
Several popups and task manager doesn't work

Discussion in 'Virus & Other Malware Removal' started by hanzzz, Mar 28, 2008.

Thread Status:
Not open for further replies.
  1. hanzzz

    hanzzz Thread Starter

    Joined:
    Mar 28, 2008
    Messages:
    11
    Hi,

    My computer has had several popups for the last few days directing me to sites which I'm pretty sure contain malware. Also, when I try to open Task Manager, a dialog box opens up which says "Task Manager has been disabled by your administrator", even though I am the admin for the computer.

    The desktop background has also changed by itself with a link on it which directs me to a website. It has a head that says "Warning: Spyware has been detected on your computer!"

    Any help would be appreciated.

    Here is the HijackThis! Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:48:01 AM, on 3/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\sbwltbxa.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CbEvtSvc.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\3B Software\Registry Repair Pro\RegistryRepairPro.exe
    C:\Program Files\3B Software\Common\Scheduler\wcomschd.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,C:\WINDOWS\system32\sbwltbxa.exe,
    O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
    O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
    O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
    O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
    O2 - BHO: (no name) - {4f866392-1dd2-11b2-b909-cfe421531c96} - C:\WINDOWS\wpibybuz.dll
    O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
    O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
    O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
    O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
    O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
    O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
    O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
    O2 - BHO: Zango /fleok=1D8A83A5C5ED187A9AAA682A1FBB39BFE4976E26CAEDA120180A196D6093 - {E1BACF55-35E1-4E47-9247-2D48660E5545} - C:\Program Files\Zango\bin\10.1.181.0\HostIE.dll (file missing)
    O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
    O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
    O2 - BHO: Her - {FFFFFFFF-F538-4f86-ABAF-E9D94D5C007C} - C:\WINDOWS\system32\marwin32.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Zango - {E1BACF55-35E1-4E47-9247-2D48660E5545} - C:\Program Files\Zango\bin\10.1.181.0\HostIE.dll (file missing)
    O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [HotbarOE] C:\Program Files\Hotbar\bin\10.0.412.0\OEAddOn.exe
    O4 - HKLM\..\Run: [HotbarSA] "C:\Program Files\Hotbar\bin\10.0.412.0\HotbarSA.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\bboxall\Local Settings\Temporary Internet Files\Content.IE5\ET91FS9T\install_sbd_en[1].exe
    O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\AntiSpywareSuite\bm.exe" dm=http://antispywaresuite.com ad=http://antispywaresuite.com sd=http://ykeeper.antispywaresuite.com
    O4 - HKLM\..\Run: [hwdilwbq] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\hwdilwbq.dll"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
    O4 - HKLM\..\Policies\Explorer\Run: [BKRVE9lx1m] C:\WINDOWS\qxsluzer.exe
    O4 - Startup: Registry Repair Pro.lnk = C:\Program Files\3B Software\Registry Repair Pro\RegistryRepairPro.exe
    O4 - Startup: Scheduler.lnk = C:\Program Files\3B Software\Common\Scheduler\wcomschd.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: CbEvtSvc - Unknown owner - C:\WINDOWS\System32\CbEvtSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: CcEvtSvc - Unknown owner - C:\WINDOWS\System32\CcEvtSvc.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Desktop Manager 5.1.709.19590 (GoogleDesktopManager-091907-194040) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 10567 bytes
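The log above is what the helper worked from. As an added example (not part of this thread, HijackThis or OTScanIt), here is a small Python checker that flags the same kinds of entries OldTimer later targets in his fix: extra executables chained onto UserInit, an autorun under Policies\Explorer\Run, autoruns launched from the browser cache or via regsvr32 from Application Data, nameless BHOs that still load a DLL, and unknown-owner services in System32. The sample lines are copied from the log above; the rule wording and the `Finding` type are my own.

```python
"""Flag suspicious persistence entries in a HijackThis log.

Added example for this thread; it is not part of HijackThis, OTScanIt or the
helper's posts.  The rules encode what the helper went after in his fix:
extra executables chained onto UserInit, an autorun under Policies\\Explorer\\Run,
autoruns launched from the browser cache or via regsvr32 from Application Data,
nameless BHOs that still load a DLL, and unknown-owner services in System32.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,C:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4f866392-1dd2-11b2-b909-cfe421531c96} - C:\WINDOWS\wpibybuz.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\bboxall\Local Settings\Temporary Internet Files\Content.IE5\ET91FS9T\install_sbd_en[1].exe
O4 - HKLM\..\Run: [hwdilwbq] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\hwdilwbq.dll"
O4 - HKLM\..\Policies\Explorer\Run: [BKRVE9lx1m] C:\WINDOWS\qxsluzer.exe
O23 - Service: CbEvtSvc - Unknown owner - C:\WINDOWS\System32\CbEvtSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Line shapes as HijackThis 2.0.2 prints them (sections F2, O2, O4, O23).
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code: F2, O2, O4 or O23
    reason: str
    line: str


def check_userinit(value: str) -> List[str]:
    """Return every UserInit entry that is not userinit.exe itself.

    Winlogon runs each comma-separated entry at every logon, so any extra
    path here is a persistence mechanism (the log above chains two of them)."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith(r"\userinit.exe")]


def check_line(line: str) -> Optional[Finding]:
    """Apply the rules to one log line; None means nothing suspicious."""
    line = line.strip()
    m = USERINIT_RE.match(line)
    if m:
        extra = check_userinit(m.group("value"))
        if extra:
            return Finding("F2", "extra UserInit executables: " + ", ".join(extra), line)
        return None
    m = O4_RE.match(line)
    if m:
        hive, cmd = m.group("hive").lower(), m.group("cmd").lower()
        if "policies\\explorer\\run" in hive:
            return Finding("O4", "autorun under Policies\\Explorer\\Run", line)
        if "temporary internet files" in cmd:
            return Finding("O4", "autorun launched from the browser cache", line)
        if cmd.startswith("regsvr32") and "application data" in cmd:
            return Finding("O4", "regsvr32 autorun of a DLL in Application Data", line)
        return None
    m = O2_RE.match(line)
    if m and m.group("name") == "(no name)" and m.group("path") != "(no file)":
        return Finding("O2", "nameless BHO that still loads a file", line)
    m = O23_RE.match(line)
    if m and m.group("owner") == "Unknown owner" and "\\system32\\" in m.group("path").lower():
        return Finding("O23", "service with no vendor running from System32", line)
    return None


def scan_log(text: str) -> List[Finding]:
    """Run check_line over a whole HijackThis log and keep the hits, in log order."""
    return [f for f in (check_line(ln) for ln in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.reason}\n    {finding.line}")
```

Orphaned BHOs that show "(no file)" are left alone here; they are clutter rather than a running component, which is why the fix treats them separately.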
     
  2. OldTimer

    OldTimer Malware Specialist

    Joined:
    Mar 28, 2008
    Messages:
    237
    Hello hanzzz and welcome to the TSG Malware Removal forum. Let's see what we can find.

    Before running a new scan let's clean out the temporary folders.

    Download ATF Cleaner to your Desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Click Select All found at the bottom of the list.
    • Click the Empty Selected button.
    If you use Firefox browser, do this also:
    • Click Firefox at the top and choose Select All from the list.
    • Click the Empty Selected button.
    • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser, do this also:
    • Click Opera at the top and choose Select All from the list.
    • Close ALL Internet browsers (very important).
    • Click the Empty Selected button.
    • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.

    Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

    Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

    • Close ALL OTHER PROGRAMS.
    • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
    • In the Drivers section click on Non-Microsoft.
    • Under Additional Scans click the checkboxes in front of the following items to select them:
      • Reg - BotCheck
      • File - Additional Folder Scans
    • Do not change any other settings.
    • Now click the Run Scan button on the toolbar.
    • Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
    • Save the file to your desktop or other location where you can find it again.
    Use the Add Reply button and attach the file in your next post.

    Cheers.

    OT
     
  3. hanzzz

    hanzzz Thread Starter

    Joined:
    Mar 28, 2008
    Messages:
    11
    Hi,

    Here is the OTScanIt Log,

    hanzzz
     

    Attached Files:

  4. OldTimer

    OldTimer Malware Specialist

    Joined:
    Mar 28, 2008
    Messages:
    237
    Hi hanzzz. Well, we have a bit of work to do so let's get started. Follow the steps below in order.

    Step #1

    Please download The Avenger by Swandog46 to your Desktop.
    • Click on Avenger.zip to open the file
    • Extract avenger.exe to your desktop

    Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

    Code:
    Drivers to delete:
    CbEvtSvc
    CcEvtSvc
    Files to delete:
    %allusersprofile%\application data\hwdilwbq.dll
    %programfiles%\alot\bin\alot.dll
    %systemdrive%\domains.dat
    %systemroot%\123messenger.per
    %systemroot%\180ax.exe
    %systemroot%\2020search.dll
    %systemroot%\2020search2.dll
    %systemroot%\apphelp32.dll
    %systemroot%\asferror32.dll
    %systemroot%\asycfilt32.dll
    %systemroot%\athprxy32.dll
    %systemroot%\ati2dvaa32.dll
    %systemroot%\ati2dvag32.dll
    %systemroot%\audiosrv32.dll
    %systemroot%\autodisc32.dll
    %systemroot%\avifile32.dll
    %systemroot%\avisynthex32.dll
    %systemroot%\aviwrap32.dll
    %systemroot%\bjam.dll
    %systemroot%\bokja.exe
    %systemroot%\browserad.dll
    %systemroot%\cdsm32.dll
    %systemroot%\changeurl_30.dll
    %systemroot%\default.htm
    %systemroot%\didduid.ini
    %systemroot%\ivmvshaf.exe
    %systemroot%\jwlic9lx1m.exe
    %systemroot%\msa64chk.dll
    %systemroot%\msapasrc.dll
    %systemroot%\mspphe.dll
    %systemroot%\mssvr.exe
    %systemroot%\ntnut.exe
    %systemroot%\saiemod.dll
    %systemroot%\salm.exe
    %systemroot%\shdocpe.dll
    %systemroot%\shdocpl.dll
    %systemroot%\snyzkvwz.exe
    %systemroot%\stcloader.exe
    %systemroot%\swin32.dll
    %systemroot%\system32\cbevtsvc.exe
    %systemroot%\system32\ccevtsvc.exe
    %systemroot%\system32\cygwn32.dll
    %systemroot%\system32\drivers\grande48.sys
    %systemroot%\system32\lt.res
    %systemroot%\system32\marwin32.dll
    %systemroot%\system32\mgmrwmrv.exe
    %systemroot%\system32\msixu.dll
    %systemroot%\system32\msnsa32.dll
    %systemroot%\system32\ntnut32.exe
    %systemroot%\system32\sbwltbxa.exe
    %systemroot%\system32\sft.res
    %systemroot%\system32\shdocpe.dll
    %systemroot%\system32\sipspi32.dll
    %systemroot%\system32\wer8274.dll
    %systemroot%\system32\winfrun32.bin
    %systemroot%\updatetc.exe
    %systemroot%\uxijslwx.dll
    %systemroot%\voiceip.dll
    %systemroot%\winsb.dll
    %systemroot%\wpibybuz.dll
    c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat
    c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat
    c:\windows\temp\salm.exe
    Folders to delete:
    %allusersprofile%\application data\salesmon
    %appdata%\alot
    %systemroot%\fleok
    %systemroot%\jntvauhd
    
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    Now, start The Avenger program by clicking on its icon on your desktop.
    • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
    • Click the Execute button
    • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:
    • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop; this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    Step #2

    Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

    Code:
    [Kill Explorer]
    [Unregister Dlls]
    [Processes - Non-Microsoft Only]
    YY -> sbwltbxa.exe -> %SystemRoot%\system32\sbwltbxa.exe
    YY -> cbevtsvc.exe -> %SystemRoot%\system32\CbEvtSvc.exe
    [Win32 Services - Non-Microsoft Only]
    YY -> (CbEvtSvc) CbEvtSvc [Win32_Own | Auto | Running] -> %SystemRoot%\system32\CbEvtSvc.exe
    YY -> (CcEvtSvc) CcEvtSvc [Win32_Own | Auto | Stopped] -> %SystemRoot%\system32\CcEvtSvc.exe
    [Registry - Non-Microsoft Only]
    < Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> bm -> %CommonProgramFiles%\AntiSpywareSuite\bm.exe
    YN -> HotbarOE -> %ProgramFiles%\Hotbar\bin\10.0.412.0\OEAddOn.exe
    YN -> HotbarSA -> %ProgramFiles%\Hotbar\bin\10.0.412.0\HotbarSA.exe
    YN -> SBI -> %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\ET91FS9T\install_sbd_en[1].exe
    < Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> AROReminder -> 
    < Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    *UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
    YY -> C:\WINDOWS\system32\mgmrwmrv.exe -> %SystemRoot%\system32\mgmrwmrv.exe
    YY -> C:\WINDOWS\system32\sbwltbxa.exe -> %SystemRoot%\system32\sbwltbxa.exe
    < Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    < Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    *UserInit* -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
    YN ->  -> 
    YY -> C:\WINDOWS\system32\mgmrwmrv.exe -> %SystemRoot%\system32\mgmrwmrv.exe
    YY -> C:\WINDOWS\system32\sbwltbxa.exe -> %SystemRoot%\system32\sbwltbxa.exe
    < Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    < CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
    YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\BKRVE9lx1m -> C:\WINDOWS\qxsluzer.exe [C:\WINDOWS\qxsluzer.exe]
    YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\DisableTaskMgr -> 1
    < CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
    YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr -> 1
    < BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    YN -> {00000250-0320-4dd4-be4f-7566d2314352} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {13197ace-6851-45c3-a7ff-c281324d5489} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {15651c7c-e812-44a2-a9ac-b467a2233e7d} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {4e1075f4-eec4-4a86-add7-cd5f52858c31} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YY -> {4f866392-1dd2-11b2-b909-cfe421531c96} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\wpibybuz.dll [Reg Error: Value  does not exist or could not be read.]
    YN -> {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YY -> {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\alot\bin\alot.dll [ALOT Toolbar]
    YN -> {5dafd089-24b1-4c5e-bd42-8ca72550717b} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {5fa6752a-c4a0-4222-88c2-928ae5ab4966} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {622cc208-b014-4fe0-801b-874a5e5e403a} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {8674aea0-9d3d-11d9-99dc-00600f9a01f1} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {965a592f-8efa-4250-8630-7960230792f1} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {9c5b2f29-1f46-4639-a6b4-828942301d3e} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {cf021f40-3e14-23a5-cba2-717765728274} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {E1BACF55-35E1-4E47-9247-2D48660E5545} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Zango\bin\10.1.181.0\HostIE.dll [Zango]
    YN -> {fc3a74e5-f281-4f10-ae1e-733078684f3c} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {ffff0001-0002-101a-a3c9-08002b2f49fb} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YY -> {FFFFFFFF-F538-4f86-ABAF-E9D94D5C007C} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\marwin32.dll [Her]
    < Internet Explorer Bars [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
    YN -> {CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Zango\bin\10.1.181.0\HostIE.dll [Zango Information Window]
    < Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
    YN -> {CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Zango\bin\10.1.181.0\HostIE.dll [Zango Information Window]
    < Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
    YY -> {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\alot\bin\alot.dll [ALOT Toolbar]
    [Files/Folders - Created Within 30 days]
    NY -> grande48.sys -> %SystemRoot%\System32\drivers\grande48.sys
    NY -> CbEvtSvc.exe -> %SystemRoot%\System32\CbEvtSvc.exe
    NY -> CcEvtSvc.exe -> %SystemRoot%\System32\CcEvtSvc.exe
    NY -> cygwn32.dll -> %SystemRoot%\System32\cygwn32.dll
    NY -> lt.res -> %SystemRoot%\System32\lt.res
    NY -> marwin32.dll -> %SystemRoot%\System32\marwin32.dll
    NY -> MSIXU.DLL -> %SystemRoot%\System32\MSIXU.DLL
    NY -> MSNSA32.dll -> %SystemRoot%\System32\MSNSA32.dll
    NY -> ntnut32.exe -> %SystemRoot%\System32\ntnut32.exe
    NY -> sbwltbxa.exe -> %SystemRoot%\System32\sbwltbxa.exe
    NY -> sft.res -> %SystemRoot%\System32\sft.res
    NY -> shdocpe.dll -> %SystemRoot%\System32\shdocpe.dll
    NY -> SIPSPI32.dll -> %SystemRoot%\System32\SIPSPI32.dll
    NY -> WER8274.DLL -> %SystemRoot%\System32\WER8274.DLL
    NY -> winfrun32.bin -> %SystemRoot%\System32\winfrun32.bin
    NY -> 123messenger.per -> %SystemRoot%\123messenger.per
    NY -> 180ax.exe -> %SystemRoot%\180ax.exe
    NY -> 2020search.dll -> %SystemRoot%\2020search.dll
    NY -> 2020search2.dll -> %SystemRoot%\2020search2.dll
    NY -> apphelp32.dll -> %SystemRoot%\apphelp32.dll
    NY -> asferror32.dll -> %SystemRoot%\asferror32.dll
    NY -> asycfilt32.dll -> %SystemRoot%\asycfilt32.dll
    NY -> athprxy32.dll -> %SystemRoot%\athprxy32.dll
    NY -> ati2dvaa32.dll -> %SystemRoot%\ati2dvaa32.dll
    NY -> ati2dvag32.dll -> %SystemRoot%\ati2dvag32.dll
    NY -> audiosrv32.dll -> %SystemRoot%\audiosrv32.dll
    NY -> autodisc32.dll -> %SystemRoot%\autodisc32.dll
    NY -> avifile32.dll -> %SystemRoot%\avifile32.dll
    NY -> avisynthex32.dll -> %SystemRoot%\avisynthex32.dll
    NY -> aviwrap32.dll -> %SystemRoot%\aviwrap32.dll
    NY -> bjam.dll -> %SystemRoot%\bjam.dll
    NY -> bokja.exe -> %SystemRoot%\bokja.exe
    NY -> browserad.dll -> %SystemRoot%\browserad.dll
    NY -> cdsm32.dll -> %SystemRoot%\cdsm32.dll
    NY -> changeurl_30.dll -> %SystemRoot%\changeurl_30.dll
    NY -> 3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
    NY -> default.htm -> %SystemRoot%\default.htm
    NY -> didduid.ini -> %SystemRoot%\didduid.ini
    NY -> FLEOK -> %SystemRoot%\FLEOK
    NY -> ivmvshaf.exe -> %SystemRoot%\ivmvshaf.exe
    NY -> jntvauhd -> %SystemRoot%\jntvauhd
    NY -> JwLIC9lx1m.exe -> %SystemRoot%\JwLIC9lx1m.exe
    NY -> msa64chk.dll -> %SystemRoot%\msa64chk.dll
    NY -> msapasrc.dll -> %SystemRoot%\msapasrc.dll
    NY -> mspphe.dll -> %SystemRoot%\mspphe.dll
    NY -> mssvr.exe -> %SystemRoot%\mssvr.exe
    NY -> ntnut.exe -> %SystemRoot%\ntnut.exe
    NY -> saiemod.dll -> %SystemRoot%\saiemod.dll
    NY -> salm.exe -> %SystemRoot%\salm.exe
    NY -> shdocpe.dll -> %SystemRoot%\shdocpe.dll
    NY -> shdocpl.dll -> %SystemRoot%\shdocpl.dll
    NY -> snyzkvwz.exe -> %SystemRoot%\snyzkvwz.exe
    NY -> stcloader.exe -> %SystemRoot%\stcloader.exe
    NY -> swin32.dll -> %SystemRoot%\swin32.dll
    NY -> updatetc.exe -> %SystemRoot%\updatetc.exe
    NY -> uxijslwx.dll -> %SystemRoot%\uxijslwx.dll
    NY -> voiceip.dll -> %SystemRoot%\voiceip.dll
    NY -> winsb.dll -> %SystemRoot%\winsb.dll
    NY -> wpibybuz.dll -> %SystemRoot%\wpibybuz.dll
    [Files Created - Additional Folder Scans - Non-Microsoft Only]
    NY -> hwdilwbq.dll -> %AllUsersProfile%\Application Data\hwdilwbq.dll
    NY -> SalesMon -> %AllUsersProfile%\Application Data\SalesMon
    [Files/Folders - Modified Within 30 days]
    NY -> domains.dat -> %SystemDrive%\domains.dat
    NY -> grande48.sys -> %SystemRoot%\System32\drivers\grande48.sys
    NY -> 2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
    NY -> CbEvtSvc.exe -> %SystemRoot%\System32\CbEvtSvc.exe
    NY -> CcEvtSvc.exe -> %SystemRoot%\System32\CcEvtSvc.exe
    NY -> cygwn32.dll -> %SystemRoot%\System32\cygwn32.dll
    NY -> lt.res -> %SystemRoot%\System32\lt.res
    NY -> marwin32.dll -> %SystemRoot%\System32\marwin32.dll
    NY -> MSIXU.DLL -> %SystemRoot%\System32\MSIXU.DLL
    NY -> MSNSA32.dll -> %SystemRoot%\System32\MSNSA32.dll
    NY -> ntnut32.exe -> %SystemRoot%\System32\ntnut32.exe
    NY -> sbwltbxa.exe -> %SystemRoot%\System32\sbwltbxa.exe
    NY -> sft.res -> %SystemRoot%\System32\sft.res
    NY -> shdocpe.dll -> %SystemRoot%\System32\shdocpe.dll
    NY -> SIPSPI32.dll -> %SystemRoot%\System32\SIPSPI32.dll
    NY -> WER8274.DLL -> %SystemRoot%\System32\WER8274.DLL
    NY -> winfrun32.bin -> %SystemRoot%\System32\winfrun32.bin
    NY -> 123messenger.per -> %SystemRoot%\123messenger.per
    NY -> 180ax.exe -> %SystemRoot%\180ax.exe
    NY -> 2020search.dll -> %SystemRoot%\2020search.dll
    NY -> 2020search2.dll -> %SystemRoot%\2020search2.dll
    NY -> apphelp32.dll -> %SystemRoot%\apphelp32.dll
    NY -> asferror32.dll -> %SystemRoot%\asferror32.dll
    NY -> asycfilt32.dll -> %SystemRoot%\asycfilt32.dll
    NY -> athprxy32.dll -> %SystemRoot%\athprxy32.dll
    NY -> ati2dvaa32.dll -> %SystemRoot%\ati2dvaa32.dll
    NY -> ati2dvag32.dll -> %SystemRoot%\ati2dvag32.dll
    NY -> audiosrv32.dll -> %SystemRoot%\audiosrv32.dll
    NY -> autodisc32.dll -> %SystemRoot%\autodisc32.dll
    NY -> avifile32.dll -> %SystemRoot%\avifile32.dll
    NY -> avisynthex32.dll -> %SystemRoot%\avisynthex32.dll
    NY -> aviwrap32.dll -> %SystemRoot%\aviwrap32.dll
    NY -> bjam.dll -> %SystemRoot%\bjam.dll
    NY -> bokja.exe -> %SystemRoot%\bokja.exe
    NY -> browserad.dll -> %SystemRoot%\browserad.dll
    NY -> cdsm32.dll -> %SystemRoot%\cdsm32.dll
    NY -> changeurl_30.dll -> %SystemRoot%\changeurl_30.dll
    NY -> 3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
    NY -> didduid.ini -> %SystemRoot%\didduid.ini
    NY -> FLEOK -> %SystemRoot%\FLEOK
    NY -> ivmvshaf.exe -> %SystemRoot%\ivmvshaf.exe
    NY -> jntvauhd -> %SystemRoot%\jntvauhd
    NY -> JwLIC9lx1m.exe -> %SystemRoot%\JwLIC9lx1m.exe
    NY -> msa64chk.dll -> %SystemRoot%\msa64chk.dll
    NY -> msapasrc.dll -> %SystemRoot%\msapasrc.dll
    NY -> mspphe.dll -> %SystemRoot%\mspphe.dll
    NY -> mssvr.exe -> %SystemRoot%\mssvr.exe
    NY -> ntnut.exe -> %SystemRoot%\ntnut.exe
    NY -> saiemod.dll -> %SystemRoot%\saiemod.dll
    NY -> salm.exe -> %SystemRoot%\salm.exe
    NY -> shdocpe.dll -> %SystemRoot%\shdocpe.dll
    NY -> shdocpl.dll -> %SystemRoot%\shdocpl.dll
    NY -> snyzkvwz.exe -> %SystemRoot%\snyzkvwz.exe
    NY -> stcloader.exe -> %SystemRoot%\stcloader.exe
    NY -> swin32.dll -> %SystemRoot%\swin32.dll
    NY -> updatetc.exe -> %SystemRoot%\updatetc.exe
    NY -> uxijslwx.dll -> %SystemRoot%\uxijslwx.dll
    NY -> voiceip.dll -> %SystemRoot%\voiceip.dll
    NY -> winsb.dll -> %SystemRoot%\winsb.dll
    NY -> wpibybuz.dll -> %SystemRoot%\wpibybuz.dll
    NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    NY -> SALM.EXE -> C:\WINDOWS\Temp\SALM.EXE
    [Files Modified - Additional Folder Scans - Non-Microsoft Only]
    NY -> hwdilwbq.dll -> %AllUsersProfile%\Application Data\hwdilwbq.dll
    NY -> SalesMon -> %AllUsersProfile%\Application Data\SalesMon
    NY -> alot -> %AppData%\alot
    [Extra Files]
    %CommonProgramFiles%\AntiSpywareSuite\
    %ProgramFiles%\Hotbar\
    [Empty Temp Folders]
    [Start Explorer]
    
    The fix should only take a very short time. When the fix is completed a message box will pop up either telling you that it is finished, or that a reboot is needed to complete the fix. Either way, click the Ok button. If it is finished, Notepad will open with a log of actions taken during the fix. If a reboot is required, this log will be placed in the Moved Files folder (see the last step for location directions). Post that log back here in your next reply.

    Step #3

    Run the F-Secure Online Scanner

    Note: This Scanner is for Internet Explorer Only!
    • Click on Online Services and then Online Scanner
    • Accept the License Agreement.
    • Once the ActiveX installs,Click Full System Scan
    • Once the download completes,the scan will begin automatically.
    • The scan will take some time to finish,so please be patient.
    • When the scan completes, click the Automatic cleaning (recommended) button.
    • Click the Show Report button and Copy&Paste the entire report in your next reply.

    Step #4

    Run a new OTScanIt scan with the following options

    Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
    • Close ALL OTHER PROGRAMS.
    • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
    • Under Additional Scans click the checkboxes in front of the following items to select them:
      • File - Additional Folder Scans
    • Do not change any other settings.
    • Now click the Run Scan button on the toolbar.
    • Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

    Step #5

    Post the following back here:

    • The Avenger report (c:\Avenger.txt)
    • The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run.)
    • The new OTScanIt scan log

    I will review the information when it comes back in.

    Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

    Cheers.

    OT
     
  5. hanzzz

    hanzzz Thread Starter

    Joined:
    Mar 28, 2008
    Messages:
    11
    Hi,

    It looks like most of the problems have gone. The desktop background is back to normal, task manager opens, and there are no longer any pop-up dialog boxes.

    This is the F-Secure Online Scanner Report:

    Scanning Report
    Tuesday, April 01, 2008 11:45:25 - 12:46:03
    Computer name: BOXALL
    Scanning type: Scan system for malware, rootkits
    Target: C:\


    --------------------------------------------------------------------------------

    Result: 6 malware found
    Backdoor:W32/Agent.CXZ (virus)
    C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\951192718.EXE (Submitted)
    Backdoor:W32/Agent.CYB (virus)
    C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\869715802.EXE (Submitted)
    Trojan.Win32.Pakes.cml (virus)
    C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\907608617.EXE (Renamed & Submitted)
    not-virus:Hoax.Win32.Renos.bes (virus)
    C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\1099444196.EXE (Submitted)
    not-virus:Hoax.Win32.Renos.bhe (virus)
    C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\1095315177.EXE (Submitted)
    C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\1095839497.EXE (Submitted)

    --------------------------------------------------------------------------------

    Statistics
    Scanned:
    Files: 26254
    System: 3075
    Not scanned: 12
    Actions:
    Disinfected: 0
    Renamed: 1
    Deleted: 0
    None: 5
    Submitted: 6
    Files not scanned:
    C:\PAGEFILE.SYS
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
    C:\WINDOWS\SYSTEM32\CONFIG\SAM
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
    C:\DOCUMENTS AND SETTINGS\BBOXALL\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP SEARCH\DBDAM
    C:\DOCUMENTS AND SETTINGS\BBOXALL\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP SEARCH\DBDAO
    C:\DOCUMENTS AND SETTINGS\BBOXALL\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP SEARCH\DBEAM
    C:\DOCUMENTS AND SETTINGS\BBOXALL\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP SEARCH\DBEAO
    C:\DOCUMENTS AND SETTINGS\BBOXALL\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP SEARCH\DBM
    C:\DOCUMENTS AND SETTINGS\BBOXALL\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP SEARCH\HP

    --------------------------------------------------------------------------------

    Options
    Scanning engines:
    F-Secure USS: 2.30.0
    F-Secure Hydra: 2.8.8110, 2008-04-01
    F-Secure AVP: 7.0.171, 2008-03-31
    F-Secure Pegasus: 1.20.0, 2008-02-28
    F-Secure Blacklight: 1.0.64
    Scanning options:
    Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
    Use Advanced heuristics

    --------------------------------------------------------------------------------



    ------

    Attached are the Avenger report, OTScanit log, and OTscanit report.
     

  6. OldTimer

    OldTimer Malware Specialist

    Joined:
    Mar 28, 2008
    Messages:
    237
    Hi hanzzz. That looks great. Good job! We have one item that came back but it's not so serious. The file is gone anyway. Let's get rid of that.

    Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

    Code:
    [Registry - Non-Microsoft Only]
    < Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
    YN -> {E1BACF55-35E1-4E47-9247-2D48660E5545} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    
    
    The fix should only take a very short time. When the fix is completed either a message box will popup telling you that it is finished or you will be asked to reboot to finish the fix. If it is finished, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

    If you need to reboot, the log file will be placed in the MovedFiles folder in the folder that OTScanIt is running from. It will have a .log extension and a name in the format of mmddyyyy_hhmmss.log. Once you reboot, locate that file, open it with Notepad (not Write or any other text program) and post the contents back here.

    I will review the information when it comes back in.

    Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

    Cheers.

    OT
     
  7. hanzzz

    hanzzz Thread Starter

    Joined:
    Mar 28, 2008
    Messages:
    11
    I just restarted my computer again, and a dialog box which I have never seen before popped up:

    RegScr32

    LoadLibrary("C:\Documents and Settings\All Users\Application Data\hwdilwbq.dll") has failed - The specified module could not be found.
     
  8. hanzzz

    hanzzz Thread Starter

    Joined:
    Mar 28, 2008
    Messages:
    11
    Here is the latest OTScanIt log:

    [Registry - Non-Microsoft Only]
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{E1BACF55-35E1-4E47-9247-2D48660E5545} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E1BACF55-35E1-4E47-9247-2D48660E5545}\ not found.
    < End of fix log >
    OTScanIt by OldTimer - Version 1.0.8.0 fix logfile created on 04012008_135812


    Hanzzz
     
  9. OldTimer

    OldTimer Malware Specialist

    Joined:
    Mar 28, 2008
    Messages:
    237
    Hi hanzzz. That RegScr32 file is one of those icky bad files. It did not show up in the last scan so let's see if we can find it.

    Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

    • Close ALL OTHER PROGRAMS.
    • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
    • In the Drivers section click on Non-Microsoft.
    • Under Additional Scans click the checkboxes in front of the following items to select them:
      • Reg - Approved Shell Extensions
      • Reg - Desktop Components
      • Reg - Disabled MS Config Items
      • Reg - File Associations
      • Reg - Print Monitors
      • Reg - Shell Spawning
      • Reg - Software Policy Settings
    • Do not change any other settings.
    • Now click the Run Scan button on the toolbar.
    • Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
    • Save the file to your desktop or other location where you can find it back.
    Use the Add Reply button and attach the file in your next post.

    Cheers.

    OT
     
  10. hanzzz

    hanzzz Thread Starter

    Joined:
    Mar 28, 2008
    Messages:
    11
    Attached is the latest OTScanIt report,

    Hanzzz
     

  11. hanzzz

    hanzzz Thread Starter

    Joined:
    Mar 28, 2008
    Messages:
    11
    I made a typo in my earlier post, the dialog box is:

    RegSvr32

    with the same error message.

    Does this change anything?
     
  12. OldTimer

    OldTimer Malware Specialist

    Joined:
    Mar 28, 2008
    Messages:
    237
    Hi hanzzz. That looks clean also. It's not starting up from anywhere in the registry that I can tell. Let's see if the file is even present on the system.

    Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

    • Close ALL OTHER PROGRAMS.
    • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
    • Click the None button on the toolbar.
    • Copy/paste the text in the code box below into the Custom Scans box:
      Code:
      c:\*.regscr*.* /s
      
    • Do not change any other settings.
    • Now click the Run Scan button on the toolbar.
    • Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
    • Save the file to your desktop or other location where you can find it back.
    Use the Add Reply button and attach the file in your next post.

    Cheers.

    OT
     
  13. OldTimer

    OldTimer Malware Specialist

    Joined:
    Mar 28, 2008
    Messages:
    237
    Hi hanzzz. Yes, that would make a difference. Skip my last post. RegSvr32 is a standard Windows registration file. Some other process is trying to load the hwdilwbq.dll file. Does this come up every time the system starts? Then we will need to find out what the other process is to see if it is legitimate or not.

    Cheers.

    OT
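    OldTimer's reasoning above, that a RegSvr32 "LoadLibrary ... has failed" box at every boot means some startup entry is still calling regsvr32 on the already-deleted hwdilwbq.dll, comes down to searching the usual autorun locations for that filename and checking whether the file it points at still exists. The PowerShell script below is an added example, not part of this thread and not OldTimer's or OTScanIt's code. It assumes PowerShell is installed (on XP SP2 it was an optional download) and that the orphaned entry lives in one of the listed Run, Winlogon, ShellServiceObjectDelayLoad or Active Setup keys or in a scheduled-task .job file; that list of locations is an assumption, not something the posted logs confirm.

```powershell
# Added example (not from the original thread or OTScanIt): find autorun entries
# that still reference a DLL which no longer exists on disk. An orphaned
# "regsvr32 /s <dll>" entry is what produces the RegSvr32 LoadLibrary error at logon.
# Assumed search target: hwdilwbq.dll, taken from the thread; override with -Pattern.
param(
    [string]$Pattern = 'hwdilwbq.dll'
)

# Assumption: these are the autorun keys most commonly abused by adware of that era.
# Services, BHOs and logon scripts are not covered here and should be checked separately.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
)

function Get-AutorunHits {
    param([string[]]$Keys, [string]$Pattern)
    foreach ($key in $Keys) {
        # Active Setup and Winlogon\Notify nest one level deeper; include direct children.
        $paths = @($key) + @(Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object { $_.PSPath })
        foreach ($p in $paths) {
            $item = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
            if (-not $item) { continue }
            foreach ($prop in $item.PSObject.Properties) {
                if ($prop.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
                $val = [string]$prop.Value
                if ($val -match [regex]::Escape($Pattern)) {
                    [pscustomobject]@{ Key = $p; Value = $prop.Name; Command = $val }
                }
            }
        }
    }
}

# Scheduled tasks on XP are .job files under %SystemRoot%\Tasks; the command line
# is stored inside as UTF-16 text, so a plain string search over the decoded bytes works.
function Get-TaskHits {
    param([string]$Pattern)
    $taskDir = Join-Path $env:SystemRoot 'Tasks'
    Get-ChildItem -Path $taskDir -Filter '*.job' -ErrorAction SilentlyContinue | ForEach-Object {
        $text = [System.Text.Encoding]::Unicode.GetString([System.IO.File]::ReadAllBytes($_.FullName))
        if ($text -match [regex]::Escape($Pattern)) {
            [pscustomobject]@{ Key = $_.FullName; Value = 'job'; Command = $text }
        }
    }
}

$hits = @(Get-AutorunHits -Keys $runKeys -Pattern $Pattern) + @(Get-TaskHits -Pattern $Pattern)
if ($hits.Count -eq 0) {
    Write-Output "No autorun entry references '$Pattern'; check services, BHOs and logon scripts next."
} else {
    foreach ($h in $hits) {
        # Pull the first drive-letter path ending in .dll out of the command and test it on disk:
        # "file present: False" is the orphan that keeps throwing the RegSvr32 box.
        $dllPath = [regex]::Match($h.Command, '[A-Za-z]:\\[^"]+?\.dll').Value
        $exists  = if ($dllPath) { Test-Path -LiteralPath $dllPath } else { 'n/a' }
        Write-Output ("{0}\{1} -> {2}  (file present: {3})" -f $h.Key, $h.Value, $h.Command.Trim(), $exists)
    }
}
```

    Run it from an administrator session; a hit whose file is reported absent is the entry to remove, while a hit whose file is still present means the cleanup missed a copy of the DLL and that file should be examined before deleting anything.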
     
  14. hanzzz

    hanzzz Thread Starter

    Joined:
    Mar 28, 2008
    Messages:
    11
    Yes, the message comes up every time the system starts up.
     
  15. OldTimer

    OldTimer Malware Specialist

    Joined:
    Mar 28, 2008
    Messages:
    237
    Hi hanzzz. Let's try this once.

    Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

    • Close ALL OTHER PROGRAMS.
    • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
    • Click the None button on the toolbar.
    • Click the Scan All Users checkbox on the toolbar to select it.
    • In the Registry group click All.
    • Do not change any other settings.
    • Now click the Run Scan button on the toolbar.
    • Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
    • Save the file to your desktop or other location where you can find it back.
    Use the Add Reply button and attach the file in your next post.

    Cheers.

    OT
     
Short URL to this thread: https://techguy.org/697921