Rotue Pop-ups computer slowdown



vanvelzor
2006-09-16, 17:24
Hello, I got problems that I don't understand. I have uncontrollable pop-up ads. They start up loading even before my home page loads. I installed Advanced Uninstaller Pro 2006 and after running a registry scan I have a program called Rotue that will appear to be removed but upon restart it's back. My Earthlink total access toolbar is also missing. I have a firewall running. I run PC-cillin 2000 also. Could someone please help? Here is my HJT. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 9:48:33 AM, on 9/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\Yuponv\Rzpyi.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\EarthLink TotalAccess\Accelerator\ElinkAcc.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: (no name) - ~00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - _{44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB002" /M "Stylus CX6400"
O4 - HKLM\..\Run: [Yeqqciuo] C:\Program Files\Yuponv\Rzpyi.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SpywareBot] "C:\Program Files\spywarebot\spywarebot.exe" -boot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: VNIStartup.lnk = C:\WINDOWS\system32\correc16.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZS
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\earthlinkim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .aam: C:\Program Files\Internet Explorer\PLUGINS\np32asw.dll
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/support/pops/mdldetect/VaioInfo.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132808757968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1219FAAA-F934-4758-BFA1-CD49A0ADF032}: NameServer = 207.69.188.187 207.69.188.186
O17 - HKLM\System\CS2\Services\Tcpip\..\{1219FAAA-F934-4758-BFA1-CD49A0ADF032}: NameServer = 207.69.188.187 207.69.188.186
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

vanvelzor
2006-09-16, 17:31
Here's the report:
Incident Status Location

Adware:Adware/Dyfuca Not disinfected C:\Program Files\Yuponv\Rzpyi.exe
Potentially unwanted tool:application/funweb Not disinfected c:\windows\downloaded program files\f3initialsetup1.0.0.8.inf
Adware:adware/pacimedia Not disinfected C:\Documents and Settings\Bud Vanvelzor\Desktop\Click to Find and Fix Errors.url
Adware:adware/gator Not disinfected c:\windows\GatorPdpPlugin.log
Adware:adware/dollarrevenue Not disinfected c:\windows\keyboard1.dat
Adware:adware/clocksync Not disinfected c:\program files\ClockSync
Adware:adware/dyfuca Not disinfected Windows Registry
Spyware:spyware/searchcentrix Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Search\
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Bud Vanvelzor\Application Data\Earthlink\6.0\vanvelzor@earthlink.net\Cookies\bud vanvelzor@2o7[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Bud Vanvelzor\Application Data\Earthlink\6.0\vanvelzor@earthlink.net\Cookies\bud vanvelzor@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Bud Vanvelzor\Application Data\Earthlink\6.0\vanvelzor@earthlink.net\Cookies\bud vanvelzor@ad.yieldmanager[2].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Bud Vanvelzor\Application Data\Earthlink\6.0\vanvelzor@earthlink.net\Cookies\bud vanvelzor@ads.addynamix[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Bud Vanvelzor\Application Data\Earthlink\6.0\vanvelzor@earthlink.net\Cookies\bud vanvelzor@as-us.falkag[1].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Bud Vanvelzor\Application Data\Earthlink\6.0\vanvelzor@earthlink.net\Cookies\bud vanvelzor@banners.searchingbooth[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Bud Vanvelzor\Application Data\Earthlink\6.0\vanvelzor@earthlink.net\Cookies\bud vanvelzor@burstnet[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Bud Vanvelzor\Application Data\Earthlink\6.0\vanvelzor@earthlink.net\Cookies\bud vanvelzor@c5.zedo[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Bud Vanvelzor\Application Data\Earthlink\6.0\vanvelzor@earthlink.net\Cookies\bud vanvelzor@errorsafe[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Bud Vanvelzor\Application Data\Earthlink\6.0\vanvelzor@earthlink.net\Cookies\bud vanvelzor@i.screensavers[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Bud Vanvelzor\Application Data\Earthlink\6.0\vanvelzor@earthlink.net\Cookies\bud vanvelzor@realmedia[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Bud Vanvelzor\Application Data\Earthlink\6.0\vanvelzor@earthlink.net\Cookies\bud vanvelzor@revenue[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Bud Vanvelzor\Application Data\Earthlink\6.0\vanvelzor@earthlink.net\Cookies\bud vanvelzor@stats1.reliablestats[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Bud Vanvelzor\Application Data\Earthlink\6.0\vanvelzor@earthlink.net\Cookies\bud vanvelzor@trafficmp[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Bud Vanvelzor\Application Data\Earthlink\6.0\vanvelzor@earthlink.net\Cookies\bud vanvelzor@www.errorsafe[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Bud Vanvelzor\Application Data\Earthlink\6.0\vanvelzor@earthlink.net\Cookies\bud vanvelzor@zedo[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Bud Vanvelzor\Application Data\Earthlink(2)\6(2).0\vanvelzor@earthlink(2).net\Cookies\bud vanvelzor@ehg-dig.hitbox[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Bud Vanvelzor\Application Data\Earthlink(2)\6(2).0\vanvelzor@earthlink(2).net\Cookies\bud vanvelzor@go[2].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\Bud Vanvelzor\Application Data\Earthlink(2)\6(2).0\vanvelzor@earthlink(2).net\Cookies\bud vanvelzor@linkexchange[2].txt
Spyware:Cookie/Buzztone Not disinfected C:\Documents and Settings\Bud Vanvelzor\Application Data\Earthlink(2)\6(2).0\vanvelzor@earthlink(2).net\Cookies\bud vanvelzor@www.buzztone[2].txt
Spyware:Cookie/web-stat Not disinfected C:\Documents and Settings\Bud Vanvelzor\Application Data\Earthlink(2)\6(2).0\vanvelzor@earthlink(2).net\Cookies\bud vanvelzor@www.web-stat[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@2o7[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@2o7[3].txt

vanvelzor
2006-09-16, 17:35
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@ad.yieldmanager[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@ad.yieldmanager[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@ad.yieldmanager[4].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@adrevolver[3].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@ads.addynamix[2].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@ads.addynamix[3].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@ads.pointroll[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@adultfriendfinder[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@apmebf[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@as-us.falkag[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@as-us.falkag[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@as-us.falkag[3].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@ath.belnk[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@atwola[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@atwola[2].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@banners.searchingbooth[1].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@banners.searchingbooth[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@belnk[2].txt

vanvelzor
2006-09-16, 17:39
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@bluestreak[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@burstnet[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@burstnet[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@burstnet[3].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@burstnet[5].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@c5.zedo[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@casalemedia[2].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@cdfreaks[2].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@club.cdfreaks[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@com[2].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@ct.360i[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@dist.belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@dist.belnk[3].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@drivecleaner[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@ehg-dig.hitbox[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@errorsafe[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@errorsafe[3].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@go[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@go[3].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@i.screensavers[2].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@linkexchange[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@www.burstbeacon[2].txt
Spyware:Cookie/Buzztone Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@www.buzztone[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@www.drivecleaner[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@www.errorsafe[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@www.errorsafe[2].txt
Spyware:Cookie/web-stat Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@www.web-stat[1].txt
Spyware:Cookie/Zedo

vanvelzor
2006-09-16, 17:40
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Bud Vanvelzor\Cookies\bud vanvelzor@zedo[3].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Bud Vanvelzor\Desktop\Application Data\Earthlink\6.0\vanvelzor@earthlink.net\Cookies\bud vanvelzor@com[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Bud Vanvelzor\Desktop\Application Data\Earthlink\6.0\vanvelzor@earthlink.net\Cookies\bud vanvelzor@ehg-dig.hitbox[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Bud Vanvelzor\Desktop\Application Data\Earthlink\6.0\vanvelzor@earthlink.net\Cookies\bud vanvelzor@go[2].txt
Spyware:Cookie/Buzztone Not disinfected C:\Documents and Settings\Bud Vanvelzor\Desktop\Application Data\Earthlink\6.0\vanvelzor@earthlink.net\Cookies\bud vanvelzor@www.buzztone[2].txt
Spyware:Cookie/web-stat Not disinfected C:\Documents and Settings\Bud Vanvelzor\Desktop\Application Data\Earthlink\6.0\vanvelzor@earthlink.net\Cookies\bud vanvelzor@www.web-stat[1].txt
Adware:Adware/DigInk Not disinfected C:\Documents and Settings\Bud Vanvelzor\Desktop\TagASaurus.exe
Adware:Adware/Sqwire Not disinfected C:\Documents and Settings\Bud Vanvelzor\Local Settings\Temp\GLF61GLF61.EXE
Adware:Adware/Sqwire Not disinfected C:\Documents and Settings\Bud Vanvelzor\Local Settings\Temp\GLF6CGLF6C.EXE

tashi
2006-09-16, 17:48
Hello

I merged your five topics, please see this sticky:
"BEFORE you POST" -Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)

Click 'Post Reply', not 'New Thread'.

Thank you. :)

tashi
2006-09-22, 23:13
Hi

If you have not resolved the problem, we have this sticky topic:

If you have waited four days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

LonnyRJones
2006-09-23, 09:24
Hi vanvelzor

Start HijackThis and place a check next to these items, if there.
R3 - URLSearchHook: (no name) - ~00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - _{44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)
O4 - HKLM\..\Run: [Yeqqciuo] C:\Program Files\Yuponv\Rzpyi.exe
O4 - HKLM\..\Run: [SpywareBot] "C:\Program Files\spywarebot\spywarebot.exe" -boot
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZS

====================================
Hit Fix checked and close HijackThis.
Restart the PC.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Manually delete these files/folders:
C:\Program Files\Yuponv
C:\Documents and Settings\Bud Vanvelzor\Desktop\Click to Find and Fix Errors.url
c:\windows\GatorPdpPlugin.log
c:\windows\keyboard1.dat
c:\program files\ClockSync

It appears you do not have a permanent antivirus installed; why is that?

Post a new HijackThis log.

What version of SpyBot is it you have?
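
The entries LonnyRJones picks out above (the orphaned URLSearchHook lines, the `Yeqqciuo` Run entry that launches `C:\Program Files\Yuponv\Rzpyi.exe`, the mywebsearch context-menu item) can also be found mechanically by joining the HijackThis log against the scanner report posted earlier in the thread. The Python script below is an added example written for this page; it is not part of the thread, of HijackThis or of Spybot. It runs over constructed excerpts of the two reports, and its four heuristics (an IE ProxyServer pointing at localhost, a hook whose target is `(no file)`, an autostart whose executable a scanner already detected, and a context-menu item whose MenuExt key a scanner flagged) are this example's own assumptions about what deserves a second look, not rules from either tool. The `http=localhost:8080` proxy value from the first log is included because a local listener that rewrites pages is one way adware injects ads; that entry is absent from the second log.

```python
"""Triage a HijackThis log by cross-referencing its autostart entries
against a second scanner's findings, plus a few structural checks.

Added example for this thread: the heuristics and the excerpts below
are assumptions of the example, not output or rules of HijackThis/Spybot."""
import re

# Constructed excerpt of the first HijackThis log posted in the thread.
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: (no name) - ~00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB002" /M "Stylus CX6400"
O4 - HKLM\..\Run: [Yeqqciuo] C:\Program Files\Yuponv\Rzpyi.exe
O4 - HKLM\..\Run: [SpywareBot] "C:\Program Files\spywarebot\spywarebot.exe" -boot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - Startup: VNIStartup.lnk = C:\WINDOWS\system32\correc16.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZS
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
"""

# Constructed excerpt of the online-scanner report posted in the thread
# (one finding per line: "<category>:<name> <status> <location>").
SCAN_RESULTS = r"""
Adware:Adware/Dyfuca Not disinfected C:\Program Files\Yuponv\Rzpyi.exe
Adware:adware/clocksync Not disinfected c:\program files\ClockSync
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Search\
"""

HJT_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
SCAN_LINE = re.compile(
    r"^(?P<cat>[^:]+):(?P<name>\S+) (?P<status>Not disinfected|Disinfected) (?P<loc>.+)$")
# First quoted string, or first drive-letter path up to a common executable extension
# (HJT prints unquoted paths containing spaces, so a plain \S+ would cut them short).
EXE_PATH = re.compile(r'"([^"]+)"|([A-Za-z]:\\.+?\.(?:exe|dll|lnk|scr|bat|cmd))', re.IGNORECASE)
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def parse_hjt(text):
    """Return (section code, body) for each HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def parse_scan(text):
    """Map each detected location (lower-cased, no trailing backslash) to its detection name."""
    detections = {}
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if m:
            detections[m.group("loc").lower().rstrip("\\")] = m.group("name")
    return detections


def extract_path(body):
    """Pull the launched file out of an O4 entry body, or None if there is no path."""
    m = EXE_PATH.search(body)
    return (m.group(1) or m.group(2)) if m else None


def triage(entries, detections):
    """Return (code, reason, entry body) for every entry that deserves a look."""
    findings = []
    for code, body in entries:
        if code in ("R0", "R1") and "ProxyServer" in body:
            # Value looks like "http=localhost:8080" or "localhost:8080".
            m = re.search(r"=\s*(?:\w+=)?([^:\s]+):(\d+)", body)
            if m and m.group(1).lower() in LOCAL_HOSTS:
                findings.append((code, f"IE traffic routed through a local proxy on port {m.group(2)}; "
                                       "adware that rewrites pages to inject ads commonly installs one", body))
        elif body.endswith("(no file)"):
            findings.append((code, "registry hook whose target file is missing; orphaned entry, safe to fix", body))
        elif code == "O4":
            path = extract_path(body)
            if path and path.lower() in detections:
                findings.append((code, f"autostart launches a file the scanner detected as {detections[path.lower()]}", body))
        elif code == "O8":
            # "Extra context menu item: <name> - <target>"; the scanner reports these by MenuExt\<name> key.
            name = body.split("item: ", 1)[1].split(" - ", 1)[0]
            suffix = "\\menuext\\" + name.lower()
            for loc, det in detections.items():
                if loc.endswith(suffix):
                    findings.append((code, f"context-menu key flagged by the scanner as {det}", body))
    return findings


def run_triage():
    """Triage the constructed excerpts; returns the list of findings."""
    return triage(parse_hjt(HJT_LOG), parse_scan(SCAN_RESULTS))


if __name__ == "__main__":
    for code, reason, body in run_triage():
        print(f"{code}  {reason}\n    {body}")
```

The constructed excerpts make the script self-contained; on a real case, replace `HJT_LOG` and `SCAN_RESULTS` with the full reports. It is deliberately conservative: the `VNIStartup.lnk` entry is not flagged because nothing on this page identifies `correc16.exe`, and a name-based "looks random" heuristic was left out because it would also catch legitimate entries such as `E_S4I2L1.EXE`.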

vanvelzor
2006-09-24, 16:52
Thanks for the reply. I have PC-cillin 2000 installed. Isn't it operating properly? Also, the version of SpyBot is 1.99.1.

Logfile of HijackThis v1.99.1
Scan saved at 9:24:07 AM, on 9/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB002" /M "Stylus CX6400"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: VNIStartup.lnk = C:\WINDOWS\system32\correc16.exe
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
O9 - Extra button: Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\earthlinkim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .aam: C:\Program Files\Internet Explorer\PLUGINS\np32asw.dll
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/support/pops/mdldetect/VaioInfo.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132808757968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

LonnyRJones
2006-09-24, 21:10
There is no sign of PC-cillin in your logs; perhaps you should reinstall it.

Or, since you mention the 2000 version, why not uninstall it and get the most recent? There are free alternatives; interested?

I asked what version of SpyBot you have, not HijackThis; please check: run SpyBot, then go to Help, About; the version information is there.

C:\Program Files\spywarebot < delete that folder
Not spybots folder which is C:\Program Files\Spybot - Search & Destroy

vanvelzor
2006-09-25, 00:27
There has to be something wrong with PC-cillin. I am interested in another program. What do you suggest? I don't have a folder spywarebot, only Spybot Search & Destroy version 1.4. I once had SpywareBot installed, but the folder is gone. My recycle bin is empty.

LonnyRJones
2006-09-25, 03:30
If you go with another program, uninstall PC-cillin first.
AVG has my vote, but the others are often recommended too; the choice is yours.

vanvelzor
2006-09-25, 04:43
I'll look into that software. In the meantime, what do I do about this problem with all these pop-ups, and this program that keeps reloading itself no matter how many times you remove it? How do I get this PC back to operating properly?

LonnyRJones
2006-09-25, 04:52
Explain a bit further.
What keeps reloading itself? And what keeps removing it?
If it's SpyBot, post a results report after fixing once.
Post a SpyBot results report.
Run SpyBot, check for problems; when it's finished, right-click and choose copy results (not full report) to clipboard and paste that back here please.

Anyway, AVG will most likely help.

vanvelzor
2006-09-25, 06:19
Rotue: Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Rotue

ErrorSafe: Tracking cookie (Internet Explorer: Bud Vanvelzor) (Cookie, nothing done)

Winsoftware.WinAntiVirusPro2006: Tracking cookie (Internet Explorer: Bud Vanvelzor) (Cookie, nothing done)

Winsoftware.WinAntiVirusPro2006: Tracking cookie (Internet Explorer: Bud Vanvelzor) (Cookie, nothing done)

Winsoftware.WinAntiVirusPro2006: Tracking cookie (Internet Explorer: Bud Vanvelzor) (Cookie, nothing done)

ErrorSafe: Tracking cookie (Internet Explorer: Bud Vanvelzor) (Cookie, nothing done)

CasaleMedia: Tracking cookie (Internet Explorer: Bud Vanvelzor) (Cookie, nothing done)

ErrorSafe: Tracking cookie (Internet Explorer: Bud Vanvelzor) (Cookie, nothing done)

Cassava: Tracking cookie (Internet Explorer: Bud Vanvelzor) (Cookie, nothing done)

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-09-09 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-09-08 Includes\Cookies.sbi (*)
2006-09-08 Includes\Dialer.sbi (*)
2006-09-08 Includes\Hijackers.sbi (*)
2006-09-08 Includes\Keyloggers.sbi (*)
2006-09-08 Includes\Malware.sbi (*)
2006-09-08 Includes\PUPS.sbi (*)
2006-09-08 Includes\Revision.sbi (*)
2006-09-08 Includes\Security.sbi (*)
2006-09-08 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-09-08 Includes\Trojans.sbi (*)

Rotue is always in my registry. I have Advanced Uninstaller Pro 2006 installed. When I remove it as an invalid install, it's there to be removed again when I reboot. The pop-ups are a real big problem. They start loading even before my home page loads.

LonnyRJones
2006-09-25, 07:58
Thanks

Is that C:\Program Files\Yuponv folder still in your recycle bin?
If so, I'd like a copy of the files inside.

Post a combofix log
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
If the log is large you might need to post half in one reply, half in another.

vanvelzor
2006-09-26, 03:01
Lonny, Yuponv was removed from recycle bin along with everything else, sorry. Here is the combofix log. Thanks.

vanvelzor
2006-09-26, 03:03
Lonny, Yuponv was removed from recycle bin along with everything else, sorry. Here is the combofix log. Thanks.

ud Vanvelzor - 06-09-25 19:47:32.01 Service Pack 2
ComboFix 06.09.25 - Running from: "C:\Hijackthis"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\Duce6.exe
C:\WINDOWS\uninst104.exe
C:\WINDOWS\uni_ehhhh.exe


((((((((((((((((((((((((((((((( Files Created from 2006-08-25 to 2006-09-25 ))))))))))))))))))))))))))))))))))


2006-09-06 22:27 78,488 --a------ C:\WINDOWS\system32\XMD5.dll
2006-09-03 21:51 0 --a------ C:\WINDOWS\system32\ondsregn.exe
2006-09-03 21:33 930 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-09-03 21:09 23,552 --a------ C:\WINDOWS\sys020529667952006.exe
2006-09-03 21:08 215,308 --a------ C:\WINDOWS\srvoluyfdp.exe
2006-09-03 21:08 0 --a------ C:\WINDOWS\srvvyqqixa.exe
2006-09-03 21:04 103,909 --a------ C:\WINDOWS\v1201.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-25 19:19 -------- d-------- C:\Program Files\EarthLink TotalAccess
2006-09-16 00:26 -------- d-------- C:\Program Files\Windows Defender
2006-09-16 00:26 -------- d-------- C:\Program Files\Internet Explorer
2006-09-10 15:48 -------- d-------- C:\Program Files\InterActual
2006-09-09 19:31 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-09 18:26 -------- d-------- C:\Documents and Settings\Bud Vanvelzor\Application Data\Lavasoft
2006-09-08 23:59 -------- d-------- C:\Program Files\EarthLink
2006-09-06 17:50 -------- d-------- C:\Program Files\Microsoft Windows OneCare Live
2006-09-06 17:50 -------- d-------- C:\Program Files\Common Files\EarthLink
2006-09-04 19:17 -------- d-------- C:\Documents and Settings\Bud Vanvelzor\Application Data\ScamBlocker
2006-09-04 14:29 -------- d-------- C:\Program Files\Messenger
2006-09-04 10:48 220 --a------ C:\WINDOWS\qrt2.reg
2006-09-03 21:50 -------- d-------- C:\Program Files\Common Files\iuum
2006-09-03 21:26 -------- d-------- C:\Program Files\Common Files
2006-08-27 16:09 -------- d-------- C:\Program Files\directx
2006-08-26 09:03 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-25 21:43 -------- d-------- C:\Program Files\123 Free Puzzle
2006-08-25 18:24 -------- d-------- C:\Program Files\Corel
2006-08-21 14:18 -------- d-------- C:\Program Files\Windows Media Player
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 05:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-20 14:04 -------- d-------- C:\Program Files\Sony
2006-08-20 12:22 -------- d-------- C:\Program Files\Common Files\Sony Shared
2006-08-19 23:53 -------- d-------- C:\Program Files\Innovative Solutions
2006-08-19 02:43 -------- d-------- C:\Program Files\Network Associates
2006-08-19 02:43 -------- d-------- C:\Program Files\CyberMedia
2006-08-18 18:56 -------- d-------- C:\Program Files\FunWebProducts(3)
2006-08-18 18:56 -------- d-------- C:\Program Files\FunWebProducts(2)
2006-07-27 09:24 679424 --------- C:\WINDOWS\system32\inetcomm.dll
2006-07-21 04:24 72704 --------- C:\WINDOWS\system32\hlink.dll
2006-07-14 11:31 332288 --a------ C:\WINDOWS\system32\netapi32(3)(2).dll
2006-06-26 13:37 148480 --a------ C:\WINDOWS\system32\dnsapi(3)(2).dll
2006-06-07 13:55 3753 --a------ C:\Program Files\Common Files\zyte.html


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"=""
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"E6TaskPanel"="\"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe\" -winstart"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX6400"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2L1.EXE /P19 \"EPSON Stylus CX6400\" /O6 \"USB002\" /M \"Stylus CX6400\""
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg"
"PCLEPCI"="C:\\PROGRA~1\\Pinnacle\\PPE\\ppe.exe"
"UserFaultCheck"="%systemroot%\\system32\\dumprep 0 -u"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000002

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://www.iceshanty.com/iceshanty/icefishing_pics/IM000279.JPG"
"SubscribedURL"="About:Home"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,58,02,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,58,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,58,02,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Common Files\\zyte.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="C:\\Program Files\\Internet Explorer\\worygo.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ec,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\3]
"Source"="http://downloads.indya.com/wallpaper/images/june_1024.jpg"
"SubscribedURL"="http://www.iceshanty.com/iceshanty/icefishing_pics/IM000279.JPG"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,90,01,00,00,2f,00,00,00,a8,00,00,00,a8,00,00,00,ee,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,90,01,00,00,2f,00,00,00,a8,00,00,00,a8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:dc,ff,44,05,86,bb,e9,77,b0,8d,e8,77,ff,ff,ff,ff,83,9a,\
e7,77,28,80,d1,07

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\4]
"Source"="About:Home"
"SubscribedURL"=""
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,77,01,00,00,01,00,00,00,89,02,00,00,cc,02,00,00,f0,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,77,01,00,00,01,00,00,00,89,02,00,00,cc,02,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"Tmntsrv"=dword:00000002
"SPTISRV"=dword:00000003
"EPSONStatusAgent2"=dword:00000002
"Creative Service for CDROM Access"=dword:00000002
"ATI Smart"=dword:00000002
"Ati HotKey Poller"=dword:00000002


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\System Restore.job

Completion time: Mon 09/25/2006 19:48:43.76
ComboFix.txt
ComboFix2.txt
ComboFix3.txt

LonnyRJones
2006-09-26, 03:27
Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


REGEDIT4
;
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Rotue]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
;

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.
Restart your PC.

To be on the safe side, go here and scan each of these files:
http://www.virustotal.com/flash/index_en.html
C:\WINDOWS\system32\XMD5.dll
C:\WINDOWS\system32\ondsregn.exe
C:\WINDOWS\system32\winpfg32.sys
If found to be bad, delete them.
Which did you delete?

Delete these also
C:\WINDOWS\sys020529667952006.exe
C:\WINDOWS\srvoluyfdp.exe
C:\WINDOWS\srvvyqqixa.exe
C:\WINDOWS\v1201.exe
C:\Program Files\Common Files\zyte.html
C:\Program Files\Internet Explorer\worygo.html
C:\Program Files\Common Files\iuum < delete folder


Optional: uninstall any FunWebProducts from Add/Remove Programs, then delete its folder in Program Files.

Run SpyBot, be sure to update this time (updates come out Friday of each week),
check for problems and let us know if Rotue still shows.
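A read-only PowerShell check, added here as an example and not part of the thread, that confirms after the steps above that the Rotue uninstall key, any Active Desktop component pointing at a local .html file (the mechanism behind Components\1 and \2 in the ComboFix log), and the files listed for deletion are gone. The paths are the ones from the ComboFix log; the function names are this example's own.

```powershell
# Added example, not from the thread: verify the fix, report only, delete nothing.
$componentsKey = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components'
$rotueKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Rotue'
# Paths taken from the ComboFix log and the delete list above.
$droppedFiles  = @(
    'C:\WINDOWS\sys020529667952006.exe',
    'C:\WINDOWS\srvoluyfdp.exe',
    'C:\WINDOWS\srvvyqqixa.exe',
    'C:\WINDOWS\v1201.exe',
    'C:\Program Files\Common Files\zyte.html',
    'C:\Program Files\Internet Explorer\worygo.html',
    'C:\Program Files\Common Files\iuum'
)

function Get-LocalDesktopComponents {
    # An Active Desktop component whose Source is a local file (not http/https
    # or about:) is what displayed the ads here; list every such component.
    Get-ChildItem -Path $componentsKey -ErrorAction SilentlyContinue |
        ForEach-Object {
            $src = (Get-ItemProperty -Path $_.PSPath).Source
            if ($src -and $src -notmatch '^(https?:|about:)') {
                [pscustomobject]@{ Component = $_.PSChildName; Source = $src }
            }
        }
}

function Test-Cleanup {
    # Returns one line per leftover; an empty result means the fix list is clear.
    $findings = @()
    if (Test-Path -Path $rotueKey) {
        $findings += "Registry key still present: $rotueKey"
    }
    foreach ($c in Get-LocalDesktopComponents) {
        $findings += "Desktop component $($c.Component) still points at local file $($c.Source)"
    }
    foreach ($f in $droppedFiles) {
        if (Test-Path -LiteralPath $f) { $findings += "File or folder still present: $f" }
    }
    return $findings
}

$result = Test-Cleanup
if ($result.Count -eq 0) { 'Clean: nothing from the fix list remains.' } else { $result }
```

Run it from an elevated PowerShell prompt after the reboot; anything it lists is something the .reg merge or the manual deletion did not remove.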

vanvelzor
2006-09-26, 04:20
Lonny, when I try to right-click the desktop, to bring up the box to show icons, nothing happens!!!! I don't know if this is part of the same problem or something else. I haven't had my icons on my desktop for some time now. Can I work around this somehow or does fixme.reg absolutely have to be on the desktop? Thanks.

LonnyRJones
2006-09-26, 05:38
Icons?
You can right-click > New > Text Document,
or Start > Programs > Accessories > Notepad,
then copy and paste from my previous post.
Where you save it isn't important.

vanvelzor
2006-09-28, 01:23
Lonny, did everything you advised, no viruses in windows\32, deleted the other files, deleted 2 folders of FunWebProducts, updated SpyBot and ran. NO ROTUE, popups, computer running great. Thanks, you have been a great help, and I really appreciated all the time and patience you had with me. I will send a donation this weekend. Thanks again.

LonnyRJones
2006-09-28, 02:30
Great

Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month.

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

tashi
2006-10-03, 01:15
vanvelzor, as the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Cheers. :)