gomyron removal please?

Hi all:

Whew. Got this far, with your help - now I'm hoping I can carry on with understanding and removing gomyron.

I have a Pentium III, 60 MHz, 192 MB of RAM and can follow very basic, (Read primitive), instructions.

I'm so glad to have found you people and really appreciate your patience!

Thanks,

Ann

 

chaslang - thank you:

Read & Run Me First: "Do not post logs directly inline with your message" - does this mean I Post that I am sending a series of 3 logs, at a time, and then Post the logs, separately, in groups of three?

Appreciate you,

Ann

 

Hi chaslang:

Oh - I see - thanks.

I'll Google 'How to make an attachment', so I don't bother the heck out of you.

I don't have enough memory to download all of those programs because I still have ALL the HJT, Ccleaner, etc., etc. logfiles, from the previous Malware removal steps.

Will I delete all of those and then begin this proceedure or do you want to see any of them first?

Many thanks,

Ann

 

Hi again:

A 'virtual memory' warning has come up a few times and said that I may not be able to download because of that and the man I got the computer from said I have pretty-much no memory to use.

Thanks.

Ann

 

Hi chasling:

Thanks. I don't know what OS is, but this is a Hewlett Packard, (If they even exist anymore), and is very, very slow and old.

I don't have Word or Office or any of those programs. It does say Windows XP Pro version 2002 but I only use it for email and seeing what amazing stuff is on the web.

It has been wonderful to have it. It's taken me from being shut-in to elation - when it's healthy and it's surely stretching my concentration to the max, following all the Instructions, for restoration.

So, I really do appreciate your help.

Thanks again.

Ann

 

Hi chaslang:

Under Properties, General:

System:
Microsoft Windws XP
Professional
Version 2002
Service Pack 2

Registered to:
Anne

76487-022-3266846-22964

Computer:
Intel Pentium III processor
601 MHz 192 MB of RAM

I copied what it says there.

Thanks,

Ann

 

FW: LOST: Madeleine McCann from Ann

Hello all:

Chaslang's been helping me, so far, with Malware removal.

Did all the Steps, but when I unplugged modem and opened Safe Mode - I was not prepared for all the 'choices' I saw - I don't know which one to click on, to run Ccleaner, etc. First time I saw Safe Mode!

Pentium III, Windows XP SP2, 601 MHz, 192 MB RAM.

Thanks so much - what a chore!

Ann

 

Hi Chaslang:

So sorry! This is really a challenge for me. I do appreciate all your help.

I did get into Safe Mode with Networking and tried to run Ccleaner - but a window said, "A device attached to the system is not functioning".

Could that be any more nebulous?

I've unplugged the modem twice and checked-off "Start in Normal Mode" to try to make the huge text (the whole screen) smaller but that's not working. (What have I done?).

I can't thank you enough and I'm really doing the best I can.

Truly,

Ann

 

Chaslang:

I think I'm stuck in Safe Mode.

When I went to run Ccleaner, in Safe Mode, the text was too large to accommodate the sub-menu choices, so I backed out of there and highlighted Normal Mode, then Enter, then re-booted again.

It still looks the same and on the ATF site, the cursor is a vertical line, so nothing happens with that program.

A whole new meaning to "One step at a time"? (Really sorry. I have the printed instructions at all times, but these little things that come up are not explained, which is why I have to ask what's up).

Please know that I appreciate your time and effort. You have helped me tremendously, just by your walking me through these steps and I would not have believed I could understand any of it without your patience and reasoning.

Thank you.

Ann

 

Hi chaslang:

Did that and the text is still huge.

Thanks.

Ann

 

Chasling:

Right-clicked on screen, "Properties" and then "General" window comes up, with no options.

Right-clicked on the bottom tray, (Where text is so huge), and "Properties", then a "Custom Notifications" window comes up, listing "Current Items" and below that, "Past Items".

The tray doesn't look the same as before, either. It used to be blue, but is beige now and just so 'large'.

The screen resolution just got bigger when I slid the scale to 1024 X 768, so it's at the highest no. now and still far too large.

I hope you find this more 'interesting' than frustrating - many thanks.

Ann

 

Hi chasling:

I went back into Start, Run, typed msconfig, as you said.

It reverts back to, "Ccleaner".

Hope this points to a solution.

Thanks very much.

Ann

 

Oh hi and thanks:

Found "Ccleaner" already typed in the Run, msconfig line, the three times I repeated that and re-typed, "msconfig".

Then saw, in "Systyem Configuration Start Up", that ALL the boxes of programs that are showed thereand ALL those little boxes, for each program ARE CHECKED.

