Author Topic: Virtual-IE eating up F: drive memory PLEASE HELP!  (Read 1875 times)

Offline skyline

Virtual-IE eating up F: drive memory PLEASE HELP!
« on: October 21, 2005, 11:42:12 PM »
Well, all of a sudden my F: drive is out of memory even though I had about 4 gigs left a few days ago. Webroot didn't detect anything, but I'm not sure, so any help would be appreciated.

logfile of HijackThis v1.99.1
Scan saved at 9:37:35 PM, on 10/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
F:\Program Files\winupdates\winupdates.exe
F:\WINDOWS\RUNDLL16.EXE
F:\Program Files\MsMovies\MsMovies.exe
F:\WINDOWS\System32\winlogi.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\Digital Line Detect\DLG.exe
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\WINDOWS\System32\packet.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\wwSecure.exe
F:\Program Files\AIM\aim.exe
C:\firefox.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CD23G56J\hijackthis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {AFEE564B-00AC-7030-0E3C-0C3FC8D51CC8} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "F:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [winupdates] F:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [WebrootDesktopFirewall] F:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
O4 - HKLM\..\Run: [Windows DLL Loader] F:\WINDOWS\RUNDLL16.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MsMovies] F:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O4 - HKCU\..\Run: [Window Washer] F:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = F:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Windows Packet Driver (packet) - Unknown owner - F:\WINDOWS\System32\packet.exe
O23 - Service: Webroot Desktop Firewall Data Service (WebrootDesktopFirewallDataService) - Unknown owner - F:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe (file missing)
O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - F:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe (file missing)
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - F:\WINDOWS\System32\wwSecure.exe

Offline guestolo

« Reply #1 on: October 22, 2005, 12:52:45 PM »
Can you do the following please.
To your F: drive
==Download and UNZIP to desktop
BFU.zip
So you now have BFU.exe extracted to desktop

Please Download and UNZIP to desktop
p2pnetwork.zip
Make sure you unzip this so you now have p2pnetwork.bfu extracted to desktop

==Download and then Install
Ewido Security Suite

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/


Please print this out or save these instructions to notepad for reference

In safe mode

Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to p2pnetwork.bfu on your desktop
Right click p2pnetwork.bfu and choose Select
In Brute Force Uninstaller select Execute
Let it finish then Exit

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido

Restart back to Normal mode
Download hijackthis from my signature below and save it to a permanent folder on your drive
Only run hijackthis from this new location
Run hijackthis again and post a fresh log, also include the Report from Ewido
« Last Edit: October 22, 2005, 12:54:14 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Guest

  • Guest
Virtual-IE eating up F: drive memory PLEASE HELP!
« Reply #2 on: October 22, 2005, 11:25:53 PM »
I try to open all of the files but it seems like they won't open because I'm completely out of memory. Any ideas what to do?

Offline skyline

« Reply #3 on: October 22, 2005, 11:27:08 PM »
Sorry, that was me not logged in above.
I did all you have told me, but in Ewido after the scan I had to delete everything manually, meaning I had to delete 16000 files all by clicking yes. Is there another way to fix the problem? Has anyone else had the problem?

Logfile of HijackThis v1.99.1
Scan saved at 11:57:33 PM, on 10/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
F:\WINDOWS\RUNDLL16.EXE
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\wwSecure.exe
F:\Program Files\AIM\aim.exe
F:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ewido\security suite\securitysuite.exe
F:\WINDOWS\System32\wuauclt.exe
F:\Documents and Settings\Owner\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {AFEE564B-00AC-7030-0E3C-0C3FC8D51CC8} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "F:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WebrootDesktopFirewall] F:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
O4 - HKLM\..\Run: [Windows DLL Loader] F:\WINDOWS\RUNDLL16.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Window Washer] F:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = F:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Windows Packet Driver (packet) - Unknown owner - F:\WINDOWS\System32\packet.exe (file missing)
O23 - Service: Webroot Desktop Firewall Data Service (WebrootDesktopFirewallDataService) - Unknown owner - F:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe (file missing)
O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - F:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe (file missing)
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - F:\WINDOWS\System32\wwSecure.exe
« Last Edit: October 23, 2005, 02:00:40 AM by skyline »

Offline guestolo

« Reply #4 on: October 23, 2005, 11:04:27 AM »
Ewido has a new update as of today, can you open Ewido and check for updates.
Could you also disable Ewido's guard feature under the main window,
then close it, we'll need it later.

Follow all instructions closely; if you noticed, I mentioned the following
Quote
When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".

Also, when running Ewido, you did the following
Quote
but in Ewido after the scan I had to delete everything manually, meaning I had to delete 16000 files all by clicking yes. Is there another way to fix the problem?
I asked you to do this
Quote
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK

==Download and Install this small program
to help clean your temp folders, cookies, etc...
Windows Cleanup! 4.0
Give the link time to load or try it twice, it may be busy
Don't run this yet, we'll need it in a bit

==Download and save WinPFind.zip
UNZIP the contents to your desktop
Don't run it yet

I'm serious,
Please save these instructions to notepad for reference
Start>>run>>type in notepad
Hit OK
Save this to your desktop
I would like you to follow all the next instructions very closely

Please disable SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable SpySweeper:

Open it click >Options over to the left then >program options >Uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".

==Download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
* Save it to your desktop or a folder

Run Pocket KillBox.exe

In the killbox program, select the Delete on Reboot option.
Copy the file names below to the clipboard by highlighting them and pressing
Control + C

Killbox files to highlight between dotted lines
===================================================
F:\Program Files\MsConfigs\MsConfigs.exe
F:\WINDOWS\system32\p2pnetwork.exe
F:\WINDOWS\system32\CMD.COM
F:\WINDOWS\system32\netstat.com
F:\WINDOWS\system32\ping.com
F:\WINDOWS\system32\regedit.com
F:\WINDOWS\system32\tasklist.com
F:\WINDOWS\system32\taskkill.com
F:\WINDOWS\system32\taskmgr.com
F:\WINDOWS\system32\tracert.com
F:\WINDOWS\System32\bszip.dll
F:\WINDOWS\RUNDLL16.EXE
F:\Program Files\winupdates\winupdates.exe


===================================================
*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer doesn't restart
Please Restart it now manually into
SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for a more detailed explanation

In safe mode
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Go to START>>Run>>copy and paste the following lines in bold into the open field, then hit OK
Copy and paste this next line

sc stop packet

Hit OK
and then the next one

sc delete packet
Hit ok

Afterwards
Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to p2pnetwork.bfu on your desktop
Right click p2pnetwork.bfu and choose Select
In Brute Force Uninstaller select Execute
Let it finish then Exit

Find and delete the following files or folders if they exist
Look carefully, don't delete something because it looks similar
F:\WINDOWS\System32\packet.exe <-this file

F:\Program Files\MsConfigs <-folder
F:\Program Files\winupdates <-folder
F:\Program Files\winupdate <-folder
F:\Program Files\winsupdater <-folder
F:\Program Files\MsUpdate <-folder
F:\Program Files\MsMovies <-folder

Stay in safe mode
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off or Restart when scan is done.

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {AFEE564B-00AC-7030-0E3C-0C3FC8D51CC8} - (no file)

O4 - HKLM\..\Run: [Windows DLL Loader] F:\WINDOWS\RUNDLL16.EXE

O4 - Startup: LimeWire On Startup.lnk = F:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: PowerReg Scheduler V3.exe


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
Click START SCAN
This could take some time as it will scan your drive
Close out after

Restart back to Normal mode
I need to see a few logs
Post the results of the WinPFind.txt located in the WinPFind folder
Also post a fresh hijackthis log
Post the report you saved earlier from Ewido
« Last Edit: October 23, 2005, 11:37:57 AM by guestolo »

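As an added example (not a tool posted in this thread, and not part of HijackThis), the following Python script parses the entry shapes the helper is working through above and flags the O2/O9 orphans whose file is missing, O4 autoruns that name a bare executable or use the RunServices key, executables sitting directly in the Windows folder, startup items with no resolved path, and O23 services with no publisher. The sample log and the scoring rules are constructed assumptions for illustration, so treat the output as a list for analyst review rather than a verdict.

```python
"""Heuristic triage of HijackThis v1.99 log entries.

Added example for this thread; not a tool from the thread, from HijackThis,
or from the helper. The rules below are illustrative assumptions.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: entry shapes lifted from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [WebrootDesktopFirewall] F:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
O4 - HKLM\..\Run: [Windows DLL Loader] F:\WINDOWS\RUNDLL16.EXE
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE (file missing)
O23 - Service: Windows Packet Driver (packet) - Unknown owner - F:\WINDOWS\System32\packet.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - F:\WINDOWS\System32\wwSecure.exe
"""

# Every HijackThis entry starts with a section tag (R0, R1, O2, O4, O23, ...).
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# O4 registry autoruns: HKLM\..\Run: [name] command
AUTORUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O4 startup-folder items, with an optional " = target" part
STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<item>.+?)(?: = (?P<target>.+))?$")
# O23 services: Service: display (name) - owner - path
SERVICE_RE = re.compile(r"^Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")
# An .exe directly under \WINDOWS\ rather than in a subfolder (coarse heuristic).
WINROOT_EXE_RE = re.compile(r"\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def first_token(cmd: str) -> str:
    """Return the program part of an autorun command, honouring quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_bare_filename(token: str) -> bool:
    """True when the command has no drive, directory or variable: it is resolved by PATH search."""
    return "\\" not in token and ":" not in token and not token.startswith("%")


def triage(log_text: str) -> List[Finding]:
    """Walk the log and collect entries that deserve a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        section, body = entry.group("section"), entry.group("body")
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(line, "orphaned entry: referenced file is missing"))
        if section == "O4":
            run = AUTORUN_RE.match(body)
            if run:
                exe = first_token(run.group("cmd"))
                if is_bare_filename(exe):
                    findings.append(Finding(line, f"autorun uses bare filename {exe!r} (resolved by PATH search)"))
                if run.group("key").lower() == "runservices":
                    findings.append(Finding(line, "RunServices is a Win9x-era key; unusual on Windows XP"))
                if WINROOT_EXE_RE.search(exe):
                    findings.append(Finding(line, "executable placed directly in the Windows folder"))
            else:
                startup = STARTUP_RE.match(body)
                if startup and not startup.group("target"):
                    findings.append(Finding(line, "startup item without a resolved target path"))
        elif section == "O23":
            svc = SERVICE_RE.match(body)
            if svc and svc.group("owner") == "Unknown owner":
                findings.append(Finding(line, f"service {svc.group('name')!r} has no publisher"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.reason}] {finding.line}")
```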


Offline skyline

« Reply #5 on: October 23, 2005, 04:34:23 PM »
Logfile of HijackThis v1.99.1
Scan saved at 12:51:20 PM, on 10/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Documents and Settings\Owner\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {AFEE564B-00AC-7030-0E3C-0C3FC8D51CC8} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "F:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WebrootDesktopFirewall] F:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
O4 - HKLM\..\Run: [Windows DLL Loader] F:\WINDOWS\RUNDLL16.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Window Washer] F:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = F:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Webroot Desktop Firewall Data Service (WebrootDesktopFirewallDataService) - Unknown owner - F:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe (file missing)
O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - F:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe (file missing)
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - F:\WINDOWS\System32\wwSecure.exe

--------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         1:11:32 PM, 10/23/2005
 + Report-Checksum:      A8F76DD3

 + Scan result:

   F:\WINDOWS\lsass.exe -> Backdoor.SdBot.xd : Cleaned with backup
   F:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet : Cleaned with backup
   F:\WINDOWS\system32\213vmVnzH.exe -> Spyware.WinFetcher : Cleaned with backup
   F:\WINDOWS\system32\31.exe -> Spyware.WinFetcher : Cleaned with backup
   F:\WINDOWS\system32\7.exe -> Spyware.WinFetcher : Cleaned with backup
   F:\WINDOWS\system32\aim.exe -> Backdoor.SdBot.yn : Cleaned with backup
   F:\WINDOWS\system32\brbOBV6M.exe -> Spyware.WinFetcher : Cleaned with backup
   F:\WINDOWS\system32\CVo.exe -> Spyware.WinFetcher : Cleaned with backup
   F:\WINDOWS\system32\E.exe -> Spyware.WinFetcher : Cleaned with backup
   F:\WINDOWS\system32\fUc6.exe -> Spyware.WinFetcher : Cleaned with backup
   F:\WINDOWS\system32\ib3.exe -> Spyware.WinFetcher : Cleaned with backup
   F:\WINDOWS\system32\J.exe -> Spyware.WinFetcher : Cleaned with backup
   F:\WINDOWS\system32\JFms8.exe -> Spyware.WinFetcher : Cleaned with backup
   F:\WINDOWS\system32\K22lffm.exe -> Spyware.WinFetcher : Cleaned with backup
   F:\WINDOWS\system32\K7ygoCr3.exe -> Spyware.WinFetcher : Cleaned with backup
   F:\WINDOWS\system32\L7.exe -> Spyware.WinFetcher : Cleaned with backup
   F:\WINDOWS\system32\lASkrLeLj.exe -> Spyware.WinFetcher : Cleaned with backup
   F:\WINDOWS\system32\M2FbUOI6f.exe -> Spyware.WinFetcher : Cleaned with backup
   F:\WINDOWS\system32\qOPgLxF.exe -> Spyware.WinFetcher : Cleaned with backup
   F:\WINDOWS\system32\rdriv.sys -> Trojan.Rootkit.k : Cleaned with backup
   F:\WINDOWS\system32\uAbmzn.exe -> Spyware.WinFetcher : Cleaned with backup
   F:\WINDOWS\system32\zBLMJ1Yo.exe -> Spyware.WinFetcher : Cleaned with backup
   F:\WINDOWS\temp.bat -> Trojan.Zapchast : Cleaned with backup


::Report End
The Ewido report is from the fast scan, because in the system scan, after scanning all of the files, an error message pops up for all of the infected files, which is about 16000. It says: F/Documents and Settings/Owner/complete...... cannot be removed because it is embedded in the archive...... Do you want to remove the whole archive? And this is for all of the files inside of complete. I get an error message that says file not found when I run winpfind.exe. Thanks for your help so far.
« Last Edit: October 23, 2005, 04:48:36 PM by skyline »

Offline guestolo

« Reply #6 on: October 23, 2005, 05:49:42 PM »
Please follow these next instructions closely
We're not going to get you clean unless you do

You posted a Hijackthis log from safe mode
I asked you to reboot to normal mode then run hijackthis again and post the log :unsure:

Please do the following
Ensure windows is set to show hidden files and folders

Also, you MUST unzip WinPFind.zip
The only way I can match this error message
Quote
I get an error message that says file not found when i run winpfind.exe
Is if I don't unzip the contents
If you're unsure how to extract the contents
Use THIS LINK
for instructions

Afterwards
Reboot back to safe mode

Navigate to the following folder
F/Documents and Settings/Owner/complete <-this folder
Delete the Whole contents of the "Complete" folder
then delete the complete folder itself

Afterwards
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off or Restart when scan is done.

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido

Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
Click START SCAN
This could take some time as it will scan your drive
Close out after

RESTART BACK TO NORMAL MODE
Then run hijackthis again with the scan and save logfile button
Post the new log back here
Also include the report from Ewido
Additionally, post the results of the WinPFind.txt located in the WinPFind folder
« Last Edit: October 23, 2005, 06:31:00 PM by guestolo »



Offline skyline

« Reply #7 on: October 23, 2005, 08:01:26 PM »
Thank you so much for your help, I now have 10 gigs of memory!!
Um, by the way, when I unhid the folders my XP toolbar went back to the classic one and I can't change it. What shall I do?

Logfile of HijackThis v1.99.1
Scan saved at 5:58:54 PM, on 10/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\wwSecure.exe
F:\WINDOWS\System32\imapi.exe
F:\Documents and Settings\Owner\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "F:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WebrootDesktopFirewall] F:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Window Washer] F:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Webroot Desktop Firewall Data Service (WebrootDesktopFirewallDataService) - Unknown owner - F:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe (file missing)
O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - F:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe (file missing)
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - F:\WINDOWS\System32\wwSecure.exe

--------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         5:52:51 PM, 10/23/2005
 + Report-Checksum:      A8352EA3

 + Scan result:

   :mozilla.6:F:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m14j8t8q.dsfg\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.8:F:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m14j8t8q.dsfg\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.9:F:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m14j8t8q.dsfg\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.18:F:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m14j8t8q.dsfg\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.19:F:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m14j8t8q.dsfg\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   F:\Program Files\Yahoo!\YPSR\Quarantine\20050615212940.zip/thin-85-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup
   F:\Program Files\Yahoo!\YPSR\Quarantine\20050616175032.zip/thin-85-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup
   F:\Program Files\Yahoo!\YPSR\Quarantine\20050618100547.zip/thin-85-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup
   F:\Program Files\Yahoo!\YPSR\Quarantine\20050618113440.zip/thin-85-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup
   F:\Program Files\Yahoo!\YPSR\Quarantine\20050618124343.zip/thin-85-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup
   F:\Program Files\Yahoo!\YPSR\Quarantine\20050618142625.zip/thin-85-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup
   F:\Program Files\Yahoo!\YPSR\Quarantine\20050618150918.zip/thin-85-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup


::Report End

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build: Service Pack 1    Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2                 9/3/2002 9:30:40 AM         41397      F:\WINDOWS\SYSTEM32\dfrg.msc
PEC2                 6/9/2005 1:32:28 PM         692736     F:\WINDOWS\SYSTEM32\DivX.dll
PECompact2           6/9/2005 1:32:28 PM         692736     F:\WINDOWS\SYSTEM32\DivX.dll
Umonitor             9/3/2002 9:54:44 AM         631808     F:\WINDOWS\SYSTEM32\rasdlg.dll
winsync              9/3/2002 10:10:48 AM        1309184    F:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in F:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     10/23/2005 3:13:12 PM     S 2048       F:\WINDOWS\bootstat.dat
                     10/16/2005 10:44:54 AM   H  54156      F:\WINDOWS\QTFont.qfn
                     10/23/2005 9:57:04 AM    H  0          F:\WINDOWS\inf\oem2.inf
                     9/10/2005 3:33:50 PM     H  65536      F:\WINDOWS\Minidump\Mini091005-01.dmp
                     9/10/2005 3:36:24 PM     H  65536      F:\WINDOWS\Minidump\Mini091005-02.dmp
                     9/22/2005 6:32:10 PM     H  65536      F:\WINDOWS\Minidump\Mini092205-01.dmp
                     10/18/2005 7:36:52 PM    H  65536      F:\WINDOWS\Minidump\Mini101805-01.dmp
                     10/23/2005 3:45:50 PM    H  1024       F:\WINDOWS\system32\config\default.LOG
                     10/23/2005 3:13:14 PM    H  1024       F:\WINDOWS\system32\config\SAM.LOG
                     10/23/2005 4:13:18 PM    H  1024       F:\WINDOWS\system32\config\SECURITY.LOG
                     10/23/2005 4:11:56 PM    H  1024       F:\WINDOWS\system32\config\software.LOG
                     10/23/2005 4:13:20 PM    H  1024       F:\WINDOWS\system32\config\system.LOG
                     10/7/2005 1:36:12 PM     HS 388        F:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\657d97a4-7f06-4ce9-b3ad-633af9e86cfb
                     10/7/2005 1:36:12 PM     HS 24         F:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
                     10/23/2005 3:13:14 PM    H  6          F:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation          9/3/2002 9:26:48 AM         66048      F:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation          9/3/2002 9:27:24 AM         578560     F:\WINDOWS\SYSTEM32\appwiz.cpl
Broadcom Corporation           9/10/2002 4:07:54 PM        716800     F:\WINDOWS\SYSTEM32\B57exp.cpl
Microsoft Corporation          9/3/2002 9:30:36 AM         129024     F:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation          9/3/2002 9:34:00 AM         150016     F:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation              1/13/2003 3:01:10 PM        94208      F:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation          9/3/2002 9:35:14 AM         292352     F:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation          9/3/2002 9:35:24 AM         121856     F:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation          9/3/2002 9:37:12 AM         65536      F:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc.         12/6/2004 10:31:48 PM       49265      F:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          9/3/2002 9:40:02 AM         187904     F:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation          9/3/2002 9:42:08 AM         559616     F:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation          9/3/2002 9:47:04 AM         35840      F:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation          9/3/2002 9:50:26 AM         256000     F:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation          9/3/2002 9:50:44 AM         36864      F:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation          9/3/2002 9:52:44 AM         109056     F:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc.           9/23/2004 7:57:40 PM        323072     F:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation          9/3/2002 10:05:50 AM        268288     F:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation          9/3/2002 10:06:38 AM        28160      F:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation          9/3/2002 10:06:48 AM        90112      F:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation          5/26/2005 4:16:30 AM        174360     F:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          9/3/2002 9:26:48 AM         66048      F:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation          9/3/2002 9:27:24 AM         578560     F:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation          9/3/2002 9:30:36 AM         129024     F:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation          9/3/2002 9:34:00 AM         150016     F:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation          9/3/2002 9:35:14 AM         292352     F:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation          9/3/2002 9:35:24 AM         121856     F:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation          9/3/2002 9:37:12 AM         65536      F:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation          9/3/2002 9:40:02 AM         187904     F:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation          9/3/2002 9:42:08 AM         559616     F:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation          9/3/2002 9:47:04 AM         35840      F:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation          9/3/2002 9:50:26 AM         256000     F:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation          9/3/2002 9:50:44 AM         36864      F:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation          9/3/2002 9:52:44 AM         109056     F:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation          9/3/2002 9:57:12 AM         147456     F:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation          9/3/2002 10:05:50 AM        268288     F:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation          9/3/2002 10:06:38 AM        28160      F:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation          9/3/2002 10:06:48 AM        90112      F:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Intel Corporation              1/13/2003 3:01:10 PM        94208      F:\WINDOWS\SYSTEM32\ReinstallBackups\0006\DriverFiles\igfxcpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     2/24/2005 6:34:44 PM        986        F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
                     1/9/2005 10:07:12 PM        1757       F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
                     1/9/2005 6:51:08 PM      HS 84         F:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
                     1/9/2005 7:08:26 PM         493        F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
                     7/9/2005 3:08:00 PM         1730       F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
                     1/9/2005 10:41:40 AM     HS 62         F:\Documents and Settings\All Users\Application Data\desktop.ini
                     2/15/2005 7:13:10 PM        5          F:\Documents and Settings\All Users\Application Data\DirectCDUserNameE.txt

Checking files in %USERPROFILE%\Startup folder...
                     1/9/2005 6:51:08 PM      HS 84         F:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
                     1/9/2005 10:06:04 PM        1215       F:\Documents and Settings\Owner\Application Data\AdobeDLM.log
                     1/9/2005 10:41:40 AM     HS 62         F:\Documents and Settings\Owner\Application Data\desktop.ini
                     1/9/2005 10:06:04 PM        0          F:\Documents and Settings\Owner\Application Data\dm.ini
                     5/22/2005 2:55:04 PM        65720      F:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
       =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
   {063FDFED-6FD9-407C-8E6A-1EFA75CBCCD5}    =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
   {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}    = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Washer
   {6EE51AA0-77A0-11D7-B4E1-000347126E46}    = F:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = F:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
   {5464D816-CF16-4784-B9F3-75C0DB52B499}    = F:\WINDOWS\Downloaded Program Files\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
   Start Menu Pin    = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
   {7C9D5882-CB4A-4090-96C8-430BFE8B795B}    = F:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = F:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
   {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}    = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
   {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}    = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Washer
   {6EE51AA0-77A0-11D7-B4E1-000347126E46}    = F:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = F:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
    = F:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
   Yahoo! Companion BHO = F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
   {EF99BD32-C1FB-11D2-892F-0090271D4F88}    = Yahoo! Toolbar   : F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
   {8E718888-423F-11D2-876E-00A0C9082467}    = &Radio   : F:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
   ButtonText    = AIM   : F:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
   ButtonText    = Messenger   : F:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
   Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
   File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
   Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
   History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
   {EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar   : F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
   {EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar   : F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   AdaptecDirectCD   "F:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
   WebrootDesktopFirewall   F:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
   KernelFaultCheck   %systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
   IMAIL   Installed = 1
   MAPI   Installed = 1
   MSFS   Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   Window Washer   F:\Program Files\Webroot\Washer\wwDisp.exe
   ctfmon.exe   F:\WINDOWS\System32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BJCFD
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   CFD
   hkey   HKLM
   command   F:\Program Files\BroadJump\Client Foundation\CFD.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   CFD
   hkey   HKLM
   command   F:\Program Files\BroadJump\Client Foundation\CFD.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft Update Service 2005
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   csrsssvc
   hkey   HKLM
   command   csrsssvc.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   csrsssvc
   hkey   HKLM
   command   csrsssvc.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   qttask
   hkey   HKLM
   command   "F:\Program Files\QuickTime\qttask.exe" -atboottime
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   qttask
   hkey   HKLM
   command   "F:\Program Files\QuickTime\qttask.exe" -atboottime
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   jusched
   hkey   HKLM
   command   F:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   jusched
   hkey   HKLM
   command   F:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
   system.ini   0
   win.ini   0
   bootini   0
   services   0
   startup   2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
   {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = F:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
   {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
   {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption   
   legalnoticetext   
   shutdownwithoutlogon   1
   undockwithoutlogon   1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   PostBootReminder                  {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
   CDBurn                            {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
   WebCheck                          {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
   SysTray                           {35CEC8A3-2BE6-11D2-8773-92E220524153} = F:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   UserInit   = F:\WINDOWS\system32\userinit.exe,
   Shell      = Explorer.exe
   System      =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   AppInit_DLLs   


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/23/2005 4:13:55 PM
« Last Edit: October 23, 2005, 08:03:46 PM by skyline »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Virtual-IE eating up F: drive memory PLEASE HELP!
« Reply #8 on: October 23, 2005, 08:57:02 PM »
Your log looks better, but we're not done yet

We still have a bit more cleaning to do
Download and Save to desktop AimFix.exe

Download and UNZIP to your desktop
RdrivRem.zip

Print this out or save to a notepad for reference

Run AimFix.exe >> Follow the prompts

Reboot into Safe mode
Run AimFix.exe again

Open the rdrivRem folder you extracted earlier
Please double-click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder.

Reboot back to normal mode

Access the following link
http://free.grisoft.com/doc/2/lng/us/tpl/v5
Scroll down near the bottom
AVG Free Edition installation files
File   Version
avg71free_361a651.exe <-click this link, or similar
Save the installer to desktop
Double click to Install

After AVG7 is installed, make sure you have Checked for updates and it is right up to date
Run a complete system scan with AVG7, let it fix what it finds

Restart the computer one more time

Back in Windows


Post the contents of the rdriv.txt  in the rdrivRem folder.

Could you also
Download:  Registry Search Tool from this link
http://billsway.com/vbspage/

Unzip and double-click "RegSrch.vbs"
Note: if your Antivirus or another program prompts about running a ".vbs" file, allow the script to run

In the open field copy and paste the below in bold then hit OK

csrsssvc.exe

Wait for the results and post them back here

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline skyline

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
Virtual-IE eating up F: drive memory PLEASE HELP!
« Reply #9 on: October 24, 2005, 08:21:00 AM »
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "csrsssvc.exe" 10/24/2005 6:20:07 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft Update Service 2005]
"command"="csrsssvc.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\OLE]
"Microsoft Update Service 2005"="csrsssvc.exe"

[HKEY_USERS\S-1-5-21-1757981266-1383384898-682003330-1003\Software\Microsoft\OLE]
"Microsoft Update Service 2005"="csrsssvc.exe"

[HKEY_USERS\S-1-5-21-1757981266-1383384898-682003330-1003\Software\Webroot\SpySweeper\Startup\2_Microsoft Update Service 2005]
"path"="csrsssvc.exe"

[HKEY_USERS\S-1-5-21-1757981266-1383384898-682003330-1003\Software\Webroot\SpySweeper\Startup\2_Microsoft Update Service 2005]
"command"="csrsssvc.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\OLE]
"Microsoft Update Service 2005"="csrsssvc.exe"
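The RegSrch output above is plain REGEDIT4 text, which makes it easy to triage by script. As an added example (not part of this thread and not Bill James's tool), the following Python parser reads that format, groups the hits by hive, and flags values whose command is a bare file name with no path, which is the shape of every hit posted above. The sample text is constructed from the results in the reply above.

```python
"""Parse RegSrch.vbs-style REGEDIT4 search output and summarise the hits.

Added example, not part of the thread. SAMPLE is constructed from the
search results posted above.
"""
import re
from collections import defaultdict

SAMPLE = r"""REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "csrsssvc.exe" 10/24/2005 6:20:07 AM

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft Update Service 2005]
"command"="csrsssvc.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\OLE]
"Microsoft Update Service 2005"="csrsssvc.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\OLE]
"Microsoft Update Service 2005"="csrsssvc.exe"
"""

# A key line looks like [HIVE\path\to\key]; a value line looks like "name"="data".
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')


def searched_string(text):
    """Return the string RegSrch was asked to look for, taken from its header comment."""
    m = re.search(r'Registry search results for string "([^"]+)"', text)
    return m.group(1) if m else None


def parse_reg_search(text):
    """Return a list of (key_path, value_name, data) tuples from REGEDIT4 text.

    Comment lines (';'), blank lines and the REGEDIT4 header are skipped;
    each value line is attributed to the most recent [key] line.
    """
    hits = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            hits.append((current, m.group(1), m.group(2)))
    return hits


def hive_of(key_path):
    """Top-level hive name, e.g. HKEY_USERS."""
    return key_path.split("\\", 1)[0]


def summarise(hits):
    """Group hits by hive so the spread of references is visible at a glance."""
    by_hive = defaultdict(list)
    for key, name, data in hits:
        by_hive[hive_of(key)].append((key, name, data))
    return dict(by_hive)


def is_bare_filename(data):
    """True when the data is a file name with no drive or directory component."""
    return bool(data) and "\\" not in data and ":" not in data


def flag_bare_commands(hits):
    """Keys whose data is a bare file name; such entries are resolved via the
    search path rather than pointing at a specific file, so they deserve a look."""
    return [key for key, _name, data in hits if is_bare_filename(data)]


if __name__ == "__main__":
    found = parse_reg_search(SAMPLE)
    print("searched for:", searched_string(SAMPLE))
    for hive, entries in summarise(found).items():
        print(hive, len(entries), "hit(s)")
    for key in flag_bare_commands(found):
        print("bare file name in:", key)
```

Feed it a saved RegSrch result file instead of SAMPLE (for example `parse_reg_search(open("regsrch.txt", encoding="utf-8").read())`) to get the same summary for a real search.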

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Virtual-IE eating up F: drive memory PLEASE HELP!
« Reply #10 on: October 24, 2005, 10:43:28 PM »
Quote
Post the contents of the rdriv.txt in the rdrivRem folder.


Offline skyline

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
Virtual-IE eating up F: drive memory PLEASE HELP!
« Reply #11 on: October 24, 2005, 11:54:25 PM »
I did

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Virtual-IE eating up F: drive memory PLEASE HELP!
« Reply #12 on: October 24, 2005, 11:57:31 PM »
Like I said, read everything carefully

Ok, let me tell you what I said again

Quote
Restart the computer one more time

Back in Windows


Post the contents of the rdriv.txt in the rdrivRem folder.

Could you also
Download: Registry Search Tool from this link
http://billsway.com/vbspage/

Unzip and double-click "RegSrch.vbs"
Note: if your Antivirus or another program prompts about running a ".vbs" file, allow the script to run

In the open field copy and paste the below in bold then hit OK

csrsssvc.exe

Wait for the results and post them back here

I see the results from Registry search tool, but I don't see rdriv.txt in the rdrivRem folder


Offline skyline

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
Virtual-IE eating up F: drive memory PLEASE HELP!
« Reply #13 on: October 25, 2005, 07:51:12 PM »
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "csrsssvc.exe" 10/25/2005 5:50:29 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft Update Service 2005]
"command"="csrsssvc.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\OLE]
"Microsoft Update Service 2005"="csrsssvc.exe"

[HKEY_USERS\S-1-5-21-1757981266-1383384898-682003330-1003\Software\Microsoft\OLE]
"Microsoft Update Service 2005"="csrsssvc.exe"

[HKEY_USERS\S-1-5-21-1757981266-1383384898-682003330-1003\Software\Webroot\SpySweeper\Startup\2_Microsoft Update Service 2005]
"path"="csrsssvc.exe"

[HKEY_USERS\S-1-5-21-1757981266-1383384898-682003330-1003\Software\Webroot\SpySweeper\Startup\2_Microsoft Update Service 2005]
"command"="csrsssvc.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\OLE]
"Microsoft Update Service 2005"="csrsssvc.exe"

guestolo (Administrator)
Virtual-IE eating up F: drive memory PLEASE HELP!
« Reply #14 on: October 25, 2005, 08:24:12 PM »
Post the contents of the rdriv.txt in the rdrivRem folder.

I don't want to see the results from the registry search tool right now
I want to see the above I asked for :blink:



skyline
Virtual-IE eating up F: drive memory PLEASE HELP!
« Reply #15 on: October 25, 2005, 09:43:56 PM »
~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~

rdriv.sys NOT PRESENT!
ItunesMusic.exe NOT PRESENT!
wkssvc.exe NOT PRESENT!

guestolo (Administrator)
Virtual-IE eating up F: drive memory PLEASE HELP!
« Reply #16 on: October 25, 2005, 11:05:26 PM »
Can you try this please

Download and UNZIP to desktop Fix.zip from below
so you now have Fix.reg on your desktop

create a new restore point
Start>>all programs>>accessories>>System tools>>System restore
Click Create a new restore point>>Name it and click create

Afterwards, double click on fix.reg and allow to merge to the registry

Reboot your computer

Come back here and post one last hijackthis log, let me know how things are running



skyline
Virtual-IE eating up F: drive memory PLEASE HELP!
« Reply #17 on: October 26, 2005, 12:06:15 AM »
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WebrootDesktopFirewall] F:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Window Washer] F:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~2\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SpySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Webroot Desktop Firewall Data Service (WebrootDesktopFirewallDataService) - Unknown owner - F:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe (file missing)
O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - F:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe (file missing)
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - F:\WINDOWS\System32\wwSecure.exe

Things are running smoothly, but I still have the classic Windows toolbar because the XP option is now non-existent!

guestolo (Administrator)
Virtual-IE eating up F: drive memory PLEASE HELP!
« Reply #18 on: October 26, 2005, 11:16:51 AM »
Do the following, read what I have posted below carefully

Can you do a SEARCH on your computer for

Luna.msstyles

Make sure you type that in properly or copy and paste it
Also in Search under the Advanced options ensure the top 3 entries are selected which includes Search Hidden Files and folders

If Luna.msstyles is found
Let me know the exact location and size

Additionally, download find.zip and UNZIP the contents to the desktop

Double click on Find.bat and post the contents
Do the Same with Find1.bat



skyline
Virtual-IE eating up F: drive memory PLEASE HELP!
« Reply #19 on: October 26, 2005, 07:37:04 PM »
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"WCreatedUser"="1"
"ThemeActive"="0"


Volume in drive F has no label.
 Volume Serial Number is DCD8-C4C7

 Directory of F:\Documents and Settings\Owner\Desktop

10/26/2005  05:35 PM    <DIR>          .
10/26/2005  05:35 PM    <DIR>          ..
06/19/2005  11:43 AM               332 find.bat
10/26/2005  05:35 PM               450 find.zip
05/09/2005  09:51 AM               115 Find1.bat
01/14/2005  08:26 PM             2,429 Microsoft Publisher.lnk
10/25/2005  07:49 PM    <DIR>          rdrivRem
10/26/2005  06:21 AM         3,704,147 Skyline_GTR_R34.zip
01/09/2005  11:11 PM               739 Spy Sweeper.lnk
               6 File(s)      3,708,212 bytes

 Directory of F:\Documents and Settings\Owner\Desktop\rdrivRem

10/25/2005  07:49 PM    <DIR>          .
10/25/2005  07:49 PM    <DIR>          ..
10/25/2005  05:49 PM               279 rdriv.txt
06/21/2005  10:40 PM            10,378 rdrivRem.bat
12/15/2001  11:27 AM             3,254 RegSrch.vbs
               3 File(s)         13,911 bytes

     Total Files Listed:
               9 File(s)      3,722,123 bytes
               5 Dir(s)   9,712,807,936 bytes free

The program was not found on my computer through search.
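As an added example (not code from the thread, from RegSrch.vbs or from find.bat), the Python script below parses the two registry dumps posted in Reply #13 (the RegSrch.vbs search results) and Reply #19 (the find.bat .reg export), names the account each HKEY_USERS hit belongs to, says which keys are recognised autostart-related locations, and decodes the NoDriveTypeAutoRun and ThemeActive values. The sample strings are copied from those two posts (the two Spy Sweeper hits on the same key are folded into one block); the list of recognised locations and the reading of Spy Sweeper's Startup subkey as an inventory rather than an autostart point are this example's own assumptions.

```python
"""Added example (not from the thread): parse the registry dumps posted above and
say what each hit means. Sample data is copied from Reply #13 and Reply #19."""
import re
SEARCH_RESULTS = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft Update Service 2005]
"command"="csrsssvc.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\OLE]
"Microsoft Update Service 2005"="csrsssvc.exe"

[HKEY_USERS\S-1-5-21-1757981266-1383384898-682003330-1003\Software\Microsoft\OLE]
"Microsoft Update Service 2005"="csrsssvc.exe"

[HKEY_USERS\S-1-5-21-1757981266-1383384898-682003330-1003\Software\Webroot\SpySweeper\Startup\2_Microsoft Update Service 2005]
"path"="csrsssvc.exe"
"command"="csrsssvc.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\OLE]
"Microsoft Update Service 2005"="csrsssvc.exe"
"""
FIND_BAT_OUTPUT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"WCreatedUser"="1"
"ThemeActive"="0"
"""
_KEY_RE = re.compile(r'^\[(.+)\]$')
_VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def decode_data(data):
    """Quoted string -> str (unescaped), dword:hex -> int, anything else left raw."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.lower().startswith('dword:'):
        return int(data[6:], 16)
    return data

def parse_reg(text):
    """Parse REGEDIT4 / Version 5.00 .reg text into (key, value_name, data) tuples.
    Format header lines match neither pattern and are simply ignored."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue                      # blank line or ';' comment
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VAL_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group(1), decode_data(m.group(2))))
    return entries

def describe_hive(key):
    """Account owning a HKEY_USERS\\<sid> key: S-1-5-18 is SYSTEM, .DEFAULT the
    default profile, S-1-5-21-...-<RID> a local account (RID >= 1000: normal user)."""
    parts = key.split('\\')
    if parts[0] != 'HKEY_USERS' or len(parts) < 2:
        return parts[0]
    sid = parts[1]
    fixed = {'S-1-5-18': 'SYSTEM (LocalSystem)', '.DEFAULT': 'default profile'}.get(sid)
    return fixed or ('local user RID ' + sid.rsplit('-', 1)[1] if sid.startswith('S-1-5-21-') else sid)

# This example's own list of locations worth recognising, matched on whole path segments.
LOCATIONS = [
    (r'\\currentversion\\run(\\|$)', 'Run key (autostart)'),
    (r'\\shared tools\\msconfig\\startupreg(\\|$)',
     'msconfig disabled-startup list (entry switched off, file not removed)'),
    (r'\\webroot\\spysweeper\\startup(\\|$)',
     "Spy Sweeper's startup inventory (assumed: its record of the entry, not an autostart point)"),
]

def triage(entries, needle):
    """One dict per entry whose name or data contains needle: owning account plus what
    the key location means; locations not in LOCATIONS are flagged, not guessed."""
    hits = []
    for key, name, data in entries:
        if needle.lower() not in (name + ' ' + str(data)).lower():
            continue
        meaning = next((label for pat, label in LOCATIONS if re.search(pat, key, re.I)),
                       'not a standard autostart location')
        hits.append({'key': key, 'value': name, 'data': data,
                     'account': describe_hive(key), 'meaning': meaning})
    return hits

# NoDriveTypeAutoRun: each set bit disables AutoRun for that drive type.
# 0x91 (unknown + network + unspecified) is what Windows XP uses by default.
DRIVE_BITS = [(0x01, 'unknown type'), (0x04, 'removable'), (0x08, 'fixed'), (0x10, 'network'),
              (0x20, 'CD-ROM'), (0x40, 'RAM disk'), (0x80, 'unspecified type')]

def autorun_disabled_for(value):
    return [label for bit, label in DRIVE_BITS if value & bit]

def theme_active(entries):
    """ThemeManager\\ThemeActive: "1" = a visual style is in use, "0" = classic look."""
    for key, name, data in entries:
        if key.lower().endswith('\\thememanager') and name == 'ThemeActive':
            return data == '1'
    return None
```

Calling `triage(parse_reg(SEARCH_RESULTS), 'csrsssvc.exe')` shows the name sitting in msconfig's disabled-startup list and under Software\Microsoft\OLE in the user's hive, the default profile and the SYSTEM hive (HKEY_USERS\S-1-5-18), a location only an administrator or SYSTEM can write to; `autorun_disabled_for(0x91)` reports the XP default, and `theme_active(parse_reg(FIND_BAT_OUTPUT))` returns False, which matches the classic look reported in Reply #17.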