P3-450
35 Posts
0
July 4th, 2005 17:00
Please download and install this disk cleanup utility called Cleanup! http://cleanup.stevengould.org/
It will get rid of any malware which may be hiding in your temp folders (a common hiding place). You will also regain a massive amount of disk space.
Here is a tutorial which describes its usage:
Run the disk cleanup utility and check the custom settings to your liking under Options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, clean out the Prefetch folder and the Recycle Bin.
Now reboot.
Next, download and run the List Installed Programs script from here: http://www.billsway.com/vbspage/
It's about halfway down the page.
Please run it and post back the log.
:)
jtowerNY
7 Posts
0
July 6th, 2005 11:00
Hi. Thanks for your reply. Unfortunately, I can't find the site you mentioned -- cleanup.stevengould.org, or www.stevengould.org -- neither IE nor Netscape could resolve that URL. Do you have another link to the cleanup utility you mentioned?
P3-450
35 Posts
0
July 6th, 2005 12:00
Try this one; the download link should be towards the bottom.
Cleanup
jtowerNY
7 Posts
0
July 6th, 2005 13:00
THANKS. I did run Cleanup!, which removed about 500 MB of files, and I rebooted. Then I ran your Installed Programs script, and the resulting file is pasted below. I suspect many of these programs were installed by guests who visit my house. After my reboot, I am still having problems with the malicious pop-ups. As I said before, the spyware programs I have installed are unable to completely remove the malware/spyware, which continues to re-install itself. THANKS again for your help; I look forward to your reply.
INSTALLED SOFTWARE (123) - DB1VX741 - 7/6/2005 9:11:40 AM
Adobe Download Manager 1.2 (Remove Only)
Adobe Reader 7.0 Ver: 7.0.0 Installed: 5/14/2005
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Instant Messenger
AOL Spyware Protection Ver: 1.0.66
APC PowerChute Personal Edition
Banctec Service Agreement Ver: 1.00.00 Installed: 2/4/2004
Banctec Service Agreement Ver: 1.00.0005 Installed: 2/4/2004
BCM V.92 56K Modem
Broadcom Management Programs Ver: 4.01.0000 Installed: 2/4/2004
Broadcom Management Programs Ver: 4.01.0000 Installed: 2/4/2004
CC_ccStart Ver: 2.1.0.610 Installed: 5/28/2004
ccCommon Ver: 2.1.0.610 Installed: 5/28/2004
CleanUp!
Creative MediaSource
Dell Digital Jukebox Driver
Dell Media Experience
Dell Networking Guide Ver: 1.00.0001 Installed: 2/4/2004
Dell Solution Center Ver: 1.00.0000 Installed: 2/4/2004
Dell Support Ver: 2.1.0.0 Installed: 2/4/2004
DS21Patch Ver: 1.00.0000 Installed: 2/4/2004
Help and Support Customization Ver: 1.00.0000 Installed: 2/4/2004
HijackThis 1.99.1 Ver: 1.99.1
Instant Access
Intel(R) Extreme Graphics Driver
Internet Explorer Default Page Ver: 1.00.03 Installed: 2/4/2004
Jasc Paint Shop Photo Album Ver: 4.0.3 Installed: 2/4/2004
Jasc Paint Shop Pro 8 Dell Edition Ver: 8.10.0000 Installed: 2/4/2004
Java 2 Runtime Environment, SE v1.4.1_02
Java 2 Runtime Environment, SE v1.4.2 Ver: 1.4.2 Installed: 2/4/2004
Java Web Start
K-Lite Codec Pack 2.20 Full Ver: 2.20
Learn2 Player (Uninstall Only)
LimeWire 4.8.1 Ver: 4.8.1
LiveReg (Symantec Corporation) Ver: 2.4.2.2295
LiveUpdate 2.6 (Symantec Corporation) Ver: 2.6.14.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Ver: 1.1.4322 Installed: 2/17/2005
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft AntiSpyware Ver: 1.0 Installed: 6/24/2005
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2004 Ver: 2004 Installed: 2/4/2004
Microsoft Money 2004 Ver: 12.0.50 Installed: 2/4/2004
Microsoft Money 2004 System Pack Ver: 12.0.80 Installed: 2/4/2004
Microsoft Office XP Professional with FrontPage Ver: 10.0.2606.0 Installed: 3/31/2004
Microsoft Train Simulator
Modem Helper
MSRedist Ver: 1.0.0.0 Installed: 5/28/2004
MUSICMATCH® Jukebox
Netscape (7.1)
NOMAD MuVo
Norton AntiVirus Ver: 10.00.10 Installed: 5/28/2004
Norton AntiVirus Parent MSI Ver: 10.0.0 Installed: 5/28/2004
Norton CleanSweep Ver: 1.0.0 Installed: 5/28/2004
Norton GoBack Personal Edition (Symantec Corporation)
Norton SystemWorks 2004 Ver: 7.02.00 Installed: 5/28/2004
Norton SystemWorks 2004 (Symantec Corporation) Ver: 7.02.00
Norton Utilities Ver: 16.0.0 Installed: 5/28/2004
Norton WMI Update Ver: 2005.1.0.111 Installed: 10/21/2004
NSW_DRM_COLLECTION Ver: 1.0.0 Installed: 5/28/2004
NVIDIA Drivers
OLYMPUS CAMEDIA Master 2.5
PartyPoker.net
Pure Networks Port Magic Ver: 1.2.1393.0
QuickBooks 2000
QuickTime
RealOne Player
Security Update for Step By Step Interactive Training (KB898458) Ver: 20050502.101010
Security Update for Windows XP (KB883939) Ver: 1
Security Update for Windows XP (KB890046) Ver: 1
Security Update for Windows XP (KB896358) Ver: 1
Security Update for Windows XP (KB896422) Ver: 1
Security Update for Windows XP (KB896428) Ver: 1
Shockwave
Shockwave Flash
Sid Meier's Pirates! Ver: 1.00.0000 Installed: 3/11/2005
Sid Meier's Pirates! Ver: 1.00.0000 Installed: 3/11/2005
Sonic DLA Ver: 4.50 Installed: 2/4/2004
Sonic RecordNow! Ver: 6.5.0 Installed: 2/4/2004
Sonic Update Manager Ver: 2.80 Installed: 2/4/2004
Spybot - Search & Destroy 1.3 Ver: 1.3
Spyware Doctor 3.2 Ver: 3.2
SpywareBlaster v3.4 Ver: 3.4.0
Symantec Network Drivers Update Ver: 5.5.1.6 Installed: 6/18/2005
Symantec Script Blocking Installer Ver: 1.0.0 Installed: 5/28/2004
SymNet Ver: 4.7.1 Installed: 5/28/2004
The Bridge Line Route
Update for Windows XP (KB894391) Ver: 1
Update for Windows XP (KB898461) Ver: 1
Viewpoint Media Player
wbyazhulp
WebFldrs XP Ver: 9.50.6513 Installed: 9/3/2002
Winamp (remove only)
Windows Installer 3.1 (KB893803) Ver: 3.1
Windows Installer 3.1 (KB893803) Ver: 3.1
Windows XP Hotfix - KB834707 Ver: 20040929.110854
Windows XP Hotfix - KB867282 Ver: 20050127.090417
Windows XP Hotfix - KB873333 Ver: 20050114.005213
Windows XP Hotfix - KB873339 Ver: 20041117.092459
Windows XP Hotfix - KB885250 Ver: 20050118.202711
Windows XP Hotfix - KB885835 Ver: 20041027.181713
Windows XP Hotfix - KB885836 Ver: 20041028.173203
Windows XP Hotfix - KB885884 Ver: 20040924.025457
Windows XP Hotfix - KB886185 Ver: 20041021.090540
Windows XP Hotfix - KB887472 Ver: 20041014.162858
Windows XP Hotfix - KB887742 Ver: 20041103.095002
Windows XP Hotfix - KB888113 Ver: 20041116.131036
Windows XP Hotfix - KB888240 Ver: 20041025.162401
Windows XP Hotfix - KB888302 Ver: 20041207.111426
Windows XP Hotfix - KB890047 Ver: 20041221.124506
Windows XP Hotfix - KB890175 Ver: 20041201.233338
Windows XP Hotfix - KB890859 Ver: 1
Windows XP Hotfix - KB890923 Ver: 1
Windows XP Hotfix - KB891781 Ver: 20050110.165439
Windows XP Hotfix - KB893066 Ver: 1
Windows XP Hotfix - KB893086 Ver: 1
Windows XP Service Pack 2 Ver: 20040803.231319
WordPerfect Office 11 Ver: 11.0 Installed: 2/4/2004
World Series of Poker Deluxe Casion Pak
XoftSpy
P3-450
35 Posts
0
July 6th, 2005 13:00
Thanks for the log.
Download "Registry Search Tool" (RegSrch.vbs) from here
http://www.billsway.com/vbspage/
Start it, paste in wbyazhulp, wait, then hit OK.
Then, when WordPad opens, copy that back here please.
jtowerNY
7 Posts
0
July 6th, 2005 16:00
Here ya go (THANKS!):
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "wbyazhulp" 7/6/2005 1:09:39 PM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wbyazhulp"="c:\\windows\\system32\\wbyazhulp.exe -start"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wbyazhulp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wbyazhulp]
"UninstallString"="c:\\windows\\system32\\wbyazhulp.exe -uninstall"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wbyazhulp]
"DisplayName"="wbyazhulp"
[HKEY_USERS\S-1-5-21-770511143-1288594550-4169661211-1007\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\windows\\system32\\wbyazhulp.exe"="wbyazhulp"
P3-450
35 Posts
0
July 6th, 2005 16:00
Step 1
Download and install RegLite. It is an easy-to-use registry editor and we will use it later on in the fix.
Please back up your registry (instructions here). It is important to back up your registry before making any changes to it.
Step 2
Download Pocket Killbox from here: http://www.downloads.subratam.org/KillBox.zip
Unzip the files to a folder, then open it and double-click Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:
c:\windows\system32\wbyazhulp.exe
Check the box to delete on reboot and click the red X to the right. Click OK, then Yes to reboot now.
Allow it to reboot.
While the computer is booting up, tap F8, use the arrow keys to select Safe Mode, then hit Enter.
Step 3
Open RegLite, copy/paste the following string into the address window at the top, then click Go.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Right-click the "wbyazhulp"="c:\\windows\\system32\\wbyazhulp.exe -start" value in the right pane and delete it.
Then copy/paste the following into the address window and click Go.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wbyazhulp.exe
Right-click the wbyazhulp.exe key in the left pane and delete it.
Exit RegLite.
Step 4
Open C:\Windows\Prefetch, select all and delete. (This will cause your computer to boot-up slower for the first few boots. Please do not be alarmed.)
Please delete your temporary files by deleting all files and folders inside the following folders (do not delete the temp folder itself), for example:
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\Every username\Local Settings\Temp\
Also delete your Temporary Internet Files (Start > Control Panel > Internet Options > Delete Files), be sure to also select delete all offline content.
Empty the Recycle Bin.
Step 5
Reboot normally and run at least two of the following online virus scans, making sure to reboot in between each one. Allow them to fix anything they find.
TrendMicro HouseCall
eTrust AntiVirus Web Scanner
Panda ActiveScan
Bitdefender
Command on Demand
Write down anything that can not be fixed.
Scan with HijackThis and post the new log as a reply to this thread. Include anything that can not be fixed by the online scans. Let us know if the popups stop.
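The RegSrch output Jon posted and Steps 2 and 3 above amount to one removal plan: delete the file, delete the autostart value, delete the leftover Uninstall key. The script below is an added example, not code from the thread or from RegSrch. It parses the REGEDIT4 text (the pasted search result is embedded as constructed sample input), separates real persistence (a value under a Run key) from mere traces (the MUICache entry, which only records that the program was displayed in the shell), and emits a .reg file in regedit's deletion syntax, where `"name"=-` removes a value and `[-KEY]` removes a key, along with the executable paths for the Killbox step. Deriving the key names from the search output avoids retyping them: the output shows the Uninstall key as `...\Uninstall\wbyazhulp`, without the `.exe` that appears in Step 3. Which keys count as autostart locations (Run, RunOnce, RunServices, RunServicesOnce) is this script's assumption.

```python
"""Turn a RegSrch.vbs result (REGEDIT4 text) into a removal plan and a .reg file.

Added example; not code from the forum thread or from RegSrch. The sample
input is the search result posted in the thread, reproduced here so the
script runs offline. Which keys count as autostart locations is an assumption.
"""
import re

# Constructed sample: the RegSrch.vbs output from the thread.
SAMPLE_REGSRCH = r"""
REGEDIT4
; RegSrch.vbs (c) Bill James
; Registry search results for string "wbyazhulp" 7/6/2005 1:09:39 PM

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wbyazhulp"="c:\\windows\\system32\\wbyazhulp.exe -start"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wbyazhulp]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wbyazhulp]
"UninstallString"="c:\\windows\\system32\\wbyazhulp.exe -uninstall"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wbyazhulp]
"DisplayName"="wbyazhulp"

[HKEY_USERS\S-1-5-21-770511143-1288594550-4169661211-1007\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\windows\\system32\\wbyazhulp.exe"="wbyazhulp"
"""

# Assumption: a value under one of these keys launches at boot/logon, so it is
# persistence. Any other hit that mentions the file is treated as a trace.
AUTOSTART_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$",
    re.IGNORECASE)
UNINSTALL_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\[^\\]+$",
                           re.IGNORECASE)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
EXE_PATH = re.compile(r'([a-z]:\\[^"]*?\.exe)', re.IGNORECASE)


def unescape(s):
    """REGEDIT4 doubles backslashes inside quoted strings."""
    return s.replace("\\\\", "\\")


def parse_regedit4(text):
    """Yield (key, name, value); name and value are None for a bare key line."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
            continue
        m = VALUE_LINE.match(line)
        if key and m:
            name, raw = unescape(m.group(1)), m.group(2)
            value = unescape(raw[1:-1]) if raw.startswith('"') else raw
            yield key, name, value


def removal_plan(text):
    """Classify hits into values to delete, keys to delete, traces, and files."""
    plan = {"delete_values": [], "delete_keys": [], "traces": [], "files": set()}
    for key, name, value in parse_regedit4(text):
        for field in (name, value):
            m = EXE_PATH.search(field or "")
            if m:
                plan["files"].add(m.group(1).lower())   # candidates for Killbox
        if name is None:
            # The key name itself matched: a whole leftover Uninstall key can go.
            if UNINSTALL_KEY.search(key) and key not in plan["delete_keys"]:
                plan["delete_keys"].append(key)
        elif AUTOSTART_KEY.search(key):
            plan["delete_values"].append((key, name))    # never the Run key itself
        elif not UNINSTALL_KEY.search(key):
            plan["traces"].append((key, name))           # e.g. the MUICache entry
    return plan


def to_reg(plan):
    """Render the plan in regedit's deletion syntax: "name"=- and [-KEY]."""
    out = ["REGEDIT4", ""]
    for key, name in plan["delete_values"]:
        out += [f"[{key}]", f'"{name}"=-', ""]
    for key in plan["delete_keys"]:
        out += [f"[-{key}]", ""]
    for key, name in plan["traces"]:
        out.append(f"; trace only, not a launch point: [{key}] {name}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    plan = removal_plan(SAMPLE_REGSRCH)
    print(to_reg(plan))
    print("files for Killbox:", *sorted(plan["files"]), sep="\n  ")
```

Read the generated .reg before merging it. The script only ever emits a deletion for the matching value inside the Run key, never for the Run key itself, so the other startup entries on the machine are left alone; the MUICache hit is written as a comment because it is evidence of execution, not something that restarts the program.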
jtowerNY
7 Posts
0
July 6th, 2005 17:00
Hi. I'm sorry, your link to instructions to back up my registry doesn't work -- it leads to a page no longer available at symantec.com. Can you please provide a working link, or paste instructions on the forum?
THANKS! --Jon
P3-450
35 Posts
0
July 6th, 2005 18:00
To back up the whole registry:
1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Click on My Computer on the right to highlight it.
4. On the File menu, click Export.
5. In the Save in box, select a location where you want to save the Registration Entries (.reg) file, type a file name in the File name box, make sure that the Export Range at the bottom is set to ALL, and then click Save.
jtowerNY
7 Posts
0
July 7th, 2005 10:00
I think this was a success -- so far the popups have stopped. I followed your instructions, then scanned my system with several anti-spyware and antivirus programs: Spyware Doctor found and removed "Instant Access", Spybot Search and Destroy removed "eGroup.InstantAccess". Norton SystemWorks fixed one registry problem. I also ran Norton AntiVirus and Microsoft AntiSpyware Beta. Finally, I ran TrendMicro HouseCall and eTrust AntiVirus WebScan, both of which found a "virus" they could not cure, called "JAVA BYTEVER.B" located at: "C:\Documents and Settings\Jon Tower\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-40fc7b4b-28db3aa9.zip *dummy.class*". I tried to start Windows in Safe Mode and delete that file, but I could not find a folder called "Application Data". I'm not sure if that is a serious issue.
Anyway, the problem that was driving me crazy seems to be gone! I have re-booted several times and spent some time online, and "Instant Access" has not re-appeared, and there have been no annoying popups. Below is the final HijackThis log file. Please let me know if you see ANYTHING in the file below that could be a potential problem. Otherwise, I plan to keep my system guarded with anti-spyware and antivirus programs, and also create very restricted user accounts for my friends! THANK YOU SO MUCH. --Jon
Logfile of HijackThis v1.99.1
Scan saved at 7:16:21 AM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Jon Tower\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=2
N3 - Netscape 7: user_pref("browser.startup.homepage", " www.hotmail.com"); (C:\Documents and Settings\Jon Tower\Application Data\Mozilla\Profiles\default\psmu4j3g.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jon Tower\Application Data\Mozilla\Profiles\default\psmu4j3g.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {DA9935BA-22F7-44ee-BD12-BD8B87700BEA}
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Sid Registration.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk.disabled
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1604DF98-D1A5-44FE-844A-98D6FD0518D0} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1060_XP.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1CD49DC9-FD88-41FA-B892-47E037267D45} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1059_XP.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {C6760A07-A574-4705-B113-7856315922C3} - http://akamai.downloadv3.com/binaries/IA/sysnetsvc32_EN_XP.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: GBPoll - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
P3-450
July 7th, 2005 11:00
Just a little cleanup needed with HijackThis
You should disable any active antispyware programs you have running, as they will interfere with the fix below. Once you have rebooted you can re-enable them.
===============
Run HijackThis and click "Scan", then check (tick) the following, if present:
===============
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
Now, with all windows closed except HijackThis, click "Fix checked".
Reboot and post back a new log.
Message Edited by P3-450 on 07-07-2005 01:42 PM
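The check P3-450 applies by eye in the reply above, scripted, as an added example (not part of this thread and not HijackThis' own code): parse a HijackThis log, pull out the O2 (BHO) and O3 (toolbar) entries whose CLSID resolves to "(no file)", say where in the registry a ticked item lives, and list the download host of each O16 DPF entry so they can be reviewed. The sample log is constructed from a few lines in the formats posted in this thread, the function names are mine, and the registry locations are the standard BHO and IE toolbar registration points (general Windows knowledge, not something the page states).

```python
import re
from urllib.parse import urlparse

# Constructed sample log: a few lines in the HijackThis v1.99.1 format used in
# this thread (GUIDs and paths copied from the posted logs; not the full log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O16 - DPF: {1604DF98-D1A5-44FE-844A-98D6FD0518D0} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1060_XP.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "O2 - BHO: ..." -> section tag plus the rest of the line.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_entries(log_text):
    """Return (section, body) pairs for every Rx/Nx/Oxx line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def orphaned_entries(entries):
    """O2 (BHO) and O3 (toolbar) registrations whose CLSID resolves to '(no file)'.

    These are the items the reply above ticks in HijackThis: the DLL is gone
    but its registration is still present. Returns (section, clsid) pairs."""
    found = []
    for section, body in entries:
        if section not in ("O2", "O3") or not body.endswith("(no file)"):
            continue
        m = CLSID_RE.search(body)
        if m:
            found.append((section, m.group(0)))
    return found


def dpf_hosts(entries):
    """(clsid, download host) for every O16 DPF entry.

    O16 lines record ActiveX controls downloaded through Internet Explorer;
    listing the hosts is the quickest way to review them by eye."""
    hosts = []
    for section, body in entries:
        if section != "O16":
            continue
        url = body.rsplit(" - ", 1)[-1]
        clsid = CLSID_RE.search(body)
        hosts.append((clsid.group(0) if clsid else None, urlparse(url).hostname))
    return hosts


def registry_target(section, clsid):
    """Where a ticked O2/O3 item lives in the registry (standard BHO and IE
    toolbar registration points; general Windows knowledge, not from the page)."""
    if section == "O2":
        return ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\"
                "Browser Helper Objects\\" + clsid)
    if section == "O3":
        return "HKLM\\Software\\Microsoft\\Internet Explorer\\Toolbar, value " + clsid
    raise ValueError("only O2/O3 entries are mapped here")


def triage(log_text):
    """Summarise a log: orphaned BHO/toolbar entries with their registry targets, plus DPF hosts."""
    entries = parse_entries(log_text)
    return {
        "orphans": [(s, c, registry_target(s, c)) for s, c in orphaned_entries(entries)],
        "dpf_hosts": dpf_hosts(entries),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for section, clsid, key in report["orphans"]:
        print(f"tick {section} {clsid} -> removes {key}")
    for clsid, host in report["dpf_hosts"]:
        print(f"O16 {clsid} downloaded from {host}")
```

Run it against a saved log by replacing SAMPLE_LOG with the file's contents; the "(no file)" test is deliberately narrow, so anything it does not flag still needs a human look at the path and the CLSID.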
jtowerNY
July 7th, 2005 12:00
THANKS AGAIN. Here is the latest log file:
Logfile of HijackThis v1.99.1
Scan saved at 9:28:39 AM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jon Tower\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=2
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.hotmail.com"); (C:\Documents and Settings\Jon Tower\Application Data\Mozilla\Profiles\default\psmu4j3g.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jon Tower\Application Data\Mozilla\Profiles\default\psmu4j3g.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {DA9935BA-22F7-44ee-BD12-BD8B87700BEA}
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Sid Registration.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk.disabled
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1604DF98-D1A5-44FE-844A-98D6FD0518D0} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1060_XP.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1CD49DC9-FD88-41FA-B892-47E037267D45} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1059_XP.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {C6760A07-A574-4705-B113-7856315922C3} - http://akamai.downloadv3.com/binaries/IA/sysnetsvc32_EN_XP.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: GBPoll - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
P3-450
July 7th, 2005 12:00
Congratulations, your log is now clean :)
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.