# Beware PANDASCAN VIRUS/WORM



## Sheree1313 (Jul 27, 2003)

I just went to the official pandascan website to scan my computer, and my AVAST antivirus stopped a virus/worm from downloading to my computer from pandascan.


----------



## brendandonhu (Jul 8, 2002)

It was either a false positive by Avast, or the virus was already there and Avast didn't find it until panda accessed the file.


----------



## xgerryx (May 16, 2003)

This is a known issue with Avast and Panda:
http://www.avast.com/eng/virus_detection_and.html#idt_1554


----------



## Sheree1313 (Jul 27, 2003)

Thank you; however, since that happened I went to etrust scan and it found win32.propo, and the path is C://Killbox, blah blah blah. How can I get rid of this?


----------



## xgerryx (May 16, 2003)

Please do this:

* *Click here* to download *HJTsetup.exe*
* Save HJTsetup.exe to your desktop.
* Double-click on the HJTsetup.exe icon on your desktop.
* By default it will install to C:\Program Files\Hijack This.
* Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue.
* Put a check by *Create a desktop icon* then click *Next* again.
* Continue to follow the rest of the prompts from there.
* At the final dialogue box click *Finish* and it will launch Hijack This.
* Click on the *Do a system scan and save a logfile* button. It will scan and the log should open in Notepad.
* Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
* Come back here to this thread and paste the log in your next reply.
* *DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

One of the Security team will advise you from here.


----------



## Sheree1313 (Jul 27, 2003)

Logfile of HijackThis v1.99.1
Scan saved at 8:54:57 PM, on 3/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /M "Stylus C64" /EF "HKCU"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB0_0_0
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093437711939
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


----------



## valis (Sep 24, 2004)

I run ewido on all my clients' PCs, and virtually every time it triggers the AV app to find something that had been lurking.


----------



## Sheree1313 (Jul 27, 2003)

I still have Error Safe pop-ups and Search Inquire. Did anyone look at my HijackThis log? Thanks again, Sheree


----------



## Sheree1313 (Jul 27, 2003)

Also winfixer is on here.


----------



## brendandonhu (Jul 8, 2002)

Have you tried uninstalling errorsafe from Start>>Control Panel>>Add or Remove Programs?
Then delete the C:\Program Files\errorsafe\ folder


----------



## Sheree1313 (Jul 27, 2003)

It's not there.


----------



## brendandonhu (Jul 8, 2002)

Download and install *Ewido Anti-Malware*
During the installation, uncheck the following under *Additional Options*:

* Install background guard
* Install scan via context menu

Run *Ewido* and click *OK* when prompted to update the program
On the left side of the screen, click *update*>>*Start*
When the update is finished, exit *Ewido*

Run *Ewido Anti-Malware*
Click *scanner*>>*Complete System Scan*
Click *OK* when prompted to clean the problems found
When the scan is finished, click *Save Report* and save a copy of this log to your *Desktop*
Exit *Ewido*

Post the contents of the *Ewido Anti-Malware* report that you saved to your *Desktop* earlier


----------



## Sheree1313 (Jul 27, 2003)

I have Ewido and it's not keeping WinFixer or Error Safe or Search Inquire off of my computer. I also have Spybot and Ad-Aware and CleanUp and SpywareBlaster.


----------



## brendandonhu (Jul 8, 2002)

Run RootkitRevealer and click *Scan*. When finished, go to File>>Save and post a copy of that log here.


----------



## Sheree1313 (Jul 27, 2003)

I will, and thank you again. I have to pick the kids up from school right now. I'll run it when I get back. Sheree


----------



## brendandonhu (Jul 8, 2002)

Ok


----------



## Sheree1313 (Jul 27, 2003)

My post isn't here from yesterday. I did the RootkitRevealer scan and the file was too big to post, so I sent it to your email. What about the HijackThis scan the other day? Anyone?


----------



## brendandonhu (Jul 8, 2002)

Save AproposFix to your Desktop: http://swandog46.geekstogo.com/aproposfix.exe

Restart your computer in Safe Mode

Double-click aproposfix.exe and unzip it to the desktop.
Open the aproposfix folder on your desktop
Run RunThis.bat and follow the prompts

Restart your computer and post the contents of log.txt from the aproposfix folder


----------



## Sheree1313 (Jul 27, 2003)

OK, I downloaded it; however, I've forgotten how to restart in Safe Mode. Is it hold down Ctrl?


----------



## brendandonhu (Jul 8, 2002)

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument


----------



## Sheree1313 (Jul 27, 2003)

Log of AproposFix v1.1

************

Running from directory: 
C:\Documents and Settings\JIJO\Desktop\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CoihnAznYR8m]
@="7 9B065IJJIJJKJo\\37S\\EIJJIYLJsejZksoJAGAB 4POJz90D 9AJx yNPVQKAGA"
"Device"="\\\\.\\Sflp6fw"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\beec1394.sys"
"DriverName"="pertion"
"HideUninstallerName"="C:\\Program Files\\Suppac 2\\vcdtowiz.exe"
"HDll"="C:\\WINDOWS\\system32\\dx7cecli.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.LAV"
"InstallationId"="{X8a9feb7-dd9e-4775-f880-90875e0235a9}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Suppac 2\\wmpxml3r.exe"
"AutoUpdater"="C:\\WINDOWS\\system32\\extmsvcs.exe"
"Version"="2.0.131"
"LastAURestoreMsgTS"="2006:03:11-07:00:44:140"

************

Removing hidden service: 
Service pertion removed.

Removing hidden folder:


----------



## brendandonhu (Jul 8, 2002)

OK, let's see if this gets rid of it

Go to *Start*>>*Run*>>*cmd*
Type *sc delete pertion* and hit Enter
Type *reg delete HKLM\Software\CoihnAznYR8m /f* and press Enter
Close the command prompt

Save *KillBox* to your *Desktop*

Run *KillBox* and select *Delete on Reboot*
Copy this list of file and folder locations to your clipboard:

C:\WINDOWS\system32\drivers\beec1394.sys
C:\Program Files\Suppac 2\
C:\WINDOWS\system32\dx7cecli.dll
C:\WINDOWS\system32\extmsvcs.exe

Go to *File*>>*Paste from clipboard*. Click *All Files*
Press the button with a red circle with an X in it, then *Yes* when prompted to restart your computer
*WARNING:* Your computer will be restarted. Any unsaved work in open applications will be lost.

Then repeat the AproposFix instructions and post the log.


----------



## Sheree1313 (Jul 27, 2003)

On the last two entries to delete on reboot, a warning came up: "Pending File Rename Operations Registry Data has been removed by External Process!" The first two worked fine. Should I reboot in Safe Mode and do the AproposFix anyway?


----------



## brendandonhu (Jul 8, 2002)

Yes, also see if you can delete these 2 files by hand
C:\WINDOWS\system32\dx7cecli.dll
C:\WINDOWS\system32\extmsvcs.exe


----------



## Sheree1313 (Jul 27, 2003)

How?


----------



## brendandonhu (Jul 8, 2002)

Start>>Run>>C:\Windows\system32\
Select them and hit Delete if they're listed


----------



## Sheree1313 (Jul 27, 2003)

OK. The exe deleted; however, the other one wasn't there. I will reboot into Safe Mode, run the AproposFix and post. Thank you again.


----------



## Sheree1313 (Jul 27, 2003)

Log of AproposFix v1.1

************

Running from directory: 
C:\Documents and Settings\JIJO\Desktop\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CoihnAznYR8m]
@="7 9B065IJJIJJKJo\\37S\\EIJJIYLJsejZksoJAGAB 4POJz90D 9AJx yNPVQKAGA"
"Device"="\\\\.\\Sflp6fw"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\beec1394.sys"
"DriverName"="pertion"
"HideUninstallerName"="C:\\Program Files\\Suppac 2\\vcdtowiz.exe"
"HDll"="C:\\WINDOWS\\system32\\dx7cecli.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.LAV"
"InstallationId"="{X8a9feb7-dd9e-4775-f880-90875e0235a9}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Suppac 2\\wmpxml3r.exe"
"AutoUpdater"="C:\\WINDOWS\\system32\\extmsvcs.exe"
"Version"="2.0.131"
"LastAURestoreMsgTS"="2006:03:11-07:00:44:140"

************

Removing hidden service: 
Service pertion removed.

Removing hidden folder:


----------



## brendandonhu (Jul 8, 2002)

Hm, it's still there. Try repeating this all in Safe Mode:

Go to *Start*>>*Run*>>*cmd*
Type *sc delete pertion* and hit Enter
Type *reg delete HKLM\Software\CoihnAznYR8m /f* and press Enter
Close the command prompt

Run *KillBox* and select *Delete on Reboot*
Copy this list of file and folder locations to your clipboard:

C:\WINDOWS\system32\drivers\beec1394.sys
C:\Program Files\Suppac 2\
C:\WINDOWS\system32\dx7cecli.dll
C:\WINDOWS\system32\extmsvcs.exe

Go to *File*>>*Paste from clipboard*. Click *All Files*
Press the button with a red circle with an X in it, then *Yes* when prompted to restart your computer
*WARNING:* Your computer will be restarted. Any unsaved work in open applications will be lost.

Then repeat the AproposFix instructions and post the log.


----------



## Sheree1313 (Jul 27, 2003)

ok and you are so sweet to help me with this. I really feel like getting the gun and putting the computer out of its misery.


----------



## Sheree1313 (Jul 27, 2003)

OK, I did exactly that. When I put sc delete pertion and hit Enter, it says the specified service does not exist as an installed service. Then I typed reg delete HKLM\Software\CoihnAznYR8m/f and pressed Enter. It said permanently delete the registry key software\coihn blah blah blah? Y/N? I said Yes, and it said, Error: the system was unable to find the specified registry key or value. Then I did the AproposFix again and it had the box again with the red circle with an X in it and said "PendingFileRenameOperations Registry Data has been Removed by External Process!"


----------



## brendandonhu (Jul 8, 2002)

I'm going to see if I can get someone else to take a look at this.


----------



## Cookiegal (Aug 27, 2003)

Open HijackThis and click on the *Open Misc Tools section* button. Click on the *Open Uninstall Manager* button. Click the *Save List* button. Save the list then copy and paste it here.


----------



## Sheree1313 (Jul 27, 2003)

Abacast Client
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0.7
Age of Empires III
Age of Empires III Trial
American McGee's Alice(tm)
Anark Client 1.0
AOL Instant Messenger
ArcSoft Camera Suite 1.3
avast! Antivirus
BellSouth FastAccess DSL Help Center
BigFix
Bubblet!
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
CleanUp!
CompuServe
Conexant SoftK56 Modem(M)
EPSON EPIC C64
EPSON PhotoCenter
EPSON Printer Software
EuroTalk Talk Now Plus!
ewido anti-malware
FileZilla (remove only)
Film Factory
Galactic Teddy 2 v1.5
Galactic Teddy v1.2
GunBound
GunboundWC
HijackThis 1.99.1
HTML-Kit
ICQ
Intel(R) Extreme Graphics Driver
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment Standard Edition v1.3.1_02
Java 2 Runtime Environment, SE v1.4.2_05
K. Hawk - Survival Instinct
LimeWire 4.10.3
Macromedia Shockwave Player
MapleStory
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886904)
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft Data Access Components KB870669
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Return of Arcade Trial Version
Microsoft Works 6.0
Miss PacFish
Mozilla Firefox (1.5.0.1)
MSXML4 Parser
Netscape 6 (6.2.1)
NVIDIA Display Driver
NVIDIA WDM Drivers
NVIDIA Windows 2000/XP Display Drivers
OneTouch Version 2.2
Pacadou
PacFish
Pacman 2002 Trial 1.2.0
PacMan Adventures 3D
PaperPort 6.5
QuickTime
Rakion International
RealArcade
RealPlayer
Realtek AC'97 Audio
Security Task Manager 1.6f
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Softnyx Launcher
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Suma Games Super Hits #1
Tomb Raider - The Lost Artifact
TweakNow RegCleaner Standard
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Westell Firmware Upgrade
Winamp (remove only)
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinTasks Trial
Wonderland Secret Worlds Demo v1.00
Wonderland v1.15
XnView 1.82.1


----------



## Cookiegal (Aug 27, 2003)

You should remove the older versions of Java that you have, and I also recommend removing LimeWire as it's the source of many infections.

Please remove the AproposFix that you currently have by dragging and dropping it into the Recycle Bin. Let's redownload it and run it again.

Please download AproposFix from *here*

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during start-up, but before the Windows icon appears, press F8.
* Instead of Windows loading as normal, a menu should appear
* Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click *aproposfix.exe* and unzip it to the desktop. Open the aproposfix folder on your desktop and run *RunThis.bat*. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the *log.txt* file in the aproposfix folder.


----------



## Sheree1313 (Jul 27, 2003)

Logfile of HijackThis v1.99.1
Scan saved at 10:38:43 PM, on 3/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /M "Stylus C64" /EF "HKCU"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB0_0_0
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093437711939
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

Log of AproposFix v1.1

************

Running from directory: 
C:\Documents and Settings\JIJO\Desktop\aproposfix

************

Registry entries found:

************

No service found!

Removing hidden folder: 
No folder found!

Deleting files:

Backing up files: 
Done!

Removing registry entries:

REGEDIT4

Done!

Finished!


----------



## Cookiegal (Aug 27, 2003)

Rescan with HijackThis and have it fix these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

How are things running now?


----------



## Sheree1313 (Jul 27, 2003)

Logfile of HijackThis v1.99.1
Scan saved at 11:21:51 PM, on 3/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Support.com\bin\jobcheck.exe
C:\Program Files\Support.com\bin\tgshell.exe
C:\Program Files\Outlook Express\msimn.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /M "Stylus C64" /EF "HKCU"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB0_0_0
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093437711939
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

Please let me know what you think. This is the scan you asked for. I deleted the ones you mentioned. Later today I ran Ad-Aware SE manually; I scanned the volume and it found a TAC rating of 10 on Adintelligence Apropos Toolbar in C:\Program Files\Suppac2\cache. Wasn't that what we removed before, but not in volume and not cache? Then I manually scanned with Avast and it found a TROJAN, Win32 Trojan-3087 in C:\WINDOWS\MINIDUMP\Mini 120505-01.dmp. Then I ran Ewido manually and it found Adware LZIO and said there was an error during cleaning. Why would I have to run all these things manually and keep finding more? Seems to me it would be taken off permanently unless it's embedded under another name somewhere else, such as the volume. Please help; maybe I should just buy a new computer and throw this one in the garbage. I'm scared to use my credit card, etc. until this is resolved. Thank you for your help. I did remove LimeWire, Age of Empires, Pacadou and one of the Javas. I can remove another one if you'll tell me which one. I only saw one older one. Thank you again. Sheree
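The fix-and-rescan loop in this thread is easier to verify by machine than by eye. Below is an added example (not code from the thread, from HijackThis, or from any tool named here) that parses the HijackThis v1.99.1 log format posted above and diffs two scans; the sample logs are constructed from a subset of the 3/22 and 3/23 logs in this thread, and all function names and regexes are this example's own.

```python
"""Parse HijackThis v1.99 logs and diff two scans of the same machine."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed samples: a subset of the 3/22 and 3/23 logs posted in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:38:43 PM, on 3/22/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Support.com\bin\tgcmd.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:21:51 PM, on 3/23/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Support.com\bin\jobcheck.exe
C:\Program Files\Support.com\bin\tgshell.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.+)$")  # e.g. "O4 - HKLM\..\Run: [name] cmd"
O4_RE = re.compile(r"^(HK[A-Z]+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O16_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \(([^)]*)\))? - (\S+)$")


@dataclass(frozen=True, order=True)
class Entry:
    code: str   # HijackThis section, e.g. R0, O4, O16, O23
    body: str   # rest of the line, kept verbatim so scans compare exactly


def parse_log(text):
    """Return (running processes, entries) from one HijackThis log."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            in_procs = False            # a blank line closes the process block
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        elif (m := ENTRY_RE.match(line)):
            entries.append(Entry(m.group(1), m.group(2)))
    return processes, entries


def parse_o4(entry):
    """Split an O4 autorun entry into (hive, value name, command line)."""
    m = O4_RE.match(entry.body)
    return m.groups() if m else None


def parse_o16(entry):
    """Split an O16 DPF entry into (CLSID, class name or '', download URL)."""
    m = O16_RE.match(entry.body)
    return (m.group(1), m.group(2) or "", m.group(3)) if m else None


def diff_logs(before, after):
    """Entries and processes present in only one of two scans.

    Processes are compared as sets, so repeated svchost.exe lines collapse."""
    p1, e1 = parse_log(before)
    p2, e2 = parse_log(after)
    return {
        "entries_removed": sorted(set(e1) - set(e2)),
        "entries_added": sorted(set(e2) - set(e1)),
        "processes_removed": sorted(set(p1) - set(p2)),
        "processes_added": sorted(set(p2) - set(p1)),
    }


def dpf_downloads(text):
    """(host, CLSID, class name) for every ActiveX .cab an O16 entry pulled in."""
    out = []
    for e in parse_log(text)[1]:
        if e.code == "O16" and (parsed := parse_o16(e)):
            clsid, name, url = parsed
            out.append((urlsplit(url).hostname, clsid, name))
    return out
```

Run against the two full logs, `diff_logs` confirms that the three entries Cookiegal asked to fix are gone and that two new Support.com processes (jobcheck.exe, tgshell.exe) appeared, which is the kind of change worth asking about in the next reply.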


----------



## Cookiegal (Aug 27, 2003)

Download RootkitRevealer from *here* (link is at the very bottom of the page).
Unzip it to your desktop.
Open the RootkitRevealer folder and double-click *rootkitrevealer.exe*
Click the *Scan* button (bottom right)
It may take a while to scan (don't do anything while it's running)
When it's done, go up to *File - Save*. Choose to save it to your desktop.
Open *RootkitRevealer.txt* on your desktop and copy the entire contents and paste them here.


----------



## Sheree1313 (Jul 27, 2003)

I already downloaded it before. Remove it and download it again, or use the one I already have.


----------



## Sheree1313 (Jul 27, 2003)

| Path | Timestamp | Size | Description |
|---|---|---|---|
| HKLM\S-1-5-21-3229490137-3548314886-2509992977-1005\RemoteAccess\InternetProfile | 6/7/2005 9:43 PM | 9 bytes | Data mismatch between Windows API and raw hive data. |
| HKLM\SOFTWARE\Classes\CLSID\{3782D402-1413-2B4D-D5B93EB7648B29D4}\{9536055C-1E13-65AB-BABDBD84391B7DD3}\{70487E18-04C4-4686-6F59FE851A688CA9}* | 2/1/2006 12:58 PM | 0 bytes | Key name contains embedded nulls (*) |
| HKLM\SOFTWARE\Support.com\SETUP\ProviderList\BellSouth\monitoring\profiles\LastUpdated | 3/24/2006 8:43 PM | 50 bytes | Data mismatch between Windows API and raw hive data. |
| C:\Documents and Settings\All Users\Application Data\Support.com\Profiles\JIJO\{BellSouth}\upload.que | 3/24/2006 8:49 PM | 10.17 KB | Hidden from Windows API. |


----------



## Sheree1313 (Jul 27, 2003)

While RootkitRevealer was scanning, I saw it scan C:\Program Files\Suppac 2\cache, just thought I'd tell you. I thought that was deleted.


----------



## Cookiegal (Aug 27, 2003)

Boot to safe mode and run Killbox on this folder:

*C:\Program Files\Suppac 2*

How are things running?


----------



## Sheree1313 (Jul 27, 2003)

OK, I did. I guess they are running fine. Did you see my previous questions? I wonder if it's all really gone or will it come back because it's embedded deep in the registry or somewhere. I sure do appreciate your help.


----------



## Cookiegal (Aug 27, 2003)

If the fixes were run correctly then for all intents and purposes, it should be gone. 

Can you post the last scan log you did from Ewido please?


----------



## Sheree1313 (Jul 27, 2003)

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:41:11 PM, 3/24/2006
+ Report-Checksum: BE1056E7

+ Scan result:

HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10DE&DEV_0181&SUBSYS_00000000&REV_C1\4&3b90381f&0&48F0\\CompatibleIDs -> Adware.LZIO : Error during cleaning


::Report End


---------------------------------------------------------
ewido anti-malware - Process report
---------------------------------------------------------

+ Created on: 9:33:02 PM, 3/25/2006
+ Report-Checksum: 7BE29F05

0: System Process
4: System Process
436: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
568: C:\WINDOWS\system32\rundll32.exe
572: \SystemRoot\System32\smss.exe
620: System Process
624: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
644: \??\C:\WINDOWS\system32\winlogon.exe
688: C:\WINDOWS\system32\services.exe
692: C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
700: C:\WINDOWS\system32\lsass.exe
832: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
872: C:\WINDOWS\system32\svchost.exe
912: C:\WINDOWS\system32\svchost.exe
968: C:\Program Files\QuickTime\qttask.exe
980: C:\WINDOWS\system32\RUNDLL32.EXE
1000: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE
1052: C:\WINDOWS\System32\svchost.exe
1208: System Process
1300: System Process
1428: C:\WINDOWS\system32\spoolsv.exe
1544: System Process
1584: C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
1596: C:\Program Files\Alwil Software\Avast4\ashServ.exe
1636: C:\WINDOWS\system32\cisvc.exe
1680: C:\Program Files\ewido anti-malware\ewidoctrl.exe
1692: C:\Program Files\ewido anti-malware\ewidoguard.exe
1752: C:\WINDOWS\system32\nvsvc32.exe
1776: C:\WINDOWS\Explorer.EXE
1820: C:\WINDOWS\System32\svchost.exe
1908: System Process
2612: C:\Program Files\Support.com\bin\tgcmd.exe
3040: C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
4244: C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
4992: C:\Program Files\ewido anti-malware\SecuritySuite.exe


----------



## Sheree1313 (Jul 27, 2003)

Here it is again

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:55:50 PM, 3/25/2006
+ Report-Checksum: A8AA7FD

+ Scan result:

HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10DE&DEV_0181&SUBSYS_00000000&REV_C1\4&3b90381f&0&48F0\\CompatibleIDs -> Adware.LZIO : Error during cleaning


::Report End


----------



## Cookiegal (Aug 27, 2003)

I am attaching a fixSheree.zip file to this post. Unzip it to your desktop then double click on the fixSheree.reg file and, at the prompt, allow it to enter into the registry.

Then scan again with Ewido and post the log from it please.


----------



## Sheree1313 (Jul 27, 2003)

okay


----------



## Sheree1313 (Jul 27, 2003)

I can't send you the Ewido file, it's too big. There are over 8000 entries. Maybe I could send it to you by email? What do you think?


----------



## Cookiegal (Aug 27, 2003)

Zip it up and do the following please:

Go to the forum *here* and upload the zipped folder you created.

Here are the directions for uploading it:

Just click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the file on your computer. When the file is listed in the window click "Post" to upload the file.


----------



## Sheree1313 (Jul 27, 2003)

Zip it up?????


----------



## Cookiegal (Aug 27, 2003)

Actually, you won't need to zip it up as it's a text file. You can just upload it the way it is.


----------



## Sheree1313 (Jul 27, 2003)

okay, thanks again


----------



## Cookiegal (Aug 27, 2003)

Have you done this yet? I don't see it there.


----------



## Sheree1313 (Jul 27, 2003)

I have been trying to submit the post for hours. It keeps saying "Your session timed out while posting, please try to resubmit your message", which I have done for hours. Any suggestions?


----------



## Sheree1313 (Jul 27, 2003)

Apparently you didn't see my post before you emailed me. Look at my previous post.


----------



## Sheree1313 (Jul 27, 2003)

Good Lord! That sounded rude. I didn't mean for it to be rude. I'm dealing with a teenage son that is wiser than all of us and a husband and a computer.


----------



## Cookiegal (Aug 27, 2003)

Can you select a portion of the log and upload it here as an attachment so I can get an idea of the type of things it's finding.


----------



## Sheree1313 (Jul 27, 2003)

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:09:57 PM, 3/26/2006
+ Report-Checksum: 824D75DC

+ Scan result:

HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10DE&DEV_0181&SUBSYS_00000000&REV_C1\4&3b90381f&0&48F0\\CompatibleIDs -> Adware.LZIO : Error during cleaning
:mozilla.6:C:\Program Files\Support.com\backup\Co\cookies.txt\10039_546a00c29_/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.7:C:\Program Files\Support.com\backup\Co\cookies.txt\10039_546a00c29_/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.8:C:\Program Files\Support.com\backup\Co\cookies.txt\10039_546a00c29_/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.9:C:\Program Files\Support.com\backup\Co\cookies.txt\10039_546a00c29_/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.10:C:\Program Files\Support.com\backup\Co\cookies.txt\10039_546a00c29_/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.13:C:\Program Files\Support.com\backup\Co\cookies.txt\10039_546a00c29_/cookies.txt -> TrackingCookie.Pointroll : Error during cleaning
:mozilla.14:C:\Program Files\Support.com\backup\Co\cookies.txt\10039_546a00c29_/cookies.txt -> TrackingCookie.Pointroll : Error during cleaning
:mozilla.15:C:\Program Files\Support.com\backup\Co\cookies.txt\10039_546a00c29_/cookies.txt -> TrackingCookie.Pointroll : Error during cleaning
:mozilla.16:C:\Program Files\Support.com\backup\Co\cookies.txt\10039_546a00c29_/cookies.txt -> TrackingCookie.Pointroll : Error during cleaning
:mozilla.20:C:\Program Files\Support.com\backup\Co\cookies.txt\10039_546a00c29_/cookies.txt -> TrackingCookie.Serving-sys : Error during cleaning
:mozilla.29:C:\Program Files\Support.com\backup\Co\cookies.txt\10039_546a00c29_/cookies.txt -> TrackingCookie.Ru4 : Error during cleaning
:mozilla.30:C:\Program Files\Support.com\backup\Co\cookies.txt\10039_546a00c29_/cookies.txt -> TrackingCookie.Ru4 : Error during cleaning
:mozilla.48:C:\Program Files\Support.com\backup\Co\cookies.txt\10039_546a00c29_/cookies.txt -> TrackingCookie.Overture : Error during cleaning
:mozilla.51:C:\Program Files\Support.com\backup\Co\cookies.txt\10039_546a00c29_/cookies.txt -> TrackingCookie.Qksrv : Error during cleaning
:mozilla.52:C:\Program Files\Support.com\backup\Co\cookies.txt\10039_546a00c29_/cookies.txt -> TrackingCookie.Qksrv : Error during cleaning
:mozilla.54:C:\Program Files\Support.com\backup\Co\cookies.txt\10039_546a00c29_/cookies.txt -> TrackingCookie.Serving-sys : Error during cleaning
:mozilla.55:C:\Program Files\Support.com\backup\Co\cookies.txt\10039_546a00c29_/cookies.txt -> TrackingCookie.Serving-sys : Error during cleaning
:mozilla.56:C:\Program Files\Support.com\backup\Co\cookies.txt\10039_546a00c29_/cookies.txt -> TrackingCookie.Serving-sys : Error during cleaning
:mozilla.57:C:\Program Files\Support.com\backup\Co\cookies.txt\10039_546a00c29_/cookies.txt -> TrackingCookie.Serving-sys : Error during cleaning
:mozilla.58:C:\Program Files\Support.com\backup\Co\cookies.txt\10039_546a00c29_/cookies.txt -> TrackingCookie.Tribalfusion : Error during cleaning
:mozilla.59:C:\Program Files\Support.com\backup\Co\cookies.txt\10039_546a00c29_/cookies.txt -> TrackingCookie.Tribalfusion : Er


----------



## Cookiegal (Aug 27, 2003)

Did you run the .reg file in post no. 48?

Do you see anything in the Ewido scan log that looks like something other than cookies? If so, please post some of those entries.


----------



## Sheree1313 (Jul 27, 2003)

Yes, I ran it immediately. I will look to see if there is anything other than cookies.


----------



## Sheree1313 (Jul 27, 2003)

HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10DE&DEV_0181&SUBSYS_00000000&REV_C1\4&3b90381f&0&48F0\\CompatibleIDs -> Adware.LZIO : Error during cleaning
:mozilla.6:C:\Program 

This is the only one "NOT" cookies.


----------



## Cookiegal (Aug 27, 2003)

Are you at all familiar with the registry?


----------



## Sheree1313 (Jul 27, 2003)

Yes, if I delete a key or value; however, I don't know how to replace it with whatever you're supposed to replace it with.


----------



## Cookiegal (Aug 27, 2003)

Click on Start - Run - type in regedit then click OK to open the registry editor.

Navigate to this value:

HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10DE&DEV_0181&SUBSYS_00000000&REV_C1\*4&3b90381f&0&48F0*

Click on that value and in the list that shows in the right-hand pane you will see:

*CompatibleIDs*

Click on *CompatibleIDs* and then click on *File* and *Export*. Save the file to your desktop and call it export.reg

Right click on the export.reg file on your desktop and choose "open with" then select Notepad. Copy and paste the text from Notepad into a reply here please.


----------



## Sheree1313 (Jul 27, 2003)

I can't find that one. I went through the entire registry. I thought you could click on edit and find and get it that way, but I didn't get it there, so I went through the whole thing. By the way, while I was looking, I saw a ga-zillion porn, casinos, Napster, coihn azn etc. Should these be removed, too?


----------



## Cookiegal (Aug 27, 2003)

Those dodgy sites are likely in areas that are being blocked so I would leave them alone.


How far did you get in locating that registry value? You have to click on the + sign to the left of each of these to open up the next one.

HKEY_LOCAL_MACHINE
SYSTEM
CurrentControlSet
Enum
PCI
VEN_10DE&DEV_0181&SUBSYS_00000000&REV_C1
4&3b90381f&0&48F0


----------



## Sheree1313 (Jul 27, 2003)

last night you typed 

HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10DE&DEV_0181&SUBSYS_00000000&REV_C1\4&3b90381f&0&48F0

I couldn't find that one, I went through the entire registry. I'll look for HKEY_LOCAL_MACHINE
SYSTEM
CurrentControlSet
Enum
PCI
VEN_10DE&DEV_0181&SUBSYS_00000000&REV_C1
4&3b90381f&0&48F0

Thank you again for your help.


----------



## Cookiegal (Aug 27, 2003)

Sorry, I thought you knew that HKLM meant HKEY_LOCAL_MACHINE. I should have been more specific.


----------



## Sheree1313 (Jul 27, 2003)

Hey Cookiegal, we had to put mother in the hospital again. Here is the info you asked for.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_10DE&DEV_0181&SUBSYS_00000000&REV_C1\4&3b90381f&0&48F0]
"DeviceDesc"="NVIDIA GeForce4 MX 440 with AGP8X"
"LocationInformation"="PCI bus 2, device 9, function 0"
"Capabilities"=dword:00000000
"UINumber"=dword:00000001
"HardwareID"=hex(7):50,00,43,00,49,00,5c,00,56,00,45,00,4e,00,5f,00,31,00,30,\
00,44,00,45,00,26,00,44,00,45,00,56,00,5f,00,30,00,31,00,38,00,31,00,26,00,\
53,00,55,00,42,00,53,00,59,00,53,00,5f,00,30,00,30,00,30,00,30,00,30,00,30,\
00,30,00,30,00,26,00,52,00,45,00,56,00,5f,00,43,00,31,00,00,00,50,00,43,00,\
49,00,5c,00,56,00,45,00,4e,00,5f,00,31,00,30,00,44,00,45,00,26,00,44,00,45,\
00,56,00,5f,00,30,00,31,00,38,00,31,00,26,00,53,00,55,00,42,00,53,00,59,00,\
53,00,5f,00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,00,00,50,00,43,\
00,49,00,5c,00,56,00,45,00,4e,00,5f,00,31,00,30,00,44,00,45,00,26,00,44,00,\
45,00,56,00,5f,00,30,00,31,00,38,00,31,00,26,00,52,00,45,00,56,00,5f,00,43,\
00,31,00,00,00,50,00,43,00,49,00,5c,00,56,00,45,00,4e,00,5f,00,31,00,30,00,\
44,00,45,00,26,00,44,00,45,00,56,00,5f,00,30,00,31,00,38,00,31,00,00,00,50,\
00,43,00,49,00,5c,00,56,00,45,00,4e,00,5f,00,31,00,30,00,44,00,45,00,26,00,\
44,00,45,00,56,00,5f,00,30,00,31,00,38,00,31,00,26,00,43,00,43,00,5f,00,30,\
00,33,00,30,00,30,00,30,00,30,00,00,00,50,00,43,00,49,00,5c,00,56,00,45,00,\
4e,00,5f,00,31,00,30,00,44,00,45,00,26,00,44,00,45,00,56,00,5f,00,30,00,31,\
00,38,00,31,00,26,00,43,00,43,00,5f,00,30,00,33,00,30,00,30,00,00,00,00,00
"CompatibleIDs"=hex(7):50,00,43,00,49,00,5c,00,56,00,45,00,4e,00,5f,00,31,00,\
30,00,44,00,45,00,26,00,43,00,43,00,5f,00,30,00,33,00,30,00,30,00,30,00,30,\
00,00,00,50,00,43,00,49,00,5c,00,56,00,45,00,4e,00,5f,00,31,00,30,00,44,00,\
45,00,26,00,43,00,43,00,5f,00,30,00,33,00,30,00,30,00,00,00,50,00,43,00,49,\
00,5c,00,56,00,45,00,4e,00,5f,00,31,00,30,00,44,00,45,00,00,00,50,00,43,00,\
49,00,5c,00,43,00,43,00,5f,00,30,00,33,00,30,00,30,00,30,00,30,00,00,00,50,\
00,43,00,49,00,5c,00,43,00,43,00,5f,00,30,00,33,00,30,00,30,00,00,00,00,00
"ClassGUID"="{4D36E968-E325-11CE-BFC1-08002BE10318}"
"Class"="Display"
"Driver"="{4D36E968-E325-11CE-BFC1-08002BE10318}\\0001"
"Mfg"="NVIDIA"
"Service"="nv"
"ConfigFlags"=dword:00000000
"ParentIdPrefix"="5&1d2d4b61&0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_10DE&DEV_0181&SUBSYS_00000000&REV_C1\4&3b90381f&0&48F0\Device Parameters]
"VideoID"="{6474E240-7370-44F6-9F12-92060F882E4B}"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_10DE&DEV_0181&SUBSYS_00000000&REV_C1\4&3b90381f&0&48F0\LogConf]
"BasicConfigVector"=hex(a):08,01,00,00,05,00,00,00,02,00,00,00,09,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,01,00,07,00,00,00,01,03,\
01,00,00,00,00,00,00,00,00,01,01,00,00,00,00,00,00,e1,00,00,00,00,ff,ff,ff,\
e1,00,00,00,00,08,03,01,00,00,00,00,00,00,00,00,01,00,00,00,01,00,00,00,00,\
00,00,00,00,ff,ff,ff,ff,00,00,00,00,00,81,01,00,00,00,00,00,01,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,03,01,00,04,00,\
00,00,00,00,00,08,01,00,00,00,00,00,00,f0,00,00,00,00,ff,ff,ff,f7,00,00,00,\
00,08,03,01,00,04,00,00,00,00,00,00,08,00,00,00,08,00,00,00,00,00,00,00,00,\
ff,ff,ff,ff,00,00,00,00,00,81,01,00,00,00,00,00,01,00,00,00,01,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,02,03,00,00,00,00,00,00,00,\
00,00,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"BootConfig"=hex(8):01,00,00,00,05,00,00,00,02,00,00,00,01,00,01,00,03,00,00,\
00,03,00,00,00,00,00,00,e1,00,00,00,00,00,00,00,01,03,00,04,00,00,00,00,f0,\
00,00,00,00,00,00,00,08,02,03,00,00,03,00,00,00,03,00,00,00,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_10DE&DEV_0181&SUBSYS_00000000&REV_C1\4&3b90381f&0&48F0\Control]
"ActiveService"="nv"
"FilteredConfigVector"=hex(a):68,01,00,00,05,00,00,00,02,00,00,00,09,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,01,00,0a,00,00,00,01,\
03,01,00,00,00,00,00,00,00,00,01,01,00,00,00,00,00,00,e1,00,00,00,00,ff,ff,\
ff,e1,00,00,00,00,08,03,01,00,00,00,00,00,00,00,00,01,00,00,00,01,00,00,00,\
00,00,00,00,00,ff,ff,ff,ff,00,00,00,00,00,81,01,00,00,00,00,00,01,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,03,01,00,04,\
00,00,00,00,00,00,08,01,00,00,00,00,00,00,f0,00,00,00,00,ff,ff,ff,f7,00,00,\
00,00,08,03,01,00,04,00,00,00,00,00,00,08,00,00,00,08,00,00,00,00,00,00,00,\
00,ff,ff,ff,ff,00,00,00,00,00,81,01,00,00,00,00,00,01,00,00,00,01,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,02,03,00,00,00,00,00,00,\
00,00,00,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,01,\
03,00,01,00,00,00,0c,00,00,00,01,00,00,00,b0,03,00,00,00,00,00,00,bb,03,00,\
00,00,00,00,00,01,01,03,00,01,00,00,00,20,00,00,00,01,00,00,00,c0,03,00,00,\
00,00,00,00,df,03,00,00,00,00,00,00,01,03,03,00,00,00,00,00,00,00,02,00,01,\
00,00,00,00,00,0a,00,00,00,00,00,ff,ff,0b,00,00,00,00,00
"AllocConfig"=hex(8):01,00,00,00,05,00,00,00,02,00,00,00,00,00,00,00,08,00,00,\
00,03,01,00,00,00,00,00,e1,00,00,00,00,00,00,00,01,81,01,00,00,01,00,00,00,\
00,00,00,00,00,00,00,00,03,01,04,00,00,00,00,f0,00,00,00,00,00,00,00,08,81,\
01,00,00,01,00,00,00,01,00,00,00,00,00,00,00,02,03,00,00,15,00,00,00,15,00,\
00,00,ff,ff,ff,ff,01,03,21,00,b0,03,00,00,00,00,00,00,0c,00,00,00,01,03,21,\
00,c0,03,00,00,00,00,00,00,20,00,00,00,03,03,00,00,00,00,0a,00,00,00,00,00,\
00,00,02,00


----------



## Cookiegal (Aug 27, 2003)

I'm sorry to hear about your mother and wish her well.

That is your video driver and it looks legit as far as I can tell. This could likely be a false positive.
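The exported value above is a REG_MULTI_SZ, which regedit writes as `hex(7):` followed by the UTF-16LE bytes, so it is unreadable as posted. The following is an added example (not code from the thread, from Ewido or from any Sysinternals tool) that decodes such a `.reg` export and checks that every string in `CompatibleIDs` has the shape of a PCI Plug and Play ID. The sample `.reg` text embedded in the block is reconstructed from the bytes posted above; the key path constant and the function names are mine, and the shape check is a plain regular expression, not anything the thread describes.

```python
"""Decode a REG_MULTI_SZ (hex(7)) value from a .reg export (added example, not from the thread)."""
import re

# Sample .reg text assembled from the CompatibleIDs bytes posted above, with the
# line continuations regedit writes (trailing backslash, indented next line).
SAMPLE_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\PCI"
              r"\VEN_10DE&DEV_0181&SUBSYS_00000000&REV_C1\4&3b90381f&0&48F0")
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_10DE&DEV_0181&SUBSYS_00000000&REV_C1\4&3b90381f&0&48F0]
"Class"="Display"
"CompatibleIDs"=hex(7):50,00,43,00,49,00,5c,00,56,00,45,00,4e,00,5f,00,31,00,\
  30,00,44,00,45,00,26,00,43,00,43,00,5f,00,30,00,33,00,30,00,30,00,30,00,30,\
  00,00,00,50,00,43,00,49,00,5c,00,56,00,45,00,4e,00,5f,00,31,00,30,00,44,00,\
  45,00,26,00,43,00,43,00,5f,00,30,00,33,00,30,00,30,00,00,00,50,00,43,00,49,\
  00,5c,00,56,00,45,00,4e,00,5f,00,31,00,30,00,44,00,45,00,00,00,50,00,43,00,\
  49,00,5c,00,43,00,43,00,5f,00,30,00,33,00,30,00,30,00,30,00,30,00,00,00,50,\
  00,43,00,49,00,5c,00,43,00,43,00,5f,00,30,00,33,00,30,00,30,00,00,00,00,00
"ConfigFlags"=dword:00000000
'''

# Shape of a PCI PnP ID: "PCI\" then TAG_HEX parts joined by "&" (assumed check, see lead-in).
PCI_ID_RE = re.compile(r"^PCI\\[A-Z]+_[0-9A-F]+(?:&[A-Z]+_[0-9A-F]+)*$")


def join_continuations(reg_text):
    """Undo regedit's wrapping: a backslash at end of line continues the value on the next line."""
    return re.sub(r"\\\r?\n[ \t]*", "", reg_text)


def parse_reg(reg_text):
    """Return {key_path: {value_name: (type_tag, data_text)}} for a .reg export.

    data_text is the raw text after '=' (e.g. 'hex(7):50,00,...', 'dword:00000000', '"Display"').
    """
    keys = {}
    current = None
    for line in join_continuations(reg_text).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            m = re.match(r"^(hex(?:\([0-9a-f]+\))?|dword)(?=:)", data)
            keys[current][name] = (m.group(1) if m else "string", data)
    return keys


def decode_multi_sz(data_text):
    """Decode 'hex(7):..' into its list of strings.

    REG_MULTI_SZ is UTF-16LE text: strings separated by NUL, list ended by a second NUL.
    """
    hex_part = data_text.split(":", 1)[1]
    raw = bytes(int(b, 16) for b in hex_part.split(",") if b)
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def compatible_ids(reg_text, key_path):
    """Decoded CompatibleIDs strings for key_path, or [] if the key or value is absent."""
    type_tag, data = parse_reg(reg_text).get(key_path, {}).get("CompatibleIDs", ("", ""))
    return decode_multi_sz(data) if type_tag == "hex(7)" else []


def all_pci_ids(strings):
    """True when the list is non-empty and every entry looks like a PCI hardware/compatible ID."""
    return bool(strings) and all(PCI_ID_RE.match(s) for s in strings)


if __name__ == "__main__":
    ids = compatible_ids(SAMPLE_REG, SAMPLE_KEY)
    for s in ids:
        print(s)
    print("plain PCI ID list:", all_pci_ids(ids))
```

Decoded, the value is five identifiers from `PCI\VEN_10DE&CC_030000` down to `PCI\CC_0300`; `CC_0300` is the PCI class code for a VGA display controller, which is what Plug and Play stores under `CompatibleIDs` for a display adapter. Seeing the strings rather than the hex makes it much easier to judge whether a scanner hit on a device-enumeration key is worth worrying about.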


----------



## Sheree1313 (Jul 27, 2003)

Thank you, she's 79, she has many health probs and has to be hospitalized fairly often. She amazes us and comes home every time. Thank you for your help.


----------



## Cookiegal (Aug 27, 2003)

How's the computer running?


----------



## Sheree1313 (Jul 27, 2003)

It's running okay, but something is still wrong somewhere. I ran Adaware because I mailed myself an email, and when it came thru a warning popped up from avast, iframe tag found may be dangerous. So I thought somewhere there must still be a problem. Ran Adaware and not one but two trojans were found. Same ones I have been trying to remove forever. One said Trojan Horse found - C:\System Volume Information\_restore{2D063E58-819D-484F-A343, Win32:Small-MX{Trj} Then the other one was C:\!Killbox\Suppac2\Cache in file C:\Killbox\ir3ddraw.dll, Win32:Small-MX{Trj} I never found anything about the iframe tag, that was what I was looking for to begin with. Imagine my surprise when I see this again. Also another problem is when I try to do a search of files within my computer, it searches for a longggggggg time and then says End Program Not Responding. Also when I copy something to wordpad and print it or whatever and try to close it, it says End Program Not Responding. Also it randomly freezes. Okay back to the trojans, do you see the exclamation point before the word Killbox? I could almost swear it wasn't there before when I tried to remove it. I think there is a worm in the cache, but, you know how smart I am. I think it was that worm I had before that started with a m? What do you think?


----------



## Cookiegal (Aug 27, 2003)

The files in C:\Killbox! are just the files that Killbox deleted. You can delete the entire folder.

The other is in system restore and we will flush out the restore points and create a new one to clean that out.

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* - *All Programs* - *Accessories* - *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.


----------

