trojan virus problem rjlnibep.t

Discussion in 'Malware Help (A Specialist Will Reply)' started by spyfighter, Jan 24, 2007.

  1. spyfighter

    spyfighter Private E-2

    Hi all, I've been fighting this one for a while with no joy, and wonder if anyone could help. The laptop CPU is 100% tied up with rjlnibep.t as below; I also note the following, which I do not recognise:

    C:\WINDOWS\system32\rjlnibep.t
    C:\WINDOWS\system32\alsys.exe
    O4 - HKLM\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe

    The trojan is also placing large numbers of T files, for example lwneogjg.t, on the desktop and in other folders. Internet connection is severed. Not sure if there is a connection, however when I did have an internet connection there were frequent popups about a problem with Windows Defender Command Line Utility.

    Attached is the HijackThis.log report, appreciate any help,

    regards
    sf
     

    Attached Files:

  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.




    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED, i.e. if you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. spyfighter

    spyfighter Private E-2

    Thanks Halo, I have gone through your post and completed as follows:-

    Recycle Bin emptied
    Add/remove programs checked - No known Malware identified from listing
    CCleaner run - OK
    AVG Anti-Spyware run - a number of malware items found. Report attached
    Online scanning (BitDefender / PandaActiveScan) not possible due to internet connection disabled by malware
    GetRunKey completed - Report attached
    ShowNew completed - Report attached
    HijackThis correctly installed, renamed and run - report attached on next post
    Still running with CPU 100% tied up but with a different T File, nbehmvxr.t

    Hope this is enough to see the problem,
    Thanks
    sf
     

    Attached Files:

  4. spyfighter

    spyfighter Private E-2

    Halo,

    Also attached is the HijackThis report,

    Regards
    sf
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download SmitfraudFix (by S!Ri) to your Desktop.

    Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press Enter
    This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

    Note: process.exe (which is used by SmitfraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

    http://www.beyondlogic.org/consulting/proc...processutil.htm
     
  6. spyfighter

    spyfighter Private E-2

    Hi TimW,

    Thank you for your post,

    Rapport file attached,

    In addition, the laptop had been switched off during the night and switched on today to get this report; 10 new 8-letter .t files were created on the desktop. When I tried to eject the pendrive I got a blue screen with warnings, but only for a second, then it crashed. On reboot, a message box: "The system has recovered from a serious error" - "A log of this error has been created," then the usual option to send/don't send to Microsoft.

    Regards
    sf
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please reboot your computer in Safe Mode by doing the following :

    * Restart your computer
    * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    * Instead of Windows loading as normal, a menu with options should appear;
    * Select the first option, to run Windows in Safe Mode, then press "Enter".
    * Choose your usual account.

    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning : running option #2 on a non infected computer will remove your Desktop background.
     
  8. spyfighter

    spyfighter Private E-2

    TimW,

    It has twice in a row rebooted itself approximately 3 secs after selecting #2 and pressing Enter. Rapport file attached (rapport1). In addition, two new EXE files have appeared on the desktop: HEHL585.exe and Iarg164.exe.

    Regards
    sf
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Attach new logs for:
    GetRun
    ShowNew
    HJT

    Have you run Spybot as directed in the Read and Run instructions?
     
  10. spyfighter

    spyfighter Private E-2

    TimW

    Couldn't install Spybot; reached as far as agreeing with the terms and got kicked out of the installation - that was in normal mode, never tried in any other mode.
    I apologise I didn't mention that before.
    Attachments below.

    Regards
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Open HiJackThis, then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [system spool] C:\WINDOWS\system32\syspools.exe
    O4 - HKLM\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
    O4 - HKLM\..\Run: [clcbt.exe] C:\WINDOWS\system32\clcbt.exe
    O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe G
    O4 - HKCU\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe G
    O4 - HKCU\..\Run: [system spool] C:\WINDOWS\system32\syspools.exe
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{134AFBA1-7E3B-4D2D-AA04-EDC60439A492}: NameServer = 202.222.66.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{31EC875F-3E44-4581-9ECE-114E5044CFD9}: NameServer = 202.222.66.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{66736960-21FF-484D-8C78-A5E34CA5C666}: NameServer = 202.222.66.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{70C51D00-A1D4-402B-8926-92AF4F7904F5}: NameServer = 202.222.66.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{74CB0378-86A1-4AF4-B839-5E7B26DA4CA5}: NameServer = 202.222.66.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8606B390-8525-4EC3-91F9-411C0D4F721D}: NameServer = 202.222.66.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B71FC598-1CEB-4824-A3BB-1888B4B7206D}: NameServer = 202.222.66.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F96C934A-B4C0-4427-9651-E31A5ADF3664}: NameServer = 202.222.66.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{134AFBA1-7E3B-4D2D-AA04-EDC60439A492}: NameServer = 202.222.66.1
    O23 - Service: Rising Process Communication Center (RsCCenter) - Unknown owner - C:\Program Files\Rising\Rav\CCenter.exe (file missing)
    After clicking Fix, exit HJT.

    Boot into safe mode.

    Use explorer to find these files and delete them.
    C:\WINDOWS\system32\rjlnibep.t
    C:\WINDOWS\system32\clcbt.exe
    C:\WINDOWS\system32\alsys.exe

    We may need to run Pocket KillBox to get rid of the remaining files, but post a new:
    GetRun
    ShowNew
    HJT
     
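The O4 and O17 lines TimW asks to be fixed above are the two HijackThis entry types worth checking mechanically: Run-key autoruns that point at unfamiliar executables in system32, the same Run value registered under both HKLM and HKCU (as "Nord" and "system spool" are here), and every network interface's NameServer set to the same address the helper asked to remove. The Python script below is an added example for this thread, not a MajorGeeks or HijackThis tool; it parses those two line formats and uses the O4 and O17 lines above as sample input. The trusted DNS address and the known-good system32 names are placeholder assumptions that an analyst would fill in for the actual machine.

```python
"""Triage of HijackThis (HJT) O4 and O17 log lines.

Added example for this thread; not a MajorGeeks or HijackThis tool. The
TRUSTED_DNS and KNOWN_GOOD_SYSTEM32 sets are assumed placeholders.
"""
import re
from collections import defaultdict

# "O4 - HKLM\..\Run: [name] C:\path\to\program.exe"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# "O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 1.2.3.4"
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cset>\w+)\\Services\\Tcpip\\\.\.\\\{(?P<guid>[0-9A-Fa-f-]+)\}: "
    r"NameServer = (?P<ns>[\d.,]+)$"
)
EXE_RE = re.compile(r"([^\\\s]+\.exe)", re.IGNORECASE)   # last path component ending in .exe

# Assumed allowlists (placeholders, not from the thread): the resolver the owner
# actually configured, and system32 autorun names already vetted by the analyst.
TRUSTED_DNS = {"192.0.2.53"}
KNOWN_GOOD_SYSTEM32 = {"ctfmon.exe", "rundll32.exe"}

# Sample input: the O4 and O17 lines quoted in the post above (trailing artefacts dropped).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [system spool] C:\WINDOWS\system32\syspools.exe
O4 - HKLM\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
O4 - HKLM\..\Run: [clcbt.exe] C:\WINDOWS\system32\clcbt.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
O4 - HKCU\..\Run: [system spool] C:\WINDOWS\system32\syspools.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{134AFBA1-7E3B-4D2D-AA04-EDC60439A492}: NameServer = 202.222.66.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{31EC875F-3E44-4581-9ECE-114E5044CFD9}: NameServer = 202.222.66.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{134AFBA1-7E3B-4D2D-AA04-EDC60439A492}: NameServer = 202.222.66.1
"""


def parse_hjt(text):
    """Split HJT text into Run entries (hive, name, command) and DNS entries (controlset, guid, servers)."""
    runs, dns = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            runs.append((m["hive"], m["name"], m["cmd"]))
            continue
        m = O17_RE.match(line)
        if m:
            dns.append((m["cset"], m["guid"], m["ns"]))
    return runs, dns


def triage(text, trusted_dns=TRUSTED_DNS, known_good=KNOWN_GOOD_SYSTEM32):
    """Return a list of (kind, detail) findings for the given log text."""
    runs, dns = parse_hjt(text)
    findings = []
    hives_by_name = defaultdict(set)
    for hive, name, cmd in runs:
        hives_by_name[name].add(hive)
        exe = EXE_RE.search(cmd)
        base = exe.group(1).lower() if exe else ""
        # An autorun living in system32 that nobody has vetted is the first thing to look at.
        if "\\system32\\" in cmd.lower() and base not in known_good:
            findings.append(("unknown_system32_autorun", f"{hive} [{name}] -> {base}"))
    # Legitimate software rarely registers the same Run value in both hives; malware often does.
    for name, hives in hives_by_name.items():
        if hives == {"HKLM", "HKCU"}:
            findings.append(("dual_hive_autorun", name))
    # Any interface resolving through a server the owner did not configure is reported.
    for cset, guid, ns in dns:
        if not set(ns.split(",")) <= trusted_dns:
            findings.append(("untrusted_nameserver", f"{cset} {{{guid}}} -> {ns}"))
    return findings


def summarize(findings):
    """Count findings per kind, so a long log reduces to a few numbers."""
    counts = defaultdict(int)
    for kind, _ in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for kind, detail in results:
        print(f"{kind:26} {detail}")
    print(summarize(results))
```

On the sample above this reports six unvetted system32 autoruns, two Run values present in both hives, and three interfaces pointing at the same untrusted nameserver; each finding maps back to an HJT line that can be fixed as the helpers describe.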
  12. spyfighter

    spyfighter Private E-2

    TimW,

    Couldn't run HijackThis straight off the bat; malware wouldn't let it run (approx 4 secs). Shutdown>restart>same problem. Task Manager>rjlnibep.t>end process, this allowed time to pick the lines and fix.
    Shutdown>restart safe
    When you state use explorer and delete 3 files, assume you mean navigate> delete to recycle bin>delete from bin - complete.
    Shutdown>restart normal
    Whilst getting reports, CPU tied up around 47% on nbehmvxr.t, though laptop running a little faster, usual suspects attached,
    regards
    quick thought> could try to install spybot?
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run this and then do the logs again (sorry):

    Run this Prevx1
    • Please download and install and get any updates recommended for Prevx1. DO NOT SCAN YET!!!!
    • Then physically unplug the cable that connects you to the internet! DO NOT plug it back in until I tell you to do so.
    • Now run a full system scan with Prevx1 in normal boot mode. Save a log of what it finds and attach it later.
    • Now reboot into normal mode.
     
    Last edited by a moderator: Jan 25, 2007
  14. spyfighter

    spyfighter Private E-2

    Many problems encountered, system grinding to a halt, unable to install Prevx in any boot mode
    Installed Spybot. Downloaded Spybot Updates
    Run Spybot>6,915 traces malware items found and removed including desktop t.files.
    Prevx installed and updates downloaded
    Detection feature only available
    Scan in normal mode - unsure how to generate log, however 2 screenshots attached - 1 on this post, one on the next
    Scan in safe not possible - Service not available
    Shutdown>restart normal
    GetRun, getting this report took a long time; Prevx bottom right stating GREP.exe is being authenticated, plugged in ethernet for a second to help, then removed again. - Attached
    Show New .- Attached
    HJT - Attached on next log

    Regards
     

    Attached Files:

  15. spyfighter

    spyfighter Private E-2

    2nd Prevx screenshot attached
    HJT - Attached
     

    Attached Files:

  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Use Pocket Kill Box to delete these files:

    Now we need a new:
    GetRun
    ShowNew
    HJT.

    Tell us how things are running.
     
  17. spyfighter

    spyfighter Private E-2

    Killbox as per your instructions,
    Shutdown>restart in normal
    Prevx in background tying up CPU - Ati2mdxx.exe around 95%
    GetRunKey.bat taking ages, so right clicked Prevx in lower right tray to suspend activity; GetRunKey.bat reports.
    GetRunKey, ShowNew, HJT attached,
    regards
     

    Attached Files:

  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We may need to start over for this fix to work. While we are working on a fix, could you answer these questions:
    1. Did you recently install this - Rising Process Communication Center? And did you uninstall it?
    2. You stated that Prevx would only detect! Why is that? Did you ever have Prevx installed in the past and as such your trial period is expired? Are you sure it will not delete the problems? If it can delete the malware, please make sure you have it delete it.
    You also may have to uninstall Prevx and Windows Defender (or at least disable) while trying to fix the problem because they may get in the way. You can disable/shutdown Prevx by right clicking the icon in the system tray. To disable Windows Defender use the below steps!

    Disabling Windows Defender:
    • Open Windows Defender
    • Click Tools
    • Click General Settings
    • Scroll down to Real Time Protection Options
    • Uncheck Turn on Real Time Protection (recommended)
    • Close Windows Defender
    Once your log is clean you can re-enable Windows Defender Real Time Protection.
     
    Last edited by a moderator: Jan 26, 2007
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow all steps below in the exact order written.

    Make sure the Prevx and Windows Defender are disabled as stated in the previous message.

    Now Download the Registry Search Tool

    Unzip to your Desktop and double click on regsrch.vbs
    (if you have script protection in your antivirus program, please allow this to run)

    In the dialog that opens copy and paste in the following:

    wincom32

    Press 'OK'

    The search will run for a while then alert you when it is finished. Press 'OK' and save the contents of the WordPad window to a text file and then attach the file to this thread.


    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\WINDOWS\system32\adirss.exe
    C:\WINDOWS\system32\lnwin.exe


    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [system spool] C:\WINDOWS\system32\syspools.exe
    O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
    O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\system32\lnwin.exe
    O4 - HKCU\..\Run: [system spool] C:\WINDOWS\system32\syspools.exe


    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe

    • Select File, Cleanup, Delete All Backups
    • Now select Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINDOWS\system32\1821.exe
    C:\WINDOWS\system32\adirss.exe
    C:\WINDOWS\system32\bnajrmvd.exe
    C:\WINDOWS\system32\game.exe
    C:\WINDOWS\system32\game0.exe
    C:\WINDOWS\system32\game1.exe
    C:\WINDOWS\system32\game2.exe
    C:\WINDOWS\system32\game3.exe
    C:\WINDOWS\system32\game4.exe
    C:\WINDOWS\system32\game5.exe
    C:\WINDOWS\system32\google.png.exe
    C:\WINDOWS\system32\hoatxfgc.exe
    C:\WINDOWS\system32\lnwin.exe
    C:\WINDOWS\system32\loukpxqz.exe
    C:\WINDOWS\system32\nauptupw.exe
    C:\WINDOWS\system32\ojnew8t.exe
    C:\WINDOWS\system32\peers.ini
    C:\WINDOWS\system32\se.exe
    C:\WINDOWS\system32\ss.exe
    C:\WINDOWS\system32\swunilog.ini
    C:\WINDOWS\system32\syspools.exe
    C:\WINDOWS\system32\taskdir.exe
    C:\WINDOWS\system32\w.exe
    C:\WINDOWS\system32\wincom32.ini
    C:\WINDOWS\system32\wincom32.sys
    C:\WINDOWS\system32\wserv32.exe
    C:\WINDOWS\system32\zfpjzqic.exe
    C:\WINDOWS\system32\zlbw.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do receive this message, make sure you tell me!).

    If Killbox does not reboot just reboot your PC yourself.


    Now run Ccleaner


    Now attach the below new logs and tell me how the above steps went.
    1. The log from RegSrch
    2. GetRunKey
    3. ShowNew
    4. HJT

    Make sure you tell me how things are working now!
     
  20. spyfighter

    spyfighter Private E-2

    TimW,
    Yes, recently installed Rising Process Communication Center and subsequently uninstalled.

    Prevx was previously installed (possibly a year ago) and the trial has expired so only detection features are available. Prevx now uninstalled. Defender disabled as per your instructions.

    Chaslang,
    Post followed exactly. Did not receive PendingFileRenameOPerations prompt. Laptop is running better.

    Double click C:\Program Files>CCleaner>ccleaner.exe. Program does not open any window, but in task manager shows ccleaner.exe 50%, Ati2mdxx.exe 50%, for about 3 hours in this condition>hard drive activity LED not illuminated. Could not recall ccleaner operating like this>ccleaner.exe>end process. Created GetRun, ShowNew and HJT files.

    RegSrch Log attached
    GetRun log attached
    ShowNew Log attached

    HJT log attached in next post,

    Thanks regards
     

    Attached Files:

  21. spyfighter

    spyfighter Private E-2

    HJT report attached,
    regards
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Rising Process Communication Center
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste RsCCenter into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT and reboot when it tells you it needs to. We will do that further down
    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now repeat the RegSrch Tool procedure and attach a new log.


    It looks like you forgot to have Pocket Killbox cleanup its backups like I requested. Do the below now.


    Run PocketKillbox and Select File, Cleanup, Delete All Backups

    Now use Pocket Killbox again to delete the below files:
    C:\WINDOWS\system32\dap.exe
    C:\WINDOWS\system32\syspools.exe

    Now install the below program which is much better than Windows Explorer at finding hidden files and deleting them.

    ExplorerXP

    Use ExplorerXP to locate and delete all the below .t files from the infection. Notice they all have the same date of Dec 18th and they are all 18015 bytes in size. You should be able to locate any others that may exist this way and delete them too. They are all copies of the syspools.exe file which allows it to keep spreading.
    Code:
    C:\Documents and Settings\Christopher\Desktop\GetRunkey\GetRunKey\
    odmvlbmj.t    18 Dec 2006       18015  "odmvlbmj.t"
    pfukktyw.t    18 Dec 2006       18015  "pfukktyw.t"
    pfukktyy.t    18 Dec 2006       18015  "pfukktyy.t"
    tncqgqwj.t    18 Dec 2006       18015  "tncqgqwj.t"
     
    "C:\Documents and Settings\Christopher\Desktop\Shopnew\ShowNew\"
    ceqdxkxw.t    18 Dec 2006       18015  "ceqdxkxw.t"
    odmvlbmx.t    18 Dec 2006       18015  "odmvlbmx.t"
    rjlnifdw.t    18 Dec 2006       18015  "rjlnifdw.t"
    yxrlbgha.t    18 Dec 2006       18015  "yxrlbgha.t"
     
    "C:\Documents and Settings\Christopher\Desktop\"
    aaaaadrj.t    18 Dec 2006       18015  "aaaaadrj.t"
    bcioyrvq.t    18 Dec 2006       18015  "bcioyrvq.t"
    gmxjthgs.t    18 Dec 2006       18015  "gmxjthgs.t"
    odmvlbml.t    18 Dec 2006       18015  "odmvlbml.t"
    yxrlbghj.t    18 Dec 2006       18015  "yxrlbghj.t"
     
    "C:\"
    bcioywgs.t    18 Dec 2006       18015  "bcioywgs.t"
    bcioywpy.t    18 Dec 2006       18015  "bcioywpy.t"
    dgyrwiks.t    18 Dec 2006       18015  "dgyrwiks.t"
    dgyrwqlm.t    18 Dec 2006       18015  "dgyrwqlm.t"
    fkpuuxsa.t    18 Dec 2006       18015  "fkpuuxsa.t"
    hogxsjyk.t    18 Dec 2006       18015  "hogxsjyk.t"
    jswbqrux.t    18 Dec 2006       18015  "jswbqrux.t"
    nbehmonx.t    18 Dec 2006       18015  "nbehmonx.t"
    odmvlsfl.t    18 Dec 2006       18015  "odmvlsfl.t"
    xvjwcbme.t    18 Dec 2006       18015  "xvjwcbme.t"
    xvjwctpp.t    18 Dec 2006       18015  "xvjwctpp.t"
    xvjwgeem.t    18 Dec 2006       18015  "xvjwgeem.t"
     
    "C:\WINDOWS\Downloaded Program Files\"
    ceqdxykk.t    18 Dec 2006       18015  "ceqdxykk.t"
    dgyrwuus.t    18 Dec 2006       18015  "dgyrwuus.t"
    eihgvnsf.t    18 Dec 2006       18015  "eihgvnsf.t"
    gmxjtykf.t    18 Dec 2006       18015  "gmxjtykf.t"
    gmxjtyor.t    18 Dec 2006       18015  "gmxjtyor.t"
    iqomrkfp.t    18 Dec 2006       18015  "iqomrkfp.t"
    jswbuook.t    18 Dec 2006       18015  "jswbuook.t"
    jswbuoox.t    18 Dec 2006       18015  "jswbuoox.t"
    lwneoksk.t    18 Dec 2006       18015  "lwneoksk.t"
    tncqgixd.t    18 Dec 2006       18015  "tncqgixd.t"
    vrstepnm.t    18 Dec 2006       18015  "vrstepnm.t"
    wtbidjaw.t    18 Dec 2006       18015  "wtbidjaw.t"
    
    Now attach the below new logs and tell me how the above steps went.
    1. The log from RegSrch
    2. GetRunKey
    3. ShowNew
    4. HJT
     
  23. spyfighter

    spyfighter Private E-2

    Rising Process Communication Center already in 'stopped' condition, start up type>disabled as per instruction.
    In addition to *.t files below, search found another 13,661 throughout C:/ and D:/. All created 18 dec06 19:05 18KB. All deleted>recycle bin emptied.

    Steps went ok but the deleting of the t files took a very long time.

    Attached:
    RegSrch
    GetRunKey
    ShowNew

    HJT log on next post,
    regards
     

    Attached Files:

  24. spyfighter

    spyfighter Private E-2

    HJT report attached,
    regards
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like you did not use ExplorerXP as I requested. Windows Explorer and Windows Search cannot find files in the Downloaded Program Files folder and the infection is still there. In addition, not all of the registry keys deleted, probably because malware changed ownership on them. I will have to give a new type of registry patch; but first you need to run ExplorerXP and delete ALL of the below:
    Code:
    "C:\WINDOWS\Downloaded Program Files\"
    ceqdxykk.t    18 Dec 2006       18015  "ceqdxykk.t"
    dgyrwuus.t    18 Dec 2006       18015  "dgyrwuus.t"
    eihgvnsf.t    18 Dec 2006       18015  "eihgvnsf.t"
    gmxjtykf.t    18 Dec 2006       18015  "gmxjtykf.t"
    gmxjtyor.t    18 Dec 2006       18015  "gmxjtyor.t"
    iqomrkfp.t    18 Dec 2006       18015  "iqomrkfp.t"
    jswbuook.t    18 Dec 2006       18015  "jswbuook.t"
    jswbuoox.t    18 Dec 2006       18015  "jswbuoox.t"
    lwneoksk.t    18 Dec 2006       18015  "lwneoksk.t"
    tncqgixd.t    18 Dec 2006       18015  "tncqgixd.t"
    vrstepnm.t    18 Dec 2006       18015  "vrstepnm.t"
    wtbidjaw.t    18 Dec 2006       18015  "wtbidjaw.t"
    
    C:\WINDOWS\system32\
    syspools.exe  18 Dec 2006       18015  "syspools.exe"
    I'm expecting the last file in system32 may come right back, or it may wait until after a reboot. Let me know what happens.

    Also delete the below left over from Rising Process
    Code:
    "C:\WINDOWS\system32\"
    ravext.dll    24 Jan 2007      106496  "RavExt.dll"
    
     
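Both listings above (post 22 and post 25) identify the dropped files by the same three traits: an eight-lowercase-letter name with a ".t" extension, a size of 18015 bytes, and content identical to syspools.exe. The Python script below is an added example, not a MajorGeeks or ExplorerXP tool; it walks a directory tree for files matching the name and size and confirms the copy relationship with a SHA-256 digest, so a same-name, same-size file with different bytes is reported for inspection rather than deleted on faith. The directory layout and file bytes are constructed inside the script (the folder names mirror those in the listings); no real payload is reproduced.

```python
"""Find the dropped ".t" copies described in the thread's ExplorerXP listings.

Added example; not a MajorGeeks or ExplorerXP tool. The sample tree built by
build_sample_tree() is constructed and assumed, not taken from the infected laptop.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

DROPPED_NAME = re.compile(r"^[a-z]{8}\.t$")   # e.g. odmvlbmj.t, ceqdxykk.t
DROPPED_SIZE = 18015                           # byte size shown in the thread's listings


def sha256_of(path):
    """Content digest, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_dropped_files(root):
    """Yield (path, digest) for every file under root whose name and size fit the pattern."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not DROPPED_NAME.match(name):
                continue
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) != DROPPED_SIZE:
                continue
            yield path, sha256_of(path)


def triage_tree(root, reference):
    """Split matches into exact copies of `reference` and everything else, grouped by digest.

    The second group matters: a file with the right name and size but different content
    is either a variant or a false positive and should be looked at, not silently deleted.
    """
    ref_digest = sha256_of(reference)
    groups = defaultdict(list)
    for path, digest in find_dropped_files(root):
        groups[digest].append(path)
    copies = sorted(groups.pop(ref_digest, []))
    others = {digest: sorted(paths) for digest, paths in groups.items()}
    return copies, others


def basenames(paths):
    """Sorted file names only, for readable reports and checks."""
    return sorted(os.path.basename(p) for p in paths)


def build_sample_tree(base):
    """Constructed sample layout: a fake syspools.exe, three copies, and three decoys."""
    payload = b"CONSTRUCTED-SAMPLE-" * 948 + b"END"   # 19 * 948 + 3 = 18015 bytes
    variant = b"DIFFERENT-CONTENT--" * 948 + b"END"   # same size, different bytes
    files = {
        os.path.join("WINDOWS", "system32", "syspools.exe"): payload,                # the source
        os.path.join("Desktop", "aaaaadrj.t"): payload,                              # copy
        os.path.join("WINDOWS", "Downloaded Program Files", "ceqdxykk.t"): payload,  # copy
        "bcioywgs.t": payload,                                                       # copy at root
        os.path.join("Desktop", "zzzzzzzz.t"): variant,     # right name and size, other content
        os.path.join("Desktop", "abcdefgh.t"): payload[:-1],  # right name, wrong size
        os.path.join("Desktop", "notes.t"): payload,        # wrong name pattern
    }
    for rel, content in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return os.path.join(base, "WINDOWS", "system32", "syspools.exe")


def demo():
    """Build the constructed tree in a fresh temp dir and triage it: (base, copies, others)."""
    base = tempfile.mkdtemp()
    reference = build_sample_tree(base)
    copies, others = triage_tree(base, reference)
    return base, copies, others


if __name__ == "__main__":
    base, copies, others = demo()
    print("exact copies of syspools.exe:")
    for p in copies:
        print("  ", os.path.relpath(p, base))
    print("same name/size but different content (inspect before deleting):")
    for digest, paths in others.items():
        print("  ", digest[:12], [os.path.relpath(p, base) for p in paths])
```

Run against a real volume root, the same walk covers folders that Windows Explorer hides (the Downloaded Program Files folder the helper mentions), because os.walk reads the directory entries directly rather than going through the shell namespace.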
  26. spyfighter

    spyfighter Private E-2

    Apologies, I am not familiar with ExplorerXP and could not find a search command within ExplorerXP to locate all the t files,

    Deleted items specified below, shutdown>restart.

    CPU 100% tied up 10%'s here and there,

    Rerun GetRun, ShowNew and HJT.

    Regards
     

    Attached Files:

  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not want you to do a search from within ExplorerXP, just the file deletion by navigating to the folders.

    Were those logs from after reboot?

    Disable Windows Defender:
    • Open Windows Defender
    • Click Tools
    • Click General Settings
    • Scroll down to Real Time Protection Options
    • Uncheck Turn on Real Time Protection (recommended)
    • Close Windows Defender
    Once your log is clean you can re-enable Windows Defender Real Time Protection.

    Now run HJT and fix the below two lines:
    O4 - HKLM\..\Run: [system spool] C:\WINDOWS\system32\syspools.exe
    O4 - HKCU\..\Run: [system spool] C:\WINDOWS\system32\syspools.exe

    Attach a new HJT log. I want to see if they come back.

    Run Pocket Killbox and select File, Cleanup, Delete All Backups
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download and install Registrar Lite. Make sure you select a Majorgeeks download link and not the author's!

    Run Registrar Lite navigate to each of the following keys (one at a time) and take ownership of them (I explained how to do that further down).

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32\0000\LogConf
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINCOM32\0000\LogConf
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINCOM32\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINCOM32

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32\0000\LogConf
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32



    To take ownership of the key do the following:
    • Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click-on Security in the top Menu
    • Select Take Ownership
    • Repeat these steps for all of the registry keys given above before continuing to the next steps below.
    • Now leave RegistrarLite running and continue
    • Now run the fixME.reg REGISTRY PATCH below in this message.
    • Tell me the results. Any error messages?
    • Now in RegistrarLite click View and then Refresh
    • Now navigate one at a time to each of the above keys we took ownership of to make sure they were deleted.
    • If any of the keys still exist, move on down to PART 2 - Setting Permissions for Everyone below.
    Here is the Registry Patch

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    PART 2 - Setting Permissions for Everyone
    Run the below if some of the registry keys still exist after running the above steps.

    Now I want you to use Registrar Lite again to navigate to each of the below keys (one at a time) by pasting them into the Address Bar and hitting return. But this time click the Security menu item and select Edit Permissions so we can change permissions to everyone (I describe this down below the list of registry keys).
    After clicking Edit Permissions, here is what I expect you to see in the Group or user names area of the form:

    Everyone
    SYSTEM

    Select Everyone by clicking on it. Now at the bottom in the Permissions box click the check box for Full Control. Then click Apply and then OK to get back to the main Registrar Lite screen. Now right click on the registry key and select Delete. Then click View and Refresh. Check to see if the registry key just deleted truly deleted. If so, move on to the next to work thru the whole list. If it does not delete, I want you to boot into safe mode and repeat these exact same steps to see if we can do it from safe mode.

    Then reboot your PC!

    Now run GetRunKey again and attach a new log!
     
  29. spyfighter

    spyfighter Private E-2

    Were those logs from after reboot? Yes, deleted missed files from C:\WINDOWS\Downloaded Program Files\ then shutdown>restart, then run logs.

    Disable Windows Defender: Already with Real Time Protection Disabled

    Attach a new HJT log. I want to see if they come back. No they didn't come back, see attached log.

    Run Pocket Killbox and select File, Cleanup, Delete All Backups Done
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good. Now work thru the fix with Registrar Lite!
     
  31. spyfighter

    spyfighter Private E-2

    fixME.reg gave no errors.

    After fixME.reg, ControlSet001 and ControlSet003 keys had not deleted, CurrentControlSet keys had deleted,

    Set permissions to everyone for ControlSet001 and ControlSet003 keys and deleted manually. Did not require Safe Mode.

    Shutdown>restart

    GetRun, ShowNew and HJT attached,
    regards
     

    Attached Files:

  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download and use the current version of GetRunKey (just updated yesterday) and attach a new log from it.


    Also tell me how things are currently working!
     
  33. spyfighter

    spyfighter Private E-2

    GetRunKey version 1.55 attached,

    Laptop is running very slow. TaskMan shows a number of processes running, each no more than 10%, CPU permanently at 100%.

    Regards
     

    Attached Files:

  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Looks good now.

    List the processes by name.

    Does it run okay when you boot in safe mode?
    Does it run okay in normal boot mode with no connection to the internet?


    Please run the below procedure and attach the requested log:

    Using Sophos Anti-Rootkit
     
  35. spyfighter

    spyfighter Private E-2

    Safe Boot mode without ethernet cable
    Attached screenshot of processes in WTM
    CPU at 2%, 13 processes running. Laptop is running normally.

    Normal Boot mode without ethernet cable, left to settle 10mins.
    Attached 2-screenshots of processes in WTM
    CPU at 100%, 50 processes running. Laptop is running very slowly. WTM shows a number of processes running, each no more than 10%, CPU permanently at 100%.

    Results after Using Sophos Anti-Rootkit to follow.

    Regards
     

    Attached Files:

  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    None of this is due to malware. These are all things that you have installed and are running by choice. Most of these I would classify as NOT NEEDED, but you have to be the one who decides on what you really need and do not need. Some of these are just convenience type applications which are costing you valuable system resources.

    Below you will find the processes listed with links or comments giving more info. I will list the HJT line followed by a colored link or just a general comment. You should read these and decide whether you would like to stop the process from loading at startup, which can be done using HijackThis to fix the registry key that loads it.


    First, from your snapshots, here are the items using significant resources. They really should not even be using this much all the time, but something is causing some kind of strange interaction:

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    • Installed with Apple's iTunes for Windows. Uses ~3-4MB of memory and if disabled in MSCONFIG or deleted from the registry it will re-instate itself after running iTunes a few times. Thus removing it is futile.

    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    • this process is not supposed to keep using resources. Synchronizer is supposed to run briefly on user login - if there is nothing to synchronize then it will exit immediately.
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

    And here are some more things you are running that I consider unnecessary! But again, only you know what you use and do not use.

    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    I would recommend that you start by at least having HJT fix the below items and then see how things look. You can then fix other items that you may not need.

    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
     
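    An added example, not part of chaslang's post or of HijackThis/GetRunKey: a PowerShell pass over the same autostart locations that HJT reports as O4 lines (HKLM/HKCU Run and RunOnce keys plus the Startup folders), resolving each entry to its executable and showing whether that file exists and carries a valid Authenticode signature, as a first look before deciding which entries to have HJT fix. It assumes Windows PowerShell 3.0 or later and uses the WScript.Shell COM object to resolve .lnk shortcuts.

```powershell
# Added example, not from the thread. Pull the executable out of a Run value: quoted path,
# bare path with arguments, or a bare file name such as Ati2mdxx.exe.
function Resolve-CommandPath([string]$Command) {
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $exe = if ($Command.StartsWith('"')) { $Command.Split('"')[1] } else { ($Command -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ([System.IO.Path]::IsPathRooted($exe)) { return $exe }
    # A bare name is located the way the loader locates it: through the PATH (system32 is on it).
    $cmd = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($cmd) { return $cmd.Path } else { return $exe }
}

function Get-AutostartEntries {
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $entries = @(foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # skip provider metadata such as PSPath
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    })
    # "Global Startup" and per-user "Startup" folders: every file there is launched at logon,
    # usually as a .lnk whose target is the real program (HJT prints "name.lnk = target").
    $shell = New-Object -ComObject WScript.Shell
    $startupDirs = [Environment]::GetFolderPath('CommonStartup'), [Environment]::GetFolderPath('Startup')
    $entries += @(foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | Where-Object Name -ne 'desktop.ini' |
            ForEach-Object {
                $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
                [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $target }
            }
    })
    foreach ($e in $entries) {
        $exe = Resolve-CommandPath $e.Command
        $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
                   (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }
        [pscustomobject]@{ Location = $e.Location; Name = $e.Name; Executable = $exe; Signature = $sig }
    }
}

# Unsigned or missing executables sort to the top, which is where a review should start.
Get-AutostartEntries | Sort-Object Signature | Format-Table -AutoSize
```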
  37. spyfighter

    spyfighter Private E-2

    Chaslang,

    Been through your post and ended up justifying fixing everything you suggested to good effect. Shutdown>restart, after 2 mins Processes 38, CPU 4-6%. HJT log attached. You have done it and I am very grateful of your time and effort especially over the weekend too. Few questions,

    1/ What does it mean for a program to be in startup, does it just mean it is already running for when you come to use an application which calls for it, and therefore reduces the loading time of the specific software?

    2/ What would be your recommended Spyware tools to have on a system protecting from future malware? MajorGeeks recommend only one. Is there a good free one which will do the job? AVG Anti-Spyware and SBS&D installed as a result of this troubleshooting exercise.

    3/ Do you rate Windows defender? Still having a Windows Defender Command Line Utility has encountered a problem and needs to close.... message. Is this of concern? Before starting this whole thread, tried uninstalling and reinstalling WD, but it did not help. (Have reset WD to realtime protection)

    4/ Also have a warning Watson Subscriber for SENS Network Notifications has encountered a problem and needs to close.... Is this of concern?

    Thanks again
    Regards
     

    Attached Files:

  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Loading at startup means that when your PC starts up the application runs. It may be the kind of application that remains running, or it could just do something at startup and then terminate. Yes, some of the things you had running were meant to possibly reduce the load time (like some Adobe stuff) of certain applications. But frequently we have found that it is not that big of an improvement, and it is not worth ALWAYS wasting system resources to have this process running for some application that you may use infrequently.

    Covered in my final instructions to be posted below.

    Not very good but better than having no realtime protection. Since yours is causing problems, I suggest that you uninstall it anyway.

    You may have other non-malware problems within your OS. You may want to discuss them in the Software Forum. Provide them with an Event log too which may help shed some light on the problem.



    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  39. spyfighter

    spyfighter Private E-2

    All done and again, thanks.

    regards
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely. Make sure you have a realtime blocker installed. Either freeware or paid version but have one realtime blocking tool installed.
     
