

Redirect Problem


11 replies to this topic

#1 OFFLINE   AgCE

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 04 April 2007 - 09:14 PM

Hello. I’m having some trouble with getting redirected from search engine results. If I do a Google or Yahoo search and click on one of the search results I get redirected to some random site (several different search engines, eBay, adult sites, etc.). Reading some of the posts on here it looks like you’ve helped folks with similar problems, so I was hoping you could help me.

I’ve attached two of the three logs requested in the “Spyware Removal Guide Version 2” post. The HijackThis log is shown below (for some reason I can't upload this file). Running the two spyware scans did not find any problems other than some cookies.

Thanks in advance.




Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:39:06 PM, on 4/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tim Taylor\My Documents\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tamu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Groove Networks\Groove\Bin\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Groove Virtual Office.lnk = C:\Program Files\Groove Networks\Groove\Bin\Groove.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B9FDD8A-2B17-43F7-940C-B0966B1B389D}: NameServer = 85.255.115.67,85.255.112.108
O17 - HKLM\System\CCS\Services\Tcpip\..\{D540C36A-D26F-4BE5-8F7E-BEBE7621C5C6}: NameServer = 85.255.115.67,85.255.112.108
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.67 85.255.112.108
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B9FDD8A-2B17-43F7-940C-B0966B1B389D}: NameServer = 85.255.115.67,85.255.112.108
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.67 85.255.112.108
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Groove Audit Service (GrooveAuditService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveAuditService.exe
O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe
O23 - Service: GrooveRunOnceInstaller - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveRunOnceInstaller.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 14560 bytes




#2 OFFLINE   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 04 April 2007 - 09:34 PM

Welcome to the forum. :)

Open hijackthis and do a system scan. Then check off the following lines:

O17 - HKLM\System\CCS\Services\Tcpip\..\{0B9FDD8A-2B17-43F7-940C-B0966B1B389D}: NameServer = 85.255.115.67,85.255.112.108
O17 - HKLM\System\CCS\Services\Tcpip\..\{D540C36A-D26F-4BE5-8F7E-BEBE7621C5C6}: NameServer = 85.255.115.67,85.255.112.108
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.67 85.255.112.108
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B9FDD8A-2B17-43F7-940C-B0966B1B389D}: NameServer = 85.255.115.67,85.255.112.108
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.67 85.255.112.108

Then press "fix checked" and exit hijackthis.

-------

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) back into this thread.
Post a new hijackthis log as well.
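
The five O17 lines rridgely has the poster fix are the whole story here: the machine's DNS resolvers, both the interface-level NameServer values and the global Tcpip\Parameters value (in CurrentControlSet and ControlSet1), had been pointed at 85.255.115.67 and 85.255.112.108, so every lookup, including the search-engine click-throughs, was answered by someone else's resolver. The script below is an added example, not part of the original thread or of HijackThis or FixWareout: it pulls the O17 entries out of a HijackThis log, flags any resolver that is not on an allowlist, and confirms that the entries are gone from a second log. The O17 lines are copied from the first log in the thread; the allowlist (a home router and a 10.0.0.0/8 VPN range) and the third sample log are assumptions. The 85.255.112.0/20 block is the one the FBI's later DNSChanger advisory listed as rogue resolver space (85.255.112.0 through 85.255.127.255).

```python
"""Flag rogue DNS resolvers in HijackThis O17 lines and confirm their removal."""
import ipaddress
import re

# HijackThis prints O17 as: "O17 - <registry key>: NameServer = a,b" (comma or space separated).
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\[^:]+): NameServer = (?P<servers>.+)$")

# ASSUMED allowlist: the resolvers this machine should be using. Replace with the
# ISP/DHCP or corporate resolvers you actually expect.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("192.168.1.1/32"),  # assumed home router
    ipaddress.ip_network("10.0.0.0/8"),      # assumed VPN-assigned resolvers
]

# 85.255.112.0 - 85.255.127.255 is the block the FBI's DNSChanger advisory listed as
# rogue resolver space; both addresses in the thread fall inside it.
KNOWN_ROGUE = [ipaddress.ip_network("85.255.112.0/20")]


def parse_o17(log_text):
    """Return [(registry_key, [ip_str, ...])] for each O17 NameServer line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = []
        for token in re.split(r"[,\s]+", m.group("servers").strip()):
            try:
                servers.append(str(ipaddress.ip_address(token)))
            except ValueError:
                pass  # skip hostnames or junk instead of aborting the whole scan
        entries.append((m.group("key"), servers))
    return entries


def classify(ip_text):
    """'rogue' if in a known-bad block, 'expected' if allowlisted, else 'unknown'."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in KNOWN_ROGUE):
        return "rogue"
    if any(ip in net for net in EXPECTED_RESOLVERS):
        return "expected"
    return "unknown"


def suspicious_o17(log_text):
    """O17 entries whose resolvers are not all on the allowlist, with a verdict per address."""
    findings = []
    for key, servers in parse_o17(log_text):
        verdicts = {ip: classify(ip) for ip in servers}
        if any(v != "expected" for v in verdicts.values()):
            findings.append((key, verdicts))
    return findings


def removed_between(before, after):
    """Registry keys with an O17 entry in the first log that have none in the second."""
    before_keys = {k for k, _ in parse_o17(before)}
    after_keys = {k for k, _ in parse_o17(after)}
    return sorted(before_keys - after_keys)


# O17 block copied from the first log in the thread (post #1).
LOG_BEFORE = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B9FDD8A-2B17-43F7-940C-B0966B1B389D}: NameServer = 85.255.115.67,85.255.112.108
O17 - HKLM\System\CCS\Services\Tcpip\..\{D540C36A-D26F-4BE5-8F7E-BEBE7621C5C6}: NameServer = 85.255.115.67,85.255.112.108
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.67 85.255.112.108
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B9FDD8A-2B17-43F7-940C-B0966B1B389D}: NameServer = 85.255.115.67,85.255.112.108
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.67 85.255.112.108
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# The second log in the thread (post #3) contains no O17 lines at all; these two
# neighbouring lines stand in for its surrounding content.
LOG_AFTER = r"""
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# CONSTRUCTED log: a VPN-assigned resolver plus one public address not on any list,
# which should surface as 'unknown' rather than be silently accepted.
LOG_CONSTRUCTED = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{D540C36A-D26F-4BE5-8F7E-BEBE7621C5C6}: NameServer = 10.8.0.1,203.0.113.5
"""


if __name__ == "__main__":
    for key, verdicts in suspicious_o17(LOG_BEFORE):
        print(f"{key}: {verdicts}")
    print("removed after fix:", removed_between(LOG_BEFORE, LOG_AFTER))
    print("constructed sample:", suspicious_o17(LOG_CONSTRUCTED))
```

Two points worth keeping in mind when running this against a real log. First, the global Tcpip\Parameters value and the per-interface values are both listed because the hijack set all of them, and ControlSet1 is included because a reboot can swap it back in as CurrentControlSet; a fix that only clears the interface keys is incomplete. Second, "unknown" is deliberately not "clean": any resolver you cannot trace to your ISP, router or VPN deserves a look before it is allowlisted.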

#3 OFFLINE   AgCE

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 04 April 2007 - 10:44 PM

O.K. I performed the steps you listed above. The HijackThis log is shown below. I didn't get a "report.txt" file that opened, but a file called "XP-2K2". I posted the contents of this file below the HijackThis log.

The redirect problem I was having is gone now. Thank you for the help.




Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:42:19 PM, on 4/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Groove Networks\Groove\Bin\Groove.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Tim Taylor\My Documents\HiJackThis_v2.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tamu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Groove Networks\Groove\Bin\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Groove Virtual Office.lnk = C:\Program Files\Groove Networks\Groove\Bin\Groove.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Groove Audit Service (GrooveAuditService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveAuditService.exe
O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe
O23 - Service: GrooveRunOnceInstaller - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveRunOnceInstaller.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 14065 bytes

----------------------------------


@echo off
Prompt $
Title FixWareOut
cd %~dp0
Set System=%WinDir%\System32
If not exist setpath.bat call ..\fixit.bat
Nircmd win hide title FixWareOut
CALL setpath.bat
del setpath.bat


NIRCMD INFOBOX "Beginning fix... Click ~qOK~q to start." "Beginning fix"

echo. >>report.txt
echo »»»»» Postrun check >>report.txt

swreg save "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run1.hiv
dumphive run1.hiv runs.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" >nul
For /F "TOKENS=1 delims=*" %%g IN ('FINDSTR.exe /I /G:Patterns.txt runs.txt') Do @echo HKLM\SOFTWARE\~\version\Run\ "%%~ng">>report.txt
swreg save "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" run2.hiv
dumphive run2.hiv out2.reg "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" >nul
For /F "TOKENS=1 delims=*" %%g IN ('findstr /I "System.=." out2.reg') Do @echo HKLM\SOFTWARE\~\Winlogon\ %%g>>report.txt
echo.....>>report.txt

del /q run?.hiv out?.reg whitelist runs.txt >nul 2>&1


(
swreg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins" Ruins.txt /nt4
swreg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls" Urls.txt /nt4
swreg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r" Urls2.txt /nt4
for /f "tokens=1 delims=\=" %%g in ('find.exe /i ":" ^< ruins.txt') do @echo HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins %%g Deleted
for /f "tokens=1 delims=\=" %%g in ('find.exe /i ":" ^< Urls.txt') do @echo HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls %%g Deleted
for /f "tokens=1 delims=\=" %%g in ('find.exe /i ":" ^< Urls2.txt') do @echo HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r %%g Deleted
)>>report.txt 2>nul

del /q Urls.txt Ruins.txt runs.txt Urls2.txt >nul 2>&1

REM out3.txt is left by the pre-run step when the rogue "Windows Management Service" was found.
REM Its LEGACY_* enum key is not deletable by default, so its ACL is reset first.
if exist out3.txt (
if exist "%System%\sc.exe" sc.exe delete "Windows Management Service" >nul 2>&1
swreg delete "HKLM\SYSTEM\CurrentControlSet\Services\Windows Management Service" >nul 2>&1
swreg acl "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_MANAGEMENT_SERVICE" /RESET >nul 2>&1
swreg delete "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_MANAGEMENT_SERVICE" >nul 2>&1
)

(
swreg save "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run1.hiv
dumphive run1.hiv runs.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" >nul
For /F "TOKENS=1 delims==" %%g IN ('FINDSTR.exe /I /G:Patterns.txt runs.txt') Do @(
SWREG delete "HKLM\software\microsoft\windows\currentversion\run" /v %%~nxg >nul
echo.HKLM\~\currentversion\run "%%~nxg" Deleted
)2>nul
)>>report.txt
del /q run1.hiv runs.txt out3.txt >nul 2>&1


::strings
:: Five-letter dm/cs/jb loaders and renamed temp files are identified by size and
:: by the strings "_full.exe" / "csr.exe" / "big_down.exe" they carry
FOR /F "TOKENS=*" %%g in (
'VFIND.exe -tf -r -s+28680 %System%\dm???.exe %System%\cs???.exe %System%\jb???.exe %windir%\temp\?????.ren'
) DO @IF %%~zg LEQ 643471 FINDSTR.exe /M /I "_full.exe csr.exe" %%g >>files.txt 2>nul

FOR /F "TOKENS=*" %%g in ('type files.txt'
) do @if exist %%g (
del /a/f/q %%g >nul 2>&1
if not exist %%g ECHO.%%g Deleted
) >>report.txt 2>&1
For /f "tokens=*" %%g in ('VFIND.exe -tf -r %System%\?????.exe 2^>nul^|Findstr.exe /m /i "big_down.exe" %SYSTEM%\*.exe'
) do @if exist %%g (
del /a/f/q %%g >nul 2>&1
if not exist %%g ECHO.%%g Deleted
) >>report.txt 2>&1
del /q files.txt >nul 2>&1


if exist movfile.bat (
call movfile.bat
del movfile.bat
)

Regedit.exe /s FixWareOut.reg

echo.....>>report.txt
echo »»»»» Misc files. >>report.txt
(
ECHO."%APPDATA%\Install.dat"
ECHO."%APPDATA%\kc.tmp"
ECHO."%APPDATA%\uns.tmp"
ECHO."%APPDATA%\wo.tmp"
ECHO."%Common Favorites%\AdultGambling.url"
ECHO."%Common Favorites%\Download Free Spyware Remover.url"
ECHO."%Common Favorites%\Free Online Dating.url"
ECHO."%Common Favorites%\f*** Real Girls.url"
ECHO."%Common Favorites%\Girls.url"
ECHO."%Common Favorites%\Kill Annoying Popups.url"
ECHO."%Common Favorites%\NEW VIAGRA at Half Price!.url"
ECHO."%Common Favorites%\Online Chat With Nude Girls.url"
ECHO."%Common Favorites%\Online Sex Poker Rooms.url"
ECHO."%Common Favorites%\Order CIALIS online without leaving home..url"
ECHO."%Common Favorites%\PC protection in under 2 minutes!.url"
ECHO."%Common Favorites%\Play Adult-Poker.url"
ECHO."%Common Favorites%\Price!.url"
ECHO."%Common Favorites%\Remove Toolbars.url"
ECHO."%Common Favorites%\Remover.url"
ECHO."%Common Favorites%\SEX Dating - Real Girls For Real SEX.url"
ECHO."%Common Favorites%\Spyware Uninstall.url"
ECHO."%Common Favorites%\SPYWARE.url"
ECHO."%Common Favorites%\Stop PopUps On Your Computer.url"
ECHO."%Common Favorites%\VIAGRA at incredible low price. Bonus Pills!.url"
ECHO."%Common Favorites%\View ADULT photos of REAL GIRLS!.url"
ECHO."%Common Favorites%\XXX personal photos.url"
ECHO."%Common Start Menu%\Monaco Gold Casino.lnk"
ECHO."%DESKTOP%\1.dat"
ECHO."%DESKTOP%\2.dat"
ECHO."%DESKTOP%\3.dat"
ECHO."%DESKTOP%\Kill & Clean Scanner and Monitor.lnk"
ECHO."%DESKTOP%\Monaco Gold Casino.lnk"
ECHO."%DESKTOP%\SpyMarshal.lnk"
ECHO."%DESKTOP%\UnSpyPC Scanner & Monitor.lnk"
ECHO."%DESKTOP%\WareOut Scanner & Monitor.lnk"
ECHO."%Favorites%\\Download Free Spyware"
ECHO."%Favorites%\AdultGambling.url"
ECHO."%Favorites%\Download Free Spyware Remover.url"
ECHO."%Favorites%\Favorites\NEW VIAGRA at Half"
ECHO."%Favorites%\Free Online Dating.url"
ECHO."%Favorites%\f*** Real Girls.url"
ECHO."%Favorites%\Girls.url"
ECHO."%Favorites%\Kill Annoying Popups.url"
ECHO."%Favorites%\NEW VIAGRA at Half Price!.url"
ECHO."%Favorites%\Online Chat With Nude Girls.url"
ECHO."%Favorites%\Online Chat With Nude"
ECHO."%Favorites%\Online Sex Poker Rooms.url"
ECHO."%Favorites%\Order CIALIS online without leaving home..url"
ECHO."%Favorites%\PC protection in under 2 minutes!.url"
ECHO."%Favorites%\Play Adult-Poker.url"
ECHO."%Favorites%\Price!.url"
ECHO."%Favorites%\Remove Toolbars.url"
ECHO."%Favorites%\Remover.url"
ECHO."%Favorites%\SEX Dating - Real Girls For Real SEX.url"
ECHO."%Favorites%\Spyware Uninstall.url"
ECHO."%Favorites%\SPYWARE.url"
ECHO."%Favorites%\Stop PopUps On Your Computer.url"
ECHO."%Favorites%\VIAGRA at incredible low price. Bonus Pills!.url"
ECHO."%Favorites%\View ADULT photos of REAL GIRLS!.url"
ECHO."%Favorites%\XXX personal photos.url"
ECHO."%START MENU%\Monaco Gold Casino.lnk"
ECHO."%USERPROFILE%\1.dat"
ECHO."%USERPROFILE%\2.dat"
ECHO."%USERPROFILE%\3.dat"
ECHO."%USERPROFILE%\Block Popups.url"
ECHO."%USERPROFILE%\Free Online Dating.url"
ECHO."%USERPROFILE%\Make MONEY.url"
ECHO."%USERPROFILE%\Personal Photos.url"
ECHO."%USERPROFILE%\Phentermine.url"
ECHO."%USERPROFILE%\VIAGRA.url"
ECHO."%USERPROFILE%\Work at Home.url"
ECHO."%WinDir%\Monaco Gold Casino setup.exe"
ECHO."%WinDir%\Carnival Casino setup.exe"
ECHO.%WINDIR%\BALLOON.WAV
ECHO.%WinDir%\desktop.html
ECHO.%WinDir%\Help\SPAlert.chm
ECHO.%WINDIR%\RDT.INI
ECHO.%SYSTEM%\1.dat
ECHO.%SYSTEM%\2.dat
ECHO.%SYSTEM%\3.dat
ECHO.%SYSTEM%\atmtd.dll
ECHO.%SYSTEM%\atmtd.dll._
ECHO.%SYSTEM%\bndmod.exe
ECHO.%SYSTEM%\cisvvc.exe
ECHO.%SYSTEM%\close.bmp
ECHO.%SYSTEM%\coded1.exe
ECHO.%SYSTEM%\dating.bmp
ECHO.%SYSTEM%\dflnl.exe
ECHO.%SYSTEM%\dgprpsetup.exe
ECHO.%SYSTEM%\dllhstgp.exe
ECHO.%SYSTEM%\drivers\zpmodemnt.sys
ECHO.%SYSTEM%\favme.exe
ECHO.%SYSTEM%\favset.exe
ECHO.%SYSTEM%\filesafer.exe
ECHO.%SYSTEM%\filesafer23.exe
ECHO.%SYSTEM%\filesaver32.exe
ECHO.%SYSTEM%\gambling.bmp
ECHO.%SYSTEM%\gpsresl32.exe
ECHO.%SYSTEM%\HCLEAN32.EXE
ECHO.%SYSTEM%\hgqhp.exe
ECHO.%SYSTEM%\hlmicro.exe
ECHO.%SYSTEM%\howiper.exe
ECHO.%SYSTEM%\hwiper.exe
ECHO.%SYSTEM%\hybsys32.dll
ECHO.%SYSTEM%\HYBSYS32.DLL
ECHO.%SYSTEM%\idemlog.exe
ECHO.%SYSTEM%\idesk.conf
ECHO.%SYSTEM%\insurance.bmp
ECHO.%SYSTEM%\kilacln.exe
ECHO.%SYSTEM%\LOADCTR.EXE
ECHO.%SYSTEM%\LOADCTR32.EXE
ECHO.%SYSTEM%\logo_big.exe
ECHO.%SYSTEM%\maxd1.exe
ECHO.%SYSTEM%\msblank.html
ECHO.%SYSTEM%\MSSOSXRT.EXE
ECHO.%SYSTEM%\NTFSNLPA.EXE
ECHO.%SYSTEM%\pgsresl32.exe
ECHO.%SYSTEM%\pharmacy.bmp
ECHO.%SYSTEM%\popcorn72.exe
ECHO.%SYSTEM%\pppcgm.exe
ECHO.%SYSTEM%\PXPCYA64.EXE
ECHO.%SYSTEM%\RDSNDIN.EXE
ECHO.%SYSTEM%\setupcarnival.exe
ECHO.%SYSTEM%\sphlp32.exe
ECHO.%SYSTEM%\spyware.bmp
ECHO.%SYSTEM%\trapi12.exe
ECHO.%SYSTEM%\uptdsrv2.exe
ECHO.%SYSTEM%\winctrl16.exe
ECHO.%SYSTEM%\winctrl32.exe
ECHO.%SYSTEM%\winctrl64.exe
ECHO.%SYSTEM%\WOINST32.EXE
ECHO.%SYSTEM%\xxx.bmp
ECHO.%SYSTEM%\yaemu.exe
ECHO.%WinDir%\xpupdate.exe
ECHO.%SYSTEM%\neom.exe
ECHO.%SYSTEM%\neom.ex_
ECHO.%SYSTEM%\neom.ren
)>Files.txt
FOR /F "TOKENS=*" %%g in (files.txt) do @if exist "%%~g" (
del /a/f/Q "%%~g" 2>nul
if not exist "%%~g" Echo.%%~g Deleted>>report.txt
if exist "%%~g" (
Echo.%%~g ... renamed to %%~ng.ren>>report.txt
attrib -h -r -s -a "%%~g"
ren "%%~g" "%%~ng.ren"
))



(
ECHO."%Common Favorites%\Online Pharmacy"
ECHO."%Common Favorites%\Sex and Dating"
ECHO."%Common Favorites%\Spyware Uninstall"
ECHO."%Common Programs%\Monaco Gold Casino"
ECHO."%Favorites%\Online Pharmacy"
ECHO."%Favorites%\Sex and Dating"
ECHO."%Favorites%\Spyware Uninstall"
ECHO."%PROGRAMS%\Domains Error"
ECHO."%PROGRAMS%\Kill & Clean"
ECHO."%PROGRAMS%\KillAndClean"
ECHO."%PROGRAMS%\Monaco Gold Casino"
ECHO."%PROGRAMS%\SpyMarshal"
ECHO."%PROGRAMS%\VideoAccess"
ECHO."%PROGRAMFILES%\Domains Error"
ECHO."%PROGRAMFILES%\KillAndClean"
ECHO."%PROGRAMFILES%\SpyMarshal"
ECHO."%PROGRAMFILES%\UnSpyPC"
ECHO."%PROGRAMFILES%\VideoAccess"
ECHO."%PROGRAMFILES%\WareOut"
ECHO.%systemdrive%\Casino
)>Folders.txt
FOR /F "TOKENS=*" %%g in (Folders.txt) do @if exist "%%~g" (
RD /S/Q "%%~g" >nul 2>&1
if not exist "%%~g" ECHO.%%~g Deleted>>report.txt
if exist "%%~g" ECHO."%%~g" Not Deleted>>report.txt
)


pushd %SYSTEM%
for /f "tokens=*" %%g in ('dir /s/b/a-d {*.exe {*.dll {*.ren 2^>nul^|findstr.exe /v /i "32\\.*\\."') do @(
del /a/f/q "%%g" 2>nul
if not exist "%%g" Echo.%%~fg Deleted>>%~dp0\report.txt
if exist "%%g" (
Echo.%%~fg ... renamed to %%~nxg.ren>>%~dp0\report.txt
attrib -h -r -s -a "%%g"
ren "%%g" "%%~nxg.ren"
))
popd



(
ECHO.%WinDir%\rdt.ini
ECHO.%WinDir%\balloon.wav
ECHO.%WinDir%\Help\SPAlert.chm
ECHO.%SYSTEM%\ntfsnlpa.exe
ECHO.%SYSTEM%\cisvvc.exe
ECHO.%SYSTEM%\drv2cltr.dll
ECHO.%SYSTEM%\hybsys32.dll
ECHO.%SYSTEM%\loadctr.exe
ECHO.%SYSTEM%\loadctr32.exe
ECHO.%SYSTEM%\rdsndin.exe
ECHO.%SYSTEM%\pxpcya64.exe
ECHO.%SYSTEM%\uptdsrv2.exe
ECHO.%SYSTEM%\MSSOSXRT.EXE
ECHO.%SYSTEM%\hclean32.exe
ECHO.%SYSTEM%\hgqhp.exe
ECHO.%SYSTEM%\taskdir.exe
ECHO.%SYSTEM%\adir.dll
ECHO.%SYSTEM%\taskdir.dll
ECHO.%SYSTEM%\gpsresl32.exe
ECHO.%SYSTEM%\popcorn72.exe
ECHO.%SYSTEM%\trapi12.exe
ECHO.%SYSTEM%\winctrl16.exe
ECHO.%SYSTEM%\winctrl32.exe
ECHO.%SYSTEM%\winctrl64.exe
ECHO.%SYSTEM%\msblank.html
ECHO.%SYSTEM%\msblank32.html
ECHO.%SYSTEM%\302.exe
ECHO.%SYSTEM%\666.exe
ECHO.%SYSTEM%\winuptd.exe
ECHO.%SYSTEM%\xscan.exe
ECHO.%SYSTEM%\maxd1.exe
ECHO."%SYSTEM%\kernel32.exe"
)>Files.txt
FOR /F "TOKENS=*" %%g in (files.txt) do @if exist "%%~g" (
del /a/f/Q "%%~g" 2>nul
if not exist "%%~g" Echo.%%~g Deleted>>report.txt
if exist "%%~g" (
Echo.%%~g ... renamed to %%~ng.ren>>report.txt
attrib -h -r -s -a "%%~g"
ren "%%~g" "%%~ng.ren"
))

echo.....>>report.txt
echo »»»»» Checking for older variants.>>report.txt
(
ECHO.%SYSTEM%\40.exe
ECHO.%SYSTEM%\adsnp.dll
ECHO.%SYSTEM%\amax.exe
ECHO.%SYSTEM%\aud-cnet2.exe
ECHO.%SYSTEM%\audissrp.exe
ECHO.%SYSTEM%\autodmfp.exe
ECHO.%SYSTEM%\bischk.exe
ECHO.%SYSTEM%\cdrview.dll
ECHO.%SYSTEM%\chkntfsfat.exe
ECHO.%SYSTEM%\chmredir.chm
ECHO.%SYSTEM%\clfmon.exe
ECHO.%SYSTEM%\comctrl32.dll
ECHO.%SYSTEM%\connmie.exe
ECHO.%SYSTEM%\ctbasxt.exe
ECHO.%SYSTEM%\CustIE32.dll
ECHO.%SYSTEM%\d3dxov.dll
ECHO.%SYSTEM%\dbconf.exe
ECHO.%SYSTEM%\deski.exe
ECHO.%SYSTEM%\diantzpt.exe
ECHO.%SYSTEM%\dllhostxp.exe
ECHO.%SYSTEM%\dmkschk.exe
ECHO.%SYSTEM%\dmsadmins.exe
ECHO.%SYSTEM%\dnsaquota.dll
ECHO.%SYSTEM%\dnsauth.dll
ECHO.%SYSTEM%\dnsping.exe
ECHO.%SYSTEM%\docntrop.dll
ECHO.%SYSTEM%\dosxpd.exe
ECHO.%SYSTEM%\doul.exe
ECHO.%SYSTEM%\dskrfuoui.dll
ECHO.%SYSTEM%\dwcrnt.exe
ECHO.%SYSTEM%\dx9vbc.dll
ECHO.%SYSTEM%\dxconf.exe
ECHO.%SYSTEM%\ebwvgok.exe
ECHO.%SYSTEM%\elswap.dll
ECHO.%SYSTEM%\etile.exe
ECHO.%SYSTEM%\extrac16.exe
ECHO.%SYSTEM%\ezschk.exe
ECHO.%SYSTEM%\fixmapirs.exe
ECHO.%SYSTEM%\f***sex.exe
ECHO.%SYSTEM%\getdns.exe
ECHO.%SYSTEM%\hdr.dll
ECHO.%SYSTEM%\hlp32.exe
ECHO.%SYSTEM%\hostnameip.exe
ECHO.%SYSTEM%\hrlink.dll
ECHO.%SYSTEM%\ie2cltr.dll
ECHO.%SYSTEM%\ie4unit.exe
ECHO.%SYSTEM%\iecust.dll
ECHO.%SYSTEM%\iecust.exe
ECHO.%SYSTEM%\iecustme.exe
ECHO.%SYSTEM%\iecustme32.exe
ECHO.%SYSTEM%\iegfxfrw.dll
ECHO.%SYSTEM%\ieprschk.exe
ECHO.%SYSTEM%\iesp1.dll
ECHO.%SYSTEM%\iesp2.dll
ECHO.%SYSTEM%\ifcfg.exe
ECHO.%SYSTEM%\inetkwschk.exe
ECHO.%SYSTEM%\ipdnssec6.exe
ECHO.%SYSTEM%\ipv9x.exe
ECHO.%SYSTEM%\ipvcx6.exe
ECHO.%SYSTEM%\ipxroutex.exe
ECHO.%SYSTEM%\kzc.exe
ECHO.%SYSTEM%\logogdi.exe
ECHO.%SYSTEM%\micefix.exe
ECHO.%SYSTEM%\Microsoft.hta
ECHO.%SYSTEM%\mptsgsvc.exe
ECHO.%SYSTEM%\mqbckup.exe
ECHO.%SYSTEM%\mqspbkup.exe
ECHO.%SYSTEM%\mqsvch.exe
ECHO.%SYSTEM%\ms_update.exe
ECHO.%SYSTEM%\msacmx.dll
ECHO.%SYSTEM%\MSBKUP.EXE
ECHO.%SYSTEM%\msinfo.exe
ECHO.%SYSTEM%\mskgu.dll
ECHO.%SYSTEM%\msmkd.dll
ECHO.%SYSTEM%\msmsgs.exe
ECHO.%SYSTEM%\msng.exe
ECHO.%SYSTEM%\msnwf.dll
ECHO.%SYSTEM%\mspax.dll
ECHO.%SYSTEM%\msswch.exe
ECHO.%SYSTEM%\msswchxp.exe
ECHO.%SYSTEM%\mxbkup.exe
ECHO.%SYSTEM%\nasll.dll
ECHO.%SYSTEM%\nbtrstat.exe
ECHO.%SYSTEM%\net2.exe
ECHO.%SYSTEM%\netcgf.dll
ECHO.%SYSTEM%\netddx.exe
ECHO.%SYSTEM%\netdetect.exe
ECHO.%SYSTEM%\netdns.exe
ECHO.%SYSTEM%\netssh.exe
ECHO.%SYSTEM%\netssl.exe
ECHO.%SYSTEM%\netstart.exe
ECHO.%SYSTEM%\netupd32.exe
ECHO.%SYSTEM%\nlsfuncs.exe
ECHO.%SYSTEM%\od.exe
ECHO.%SYSTEM%\odbcfg32.dll
ECHO.%SYSTEM%\odcfg.exe
ECHO.%SYSTEM%\openconf.exe
ECHO.%SYSTEM%\opensdl.exe
ECHO.%SYSTEM%\opensdl2.exe
ECHO.%SYSTEM%\p2pserv.dll
ECHO.%SYSTEM%\pentxpl.exe
ECHO.%SYSTEM%\pingnet.exe
ECHO.%SYSTEM%\powerconf.exe
ECHO.%SYSTEM%\protect32.dll
ECHO.%SYSTEM%\proxyconf.exe
ECHO.%SYSTEM%\pxhping.exe
ECHO.%SYSTEM%\qappsrvc32.exe
ECHO.%SYSTEM%\qwinnta.exe
ECHO.%SYSTEM%\qwinsta32.exe
ECHO.%SYSTEM%\qwsxp.dll
ECHO.%SYSTEM%\rasaoutu.exe
ECHO.%SYSTEM%\rcip.exe
ECHO.%SYSTEM%\rdpclips.exe
ECHO.%SYSTEM%\rdpnr.exe
ECHO.%SYSTEM%\rdshost32.exe
ECHO.%SYSTEM%\rdspclips.exe
ECHO.%SYSTEM%\resrvc32.exe
ECHO.%SYSTEM%\rexece32.exe
ECHO.%SYSTEM%\rexecs.exe
ECHO.%SYSTEM%\rnr.dll
ECHO.%SYSTEM%\routenet.exe
ECHO.%SYSTEM%\rpcnt4.dll
ECHO.%SYSTEM%\rshe.exe
ECHO.%SYSTEM%\rsn.exe
ECHO.%SYSTEM%\rsvph.exe
ECHO.%SYSTEM%\rsvxp.exe
ECHO.%SYSTEM%\run_dos.dll
ECHO.%SYSTEM%\scardsvrhr.exe
ECHO.%SYSTEM%\serf_link.dll
ECHO.%SYSTEM%\service.exe
ECHO.%SYSTEM%\servises.exe
ECHO.%SYSTEM%\sesmgr.exe
ECHO.%SYSTEM%\sessngr.exe
ECHO.%SYSTEM%\sethcd.exe
ECHO.%SYSTEM%\setvers.exe
ECHO.%SYSTEM%\sfcman32.dll
ECHO.%SYSTEM%\sfcver.exe
ECHO.%SYSTEM%\sharenet.exe
ECHO.%SYSTEM%\smbdins.exe
ECHO.%SYSTEM%\smbin.exe
ECHO.%SYSTEM%\smlogvcc.exe
ECHO.%SYSTEM%\smlogvcc.exe
ECHO.%SYSTEM%\snnpapi.dll
ECHO.%SYSTEM%\snnpapi.exe
ECHO.%SYSTEM%\sp2chek.exe
ECHO.%SYSTEM%\sp2chk.exe
ECHO.%SYSTEM%\spatx.dll
ECHO.%SYSTEM%\spnping.exe
ECHO.%SYSTEM%\spoolsrv.exe
ECHO.%SYSTEM%\spoolsvc.exe
ECHO.%SYSTEM%\sprestrst.exe
ECHO.%SYSTEM%\sprmover.exe
ECHO.%SYSTEM%\subsys.exe
ECHO.%SYSTEM%\sysobj.exe
ECHO.%SYSTEM%\syspack.dll
ECHO.%SYSTEM%\tasknngr.exe
ECHO.%SYSTEM%\taskopen.exe
ECHO.%SYSTEM%\taskrun.exe
ECHO.%SYSTEM%\taskrun.exe
ECHO.%SYSTEM%\tcpsvcss.exe
ECHO.%SYSTEM%\tksvr99.exe
ECHO.%SYSTEM%\tlntadmnx.exe
ECHO.%SYSTEM%\trayinfo.exe
ECHO.%SYSTEM%\truettf.exe
ECHO.%SYSTEM%\tsmsetup.exe
ECHO.%SYSTEM%\unlodctl.exe
ECHO.%SYSTEM%\update.exe
ECHO.%SYSTEM%\upncont.exe
ECHO.%SYSTEM%\upncont32.exe
ECHO.%SYSTEM%\usrdate.exe
ECHO.%SYSTEM%\usrshutd.exe
ECHO.%SYSTEM%\vwipxspnt.exe
ECHO.%SYSTEM%\w32sxp.exe
ECHO.%SYSTEM%\whistleschk.exe
ECHO.%SYSTEM%\winmcd.exe
ECHO.%SYSTEM%\winmsdc.exe
ECHO.%SYSTEM%\winsrv.exe
ECHO.%SYSTEM%\winsrv32.dll
ECHO.%SYSTEM%\winuptd.exe
ECHO.%SYSTEM%\winwiz32.exe
ECHO.%SYSTEM%\wmplayer.exe
ECHO.%SYSTEM%\wncust.exe
ECHO.%SYSTEM%\wowdbe.exe
ECHO.%SYSTEM%\ywde.exe
)>Files.txt
FOR /F "TOKENS=*" %%g in (files.txt) do @if exist "%%~g" (
del /a/f/Q "%%~g" 2>nul
if not exist "%%~g" Echo.%%~g Deleted>>report.txt
if exist "%%~g" (
Echo.%%~g ... renamed to %%~ng.ren>>report.txt
attrib -h -r -s -a "%%~g"
ren "%%~g" "%%~ng.ren"
))
del /q files.txt folders.txt >nul 2>&1
echo.....>>report.txt




REM Create whitelist
>whitelist (
echo %SYSTEM%\csrss.exe
echo %SYSTEM%\DMCPL.EXE
)

(
echo.
echo.Search five digit cs, dm, kd, jb, other, files.
echo.The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.
echo.

FOR /F "TOKENS=*" %%g in (
'VFIND.exe -tf -r -s+34875 %System%\?????.exe'
) DO @IF %%~zg LEQ 34875 FINDSTR.exe /M /I "vFKEvFKMvFKIvFKevFKivFK" %%g >Nul && (
echo %%g >>prere1.txt
)

FOR /F "TOKENS=*" %%g in (
'VFIND.exe -tf -r -s+34903 %System%\?????.exe'
) DO @IF %%~zg LEQ 34903 FINDSTR.exe /M /I "[{?@1c!" %%g >Nul && (
echo %%g >>prere1.txt 2>nul
)

FOR /F "TOKENS=*" %%g in (
'VFIND.exe -tf -r %System%\dm???.exe %System%\cs???.exe %System%\jb???.exe'
) DO @echo %%g >>prere1.txt 2>nul

type prere1.txt |findstr /v /i /l /g:whitelist >>prere2.txt

For /F "TOKENS=*" %%g IN ('type prere2.txt') Do @(
echo.%%~sg %%~zg %%~tg >>prere3.txt
)

if exist prere3.txt For /F "TOKENS=1-4 delims= " %%g IN ('type prere3.txt') Do @(
echo.%%~g %%~h %%~i
)


echo.
echo.
echo.Click browse, find the file then click submit.
echo.http://www.virustotal.com/flash/index_en.html
echo.Or http://virusscan.jotti.org/
echo.
echo.»»»»» Other
For /F "TOKENS=*" %%g IN ('VFIND.exe -rtf %windir%\temp\*.ren 2^>nul') Do @(
echo.%%~sg %%~zg %%~tg >>tmp.txt
)
If Exist tmp.txt For /F "TOKENS=1-4 delims= " %%g IN ('type tmp.txt') Do @(
echo.%%~g %%~h %%~i
)
echo.
echo.
echo.
)>>report.txt 2>&1
del /q prere*.txt tmp.txt whitelist >nul 2>&1

REM Locate/Fix Hosts File
REM The hosts directory comes from Tcpip\Parameters\DataBasePath (REG_EXPAND_SZ, hence
REM the CALL SET). The old file is kept as hostsbak (ren takes a bare file name, not a
REM path) and replaced with the single loopback entry.
For /F "tokens=2*" %%g in ('swreg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DataBasePath"^|find.exe /i "reg_"') do call SET HostDir=%%h

attrib -h -s -r "%HostDir%\hosts"
if exist "%HostDir%\hostsbak" del /q "%HostDir%\hostsbak" >nul 2>&1
if exist "%HostDir%\hosts" ren "%HostDir%\hosts" "hostsbak"
echo.127.0.0.1 localhost >"%HostDir%\hosts"


REM Tif
IF DEFINED cache DEL /A/S/F/Q "%cache%\*" >Nul 2>&1
ECHO."%Cache default%" | FIND.exe "\" >Nul && DEL /A/S/F/Q "%Cache default%\*" >Nul 2>&1
NIRCMD emptybin

NIRCMD INFOBOX "Finished! Please post the contents of the report.txt for the forum helper.~nClick ~qOK~q to continue." "Finish"

swreg save "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run1.hiv
dumphive run1.hiv hklm.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" >nul
swreg save "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" HKCU.hiv
dumphive HKCU.hiv HKCU.reg "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion" >nul
echo »»»»» Current runs >> report.txt
For /f "tokens=*" %%g in ('findstr /v "REGEDIT4 Installed NoChange OptionalComponents" hklm.reg') DO @(
echo %%g
)>> report.txt 2>&1
For /f "tokens=*" %%g in ('findstr /v "REGEDIT4" HKCU.reg') DO @(
echo %%g
)>> report.txt 2>&1
del /q HKCU.reg hklm.reg run1.hiv HKCU.hiv >nul 2>&1

echo.....>> report.txt
echo.Hosts file was reset, If you use a custom hosts file please replace it>> report.txt

REM Rustock hides registry keys whose names contain pe386, msguard, lzx32 or huy32.
REM Create HKCU\temp\<name> and try to save it: if the rootkit is active the key
REM just created cannot be read back, no hive file appears, and it is reported.
SWReg ADD "HKCU\temp" >nul
SWReg save "HKCU\temp" tmp.hiv >nul
SWReg ADD "HKCU\temp\pe386" >nul
SWReg save "HKCU\temp\pe386" temp.hiv >nul
if not exist temp.hiv echo.>> report.txt
if not exist temp.hiv echo Rustock pe386 is present>>report.txt
SWReg restore "HKCU\temp" tmp.hiv >nul
swreg delete "HKCU\temp" >nul
del /q temp.hiv >nul 2>&1
SWReg ADD "HKCU\temp" >nul
SWReg ADD "HKCU\temp\msguard" >nul
SWReg save "HKCU\temp\msguard" temp.hiv >nul
if not exist temp.hiv echo.>> report.txt
if not exist temp.hiv echo Rustock msguard is present>>report.txt
del /q temp.hiv >nul 2>&1
SWReg restore "HKCU\temp" tmp.hiv >nul
swreg delete "HKCU\temp" >nul
del /q temp.hiv >nul 2>&1
SWReg ADD "HKCU\temp" >nul
SWReg ADD "HKCU\temp\lzx32" >nul
SWReg save "HKCU\temp\lzx32" temp.hiv >nul
if not exist temp.hiv echo.>> report.txt
if not exist temp.hiv echo Rustock lzx32 is present>>report.txt
del /q temp.hiv >nul 2>&1
SWReg restore "HKCU\temp" tmp.hiv >nul
swreg delete "HKCU\temp" >nul
del /q temp.hiv >nul 2>&1
SWReg ADD "HKCU\temp" >nul
SWReg ADD "HKCU\temp\huy32" >nul
SWReg save "HKCU\temp\huy32" temp.hiv >nul
if not exist temp.hiv echo.>> report.txt
if not exist temp.hiv echo Rustock huy32 is present>>report.txt
del /q temp.hiv >nul 2>&1
SWReg restore "HKCU\temp" tmp.hiv >nul
swreg delete "HKCU\temp" >nul
del /q tmp.hiv temp.hiv >nul 2>&1
swreg delete "HKLM\SYSTEM\CurrentControlSet\Services\pe386" >nul
swreg delete "HKLM\SYSTEM\CurrentControlSet\Services\msguard" >nul
swreg delete "HKLM\SYSTEM\CurrentControlSet\Services\lzx32" >nul
swreg delete "HKLM\SYSTEM\CurrentControlSet\Services\huy32" >nul

if exist missing.txt type missing.txt >> report.txt
echo.»»»»» End report »»»»»>> report.txt


Move /y report.txt ..\
start notepad ..\report.txt & exit
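The script above inspects three things that matter for a search-redirect complaint: Run values that launch a five-letter loader from System32, a non-empty Winlogon\System value, and the hosts file (which it simply resets). The following Python is an added example, not part of FixWareOut, that performs the same triage offline on text you have already collected: a REGEDIT4 export of the Run and Winlogon keys (the format dumphive writes) and a copy of hosts. Patterns.txt is not shown on the page, so the cs/dm/jb/kd name pattern and the rogue product directories are assumptions lifted from the script's own searches and folder list; the sample .reg text and hosts file are constructed, using a TEST-NET address, and are not real infection data.

```python
"""Offline triage of the artifacts FixWareOut inspects (added example)."""
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Assumed stand-in for Patterns.txt: the five-letter cs/dm/jb/kd loaders the
# script hunts for in System32, and the rogue product folders it removes.
RANDOM_NAME = re.compile(r"^(dm|cs|jb|kd)[a-z0-9]{3}\.exe$", re.I)
ROGUE_DIRS = ("\\WareOut\\", "\\KillAndClean\\", "\\SpyMarshal\\",
              "\\UnSpyPC\\", "\\VideoAccess\\", "\\Domains Error\\")
LOOPBACK = {"127.0.0.1", "::1"}
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')   # "name"="data" (REG_SZ only)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a REGEDIT4 export into {key_path: {value_name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = REG_VALUE.match(line)
            if m:
                name, data = m.groups()
                # .reg files escape embedded quotes and backslashes
                keys[current][name] = data.replace('\\"', '"').replace("\\\\", "\\")
    return keys


def command_image(data: str) -> str:
    """Executable path from a Run value, without arguments (quoted or bare)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]    # bare paths containing spaces are not handled


def triage_run(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag random five-letter loaders in System32 and rogue product folders."""
    findings: List[Tuple[str, str]] = []
    for name, data in values.items():
        image = command_image(data)
        base = image.rsplit("\\", 1)[-1]
        if RANDOM_NAME.match(base) and "\\system32\\" in image.lower():
            findings.append(("run-random-name", f"{name} -> {image}"))
        elif any(d.lower() in image.lower() for d in ROGUE_DIRS):
            findings.append(("run-rogue-dir", f"{name} -> {image}"))
    return findings


def triage_winlogon(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Winlogon\\System is empty on a clean machine; any value is reported."""
    system = values.get("System", "")
    return [("winlogon-system", system)] if system else []


def triage_hosts(text: str) -> List[Tuple[str, str]]:
    """Non-loopback entries redirect a host (the symptom in the thread);
    loopback entries block it, benign for ad lists but not for update servers."""
    findings: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for host in names:
            if addr in LOOPBACK:
                if host.lower() != "localhost":
                    findings.append(("hosts-blocked", host))
            else:
                findings.append(("hosts-redirect", f"{host} -> {addr}"))
    return findings


def triage(reg_text: str, hosts_text: str) -> List[Tuple[str, str]]:
    keys = parse_reg(reg_text)
    return (triage_run(keys.get(RUN_KEY, {}))
            + triage_winlogon(keys.get(WINLOGON_KEY, {}))
            + triage_hosts(hosts_text))


# Constructed sample inputs (illustrative only).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"dmabc"="C:\\WINDOWS\\system32\\dmabc.exe"
"WareOut"="C:\\Program Files\\WareOut\\WareOut.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"System"="kdqwe.exe"
'''

SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
192.0.2.10      www.google.com
192.0.2.10      search.yahoo.com
127.0.0.1       updates.example.net
"""

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_REG, SAMPLE_HOSTS):
        print(f"{kind:18} {detail}")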

#4 OFFLINE   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 04 April 2007 - 10:51 PM

Delete this with HijackThis the same way as the others.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html

Make sure you only have one antivirus installed, and also please run the below scan and post the log back. (Just to make sure you're 100% clean. :) )

Run Kaspersky WebScanner
  • Please go HERE and click Kaspersky Online Scanner
  • Read and Accept the Agreement
  • You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • If you see a Windows dialog asking if you want to install this software, click the Install button.
  • The program will launch and then begin downloading the latest definition files,
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
  • Paste the Kaspersky log onto the forum.


#5 OFFLINE   AgCE

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 04 April 2007 - 11:42 PM

I deleted the file using HijackThis.


When I go to Kaspersky and accept the agreement I get a new window with a screen that says it's loading the scanner. It then wants to install an ActiveX control. I let it install the ActiveX control and then I get the screen shown in the attached picture. There's nothing to click on in the screen to run the program and nothing happens.

Am I doing something wrong?


#6 OFFLINE   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 05 April 2007 - 12:05 AM

I'm not sure why it's not working. :(
Instead try the below scan, and if that doesn't work we will try another. :)

Run Panda Activescan from Here.

Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.

#7 OFFLINE   login123

    blanko

  • Members
  • PipPipPipPip
  • 1,778 posts
  • Gender:Not Telling

Posted 05 April 2007 - 01:33 AM

Hi, AgCE. :) FYI, I had trouble with that screen also. Several have.

The accept or decline buttons are there, you just can't see them at first. I'll try to put 2 pictures into this post to show you what the screens look like.

What you do to get down to them is to left click on any line of text near the bottom, hold the mouse button down, then drag the cursor downward. It moves the "window" downward and the buttons come into view.

Rridgely, sorry to butt in. I just used Kaspersky, so I remember how.

OK, gonna try the pictures now. . . . :huh: . . .it worked! :lol:

Posted Image

Posted Image
The SLIM version is always released a bit after any new version; when it is it will be HERE :-)

#8 OFFLINE   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 05 April 2007 - 02:22 AM

I think it's some browser setting that causes it, because I've never had a problem with it but every once in a while some people will.
You can try login's suggestion or just run panda, either one is fine. :)

#9 OFFLINE   AgCE

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 05 April 2007 - 10:21 AM

Thanks login, I just saw your post after I finished running Panda over night.

Panda took a little while to run. Looks like it still found a couple of things: 1 virus, 14 spyware cookies, and 1 hacking root. The scan log is attached.


#10 OFFLINE   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 05 April 2007 - 08:21 PM

The report you saved didn't really provide any information since you didn't save the one with the file paths. :(
If you want you can try the kaspersky scan again, but your computer should be all clean. :D

#11 OFFLINE   AgCE

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 05 April 2007 - 10:15 PM

I ran the Kaspersky scan and it did not find anything so I guess the system is clean. I've attached the scan log just in case.

Thank you so much for your help.


#12 OFFLINE   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 05 April 2007 - 11:20 PM

Looks great. :)
If you have any problems in the future feel free to come back and start a new topic. :D