Several popups and Task Manager doesn't work

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue.

hanzzz

Thread Starter
Joined
Mar 28, 2008
Messages
11
Hi,

My computer has had several popups for the last few days directing me to sites which I'm pretty sure contain malware. Also, when I try to open Task Manager, a dialog box opens up which says "Task Manager has been disabled by your administrator", even though I am the admin for the computer.

The desktop background has also changed by itself with a link on it which directs me to a website. It has a head that says "Warning: Spyware has been detected on your computer!"

Any help would be appreciated.

Here is the HijackThis! Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:01 AM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\sbwltbxa.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CbEvtSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\3B Software\Registry Repair Pro\RegistryRepairPro.exe
C:\Program Files\3B Software\Common\Scheduler\wcomschd.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,C:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {4f866392-1dd2-11b2-b909-cfe421531c96} - C:\WINDOWS\wpibybuz.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: Zango /fleok=1D8A83A5C5ED187A9AAA682A1FBB39BFE4976E26CAEDA120180A196D6093 - {E1BACF55-35E1-4E47-9247-2D48660E5545} - C:\Program Files\Zango\bin\10.1.181.0\HostIE.dll (file missing)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O2 - BHO: Her - {FFFFFFFF-F538-4f86-ABAF-E9D94D5C007C} - C:\WINDOWS\system32\marwin32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Zango - {E1BACF55-35E1-4E47-9247-2D48660E5545} - C:\Program Files\Zango\bin\10.1.181.0\HostIE.dll (file missing)
O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [HotbarOE] C:\Program Files\Hotbar\bin\10.0.412.0\OEAddOn.exe
O4 - HKLM\..\Run: [HotbarSA] "C:\Program Files\Hotbar\bin\10.0.412.0\HotbarSA.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\bboxall\Local Settings\Temporary Internet Files\Content.IE5\ET91FS9T\install_sbd_en[1].exe
O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\AntiSpywareSuite\bm.exe" dm=http://antispywaresuite.com ad=http://antispywaresuite.com sd=http://ykeeper.antispywaresuite.com
O4 - HKLM\..\Run: [hwdilwbq] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\hwdilwbq.dll"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKLM\..\Policies\Explorer\Run: [BKRVE9lx1m] C:\WINDOWS\qxsluzer.exe
O4 - Startup: Registry Repair Pro.lnk = C:\Program Files\3B Software\Registry Repair Pro\RegistryRepairPro.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\3B Software\Common\Scheduler\wcomschd.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CbEvtSvc - Unknown owner - C:\WINDOWS\System32\CbEvtSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: CcEvtSvc - Unknown owner - C:\WINDOWS\System32\CcEvtSvc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Desktop Manager 5.1.709.19590 (GoogleDesktopManager-091907-194040) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10567 bytes
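The log above is the kind of input a helper triages by hand: an extra executable hung off the Winlogon UserInit value, a crowd of unnamed BHOs, Run entries launched from the Temporary Internet Files cache or via regsvr32, an entry in the Policies\Explorer\Run key, and a service with no registered owner. The script below is an added example, not part of this thread or of HijackThis itself; it applies those same defender-side heuristics to the HijackThis line format and reports what a reviewer would look at first. The rule names and thresholds are this example's own assumptions, and the sample input is a subset of lines copied from the log posted above.

```python
"""Triage a HijackThis log for common hijack indicators (added example)."""
import re

# Sample input: a constructed subset of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,C:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4f866392-1dd2-11b2-b909-cfe421531c96} - C:\WINDOWS\wpibybuz.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\bboxall\Local Settings\Temporary Internet Files\Content.IE5\ET91FS9T\install_sbd_en[1].exe
O4 - HKLM\..\Run: [hwdilwbq] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\hwdilwbq.dll"
O4 - HKLM\..\Policies\Explorer\Run: [BKRVE9lx1m] C:\WINDOWS\qxsluzer.exe
O23 - Service: CbEvtSvc - Unknown owner - C:\WINDOWS\System32\CbEvtSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Line shapes used by HijackThis 2.0.x for the sections this example inspects.
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def _finding(rule, line, detail):
    return {"rule": rule, "line": line, "detail": detail}


def check_line(line):
    """Return the findings for one log line (empty list if nothing looks suspicious).

    Rule names are this example's own labels, not HijackThis terminology.
    """
    findings = []

    m = USERINIT_RE.match(line)
    if m:
        # UserInit should name only userinit.exe; anything appended runs at every logon.
        for entry in (e.strip() for e in m.group("value").split(",")):
            if entry and entry.lower().rsplit("\\", 1)[-1] != "userinit.exe":
                findings.append(_finding("userinit_extra", line, entry))
        return findings

    m = BHO_RE.match(line)
    if m:
        name, path = m.group("name"), m.group("path")
        if name == "(no name)" and path == "(no file)":
            # Leftover CLSID with no DLL behind it: harmless but worth cleaning.
            findings.append(_finding("orphan_bho", line, m.group("clsid")))
        elif name == "(no name)":
            # A nameless BHO that still loads a DLL deserves a look.
            findings.append(_finding("unnamed_bho_with_file", line, path))
        return findings

    m = RUN_RE.match(line)
    if m:
        key, cmd = m.group("key").lower(), m.group("cmd")
        lowered = cmd.lower()
        if "policies\\explorer\\run" in key:
            findings.append(_finding("policy_run_key", line, cmd))
        if lowered.startswith("regsvr32"):
            findings.append(_finding("regsvr32_autorun", line, cmd))
        if "temporary internet files" in lowered or "\\application data\\" in lowered:
            findings.append(_finding("autorun_from_user_data", line, cmd))
        return findings

    m = SERVICE_RE.match(line)
    if m and m.group("owner") == "Unknown owner":
        findings.append(_finding("unknown_service_owner", line, m.group("path")))
    return findings


def triage(log_text):
    """Run check_line over every line of a HijackThis log and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(check_line(line.strip()))
    return findings


def rule_counts(findings):
    """Summarise findings as {rule: count} for a quick overview."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['rule']:<24} {f['detail']}")
```

Run against the sample it reports nine findings: two executables appended to UserInit, one orphaned and one unnamed-but-loaded BHO, two autoruns launched from user data folders (one of them also via regsvr32), one Policies\Explorer\Run entry and one service with an unknown owner. The heuristics are deliberately narrow; they surface what to review, they do not decide what to delete.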
 

OldTimer

Malware Specialist
Joined
Mar 28, 2008
Messages
237
Hello hanzzz and welcome to the TSG Malware Removal forum. Let's see what we can find.

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it again.
Use the Add Reply button and attach the file in your next post.

Cheers.

OT
 

OldTimer

Malware Specialist
Joined
Mar 28, 2008
Messages
237
Hi hanzzz. Well, we have a bit of work to do so let's get started. Follow the steps below in order.

Step #1

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:
Drivers to delete:
CbEvtSvc
CcEvtSvc
Files to delete:
%allusersprofile%\application data\hwdilwbq.dll
%programfiles%\alot\bin\alot.dll 
%systemdrive%\domains.dat
%systemroot%\123messenger.per
%systemroot%\180ax.exe
%systemroot%\2020search.dll
%systemroot%\2020search2.dll
%systemroot%\apphelp32.dll
%systemroot%\asferror32.dll
%systemroot%\asycfilt32.dll
%systemroot%\athprxy32.dll
%systemroot%\ati2dvaa32.dll
%systemroot%\ati2dvag32.dll
%systemroot%\audiosrv32.dll
%systemroot%\autodisc32.dll
%systemroot%\avifile32.dll
%systemroot%\avisynthex32.dll
%systemroot%\aviwrap32.dll
%systemroot%\bjam.dll
%systemroot%\bokja.exe
%systemroot%\browserad.dll
%systemroot%\cdsm32.dll
%systemroot%\changeurl_30.dll
%systemroot%\default.htm
%systemroot%\didduid.ini
%systemroot%\ivmvshaf.exe
%systemroot%\jwlic9lx1m.exe
%systemroot%\msa64chk.dll
%systemroot%\msapasrc.dll
%systemroot%\mspphe.dll
%systemroot%\mssvr.exe
%systemroot%\ntnut.exe
%systemroot%\saiemod.dll
%systemroot%\salm.exe
%systemroot%\shdocpe.dll
%systemroot%\shdocpl.dll
%systemroot%\snyzkvwz.exe
%systemroot%\stcloader.exe
%systemroot%\swin32.dll
%systemroot%\system32\cbevtsvc.exe
%systemroot%\system32\ccevtsvc.exe
%systemroot%\system32\cygwn32.dll
%systemroot%\system32\drivers\grande48.sys
%systemroot%\system32\lt.res
%systemroot%\system32\marwin32.dll
%systemroot%\system32\marwin32.dll 
%systemroot%\system32\mgmrwmrv.exe
%systemroot%\system32\msixu.dll
%systemroot%\system32\msnsa32.dll
%systemroot%\system32\ntnut32.exe
%systemroot%\system32\sbwltbxa.exe
%systemroot%\system32\sft.res
%systemroot%\system32\shdocpe.dll
%systemroot%\system32\sipspi32.dll
%systemroot%\system32\wer8274.dll
%systemroot%\system32\winfrun32.bin
%systemroot%\updatetc.exe
%systemroot%\uxijslwx.dll
%systemroot%\voiceip.dll
%systemroot%\winsb.dll
%systemroot%\wpibybuz.dll
%systemroot%\wpibybuz.dll 
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat
c:\windows\temp\salm.exe
Folders to delete:
%allusersprofile%\application data\salesmon
%appdata%\alot
%systemroot%\fleok
%systemroot%\jntvauhd
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Step #2

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Kill Explorer]
[Unregister Dlls]
[Processes - Non-Microsoft Only]
YY -> sbwltbxa.exe -> %SystemRoot%\system32\sbwltbxa.exe
YY -> cbevtsvc.exe -> %SystemRoot%\system32\CbEvtSvc.exe
[Win32 Services - Non-Microsoft Only]
YY -> (CbEvtSvc) CbEvtSvc [Win32_Own | Auto | Running] -> %SystemRoot%\system32\CbEvtSvc.exe
YY -> (CcEvtSvc) CcEvtSvc [Win32_Own | Auto | Stopped] -> %SystemRoot%\system32\CcEvtSvc.exe
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> bm -> %CommonProgramFiles%\AntiSpywareSuite\bm.exe
YN -> HotbarOE -> %ProgramFiles%\Hotbar\bin\10.0.412.0\OEAddOn.exe
YN -> HotbarSA -> %ProgramFiles%\Hotbar\bin\10.0.412.0\HotbarSA.exe
YN -> SBI -> %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\ET91FS9T\install_sbd_en[1].exe
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> AROReminder -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YY -> C:\WINDOWS\system32\mgmrwmrv.exe -> %SystemRoot%\system32\mgmrwmrv.exe
YY -> C:\WINDOWS\system32\sbwltbxa.exe -> %SystemRoot%\system32\sbwltbxa.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YN ->  -> 
YY -> C:\WINDOWS\system32\mgmrwmrv.exe -> %SystemRoot%\system32\mgmrwmrv.exe
YY -> C:\WINDOWS\system32\sbwltbxa.exe -> %SystemRoot%\system32\sbwltbxa.exe
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\BKRVE9lx1m -> C:\WINDOWS\qxsluzer.exe [C:\WINDOWS\qxsluzer.exe]
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\DisableTaskMgr -> 1
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr -> 1
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {00000250-0320-4dd4-be4f-7566d2314352} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {13197ace-6851-45c3-a7ff-c281324d5489} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {15651c7c-e812-44a2-a9ac-b467a2233e7d} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {4e1075f4-eec4-4a86-add7-cd5f52858c31} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YY -> {4f866392-1dd2-11b2-b909-cfe421531c96} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\wpibybuz.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YY -> {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\alot\bin\alot.dll [ALOT Toolbar]
YN -> {5dafd089-24b1-4c5e-bd42-8ca72550717b} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {5fa6752a-c4a0-4222-88c2-928ae5ab4966} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {622cc208-b014-4fe0-801b-874a5e5e403a} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {8674aea0-9d3d-11d9-99dc-00600f9a01f1} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {965a592f-8efa-4250-8630-7960230792f1} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {9c5b2f29-1f46-4639-a6b4-828942301d3e} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {cf021f40-3e14-23a5-cba2-717765728274} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {E1BACF55-35E1-4E47-9247-2D48660E5545} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Zango\bin\10.1.181.0\HostIE.dll [Zango]
YN -> {fc3a74e5-f281-4f10-ae1e-733078684f3c} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {ffff0001-0002-101a-a3c9-08002b2f49fb} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YY -> {FFFFFFFF-F538-4f86-ABAF-E9D94D5C007C} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\marwin32.dll [Her]
< Internet Explorer Bars [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Zango\bin\10.1.181.0\HostIE.dll [Zango Information Window]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Zango\bin\10.1.181.0\HostIE.dll [Zango Information Window]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YY -> {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\alot\bin\alot.dll [ALOT Toolbar]
[Files/Folders - Created Within 30 days]
NY -> grande48.sys -> %SystemRoot%\System32\drivers\grande48.sys
NY -> CbEvtSvc.exe -> %SystemRoot%\System32\CbEvtSvc.exe
NY -> CcEvtSvc.exe -> %SystemRoot%\System32\CcEvtSvc.exe
NY -> cygwn32.dll -> %SystemRoot%\System32\cygwn32.dll
NY -> lt.res -> %SystemRoot%\System32\lt.res
NY -> marwin32.dll -> %SystemRoot%\System32\marwin32.dll
NY -> MSIXU.DLL -> %SystemRoot%\System32\MSIXU.DLL
NY -> MSNSA32.dll -> %SystemRoot%\System32\MSNSA32.dll
NY -> ntnut32.exe -> %SystemRoot%\System32\ntnut32.exe
NY -> sbwltbxa.exe -> %SystemRoot%\System32\sbwltbxa.exe
NY -> sft.res -> %SystemRoot%\System32\sft.res
NY -> shdocpe.dll -> %SystemRoot%\System32\shdocpe.dll
NY -> SIPSPI32.dll -> %SystemRoot%\System32\SIPSPI32.dll
NY -> WER8274.DLL -> %SystemRoot%\System32\WER8274.DLL
NY -> winfrun32.bin -> %SystemRoot%\System32\winfrun32.bin
NY -> 123messenger.per -> %SystemRoot%\123messenger.per
NY -> 180ax.exe -> %SystemRoot%\180ax.exe
NY -> 2020search.dll -> %SystemRoot%\2020search.dll
NY -> 2020search2.dll -> %SystemRoot%\2020search2.dll
NY -> apphelp32.dll -> %SystemRoot%\apphelp32.dll
NY -> asferror32.dll -> %SystemRoot%\asferror32.dll
NY -> asycfilt32.dll -> %SystemRoot%\asycfilt32.dll
NY -> athprxy32.dll -> %SystemRoot%\athprxy32.dll
NY -> ati2dvaa32.dll -> %SystemRoot%\ati2dvaa32.dll
NY -> ati2dvag32.dll -> %SystemRoot%\ati2dvag32.dll
NY -> audiosrv32.dll -> %SystemRoot%\audiosrv32.dll
NY -> autodisc32.dll -> %SystemRoot%\autodisc32.dll
NY -> avifile32.dll -> %SystemRoot%\avifile32.dll
NY -> avisynthex32.dll -> %SystemRoot%\avisynthex32.dll
NY -> aviwrap32.dll -> %SystemRoot%\aviwrap32.dll
NY -> bjam.dll -> %SystemRoot%\bjam.dll
NY -> bokja.exe -> %SystemRoot%\bokja.exe
NY -> browserad.dll -> %SystemRoot%\browserad.dll
NY -> cdsm32.dll -> %SystemRoot%\cdsm32.dll
NY -> changeurl_30.dll -> %SystemRoot%\changeurl_30.dll
NY -> 3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> default.htm -> %SystemRoot%\default.htm
NY -> didduid.ini -> %SystemRoot%\didduid.ini
NY -> FLEOK -> %SystemRoot%\FLEOK
NY -> ivmvshaf.exe -> %SystemRoot%\ivmvshaf.exe
NY -> jntvauhd -> %SystemRoot%\jntvauhd
NY -> JwLIC9lx1m.exe -> %SystemRoot%\JwLIC9lx1m.exe
NY -> msa64chk.dll -> %SystemRoot%\msa64chk.dll
NY -> msapasrc.dll -> %SystemRoot%\msapasrc.dll
NY -> mspphe.dll -> %SystemRoot%\mspphe.dll
NY -> mssvr.exe -> %SystemRoot%\mssvr.exe
NY -> ntnut.exe -> %SystemRoot%\ntnut.exe
NY -> saiemod.dll -> %SystemRoot%\saiemod.dll
NY -> salm.exe -> %SystemRoot%\salm.exe
NY -> shdocpe.dll -> %SystemRoot%\shdocpe.dll
NY -> shdocpl.dll -> %SystemRoot%\shdocpl.dll
NY -> snyzkvwz.exe -> %SystemRoot%\snyzkvwz.exe
NY -> stcloader.exe -> %SystemRoot%\stcloader.exe
NY -> swin32.dll -> %SystemRoot%\swin32.dll
NY -> updatetc.exe -> %SystemRoot%\updatetc.exe
NY -> uxijslwx.dll -> %SystemRoot%\uxijslwx.dll
NY -> voiceip.dll -> %SystemRoot%\voiceip.dll
NY -> winsb.dll -> %SystemRoot%\winsb.dll
NY -> wpibybuz.dll -> %SystemRoot%\wpibybuz.dll
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> hwdilwbq.dll -> %AllUsersProfile%\Application Data\hwdilwbq.dll
NY -> SalesMon -> %AllUsersProfile%\Application Data\SalesMon
[Files/Folders - Modified Within 30 days]
NY -> domains.dat -> %SystemDrive%\domains.dat
NY -> grande48.sys -> %SystemRoot%\System32\drivers\grande48.sys
NY -> 2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> CbEvtSvc.exe -> %SystemRoot%\System32\CbEvtSvc.exe
NY -> CcEvtSvc.exe -> %SystemRoot%\System32\CcEvtSvc.exe
NY -> cygwn32.dll -> %SystemRoot%\System32\cygwn32.dll
NY -> lt.res -> %SystemRoot%\System32\lt.res
NY -> marwin32.dll -> %SystemRoot%\System32\marwin32.dll
NY -> MSIXU.DLL -> %SystemRoot%\System32\MSIXU.DLL
NY -> MSNSA32.dll -> %SystemRoot%\System32\MSNSA32.dll
NY -> ntnut32.exe -> %SystemRoot%\System32\ntnut32.exe
NY -> sbwltbxa.exe -> %SystemRoot%\System32\sbwltbxa.exe
NY -> sft.res -> %SystemRoot%\System32\sft.res
NY -> shdocpe.dll -> %SystemRoot%\System32\shdocpe.dll
NY -> SIPSPI32.dll -> %SystemRoot%\System32\SIPSPI32.dll
NY -> WER8274.DLL -> %SystemRoot%\System32\WER8274.DLL
NY -> winfrun32.bin -> %SystemRoot%\System32\winfrun32.bin
NY -> 123messenger.per -> %SystemRoot%\123messenger.per
NY -> 180ax.exe -> %SystemRoot%\180ax.exe
NY -> 2020search.dll -> %SystemRoot%\2020search.dll
NY -> 2020search2.dll -> %SystemRoot%\2020search2.dll
NY -> apphelp32.dll -> %SystemRoot%\apphelp32.dll
NY -> asferror32.dll -> %SystemRoot%\asferror32.dll
NY -> asycfilt32.dll -> %SystemRoot%\asycfilt32.dll
NY -> athprxy32.dll -> %SystemRoot%\athprxy32.dll
NY -> ati2dvaa32.dll -> %SystemRoot%\ati2dvaa32.dll
NY -> ati2dvag32.dll -> %SystemRoot%\ati2dvag32.dll
NY -> audiosrv32.dll -> %SystemRoot%\audiosrv32.dll
NY -> autodisc32.dll -> %SystemRoot%\autodisc32.dll
NY -> avifile32.dll -> %SystemRoot%\avifile32.dll
NY -> avisynthex32.dll -> %SystemRoot%\avisynthex32.dll
NY -> aviwrap32.dll -> %SystemRoot%\aviwrap32.dll
NY -> bjam.dll -> %SystemRoot%\bjam.dll
NY -> bokja.exe -> %SystemRoot%\bokja.exe
NY -> browserad.dll -> %SystemRoot%\browserad.dll
NY -> cdsm32.dll -> %SystemRoot%\cdsm32.dll
NY -> changeurl_30.dll -> %SystemRoot%\changeurl_30.dll
NY -> 3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> didduid.ini -> %SystemRoot%\didduid.ini
NY -> FLEOK -> %SystemRoot%\FLEOK
NY -> ivmvshaf.exe -> %SystemRoot%\ivmvshaf.exe
NY -> jntvauhd -> %SystemRoot%\jntvauhd
NY -> JwLIC9lx1m.exe -> %SystemRoot%\JwLIC9lx1m.exe
NY -> msa64chk.dll -> %SystemRoot%\msa64chk.dll
NY -> msapasrc.dll -> %SystemRoot%\msapasrc.dll
NY -> mspphe.dll -> %SystemRoot%\mspphe.dll
NY -> mssvr.exe -> %SystemRoot%\mssvr.exe
NY -> ntnut.exe -> %SystemRoot%\ntnut.exe
NY -> saiemod.dll -> %SystemRoot%\saiemod.dll
NY -> salm.exe -> %SystemRoot%\salm.exe
NY -> shdocpe.dll -> %SystemRoot%\shdocpe.dll
NY -> shdocpl.dll -> %SystemRoot%\shdocpl.dll
NY -> snyzkvwz.exe -> %SystemRoot%\snyzkvwz.exe
NY -> stcloader.exe -> %SystemRoot%\stcloader.exe
NY -> swin32.dll -> %SystemRoot%\swin32.dll
NY -> updatetc.exe -> %SystemRoot%\updatetc.exe
NY -> uxijslwx.dll -> %SystemRoot%\uxijslwx.dll
NY -> voiceip.dll -> %SystemRoot%\voiceip.dll
NY -> winsb.dll -> %SystemRoot%\winsb.dll
NY -> wpibybuz.dll -> %SystemRoot%\wpibybuz.dll
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
NY -> SALM.EXE -> C:\WINDOWS\Temp\SALM.EXE
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> hwdilwbq.dll -> %AllUsersProfile%\Application Data\hwdilwbq.dll
NY -> SalesMon -> %AllUsersProfile%\Application Data\SalesMon
NY -> alot -> %AppData%\alot
[Extra Files]
%CommonProgramFiles%\AntiSpywareSuite\
%ProgramFiles%\Hotbar\
[Empty Temp Folders]
[Start Explorer]
The fix should only take a very short time. When the fix is completed a message box will pop up either telling you that it is finished, or that a reboot is needed to complete the fix. Either way, click the Ok button. If it is finished, Notepad will open with a log of actions taken during the fix. If a reboot is required, this log will be placed in the Moved Files folder (see the last step for location directions). Post that log back here in your next reply.

Step #3

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.

Step #4

Run a new OTScanIt scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Step #5

Post the following back here:

  • The Avenger report (c:\Avenger.txt)
  • The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run.)
  • The new OTScanIt scan log

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
 

hanzzz

Thread Starter
Joined
Mar 28, 2008
Messages
11
Hi,

It looks like most of the problems have gone. The desktop background is back to normal, task manager opens, and there are no longer any pop-up dialog boxes.

This is the F-Secure Online Scanner Report:

Scanning Report
Tuesday, April 01, 2008 11:45:25 - 12:46:03
Computer name: BOXALL
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 6 malware found
Backdoor:W32/Agent.CXZ (virus)
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\951192718.EXE (Submitted)
Backdoor:W32/Agent.CYB (virus)
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\869715802.EXE (Submitted)
Trojan.Win32.Pakes.cml (virus)
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\907608617.EXE (Renamed & Submitted)
not-virus:Hoax.Win32.Renos.bes (virus)
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\1099444196.EXE (Submitted)
not-virus:Hoax.Win32.Renos.bhe (virus)
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\1095315177.EXE (Submitted)
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\1095839497.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 26254
System: 3075
Not scanned: 12
Actions:
Disinfected: 0
Renamed: 1
Deleted: 0
None: 5
Submitted: 6
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\DOCUMENTS AND SETTINGS\BBOXALL\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP SEARCH\DBDAM
C:\DOCUMENTS AND SETTINGS\BBOXALL\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP SEARCH\DBDAO
C:\DOCUMENTS AND SETTINGS\BBOXALL\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP SEARCH\DBEAM
C:\DOCUMENTS AND SETTINGS\BBOXALL\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP SEARCH\DBEAO
C:\DOCUMENTS AND SETTINGS\BBOXALL\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP SEARCH\DBM
C:\DOCUMENTS AND SETTINGS\BBOXALL\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP SEARCH\HP

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-04-01
F-Secure AVP: 7.0.171, 2008-03-31
F-Secure Pegasus: 1.20.0, 2008-02-28
F-Secure Blacklight: 1.0.64
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------



------

Attached are the Avenger report, OTScanit log, and OTscanit report.
 


OldTimer

Malware Specialist
Joined
Mar 28, 2008
Messages
237
Hi hanzzz. That looks great. Good job! We have one item that came back but it's not so serious. The file is gone anyway. Let's get rid of that.

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Registry - Non-Microsoft Only]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> {E1BACF55-35E1-4E47-9247-2D48660E5545} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
The fix should only take a very short time. When the fix is completed either a message box will popup telling you that it is finished or you will be asked to reboot to finish the fix. If it is finished, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

If you need to reboot, the log file will be placed in the MovedFiles folder in the folder that OTScanIt is running from. It will have a .log extension and a name in the format of mmddyyyy_hhmmss.log. Once you reboot, locate that file, open it with Notepad (not Write or any other text program) and post the contents back here.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
 

hanzzz

Thread Starter
Joined
Mar 28, 2008
Messages
11
I just restarted my computer again, and a dialog box which I have never seen before popped up:

RegScr32

LoadLibrary("C:\Documents and Settings\All Users\Application Data\hwdilwbq.dll") has failed - The specified module could not be found.
 

hanzzz

Thread Starter
Joined
Mar 28, 2008
Messages
11
Here is the latest OTScanIt log:

[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{E1BACF55-35E1-4E47-9247-2D48660E5545} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E1BACF55-35E1-4E47-9247-2D48660E5545}\ not found.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.8.0 fix logfile created on 04012008_135812


Hanzzz
 

OldTimer

Malware Specialist
Joined
Mar 28, 2008
Messages
237
Hi hanzzz. That RegScr32 file is one of those icky bad files. It did not show up in the last scan so let's see if we can find it.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - Approved Shell Extensions
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • Reg - File Associations
    • Reg - Print Monitors
    • Reg - Shell Spawning
    • Reg - Software Policy Settings
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post.

Cheers.

OT
 

hanzzz

Thread Starter
Joined
Mar 28, 2008
Messages
11
I made a typo in my earlier post, the dialog box is:

RegSvr32

with the same error message.

Does this change anything?
 

OldTimer

Malware Specialist
Joined
Mar 28, 2008
Messages
237
Hi hanzzz. That looks clean also. It's not starting up from anywhere in the registry that I can tell. Let's see if the file is even present on the system.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Click the None button on the toolbar.
  • Copy/paste the text in the code box below into the Custom Scans box:
    Code:
    c:\*.regscr*.* /s
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post.

Cheers.

OT
 

OldTimer

Malware Specialist
Joined
Mar 28, 2008
Messages
237
Hi hanzzz. Yes, that would make a difference. Skip my last post. RegSvr32 is a standard Windows registration file. Some other process is trying to load the hwdilwbq.dll file. Does this come up every time the system starts? Then we will need to find out what the other process is to see if it is legitimate or not.

Cheers.

OT
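The question OldTimer raises above (which startup entry is still telling regsvr32 to load a DLL that no longer exists) is the kind of thing a practitioner answers by searching exported autostart keys for the module name. The following is an added example and is not part of the thread, not OTScanIt, and not anything OldTimer posted: a Python script that parses a `.reg` export (the `Windows Registry Editor Version 5.00` format that regedit and `reg export` produce) and lists every value whose data mentions a given DLL, decoding the `hex(2)`/`hex(7)` (REG_EXPAND_SZ / REG_MULTI_SZ) blobs in which loader paths are often hidden from a plain text search. The sample export, the value name `loader`, the `C:\tmp\` path and the all-zero CLSID are constructed for the example and are not claims about the poster's machine.

```python
import re

# Module named in the RegSvr32 error dialog reported in the thread.
DLL_NAME = "hwdilwbq.dll"

# Constructed sample .reg export (NOT from the poster's machine): two harmless
# entries, one Run value that calls regsvr32 on the DLL, and one COM server
# registration stored as REG_EXPAND_SZ (hex(2) = UTF-16LE bytes). The CLSID and
# the C:\tmp path are placeholders invented for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"loader"="regsvr32.exe /s \"C:\\Documents and Settings\\All Users\\Application Data\\hwdilwbq.dll\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@=hex(2):43,00,3a,00,5c,00,74,00,6d,00,70,00,5c,00,68,00,77,00,64,00,\
  69,00,6c,00,77,00,62,00,71,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
"DLLName"="igfxdev.dll"
'''

# "name"=data or @=data (the key's default value); names may contain escaped quotes.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _logical_lines(text):
    """Yield lines with .reg continuation lines (trailing backslash) joined."""
    pending = None
    for line in text.splitlines():
        line = line.strip()
        if pending is not None:
            line = pending + line
            pending = None
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        yield line
    if pending is not None:
        yield pending


def _unescape(s):
    """Undo .reg string escaping (backslash-backslash, backslash-quote), left to right."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_data(raw):
    """Return value data as searchable text, whatever its registry type."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])                   # REG_SZ
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        kind = int(m.group(1) or 3)                   # bare "hex:" is REG_BINARY (3)
        blob = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in (2, 7):                            # REG_EXPAND_SZ / REG_MULTI_SZ
            # Version 5.00 exports store these as UTF-16LE; NULs separate and terminate strings.
            return blob.decode("utf-16-le", errors="replace").replace("\x00", " ").strip()
        return blob.hex()                             # other binary types: keep as hex text
    return raw                                        # dword:... and anything else


def find_dll_references(reg_text, dll_name):
    """Return [(key, value_name, decoded_data)] for every value mentioning dll_name."""
    needle = dll_name.lower()
    key, hits = None, []
    for line in _logical_lines(reg_text):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                          # new key header
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            continue
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        data = _decode_data(m.group(2).strip())
        if needle in data.lower():
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_dll_references(SAMPLE_REG, DLL_NAME):
        print(f"{key}\n    {name} = {data}")
```

On the affected machine the input would come from something like `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`, one export per autostart location worth checking (Run/RunOnce keys, Winlogon\Notify, BHO and InprocServer32 entries, ShellServiceObjectDelayLoad); regedit and reg.exe write Version 5.00 exports as UTF-16, so read the file with `encoding="utf-16"` before passing the text to `find_dll_references`. A hit such as the `loader` value above is what turns the error dialog into an actionable entry to delete, while an orphaned InprocServer32 default value explains the same error appearing when some COM-hosting process starts rather than at logon.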
 

OldTimer

Malware Specialist
Joined
Mar 28, 2008
Messages
237
Hi hanzzz. Let's try this once.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Click the None button on the toolbar.
  • Click the Scan All Users checkbox on the toolbar to select it.
  • In the Registry group click All.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post.

Cheers.

OT
 