F681-4CC4-A7C0-AD1E6C9AD86F}
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\HKEY_LOCAL_MACHINE\Software\Classes\Interface\{A07E6B9B-BB30-4381-A9D8-FABB0648BCEF} not found!
Unload of driver HKEY_LOCAL_MACHINE\Software\Classes\Interface\{A07E6B9B-BB30-4381-A9D8-FABB0648BCEF} failed!

Could not process line:
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{A07E6B9B-BB30-4381-A9D8-FABB0648BCEF}
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\HKEY_LOCAL_MACHINE\Software\Classes\Typelib\{FD536575-73F7-42A3-9E9F-11688F1A006A} not found!
Unload of driver HKEY_LOCAL_MACHINE\Software\Classes\Typelib\{FD536575-73F7-42A3-9E9F-11688F1A006A} failed!

Could not process line:
HKEY_LOCAL_MACHINE\Software\Classes\Typelib\{FD536575-73F7-42A3-9E9F-11688F1A006A}
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\HKEY_LOCAL_MACHINE\Software\Classes\Typelib\{C5CE084B-31E0-4B34-A33A-82B4EA913CF8} not found!
Unload of driver HKEY_LOCAL_MACHINE\Software\Classes\Typelib\{C5CE084B-31E0-4B34-A33A-82B4EA913CF8} failed!

Could not process line:
HKEY_LOCAL_MACHINE\Software\Classes\Typelib\{C5CE084B-31E0-4B34-A33A-82B4EA913CF8}
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\HKEY_LOCAL_MACHINE\Software\Classes\SearchM.Com not found!
Unload of driver HKEY_LOCAL_MACHINE\Software\Classes\SearchM.Com failed!

Could not process line:
HKEY_LOCAL_MACHINE\Software\Classes\SearchM.Com
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\HKEY_LOCAL_MACHINE\Software\Classes\SearchM.Com.1 not found!
Unload of driver HKEY_LOCAL_MACHINE\Software\Classes\SearchM.Com.1 failed!

Could not process line:
HKEY_LOCAL_MACHINE\Software\Classes\SearchM.Com.1
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\HKEY_LOCAL_MACHINE\Software\Classes\SearchM.Search not found!
Unload of driver HKEY_LOCAL_MACHINE\Software\Classes\SearchM.Search failed!

Could not process line:
HKEY_LOCAL_MACHINE\Software\Classes\SearchM.Search
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\HKEY_LOCAL_MACHINE\Software\Classes\SearchM.Search.1 not found!
Unload of driver HKEY_LOCAL_MACHINE\Software\Classes\SearchM.Search.1 failed!

Could not process line:
HKEY_LOCAL_MACHINE\Software\Classes\SearchM.Search.1
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.
duely
Regular Member
 
Posts: 27
Joined: August 2nd, 2006, 4:12 pm
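The Avenger log above shows what happens when a section header in the script is misspelled: the line "Registy keys to delete:" was not recognised as a header, so it and every registry key beneath it were processed as drivers to unload, and each failed with status 0xc0000034 (object not found). A script validator that knows the section headers used in the thread's script and flags anything else catches this before the reboot. This is an added example that is neither part of the thread nor of The Avenger; the sample script is an abbreviated copy of the one posted above, with the misspelled header kept, and the rule that an unrecognised header falls into the still-open section is an assumption modelled on the log.

```python
"""Validate an Avenger-style removal script before it is run.

Added example; not part of the original thread nor of The Avenger. The
section names are those used in the thread's script. That an unknown
header is handled as an entry of the still-open section is an assumption
modelled on the log posted in the thread.
"""
import re

# Section headers as they appear in the thread's script (matched case-insensitively).
KNOWN_SECTIONS = {
    "files to delete:": "files",
    "folders to delete:": "folders",
    "drivers to unload:": "drivers",
    "registry keys to delete:": "registry_keys",
}

# A line of words ending in a colon is taken to be an intended section header.
_HEADER_RE = re.compile(r"^[A-Za-z ]+:$")

# Abbreviated copy of the script posted in the thread, typo included.
SAMPLE_SCRIPT = r"""
Files to delete:
C:\WINDOWS\system32\drivers\abhcop.sys
C:\WINDOWS\system32\drivers\hcalway.sys

Folders to delete:
C:\Program Files\HuaCi

Drivers to unload:
abhcop
hcalway

Registy keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MoveSearch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CDSearch
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ABHCOP
HKEY_LOCAL_MACHINE\Software\Classes\SearchM.Com
"""


def parse_script(text):
    """Return (sections, problems).

    sections maps each known section to its entries in script order;
    problems is a list of (line_number, message) for unrecognised headers
    and for entries that would be mis-assigned because of them.
    """
    sections = {name: [] for name in KNOWN_SECTIONS.values()}
    problems = []
    current = None      # section the following lines belong to
    bad_header = None   # last header-looking line that was not recognised

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if _HEADER_RE.match(line):
            key = line.lower()
            if key in KNOWN_SECTIONS:
                current = KNOWN_SECTIONS[key]
                bad_header = None
                continue
            # Not a known header: report it, then fall through so it is
            # recorded as an entry of the open section, as the log shows.
            problems.append((lineno, f"unrecognised section header {line!r}"))
            bad_header = line
        elif bad_header is not None:
            problems.append((lineno, f"{line!r} would be handled as a {current} "
                                     f"entry because {bad_header!r} was not recognised"))
        if current is None:
            problems.append((lineno, f"entry before any section header: {line!r}"))
        else:
            sections[current].append(line)
    return sections, problems


def is_clean(text):
    """True when every header is recognised and every entry is in a known section."""
    return not parse_script(text)[1]


if __name__ == "__main__":
    for lineno, msg in parse_script(SAMPLE_SCRIPT)[1]:
        print(f"line {lineno}: {msg}")
```

Run on the sample, it reports the header on line 13 and the four registry keys that would be treated as driver names; with the header spelled "Registry keys to delete:" the same script validates cleanly and the keys land in the registry_keys section.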

Unread postby Susan528 » September 17th, 2006, 8:55 pm

Hi duely,

Please do the following:

STEP 1.
======
Delete Files with Killbox

Download Pocket Killbox from http://www.downloads.subratam.org/KillBox.zip and unzip it; save it to your Desktop. DO NOT RUN IT YET.
==========
Double-click on KillBox.exe to launch the program. It is the red circle with a large white X in it
- Highlight the files in bold RED below and press the Ctrl key and the C key at the same time to copy them to the clipboard
C:\Program Files\HuaCi\huaci\Mouse1.dll
C:\Program Files\HuaCi\huaci\SearchM.dll
C:\Program Files\HuaCi\huaci\mUin.exe
C:\Program Files\HuaCi\huaci\zsearch.exe
C:\Program Files\HuaCi\huaci\zsup.exe
C:\WINDOWS\system32\drivers\abhcop.sys
C:\WINDOWS\system32\drivers\hcalway.sys


In Killbox click on the File menu and then the Paste from Clipboard item
in the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
(Please note that the tool checks your computer for the presence of the files pasted into the box so if files are not present, it is possible that you might not see all files you pasted into the box.)
  • Click the option to Delete on Reboot
  • Click End Explorer Shell while Killing File
  • Click All Files right of the flashing green "Single files"
  • Click Yes when it asks "Files will be Removed on Reboot, Do you want to reboot now?"

(Note: If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually)

If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot.

Then please run ewido and post (reply) with the report.
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

hey

Unread postby duely » September 17th, 2006, 9:36 pm

The Avenger fixed the problem I don't think I need to use killbox..
There is no longer a Huaci Folder and here is my most recent Ewido scan.
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:29:52 PM 9/17/2006

+ Scan result:



C:\Documents and Settings\PickelsAREtasty\Local Settings\Temp\temp.fr4218\huaci\Mouse1.dll -> Adware.WSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\PickelsAREtasty\Local Settings\Temp\temp.fr4218\huaci\SearchM.dll -> Adware.WSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\PickelsAREtasty\Local Settings\Temp\temp.fr4218\huaci\mUin.exe -> Adware.WSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\PickelsAREtasty\Local Settings\Temp\temp.fr4218\huaci\zsearch.exe -> Adware.WSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\PickelsAREtasty\Local Settings\Temp\temp.fr4218\huaci\zsup.exe -> Adware.WSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\PickelsAREtasty\Local Settings\Temp\temp.fr6197 -> Adware.WSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\PickelsAREtasty\Local Settings\Temp\temp.frFF01 -> Adware.WSearch : Cleaned with backup (quarantined).


::Report end





Thanks for all your help. I have one final question though. How would you recommend removing the following:

Y:\System Volume Information\_restore{8D8582F3-0F1F-4D5A-B456-02C4569D0644}\RP91\A0032962.exe/WISE0023.BIN Infected: Trojan-Clicker.Win32.Agent.hz skipped
Y:\System Volume Information\_restore{8D8582F3-0F1F-4D5A-B456-02C4569D0644}\RP91\A0032962.exe WiseSFX: infected - 1 skipped


I have an antivirus program.. EZ Antivirus.. but it does not detect these viruses and the kaspersky online scan did.
duely
Regular Member
 
Posts: 27
Joined: August 2nd, 2006, 4:12 pm

nvm

Unread postby duely » September 17th, 2006, 9:57 pm

Nevermind. I used killbox to delete Y:\System Volume Information\_restore{8D8582F3-0F1F-4D5A-B456-02C4569D0644}\RP91\A0032962.exe

Everything is clean now. I will include one final log of everything if you'd like, just to make sure everything is clean....

Thank you so much for your time and your help!! I really didn't think it was gonna be possible to remove huaci, because I literally tried everything practically. Once again Thanks!!!
duely
Regular Member
 
Posts: 27
Joined: August 2nd, 2006, 4:12 pm

Unread postby Susan528 » September 17th, 2006, 9:57 pm

Hi duely,

Please do this. I want to check to make sure the registry entry was deleted.

STEP 1.
======
Regscan

Please download RegScan.
Within RegScan.zip you will find the file regscan.vbs
You may have to allow this script to run or disable anti-spyware again in order for it to run.
A window will open titled RegFinder.vbs and you will see a place to input search terms.
Please enter the search terms:
MoveSearch
After the search has completed a window titled Results.txt will open.
Please copy the results and post (reply) back.
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

okay

Unread postby duely » September 17th, 2006, 10:11 pm

I had to open the script with the command prompt because it would not run.. (it kept opening up as a text file..)

Windows Registry Editor Version 5.00

; Regscan.vbs Version: 1.2 by rand1038

; 9/17/2006 10:10:18 PM
; Search Term(s) Used: "MoveSearch"
; 1 matches were found.
; The search took 3 minutes and 58 seconds.


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MoveSearch]
duely
Regular Member
 
Posts: 27
Joined: August 2nd, 2006, 4:12 pm