Frustrating "-ware" on my computer

T

ThirtyCigarettes

New member
So, I've been trying to fix thi for quite some time, and it just doesn't seem to work.

Here's my hijack this results:
Logfile of HijackThis v1.99.1
Scan saved at 3:39:53 AM, on 9/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\bmFtZQ\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Chris\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\bmFtZQ\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe




Also, when I go to click on a system application like my computer or the recycle bin or my documents, the screen blanks out like on Windows 98 if you were to close explorer by CTRL ALT DEL. The toolbar and icons dissappear for a second and them come back.

Also, somebody else who uses the computer accused me of deleting his music, and I didn't, I think something may of done that as well.
 
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\{ACBD6678-05FC-1033-0801-030208060001}\Update.exe
C:\PROGRA~1\COMMON~1\STEM~1\csrss.exe
C:\Program Files\s?curity\w?wexec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Chris\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {A1EC8164-3D81-4A75-F7A9-621341DE6DB4} - C:\WINDOWS\system32\alorw.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Etcb] "C:\PROGRA~1\COMMON~1\STEM~1\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [Aqdkgx] C:\Program Files\s?curity\w?wexec.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe


This isn't my computer, it's my roomates, and I'm just trying to get it to run smoother. I don't think he has any form of anti-virus though.
 
Post a combofix log
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
If the log is large You might need to post half in one reply half in another.
 
Chris - 06-09-24 14:36:53.87 Service Pack 2
ComboFix 06.09.23.2 - Running from: "C:\Documents and Settings\Chris\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{1DA1D717-DFD9-4B2D-BCDE-B00563BE091E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1DA1D717-DFD9-4B2D-BCDE-B00563BE091E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1DA1D717-DFD9-4B2D-BCDE-B00563BE091E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F8A802A5-7E2C-4519-AF57-20E4EFF55028}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F8A802A5-7E2C-4519-AF57-20E4EFF55028}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F8A802A5-7E2C-4519-AF57-20E4EFF55028}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{19032D1D-AE30-46FC-B7C3-3A0FD24739D1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{19032D1D-AE30-46FC-B7C3-3A0FD24739D1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{19032D1D-AE30-46FC-B7C3-3A0FD24739D1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{19032D1D-AE30-46FC-B7C3-3A0FD24739D1}\InprocServer32]
@="C:\\WINDOWS\\system32\\lo32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{68A1BE7A-95CD-49FA-B009-5CE19F45E0E8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{68A1BE7A-95CD-49FA-B009-5CE19F45E0E8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{68A1BE7A-95CD-49FA-B009-5CE19F45E0E8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{68A1BE7A-95CD-49FA-B009-5CE19F45E0E8}\InprocServer32]
@="C:\\WINDOWS\\system32\\kwdcan.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{9735FA46-1E91-49B6-9284-CAE02D1E06C4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9735FA46-1E91-49B6-9284-CAE02D1E06C4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9735FA46-1E91-49B6-9284-CAE02D1E06C4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9735FA46-1E91-49B6-9284-CAE02D1E06C4}\InprocServer32]
@="C:\\WINDOWS\\system32\\dPtaclen.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\system32\agmpvcno.dll
C:\WINDOWS\system32\cbmctl32.dll
C:\WINDOWS\system32\cmadmin.dll
C:\WINDOWS\system32\d80mlid1180.dll
C:\WINDOWS\system32\dinwsock.dll
C:\WINDOWS\system32\djsshlex.dll
C:\WINDOWS\system32\dPtaclen.dll
C:\WINDOWS\system32\fiifs.dll
C:\WINDOWS\system32\fp2003fme.dll
C:\WINDOWS\system32\fvclient.dll
C:\WINDOWS\system32\gp8ul3l91.dll
C:\WINDOWS\system32\hr4805hue.dll
C:\WINDOWS\system32\hrp6057se.dll
C:\WINDOWS\system32\i4600ejmehoa0.dll
C:\WINDOWS\system32\imsetup.dll
C:\WINDOWS\system32\iqmon.dll
C:\WINDOWS\system32\irp0l57m1.dll
C:\WINDOWS\system32\jcpl400.dll
C:\WINDOWS\system32\k226lcfs1f26.dll
C:\WINDOWS\system32\kwdcan.dll
C:\WINDOWS\system32\l2r00c9mef.dll
C:\WINDOWS\system32\l6n40g5qe6.dll
C:\WINDOWS\system32\LGFIL11N.DLL
C:\WINDOWS\system32\LLFAX11N.DLL
C:\WINDOWS\system32\lv0o09d3e.dll
C:\WINDOWS\system32\Lzpng11n.dll
C:\WINDOWS\system32\m2ls0c37ef.dll
C:\WINDOWS\system32\mctlsapi.dll
C:\WINDOWS\system32\mfexcl40.dll
C:\WINDOWS\system32\mhcndmgr.dll
C:\WINDOWS\system32\mjiole32.dll
C:\WINDOWS\system32\mlpmsp.dll
C:\WINDOWS\system32\mprtdep.dll
C:\WINDOWS\system32\msrmsg.dll
C:\WINDOWS\system32\mvsap.dll
C:\WINDOWS\system32\mxports.dll
C:\WINDOWS\system32\mydex.dll
C:\WINDOWS\system32\p84ulih9184.dll
C:\WINDOWS\system32\pvdgen.dll
C:\WINDOWS\system32\pxcrt.dll
C:\WINDOWS\system32\q686lgls16q6.dll
C:\WINDOWS\system32\qtap.dll
C:\WINDOWS\system32\sfell32.dll
C:\WINDOWS\system32\ulerenv.dll
C:\WINDOWS\system32\unnpui.dll
C:\WINDOWS\system32\uspnpmgr.dll
C:\WINDOWS\system32\wchcon.dll
C:\WINDOWS\system32\wdhext.dll


Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Chris\Application Data\Install.dat
C:\WINDOWS\system32\cemetrix.dll
C:\WINDOWS\system32\cv3wanv28.exe
C:\WINDOWS\pf78.exe
C:\WINDOWS\uni_eh.exe
C:\WINDOWS\unin101.exe
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Common Files\download
C:\Program Files\Inetget2
C:\Program Files\Common Files\{ACBD6678-05FC-1033-0801-030208060001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\SCURIT~1
C:\QooBox\Purity\Program Files\Common Files\STEM~1
C:\QooBox\Purity\Program Files\Common Files\STEM~1\csrss.exe
C:\QooBox\Purity\Program Files\Common Files\STEM~1\??stem
C:\QooBox\Purity\Program Files\SCURIT~1\w?wexec.exe
C:\Program Files\Inetget2
C:\Program Files\Common Files\{ACBD6678-05FC-1033-0801-030208060001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\SCURIT~1
C:\QooBox\Purity\Program Files\Common Files\STEM~1
C:\QooBox\Purity\Program Files\Common Files\STEM~1\csrss.exe
C:\QooBox\Purity\Program Files\Common Files\STEM~1\??stem
C:\QooBox\Purity\Program Files\SCURIT~1\w?wexec.exe


((((((((((((((((((((((((((((((( Files Created from 2006-08-24 to 2006-09-24 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-24 14:36 -------- d-------- C:\Program Files\a-squared
2006-09-24 14:34 -------- d-------- C:\Program Files\Common Files
2006-09-24 14:27 -------- d-------- C:\Program Files\PrintView
2006-09-24 14:02 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-24 02:31 -------- d-------- C:\Program Files\Ares
2006-09-23 05:09 93633 --ahs---- C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
2006-09-23 01:01 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-09-23 00:51 -------- d-------- C:\Program Files\RegVac
2006-09-22 06:52 -------- d-------- C:\Program Files\Common Files\ouzz
2006-09-03 20:58 -------- d-------- C:\Program Files\Guitar Pro 5
2006-08-16 16:08 153600 ---hs---- C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
2006-08-11 16:44 -------- d-------- C:\Program Files\Google
 
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdateNT"=""
"a-squared"="\"C:\\Program Files\\a-squared\\a2guard.exe\""
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Etcb"="\"C:\\PROGRA~1\\COMMON~1\\STEM~1\\csrss.exe\" -vt yazb"
"Aqdkgx"="C:\\Program Files\\s?curity\\w?wexec.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PVModule"="C:\\PROGRA~1\\PRINTV~1\\pvmodule.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonceex]
@=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,96,00,00,00,00,00,00,00,6a,04,00,00,e4,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,96,00,00,00,00,00,00,00,6a,04,00,00,e4,03,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
"location"="Common Startup"
"command"="C:\\PROGRA~1\\ATITEC~1\\ATI.ACE\\CLI.exe SystemTray"
"item"="ATI CATALYST System Tray"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AlcxMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCXMNTR"
"hkey"="HKLM"
"command"="ALCXMNTR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ATI Launchpad]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="launchpd"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\ATI Multimedia\\main\\launchpd.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ATICCC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cli"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ATIPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DeadAIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DeadAIM"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\Program Files\\AIM\\\\DeadAIM.ocm\",ExportedCheckODLs"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\filit]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="foobar"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Media Gateway]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MediaGateway"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Microsoft Windows DLL Services Configuration]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="windir32"
"hkey"="HKLM"
"command"="windir32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\S3TRAY2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="S3tray2"
"hkey"="HKLM"
"command"="S3tray2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\services32]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mc-110-12-0000080"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjh

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: Sun 09/24/2006 14:41:25.87
ComboFix.txt
ComboFix2.txt
ComboFix3.txt
 
Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.
Code: 
REGEDIT4
;
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Media Gateway]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Microsoft Windows DLL Services Configuration]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\services32]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjh]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdateNT"=-
"Etcb"=-
"Aqdkgx"=-
;
Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.
Restart your PC.

