APRPS

Guest

I have followed all of the threads and have completed all of the suggestions
last week. I had someone from cyberhelp help me. MSAS always finds the two
keys in hklm software aprps. Like everyone else it removes it but it comes
back. Before I was infected with apropos MSAS ran well. Now it either
reboots, blue screens with page fault in a non paged area or sometimes ends
normally. I told MSAS to ignore the threat since I have no symptoms whatsoever
on my PC. No pop-ups, browser helpers etc. It still randomly reboots.

I see others such having the same proble
 
Frank Saunders, MS-MVP OE

BruceG said:
I have followed all of the threads and have completed all of the
suggestions last week. I had someone from cyberhelp help me. MSAS
always finds the two keys in hklm software aprps. Like everyone else
it removes it but it comes back. Before I was infected with apropos
MSAS ran well. Now it either reboots, blue screens with page fault in
a non paged area or sometimes ends normally. I told MSAS to ignore
the threat since I have no symptoms whatsoever on my PC. No
pop-ups, browser helpers etc. It still randomly reboots.

I see others such having the same proble

Boot into Safe Mode and run MSAS there.
 
Guest

Hi Bruce

You probably have a rootkit installed, as this would also account for the
system giving the Blue Screen of Death and error messages. It's easy enough
to remove but takes a few steps. Can you let me know what version of Windows
you are running and run RootkitRevealer on your system.

Download & Run RootkitRevealer

http://www.sysinternals.com/Files/RootkitRevealer.zip

Save it to the C: drive, extract it and press Scan.

After the scan finishes choose File then Save its log to the C: drive and post
back the log it produces (it may save into Windows\system32 by default;
change that to C:. If you get a pop-up about the desktop not being a valid
location, press OK then change it to the C: drive).

DO NOT attempt to fix anything it finds as all entries may be legitimate

Thanks Andy
 
Guest

Windows XP Pro sp2

Thanks

HKLM\SOFTWARE\C7Tj5Aw8ISn9 9/27/2005 10:40 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NAVEX15 9/19/2005 10:04 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NDICPIP 9/27/2005 8:35 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\NAVEX15 10/16/2005 9:22 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\Ndicpip 10/16/2005 9:22 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\system32\dfsctrs2.exe 9/27/2005 8:35 PM 424.00 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\mouredrv9.sys 9/27/2005 8:35 PM 12.00 KB Hidden from Windows API.
 
Guest

Hi Again Bruce

When you read this response, if you're using the standard http address and not
a newsreader, please double-click this reply so it opens in a new window. I
need you to do a registry export and it may split the line if viewed in the
standard small display box.

You have a kernel-level driver installed that's hiding files and registry
entries on your system, so first we need to delete the file that's causing the
problem; then the other files will become visible and stop running. Then we do
an export of the registry key and get information on any other files related
to this, and finally we delete them all, remove the service and delete the
reg folders, and you will have no more problems with Aprps entries :)

You need to do this next part in Safe Mode because you will not find the
file in normal mode. Copy this to Notepad so you can still read it in Safe
Mode. Let me know if you have any problems or questions and I will help
where I can.

Reboot Into safe mode (Reboot and keep tapping F8 then choose safe mode from
the list)

In Safe Mode delete this file:

C:\WINDOWS\system32\drivers\mouredrv9.sys

If you cannot find it then enable hidden files and folders (you should be
able to find this file, but here are instructions to enable hidden files and
folders in case you need them for other files we will be removing a bit later).

Go to Start then open the C: drive > go to 'Tools' on the top bar > then click
'Folder Options' > then go to the 'View' tab. Make sure that 'Show hidden files
and folders' is enabled, 'Display the contents of system folders' is checked
and 'Hide extensions for known file types' is not checked, then press Apply.

You can set this back later by opening the same page and pressing 'Restore
Defaults' then pressing Apply.

For the file I want you to delete, first open the C: drive, then the Windows folder,
then go into the System32 folder and finally open the Drivers folder and
delete the mouredrv9.sys file (only visible in Safe Mode)

C:\WINDOWS\system32\drivers\mouredrv9.sys

Once that file is deleted, go to Start Menu then Run and type this (or
copy and paste):

regedit /e C:\root.txt "HKEY_LOCAL_MACHINE\SOFTWARE\C7Tj5Aw8ISn9"

This will export the contents of the registry key and save it to a file
named root.txt on the C: drive.

Reboot back into Normal Mode.

Go to the C: drive, open root.txt and copy and paste the contents back on here.

Regards

Andy
 
Guest

Performed requested work. Here is the log

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\c7tj5aw8isn9]
"Device"="\\\\.\\DfYjA13c"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\mouredrv9.sys"
"DriverName"="Ndicpip"
"UninstallerParams"=""
"PageFiltering"=dword:00000001
"AutoUpdater"="C:\\WINDOWS\\system32\\dfsctrs2.exe"
"Version"="2.0.81"
"LastAURestoreMsgTS"="2005:09:28-00:45:32:062"

[HKEY_LOCAL_MACHINE\software\c7tj5aw8isn9\AU2]
"AP"="/DVNM=\"\\\\.\\DfYjA13c\" /INSC=\"AU\""
"SU"="http://au.contextplus.net/services/AUServer"
"NPT"="2005:10:17-19:23:34:062"
"TO"=dword:01499700
"LastCLRestoreMsgTS"="2005:09:28-02:11:07:796"

[HKEY_LOCAL_MACHINE\software\c7tj5aw8isn9\AU2\RGR]

[HKEY_LOCAL_MACHINE\software\c7tj5aw8isn9\AU2\RGR\Messages]

[HKEY_LOCAL_MACHINE\software\c7tj5aw8isn9\AU2\RGR\Properties]
"CP.cv"=hex:43,50,2e,63,76,00,32,2e,30,2e,38,31,00,31,36,30,31,3a,30,31,3a,30,\
31,2d,30,30,3a,30,30,3a,30,30,3a,30,30,30,00,00
"CP.id"=hex:43,50,2e,69,64,00,7b,58,61,66,36,37,39,35,62,2d,36,63,32,39,2d,36,\
62,39,38,2d,35,62,38,36,2d,63,63,37,66,35,36,32,33,66,35,39,63,7d,00,31,36,\
30,31,3a,30,31,3a,30,31,2d,30,30,3a,30,30,3a,30,30,3a,30,30,30,00,00
"CP.pc"=hex:43,50,2e,70,63,00,43,50,2e,47,48,32,00,31,36,30,31,3a,30,31,3a,30,\
31,2d,30,30,3a,30,30,3a,30,30,3a,30,30,30,00,00
"CP.st"=hex:43,50,2e,73,74,00,49,00,31,36,30,31,3a,30,31,3a,30,31,2d,30,30,3a,\
30,30,3a,30,30,3a,30,30,30,00,00
"CP.is"=hex:43,50,2e,69,73,00,4c,52,00,31,36,30,31,3a,30,31,3a,30,31,2d,30,30,\
3a,30,30,3a,30,30,3a,30,30,30,00,00
"CP.it"=hex:43,50,2e,69,74,00,32,30,30,35,30,39,32,38,30,30,33,36,30,30,00,31,\
36,30,31,3a,30,31,3a,30,31,2d,30,30,3a,30,30,3a,30,30,3a,30,30,30,00,00
"CP.os"=hex:43,50,2e,6f,73,00,5b,32,5d,20,35,2e,31,2e,32,36,30,30,20,22,53,65,\
72,76,69,63,65,20,50,61,63,6b,20,32,22,00,31,36,30,31,3a,30,31,3a,30,31,2d,\
30,30,3a,30,30,3a,30,30,3a,30,30,30,00,00
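The Properties values in the export above are REG_BINARY blobs, but decoded as bytes they are readable NUL-separated records (name, value, timestamp). The Python parser below is added here as an example and is not part of the thread or of any Microsoft tool: it reads a regedit /e export of this shape, decodes its dword and hex values and pulls out the fields Andy acts on in the next post. The sample is a subset of the export above; the record layout is inferred from those bytes.

```python
"""Parse a `regedit /e` export and decode its binary values.

In the export above the root key's string values name the driver file,
the service and the updater, while the AU2\\RGR\\Properties values are
REG_BINARY blobs.  Decoded as bytes they are NUL-separated records of
the form name, value, timestamp, terminator.  This is added example code,
not part of the thread; the record layout is inferred from those bytes.
"""
import re
from typing import Dict, List

RegKeys = Dict[str, Dict[str, object]]

# Subset of the export posted above; the bytes are the page's own.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\c7tj5aw8isn9]
"Device"="\\\\.\\DfYjA13c"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\mouredrv9.sys"
"DriverName"="Ndicpip"
"PageFiltering"=dword:00000001
"AutoUpdater"="C:\\WINDOWS\\system32\\dfsctrs2.exe"
"Version"="2.0.81"

[HKEY_LOCAL_MACHINE\software\c7tj5aw8isn9\AU2]
"SU"="http://au.contextplus.net/services/AUServer"
"TO"=dword:01499700

[HKEY_LOCAL_MACHINE\software\c7tj5aw8isn9\AU2\RGR\Properties]
"CP.cv"=hex:43,50,2e,63,76,00,32,2e,30,2e,38,31,00,31,36,30,31,3a,30,31,3a,30,\
  31,2d,30,30,3a,30,30,3a,30,30,3a,30,30,30,00,00
"CP.os"=hex:43,50,2e,6f,73,00,5b,32,5d,20,35,2e,31,2e,32,36,30,30,20,22,53,65,\
  72,76,69,63,65,20,50,61,63,6b,20,32,22,00,31,36,30,31,3a,30,31,3a,30,31,2d,\
  30,30,3a,30,30,3a,30,30,3a,30,30,30,00,00
'''

# "name"=value, where the name may contain escaped quotes or backslashes
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping (backslash-quote and doubled backslashes)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode_value(raw: str) -> object:
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex:"):
        return bytes(int(b, 16) for b in raw[len("hex:"):].split(",") if b)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    return raw  # other REG_* forms (hex(2):, hex(7): ...) left as text


def parse_reg(text: str) -> RegKeys:
    """Return {key path: {value name: decoded value}} for a v5.00 export."""
    keys: RegKeys = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        # hex blobs wrap with a trailing backslash; glue the pieces back together
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _decode_value(m.group(2))
    return keys


def decode_record(blob: bytes) -> List[str]:
    """Split a CP.* blob into its NUL-separated fields, dropping the empty
    terminator fields at the end."""
    fields = blob.decode("latin-1").split("\x00")
    while fields and fields[-1] == "":
        fields.pop()
    return fields


def summarize(keys: RegKeys) -> Dict[str, object]:
    """Pull out the fields that drive the clean-up: driver file, service
    name, updater binary, update server, and the decoded properties."""
    base = "HKEY_LOCAL_MACHINE\\software\\c7tj5aw8isn9"
    root, au2 = keys[base], keys[base + "\\AU2"]
    props = keys[base + "\\AU2\\RGR\\Properties"]
    return {
        "driver_file": root["DriverPath"],
        "service": root["DriverName"],
        "updater": root["AutoUpdater"],
        "update_server": au2["SU"],
        # 0x01499700 = 21600000; if this is milliseconds it is six hours,
        # but that reading is an assumption, not something the export states
        "TO_dword": au2["TO"],
        "component_version": decode_record(props["CP.cv"])[1],
        "os": decode_record(props["CP.os"])[1],
    }


if __name__ == "__main__":
    for k, v in summarize(parse_reg(SAMPLE_REG)).items():
        print(f"{k:18} {v}")
```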
 
Guest

That was quick, Nice work Bruce :)

Here's the final part

You do not need to reboot into Safe Mode now, but if you have any problems
locating this remaining file, enable hidden files and folders as explained in
the last post.

Delete this file:


C:\WINDOWS\system32\dfsctrs2.exe


Then go to Start Menu and Run and type:


cmd


Then press OK and on the command screen type this (Or Copy & Paste):


sc delete Ndicpip


Press Enter, then type exit and press Enter again.


Open Notepad and save this into it, making REGEDIT4 the top line in Notepad:


REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Aprps]

[-HKEY_LOCAL_MACHINE\SOFTWARE\c7tj5aw8isn9]



Save this as fix.reg, choosing to save as type "All files", and place it on
your desktop.
Double-click on it and when it asks you if you want to merge the contents
into the registry, click Yes.

Reboot

You're done!!!

If you have enabled hidden files and folders you should go back and press
Restore Defaults on the View tab of Folder Options to re-hide the folders.

These entries are random and sometimes involve a lot more files than this,
including a complete folder in c:\programfiles, so if anyone else
has this rootkit they should start a new topic :)

Let us know if you have any problems

Regards Andy
 
Guest

Well I've been working on this for over a week. Couldn't wait for it to be
fixed. APRPS reg keys are gone, MSAS finishes without crashing my computer.

You have been very helpful

Thanks Andy
 
Guest

No Problem Bruce

All The Best

Andy


 
plun

Hi Andy

Great solution, thumbs up !

--
plun



 
Guest

Thanks Plun :)

It was showing in the reg export that it last updated on 28th September, so
it could have been hiding on there for a while. I'm glad I was able to help
them get it removed.

Andy
 
Guest

Andy, (or others)
I also have this same problem as mentioned by Bruce in the opening question.
I have followed all advice on all related threads and Bruce's problem sounds
identical in nature. Only I get no error messages and only a random re-boot
once in a great while. Also, when the computer starts, it immediately tries
to go to a non-existent web page in IE. My anti-virus and spyware programs
are all current and run often. MSAS keeps finding it at these two registry
keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Aprps, and
HKEY_LOCAL_MACHINE\SOFTWARE\Aprps\Client
I followed your advice to Bruce, but I had neither file you mentioned. I am
currently running the RootkitRevealer. Any advice? Thanks Andy, hope you
still monitor this thread...
 
G

Guest

Hi Jim

I did have it set to notify me of replies, so I just got an email about your
post. These entries are randomly named, so it's unlikely you would find the same
named files on more than one system, except for the files that are sometimes
hidden in the Program Files area called wingenerics.dll, atl.dll & ace.dll.
These were not present on Bruce's system but are sometimes included and can
be seen using the registry export for related files. Here are a few options, and
if you have problems just post the logs back or email them to me at
(e-mail address removed)

Download CCleaner. CCleaner is a utility that will remove unused and
temporary files from your system.

http://www.ccleaner.com ; run the installer then close CCleaner.

Please download, install, and update the free version of ewido security suite

http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background
guard" and "Install scan via context menu". Click on Update in the left menu,
then click the Start update button. After the update finishes, close Ewido.

Copy this to notepad and save it if needed so you can still view it in safe
mode.

Now reboot to Safe Mode - Restart your computer and immediately begin
tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe
Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.

Run Ewido again. From the main menu click on 'Scanner' then click 'Complete
System Scan'. When Ewido finds something, it will pop up a notification.
Select "Remove" and check the boxes "Perform action with all infections" and
"Create encrypted backup", then click on OK. When the scan finishes, click on
"Save Report" and save it to your desktop or C: drive in case you need it
again.

Open CCleaner. Before running, uncheck cookies on the Windows and
Applications tabs if you have cookies you do not want to remove, then click
the Run Cleaner button, allow it to run, then exit.

While still in Safe Mode, reset the Internet settings: go to Start Menu, then
Control Panel, then Internet Options. Click the Programs tab and press
"Reset Web Settings" and include the homepage, then press Yes. Then go to the
General tab and enter the homepage you want to use into the space provided
and press Apply.

Reboot back to normal mode

If the system still has problems, use HijackThis and post the log it
produces to show your system in more detail, together with the contents of the
RootkitRevealer log.

Download Hijack This :

http://downloads.andymanchesta.com/1/HJTsetup.exe

Save HijackThis to your desktop. Double-click on the HJTsetup.exe icon. By
default it will install to C:\Program Files\Hijack This. Continue to click
Next in the setup dialogue boxes until you get to the "Select Additional
Tasks" dialogue. Put a check by Create a desktop icon then click Next again.
At the final dialogue box click Finish and it will launch HijackThis. Click
on the "Do a system scan and save a log file" button. It will scan and then
open the results in Notepad and also save them into the Program Files 'Hijack
This' folder. Can you send that log? Most of what it lists will be harmless
or even essential to your system, so don't fix anything at this stage.

Run HijackThis a second time and from the main menu click on "Open the Misc
Tools section", and then on "Open Uninstall Manager". Click the "Save list"
button, save the file 'uninstall_list.txt' to your Desktop, and post the
contents with the Hijack This and Rootkit Revealer logs.

Regards

Andy
 
G

Guest

Hi Andy,
I had the results of RootkitRevealer (after it scanned for over two
hours), but when I tried to save it to a .txt file, I got an error message.
When opening that log on the c drive, it only had about half of the entries
so I deleted it and can run it again if needed.
I ran ewido and MSAS last evening in safe mode, but did not run ccleaner.
I'm sending the logs from the Hijackthis below, and the saved list from the
uninstall manager as directed.
Should I now run RootkitRevealer again and the others as you mentioned
in your message? I thought I'd get you the logs while the others are
running.
Thanks again,

Jim


Logfile of HijackThis v1.99.1
Scan saved at 4:30:08 PM, on 1/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\RootkitRevealer\RootkitRevealer.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com
R3 - URLSearchHook: {B5AB638F-D76C-415B-A8F2-F3CEAC502212} - - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Itunes] C:\dials.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search -
http://bar.mywebsearch.com/menusearch.html?p=ZCxdm231YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} -
C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -
{4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program
Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program
Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker -
http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 -
http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage
Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -
https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus
scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {413D6754-BFD4-47FE-9346-319559290BFA} (HTECtrl Class) -
http://www.webpcfos.com/webpcfos/websabre/HTEweb.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} -
http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety
Center Base Module) -
https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1105372564109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility
Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) -
http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) -
https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) -
https://oca.microsoft.com/en/secure/ocarpt.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) -
http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?326
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\pIpsvc.dll (file
missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\kkdcz2.dll
(file missing)
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\kkdcz2.dll (file missing)
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\kkdcz2.dll (file missing)
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\mvobjs.dll (file
missing)
O20 - Winlogon Notify: ShellServiceObjectDelayLoad -
C:\WINDOWS\system32\kkdcz2.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec
Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision
Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel
32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak
Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec
AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program
Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: YEMBC - Sysinternals - www.sysinternals.com -
C:\DOCUME~1\Owner\LOCALS~1\Temp\YEMBC.exe

Uninstall_list.txt:

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0.5
AOL Instant Messenger
ArcSoft Software Suite
Atomic Pop
CardRd81
CCScore
Citrix ICA Web Client
CR2
DLA
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
ESSTUTOR
ESSvpaht
ESSvpot
FinePixViewer Ver.4.3
FUJIFILM USB Driver
GemMaster 2
Greeting Card Creator 32
HijackThis 1.99.1
HLPIndex
HLPPDOCK
HLPRFO
hp center
HP Image Zone 4.0
hp instant support
hp learning adventure
HP Memories Disc
HP Photo and Imaging 1.0 - HP Photosmart Printer Series
HP Photo and Imaging 1.0 - Scanjet 2300c Series
HP Photo and Imaging 1.1 - Photosmart Cameras
HP Photo and Imaging 2.0 - Scanners
HP Photosmart Cameras 4.0
HP Software Update
hp toolkit
ICS Viewer 6.0
Inactive HP Printer Drivers (Remove only)
Intel(R) Extreme Graphics Driver
InterVideo WinDVD
iPod Updater 2004-11-15
iTunes
iTunes
iTunes
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 5
KBD
Kodak EasyShare software
KSU
Kublox
LANBridge
Lavasoft VX2 Cleaner
Lernout & Hauspie TruVoice American English TTS Engine
LimeWire 4.9.37
LiveUpdate 2.0 (Symantec Corporation)
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft AntiSpyware
Microsoft Office Professional Edition 2003
Mozilla Firefox (1.0.6)
MSN Music Assistant
MUSICMATCH Jukebox
NoAds
Notifier
NVIDIA Windows 2000/XP Display Drivers
OTtBP
OTtBPSDK
PC-Doctor for Windows
Photosmart 130,230,7150,7345,7350,7550 (Remove only)
PigPen
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2002 New User Edition
Quicken Financial Center
QuickTime
Radio@Netscape
RAW FILE CONVERTER LE
RCSBP Calculator
RecordNow
RecordNow Update Manager
S3Display
S3Gamma2
S3Info2
S3Overlay
SabreWing 2
SBC Yahoo! Applications
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
SFR
SHASTA
SKIN0001
SKINXSDK
SoundMAX
Space Rocks
SpySubtract
Symantec AntiVirus
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Viewpoint Media Player
Virtual Warfare
VPRINTOL
WildTangent Channel Manager
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Live Safety scanner
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WIRELESS
WordPerfect Productivity Pack
WordPerfect Productivity Pack
 
G

Guest

Hey Jim

Sorry for the delay, I've not been with the PC. Give me about 30 minutes to
check your log and I will get a fix together.

Thanks Andy
 
G

Guest

Hi Jim, there are a few problems showing there. Don't worry about Rootkit
Revealer for now; remove some entries using Hijack This, then we can try
Rootkit Revealer again or use Swandog's Apropos fix if needed.

Open Notepad and save this next part into it making REGEDIT4 the top line in
notepad :

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

Save it as type "All Files", call it fix.reg and save it to your desktop.

Double-click fix.reg and allow it to be merged into the registry.


Run Hijack This and choose to do a system scan, then place checks next to
these entries (the first R3 should not be present now, but fix it if it's
there):

R3 - URLSearchHook: {B5AB638F-D76C-415B-A8F2-F3CEAC502212} - - (no file)

O4 - HKLM\..\Run: [Itunes] C:\dials.exe

O8 - Extra context menu item: &Search -
http://bar.mywebsearch.com/menusearch.html?p=ZCxdm231YYUS

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} -
C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger -
{4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program
Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)

O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\pIpsvc.dll (file
missing)

O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\kkdcz2.dll
(file missing)

O20 - Winlogon Notify: Run - C:\WINDOWS\system32\kkdcz2.dll (file missing)

O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\kkdcz2.dll (file missing)

O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\mvobjs.dll (file
missing)

O20 - Winlogon Notify: ShellServiceObjectDelayLoad -
C:\WINDOWS\system32\kkdcz2.dll (file missing)

Close all open Browser windows except Hijack This and then press 'Fix Checked'

Reboot the pc then delete this file :

C:\dials.exe

I was going to suggest running Spysweeper to make sure the look2me infection
hasn't left files on your system, but it looks like they have stopped the 2
week free trial. They seem to only have a free scanner now which doesn't fix
anything unless you pay, so can you use CWShredder instead.

Download and install then press fix and let it scan the system.

http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe

Then run Ccleaner to remove any temp and unused files from your system

Give Rootkit Revealer another try. Run it from the Admin account and close all
other open programs first.

If you still cannot complete a scan, let us know and we can use Swandog's fix
tool to check for the rootkit.

Regards

Andy
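As an added example (not part of this thread, and not a HijackThis feature), a small Python triage script that applies the same three checks Andy made by eye to Jim's log: O20 Winlogon Notify entries whose DLL is reported missing, O4 Run entries whose target sits in a drive root (like C:\dials.exe), and R3 URLSearchHooks with no backing file. The sample lines are copied from the log posted above, including the line wrapping the forum introduced, which the script re-joins before matching.

```python
import re

# Constructed sample: entries taken from the HijackThis log posted above,
# with the same wrapped lines the forum produced ("(file" / "missing)").
SAMPLE_LOG = r"""
R3 - URLSearchHook: {B5AB638F-D76C-415B-A8F2-F3CEAC502212} - - (no file)
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Itunes] C:\dials.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\pIpsvc.dll (file
missing)
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\kkdcz2.dll (file missing)
"""

# Every HijackThis entry starts with a section code such as R3, O4, O20.
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - ")
# Path of the executable named in an O4 Run entry, quoted or not.
O4_PATH_RE = re.compile(r'\] "?([A-Za-z]:\\[^"]+?\.exe)', re.IGNORECASE)

MISSING_DLL = "Winlogon Notify DLL missing (leftover or hidden loader)"
ROOT_AUTORUN = "autorun binary sitting in a drive root"
DEAD_HOOK = "URLSearchHook with no backing file"


def join_wrapped(lines):
    """Re-join entries that a forum or mail client wrapped onto several lines."""
    entries = []
    for line in lines:
        line = line.rstrip()
        if not line:
            continue
        if ENTRY_RE.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line.lstrip()
    return entries


def triage(log_text):
    """Return (entry, reason) pairs that deserve a closer look."""
    findings = []
    for entry in join_wrapped(log_text.splitlines()):
        kind = entry.split(" - ", 1)[0]
        if kind == "O20" and entry.endswith("(file missing)"):
            findings.append((entry, MISSING_DLL))
        elif kind == "O4":
            m = O4_PATH_RE.search(entry)
            # A path with a single backslash is directly under the drive root.
            if m and m.group(1).count("\\") == 1:
                findings.append((entry, ROOT_AUTORUN))
        elif kind == "R3" and entry.endswith("(no file)"):
            findings.append((entry, DEAD_HOOK))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {entry}")
```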
 
