Hi,
I posted on 02-11-2006 at 01:13 PM in this section and was told to wait 24 hours, but people posting 3 days after me have had replies and I haven't.
Is this due to a mix up, or something?
I followed all the rules that I know of and even tried to make it easier by following procedures I already know, such as how to run HijackThis, the BitDefender online scan, Ewido anti-spyware, CCleaner etc.
Here's the thread I'm talking about:
http://www.d-a-l.com/help/showthread.php?t=47850
This is the first time I've made a repeat post on the same topic, but only because I wanted to make absolutely sure as to why, as the last two times I posted for help here my post was completely ignored.
Thanks.
I guess not.
Please post a new HijackThis log; my own computer died and I've only just got it back up and running.
Well, OK Neal. At least someone replied.
Logfile of HijackThis v1.99.1
Scan saved at 07:11:20, on 13/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Program Files\Advanced Spyware Remover\Asr.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\Program Files\YPOPs\ypops.exe
D:\Program Files\SpywareGuard\sgbhp.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Documents and Settings\Home\Desktop\Software\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchgateway.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchgateway.net/search/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Advanced Spyware Remover Pro] D:\Program Files\Advanced Spyware Remover\Asr.exe
O4 - Startup: SpywareBlaster.lnk = D:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: YPOPs.lnk = D:\Program Files\YPOPs\ypops.exe
O8 - Extra context menu item: Download with GetRight - D:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - D:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: System Safety Monitor - D:\WINDOWS\SYSTEM32\SSMWinlogonEx.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - D:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe
Did you put the searchgateway on your computer?
You said you used Ewido anti-spyware; do you mean AVG Anti-Spyware, as it is an enhanced version of Ewido, which no longer exists?
If you haven't used the AVG Anti-Spyware program, please get it, run a scan and post the log it makes; instructions for that program follow.
There isn't anything malicious showing in your HJT log, so I need you to right-click on hijackthis.exe, click on Rename, rename it foolyou.exe and post a log from the newly renamed hijackthis.exe.
Also...
Download Silent Runners.vbs and post the log it creates, please:
http://www.silentrunners.org/sr_scriptuse.html (click Yes to the supplementary searches).
Wait until there is an "All Done" message!! Then open and post the log next to it.
Your antivirus script protection might interfere or alert; please allow it to run. After a bit a box will say done.
INSTRUCTIONS FOR USING AVG ANTI-SPYWARE in "NORMAL MODE"
Download and scan with AVG Anti-Spyware
1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
7. Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
8. Go to Start > Run and type: services.msc
* Press "OK".
* Click the "Extended" tab and scroll down the list to find AVG Anti-Spyware guard.
* When you find the guard service, double-click on it.
* In the Properties Window > General Tab that opens, click the "Stop" button.
* From the drop-down menu next to "Startup Type", click on "Manual".
* Now click "Apply", then "OK" and close the Services window.
9. Select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from HERE.
Once the updates are installed do the following:
1. Click on the "Scanner" button and choose the "Settings" tab.
* Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
* Under "How to Scan?" check all (default).
* Under "Possibly unwanted software" check all (default).
* Under "What to Scan?" make sure "Scan every file" is selected (default).
* Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.
4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
IMPORTANT! Do not save the report before you have clicked the "Apply all actions" button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
5. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
6. Exit AVG Anti-Spyware when done and submit the log report in your next response.
Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. If Explorer or other programs are open during the scan that means certain files will also be in use. Some malware will insert itself and hide in areas that are "protected" by Windows when the files are being used. This can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.
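The question Neal asks about searchgateway comes from the R0/R1 lines of the HijackThis log above: the search entries point somewhere the user did not choose, while other entries ("(no file)", "(file missing)") are still registered after their backing file is gone. That triage can be scripted. The following is an added example written for this edit, not code from the thread or from HijackThis itself; it re-uses a few lines from the log posted above as its sample input, and the EXPECTED_SEARCH_HOSTS set is a placeholder baseline, not a list taken from the page, which a reader should replace with the defaults of their own build.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# A handful of lines copied from the HijackThis v1.99.1 log above (sample input for this script).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchgateway.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchgateway.net/search/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
""".strip()

# HijackThis lines start with a section code (R0, R1, O4, O23 ...) followed by " - ".
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Assumption: hosts a stock IE search entry is expected to point at. Placeholder list,
# not taken from the thread; replace it with the baseline for your own installation.
EXPECTED_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "www.msn.com"}


def parse_hjt_line(line):
    """Return {'section', 'body'} for a HijackThis entry line, or None for any other line."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    return {"section": m.group("section"), "body": m.group("body")}


def check_search_hijack(entry):
    """R0/R1 entries: flag a search URL whose host is outside the expected baseline."""
    if entry["section"] not in ("R0", "R1"):
        return None
    key, sep, value = entry["body"].partition(" = ")
    value = value.strip()
    if not sep or not value.lower().startswith("http"):
        return None  # empty value (e.g. "Local Page =") or a non-URL setting
    host = (urlparse(value).hostname or "").lower()
    if host in EXPECTED_SEARCH_HOSTS:
        return None
    return {"kind": "search_hijack", "section": entry["section"], "key": key, "host": host}


def check_orphan(entry):
    """Entries whose file is gone still load from the registry; flag them for cleanup."""
    body = entry["body"]
    if body.endswith("(file missing)") or body.endswith("(no file)"):
        return {"kind": "orphan_entry", "section": entry["section"], "body": body}
    return None


def triage(log_text):
    """Run every check over every entry line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        for check in (check_search_hijack, check_orphan):
            finding = check(entry)
            if finding:
                findings.append(finding)
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'search_hijack': 2, 'orphan_entry': 3}."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f["kind"], f["section"], f.get("host") or f.get("body"))
    print(summarize(results))
```

On the sample above the script reports two search entries pointing at www.searchgateway.net and three orphaned entries (the Yahoo! Toolbar hook, the BitDefender uninstall button and the avast! Mail Scanner service). Orphans are not malicious by themselves; they are the leftovers a helper would still want cleared so that later logs stay readable.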
Thanks Neal.
Prior to your reply yesterday, I had run a-squared Free 2.1 and an avast! anti-virus complete system scan.
EDIT: I forgot to add, I ran TrojanHunter 4.6 as well and it didn't find anything.
Avast! found one file with a trojan on my desktop. I still have it in zipped format there. It was a download I required called Bad CD Repair Pro v4.06. I don't think it's accurate, but a false positive.
I haven't unzipped it yet, as every time I try I receive alert after alert.
Here's the link where I downloaded it from: http://www.programurl.com/bad-cd-repair-pro.htm
Can you let me know if it's safe, please.
Quote: Did you put the searchgateway on your computer?
No.
Quote: You said you used Ewido anti-spyware; do you mean AVG Anti-Spyware, as it is an enhanced version of Ewido, which no longer exists?
Re Ewido, well yes, when I mentioned Ewido it was exactly that. I didn't think AVG had now become Ewido updated. So I've run the AVG scan here as well.
I've been having problems with Firefox 2 basically: when I visit a website, everything starts being downloaded and doesn't stop, no matter whether I have a firewall installed or an extension named NoScript, which is supposed to block this.
I remember I had a problem removing MyWebSearch as well; it just doesn't leave.
Anyway, first I ran CCleaner and deleted all the extras.
When I ran the AVG scan, an alert showed up stating "D:\System Volume Information\_restore (xxxxxxx) is corrupt and unreadable. Run the chkdsk utility".
Silent Runners.vbs:
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run \ {++}
"Advanced Spyware Remover Pro" = "D:\Program Files\Advanced Spyware Remover\Asr.exe" ["Evonsoft"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run \ {++}
"SunJavaUpdateSched" = "D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" ["Sun Microsystems, Inc."]
"avast!" = "D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"UserFaultCheck" = "D:\WINDOWS\system32\dumprep 0 -u"
"TkBellExe" = ""D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"QuickTime Task" = ""D:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{31FF080D-12A3-439A-A2EF-4BA95A3148E8}\(Default) = (no title provided)
-> {HKLM...CLSID} = "bho2gr Class"
\InProcServer32\(Default) = "D:\Program Files\GetRight\xx2gr.dll" ["Headlight Software, Inc."]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"
\InProcServer32\(Default) = "D:\Program Files\SpywareGuard\dlprotect.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "D:\Program Files\SpywareGuard\spywareguard.dll" [null data]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "D:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "D:\PROGRA~1\TROJAN~1.6\contmenu.dll" [null data]
"{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}" = "PhotoToys"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\WINDOWS\system32\phototoys.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "D:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{A965C8E0-54A7-11D6-BF08-00079500BB23}" = "ZipZag Shell extension"
-> {HKLM...CLSID} = "ZipZag Shell Extension"
\InProcServer32\(Default) = "D:\PROGRA~1\ZipZag\zipzagcm.dll" [null data]
"{B46C1E0F-F61D-4B19-BC55-B68D8BB3CAFE}" = "GSplit Context Menu Shell Extension"
-> {HKLM...CLSID} = "GSplit Context Menu Shell Extension"
\InProcServer32\(Default) = "D:\WINDOWS\system32\gspshell.dll" ["http://www.gdgsoft.com"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "D:\Program Files\SpywareGuard\spywareguard.dll" [null data]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> System Safety Monitor\DLLName = "SSMWinlogonEx.dll" ["System Safety Limited"]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "D:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "D:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
GSplitShell\(Default) = "{B46C1E0F-F61D-4B19-BC55-B68D8BB3CAFE}"
-> {HKLM...CLSID} = "GSplit Context Menu Shell Extension"
\InProcServer32\(Default) = "D:\WINDOWS\system32\gspshell.dll" ["http://www.gdgsoft.com"]
MyPictures3D\(Default) = "{AA7A03E6-7FA5-42E7-9D7A-9A2A4E344B3F}"
-> {HKLM...CLSID} = "MyPicturesContextMenu Class"
\InProcServer32\(Default) = "D:\Program Files\My Pictures 3D\My Pictures 3D ScreenSaver\Bin\MyPicContext.dll" ["TODO: <Company name>"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "D:\PROGRA~1\TROJAN~1.6\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
ZipZag\(Default) = "{A965C8E0-54A7-11D6-BF08-00079500BB23}"
-> {HKLM...CLSID} = "ZipZag Shell Extension"
\InProcServer32\(Default) = "D:\PROGRA~1\ZipZag\zipzagcm.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "D:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
MyPictures3D\(Default) = "{AA7A03E6-7FA5-42E7-9D7A-9A2A4E344B3F}"
-> {HKLM...CLSID} = "MyPicturesContextMenu Class"
\InProcServer32\(Default) = "D:\Program Files\My Pictures 3D\My Pictures 3D ScreenSaver\Bin\MyPicContext.dll" ["TODO: <Company name>"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "D:\PROGRA~1\TROJAN~1.6\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
ZipZag\(Default) = "{A965C8E0-54A7-11D6-BF08-00079500BB23}"
-> {HKLM...CLSID} = "ZipZag Shell Extension"
\InProcServer32\(Default) = "D:\PROGRA~1\ZipZag\zipzagcm.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "D:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "D:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "D:\PROGRA~1\TROJAN~1.6\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoActiveDesktop" = (REG_BINARY) hex:01 00 00 00
{User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|
Disable Active Desktop}
"NoSaveSettings" = (REG_BINARY) hex:00 00 00 00
{User Configuration|Administrative Templates|Desktop|
Don't save settings at exit}
"ClearRecentDocsOnExit" = (REG_BINARY) hex:01 00 00 00
{unrecognized setting}
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "D:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\Documents and Settings\Home\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Startup items in "Home" & "All Users" startup folders:
------------------------------------------------------
D:\Documents and Settings\Home\Start Menu\Programs\Startup
"SpywareBlaster" -> shortcut to: "D:\Program Files\SpywareBlaster\spywareblaster.exe" [null data]
"SpywareGuard" -> shortcut to: "D:\Program Files\SpywareGuard\sgmain.exe" [null data]
"YPOPs" -> shortcut to: "D:\Program Files\YPOPs\ypops.exe" ["http://yahoopops.sourceforge.net"]
Enabled Scheduled Tasks:
------------------------
"AppleSoftwareUpdate" -> launches: "D:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]
"RegCure" -> launches: "D:\Program Files\RegCure\RegCure.exe -t" [null data]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_09"
\InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_09"
\InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]
{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
avast! Antivirus, avast! Antivirus, ""D:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Web Scanner, avast! Web Scanner, ""D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]
----------
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 86 seconds, including 7 seconds for message boxes)
Well, I've run chkdsk and it shows up perfect. So it seems to me that one of the restore points is corrupt.
AVG Anti-Spyware scan:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 09:47:46 14/11/2006
+ Scan result:
D:\System Volume Information\_restore{02E815AF-FBD2-4F33-9D64-1E3E2E5EFDFC}\RP563\A0960246.DLL -> Adware.IWon : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{02E815AF-FBD2-4F33-9D64-1E3E2E5EFDFC}\RP563\A0960253.EXE -> Adware.MyWebSearch : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{02E815AF-FBD2-4F33-9D64-1E3E2E5EFDFC}\RP563\A0960234.DLL -> Downloader.IstBar : Cleaned with backup (quarantined).
D:\Documents and Settings\Home\Desktop\Software\EnumProcess.exe -> Heuristic.Win32.AVKiller : Cleaned with backup (quarantined).
::Report end
Await the reply.
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 09:50:35, on 14/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Advanced Spyware Remover\Asr.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\Program Files\YPOPs\ypops.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\SpywareGuard\sgbhp.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Documents and Settings\Home\Desktop\Software\Foolyou.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Advanced Spyware Remover Pro] D:\Program Files\Advanced Spyware Remover\Asr.exe
O4 - Startup: SpywareBlaster.lnk = D:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: YPOPs.lnk = D:\Program Files\YPOPs\ypops.exe
O8 - Extra context menu item: Download with GetRight - D:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - D:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: System Safety Monitor - D:\WINDOWS\SYSTEM32\SSMWinlogonEx.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - D:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe
Last edited by Kazna3; 14-11-2006 at 12:39 PM.
Silentrunners came up clean.
I would not trust that program (Bad CD Repair Pro v4.06); it appears to be a cracked program. Your choice.
For the time being, disable AVG Anti-Spyware so the next tool doesn't have problems removing what it finds, if anything.
Download, install and scan with the 15-day free trial of Sunbelt CounterSpy.
CounterSpy User Guide.
1. When Counterspy completes its scan, the "Scan Results" box will appear.
2. Click on "View Results".
3. Under (Recommended Action), using the drop down menu arrows at the side of each entry found, set EVERYTHING to "Remove".
4. Click on "Take Action".
5. Once everything has been removed, click on "View Details".
6. Copy and Paste the details into a text document and save it to your desktop.
7. Exit Counterspy and post the results in your next reply.
Easily uninstalled through Add/Remove Programs.
Thanks Neal.
I was concerned that you never told me what step to take for the ones picked up in the AVG scan that I had previously quarantined. But soon it all made sense.
A word of caution for anyone: Sunbelt CounterSpy took 2 hours to scan, using up 80% of the CPU and 230MB while running alone!
Anyway, I forgot to mention in this post that Sunbelt products do not like my system at all. I had Sunbelt Kerio Personal Firewall and it took me 2 months to figure out it totally destroyed my system on every clean reinstall of Windows, giving BSoDs one after another, all different.
Why? Because one of its main drivers, fwdrv.sys, conflicts with everything in Windows, shutting down Windows Explorer and every other program running.
I had CounterSpy installed but disabled... but I forgot why I had disabled it. When I downloaded another version after deleting the old one and updated it, my PC crashed! It made spywareguard.dll crash, then Dr Watson, followed by explorer.exe, so basically my PC would boot up until the drivers were loading at the Windows logon screen and then crash to a reboot again.
I managed to get it working by stopping avast! and spywareguard.exe through Safe Mode.
One thing to notice: it picked up the same as the AVG scan and much more. One of the items was ZipItFast Pro, which I use quite a lot. But after I read the details of it being adware, I deleted it.
I ran it on two separate drives as I had taken out the other HDD. The other drive returned nothing hence I haven't posted for it.
Spyware Scan Details
Start Date: 15/11/2006 07:08:57
End Date: 15/11/2006 08:02:00
Total Time: 53 mins 3 secs
Detected spyware
ZipItPro Adware (General) more information...
Details: ZipItPro is a software that displays popup/popunder ads when the primary user interface is not visible.
Status: Deleted
Infected files detected
D:\Program Files\ZipItFast.exe
D:\Program Files\zShellAD.dll
D:\Program Files\zShellEX.dll
Infected registry entries detected
HKEY_CLASSES_ROOT\ZipItFast!
HKEY_CLASSES_ROOT\ZipItFast!\DefaultIcon D:\PROGRA~1\zipitfast.exe,0
HKEY_CLASSES_ROOT\ZipItFast!\Shell\Open\Command "D:\PROGRA~1\zipitfast.exe" "%1"
HKEY_CLASSES_ROOT\ZipItFast! ZipItFast! File
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast!
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \Columns Order 0,1,2,3,4,5,6,7
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \Columns Sizes 145,95,90,60,75,150,120,120
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \Config RootDir D:\PROGRA~1\zipitfast.exe
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \Config Opened 0
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \Config Open Dir D:\WINDOWS
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \Config New Dir D:\WINDOWS
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \Config Add Dir D:\WINDOWS
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \Config Ex Dir D:\WINDOWS
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \Sort Ascending 1
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \Sort SortCol 0
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmConfig FormVersion 3
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmConfig OpenPictureDialog2_FileName
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmConfig OpenSkin_FileName
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmConfig ColdLCheck_Checked False
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmConfig ColorCombo_ItemIndex 0
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmConfig FlatBtn_Checked False
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmConfig FlatCheck_Checked False
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmConfig GridCheck_Checked False
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmConfig HandCheck_Checked False
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmConfig HotCheck_Checked False
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmConfig HotLCheck_Checked False
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmConfig RowCheck_Checked True
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmConfig StartUp_Checked True
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmConfig ViewCombo_ItemIndex 1
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmConfig ShellItems_ItemIndex 1
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMain FormVersion 3
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMain Flags 0
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMain ShowCmd 1
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMain PixelsPerInch 96
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMain MinMaxPos(1024x768) -1,-1,-1,-1
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMain MinMaxPos -1,-1,-1,-1
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMain NormPos(1024x768) 301,212,722,555
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMain NormPos 301,212,722,555
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMain Visible 0
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMain AlwaysOnTop1_Checked False
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMain LargeIcons1_Checked False
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMain SmallIcons1_Checked True
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMain List1_Checked False
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMain Detalis1_Checked False
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMain SpeedBar_Options [sbGrayedBtns,sbTransparentBtns]
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMain ListView1_ExtendedStyles [lvxHeaderDragDrop,lvxFullRowSelect,lvxLabelTip]
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMainSpeedBar Position 2
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMainSpeedBar Width 71
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMainSpeedBar Version 0
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMainSpeedBar PixelsPerInch 96
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMainSpeedBar BtnWidth 55
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMainSpeedBar BtnHeight 59
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMainSpeedBar Button1 OpenBtn1,4,4
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMainSpeedBar Button2 NewBtn1,59,4
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMainSpeedBar Button3 FavoritesBtn1,114,4
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMainSpeedBar Button4 ADDBtn1,180,4
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMainSpeedBar Button5 ExtractBtn1,235,4
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMainSpeedBar Button6 ViewBtn1,290,4
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMainSpeedBar Button7 TestBtn1,345,4
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \TfrmMainSpeedBar Count 7
HKEY_CURRENT_USER\Software\TarekHussein\ZipItFast! \ViewStyle ViewStyle 1
WhenU.VVSN Adware Downloader more information...
Details: WhenU.VVSN is an installer application for many WhenU products, including WhenU.Save!, WhenU.Weathercast, WhenUSearch, and WhenU.ClockSync.
Status: Deleted
Infected files detected
D:\Program Files\badcdrepair\VVSNInst.exe
MyWebSearch Toolbar Potentially Unwanted Program more information...
Details: MyWebSearch Toolbar is a customizable Internet Explorer search toolbar with various other tools.
Status: Deleted
Infected files detected
D:\Program Files\MSN Messenger\msimg32.dll
D:\Program Files\MSN Messenger\riched20.dll
FunWebProducts Potentially Unwanted Program more information...
Details: Fun Web Products bundles adware software in its products.
Status: Deleted
Infected registry entries detected
HKEY_CURRENT_USER\SOFTWARE\FunWebProducts
HKEY_CURRENT_USER\SOFTWARE\FunWebProducts\Settings UID 5FC13DBC-1AE3-4014-B0C9-EF3FD2ADB512
HKEY_CURRENT_USER\SOFTWARE\FunWebProducts\Settings BinParam234
HKEY_CURRENT_USER\SOFTWARE\FunWebProducts\Settings BinParam129
Basically I deleted the four apps and their registries.
I need help with one thing: the MyWebSearch menu item is still there in Firefox 2. How do I go about removing it?
Awaiting the reply.
Last edited by Kazna3; 15-11-2006 at 08:31 AM.
Let me see a new hijackthis log please.
Sure Neal.
Thanks.
Logfile of HijackThis v1.99.1
Scan saved at 20:49:59, on 15/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Program Files\Advanced Spyware Remover\Asr.exe
D:\WINDOWS\system32\cisvc.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\Program Files\YPOPs\ypops.exe
D:\Program Files\SpywareGuard\sgbhp.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Documents and Settings\Home\Desktop\Software\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Advanced Spyware Remover Pro] D:\Program Files\Advanced Spyware Remover\Asr.exe
O4 - Startup: SpywareBlaster.lnk = D:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: YPOPs.lnk = D:\Program Files\YPOPs\ypops.exe
O8 - Extra context menu item: Download with GetRight - D:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - D:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: System Safety Monitor - D:\WINDOWS\SYSTEM32\SSMWinlogonEx.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - D:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe
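The logs in this thread are read by eye, section by section, looking for entries whose target no longer exists ("(no file)" on the R3 hook, "(file missing)" on O9 and O23 lines). The script below is an added example, not part of the thread and not HijackThis code, that parses lines in the HijackThis v1.99.1 format and sorts the flagged entries into two buckets. The sample log inside it is constructed from a few lines in the shape of the ones posted above. One caveat it encodes: HijackThis 1.99.1 commonly reports "(file missing)" for a service whose image path is quoted and followed by arguments (the avast! `" /service` and rpcapd lines above are that shape), so those are set aside for manual verification rather than treated as orphaned.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a few lines in the shape of the HijackThis v1.99.1
# log posted in the thread (not the whole log, and not HijackThis code).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
"""

# Section lines look like "O23 - <body>"; process and header lines do not.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    section: str            # e.g. "O23"
    body: str               # everything after "O23 - "
    guid: Optional[str]     # CLSID if the line carries one
    flag: Optional[str]     # "no_file", "file_missing" or None
    quoted_args: bool       # image path ends in '"' followed by arguments


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HijackThis section line; return None for process/header lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    g = GUID_RE.search(body)
    flag = None
    if body.endswith("(no file)"):
        flag = "no_file"
    elif body.endswith("(file missing)"):
        flag = "file_missing"
    # A '" ' inside the body means the image path was quoted and followed by
    # arguments (e.g. ashMaiSv.exe" /service); HijackThis 1.99.1 often reports
    # such services as missing even though the binary is present.
    return Entry(m.group("section"), body, g.group(0) if g else None, flag, '" ' in body)


def parse_log(text: str) -> List[Entry]:
    """Return every section entry in the log, in file order."""
    entries = []
    for line in text.splitlines():
        e = parse_entry(line)
        if e is not None:
            entries.append(e)
    return entries


def triage(text: str) -> Dict[str, List[str]]:
    """Split flagged entries into genuinely orphaned ones and likely false alarms."""
    out: Dict[str, List[str]] = {"orphaned": [], "verify_manually": []}
    for e in parse_log(text):
        if e.flag is None:
            continue
        bucket = "verify_manually" if e.quoted_args else "orphaned"
        out[bucket].append(f"{e.section}: {e.body}")
    return out


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(bucket)
        for item in items:
            print("  ", item)
```

Run against the sample, the R3 URLSearchHook and the O9 bdoscandel button land in "orphaned" (leftover registry references to uninstalled software), while the avast! Mail Scanner service goes to "verify_manually" because its path carries a quoted binary plus `/service`. A real log would be read from a file instead of `SAMPLE_LOG`; the functions take the text as a string so either works.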