Delete these files and folder
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\ouzz
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\WINDOWS\system32\alorw.dll

Install update and do a full scan with atleast a free antivirus program,
Never install more that one, several are mentioned here
http://forums.spybot.info/showthread.php?t=279

Afterwards post back with a new hijackthis log
 
Installed and ran a scan through AVG.

Logfile of HijackThis v1.99.1
Scan saved at 4:36:53 PM, on 9/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Documents and Settings\Chris\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {A1EC8164-3D81-4A75-F7A9-621341DE6DB4} - C:\WINDOWS\system32\alorw.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
 
Start Hijackthis and place a check next to these items If there.
R3 - URLSearchHook: (no name) - {A1EC8164-3D81-4A75-F7A9-621341DE6DB4} - C:\WINDOWS\system32\alorw.dll (file missing)
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
go here and submit each of the files in this folder, let us know whats found if anything
C:\PROGRAM FILES\PRINTVIEW
http://www.virustotal.com/flash/index_en.html


Arere there any current problems ?
 
Alright most of the problems cleared up, the only thing I seem to be getting is an occasional popup advertising Windows antivirus 2006.


That scan found nothing, and heres my hijackthis log now.

Logfile of HijackThis v1.99.1
Scan saved at 9:16:12 PM, on 9/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Chris\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
 
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
 
Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 10:10:25 AM, on 9/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Chris\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\rptrukjx.dll (file missing)
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL (file missing)
O2 - BHO: (no name) - {F2D75417-C6E3-455D-A174-DB8D11E375AF} - C:\WINDOWS\system32\mljjh.dll (file missing)
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe




Vundofix:

VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.4

Scan started at 2:44:16 AM 9/25/2006

Listing files found while scanning....

C:\WINDOWS\system32\jkkijkk.dll
C:\WINDOWS\system32\mljjh.dll
C:\WINDOWS\system32\hjjlm.ini
C:\WINDOWS\system32\hjjlm.bak1
C:\WINDOWS\system32\hjjlm.bak2

Beginning removal...

VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.4

Scan started at 10:00:09 AM 9/28/2006

Listing files found while scanning....

C:\WINDOWS\system32\jkkijkk.dll
C:\WINDOWS\system32\mljjh.dll
C:\WINDOWS\system32\hjjlm.ini
C:\WINDOWS\system32\hjjlm.bak1
C:\WINDOWS\system32\hjjlm.bak2
C:\WINDOWS\system32\hjjlm.ini2
C:\WINDOWS\system32\hjjlm.tmp
C:\WINDOWS\system32\rptrukjx.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkkijkk.dll
C:\WINDOWS\system32\jkkijkk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljjh.dll
C:\WINDOWS\system32\mljjh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjjlm.ini
C:\WINDOWS\system32\hjjlm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjjlm.bak1
C:\WINDOWS\system32\hjjlm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjjlm.bak2
C:\WINDOWS\system32\hjjlm.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjjlm.ini2
C:\WINDOWS\system32\hjjlm.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjjlm.tmp
C:\WINDOWS\system32\hjjlm.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\rptrukjx.dll
C:\WINDOWS\system32\rptrukjx.dll Has been deleted!

Performing Repairs to the registry.
Done!
 
Start Hijackthis and place a check next to these items If there.
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\rptrukjx.dll (file missing)
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL (file missing)
O2 - BHO: (no name) - {F2D75417-C6E3-455D-A174-DB8D11E375AF} - C:\WINDOWS\system32\mljjh.dll (file missing)
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll

====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Manualy delete these folders
C:\Program Files\PRINTVIEW
C:\WINDOWS\bmFtZQ
C:\Program Files\VSToolbar

Post a fresh hijackthis log please, be sure to mention any current problems.

Post a report from this tool if any FILES show
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Click the i accept button near the bottom of that page.
Download and run blacklite click > scan then > next, next again then exit
there will be a new txt near blacklite. post it please.
Important: If any files show Do not rename them YET.....legitimate files can be listed.
 
Logfile of HijackThis v1.99.1
Scan saved at 2:00:50 PM, on 9/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Chris\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe


All seems to be well on the computer. No popups or anything.


Thank you for all the help.
 
As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Glad we could help.
 
You must log in or register to reply here.
Back
Top