Doesn't this mean they ALL start up with Windows, at once?

Even though I know I uninstalled and deleted so many of these a long time ago, are all listed here, and checked off. Now - each time I un-checked Obit, (Didn't even get to PPatrol - trying to stay safe, by unchecking one at a time).

Why are they still listed, and listed as running? I DID delete them and was trying to STOP Obit,to enable me to uninstall it, too, to clean up the software unnecessities.

My efforts to rid p.c. of unnecessary/seldom used software was met with this notice:

"System Configuration is in Selective or Diagnostic Start Up causing this message to be displayed and the Utility to run with every Windows Start Up.

Choose 'Normal' and undo changes."


I am trying so hard to understand more about my p.c. 'challenges', here, hoping it will help you spot the problems, easier. I do not want to overwork, or tick you, with my limited memory retention, so I write lots down, for a reference and I would never alter anything without asking you first.

I was a little nervous to use System Restore, but it gave me back my system tray and all it's goodies are in the SAME size text as before!

I've still got that danged 'balloon' (Virus-waiting-to-be-deployed, masquerading as Winwhateveritisrightnow) coming up from the tray and am eager to follow your instructions, from here.

Why aren't ALL those deleted/uninstalled programs GONE/

Why are they ALL checked-off and

Why can't I just uncheck them, so they don't work on Start Up, so I can really, for sure, get RID of them?

I give you accolades, chaslang. You're brilliant and I am SO sure, it's hard to reduce what you're so used to saying to brainers, into lowest-terms, just for me.

It doesn't go unnoticed.

Thanks for not giving up on me!

Ann

 

chaslang:

Ann, again.

I remember running Ccleaner and I didn't know how to save a report.

When I get confused, with either the Instructions or the Options, or the screen that I'm presented with, looks nothing like I was told it would look, I back-out, (Using steps I followed to get 'there') and ask what to in the face of the problem.

I often wish I could Print my own little bit of memory - it would be great to see it, once in a while. I'd surely Save it and if I came across it a week later, I'd wonder, "What on earth is this?".

I went to System Restore, for this time last week and -
it worked!!!!!!

So, could we please proceed with that Malware cleaning?

I stopped at Ccleaner, (Read & Run me), because I didn't know what to do about saving a logfile - so, I backed out of there and wrote to you.

Now that Ccleaner has finally left the MSconfig spot, I'm going to try, again, to get ATF.

Bless you.

Ann

 

Hi chaslang:

Still stuck in Malware removal.

BitDefender would not run and cannot run Panda because it needs Internet Explorer and mine says, "about:blank".

Tried to download I.E. 6 but it will not get past, "Verification of legal Windows". I already have the WGAPplugin, but it wouldn't open or anything.

P.C. is so very slow and text shows up after I type it.

Thanks, so much.

Ann

 

chaslang:

HiJack This wouldn't download. It said, "WinZip self-extractor head corrupt", every time I tried.

Couldn't find, 'Show New", anywhere.

After having trouble using Safe Mode, you said to run scans in Normal Mode, so I did, but, as Windows screen comes up, so does a small black window that says something about Windows systen 32_cmd.exe. Am I still in Safe Mode?

I have logs from Ccleaner, if you'd like.

Thanks,

Ann

Sorry for not understanding so much and appreciate the help.

 

chaslanga:

Thanks. Hope I've attached getrunkey and HJT properly.

I have nobody to show me so I really do appreciate your help.

*****************************************************************************
* GetRunKeys.Bat - (c) 01/28/2006 By Chaslang *
* Beta only partially supports Win9x and ME *
* 06/05/2007 Version 1.67 beta *
* - Look for DNS hijacker (aka WareOut) *
* - use swreg query for Win 2K compatibility *
*****************************************************************************
* Most of the information reported below is not necessarily bad. You must *
* not take any steps on any of these lines without consulting an expert. *
*****************************************************************************

Windows OS is

Microsoft Windows XP [Version 5.1.2600]
It's Wed July 4, 2007 11:51:28 AM

******************************************************************************
GetRunKey installation folder and files

"C:\Documents and Settings\Anne\My Documents\GetRunKey\"
getrun~1.bat Jul 4 2007 69129 "GetRunKey.bat"
grep.exe Jul 4 2007 80412 "grep.exe"
locate.com Jul 4 2007 11254 "locate.com"
ltime.exe Jul 4 2007 13184 "ltime.exe"
swreg.exe Jul 4 2007 139776 "swreg.exe"

5 items found: 5 files, 0 directories.
Total of file sizes: 313,755 bytes 306.40 K

----------------------------------------------------------------------------
Listing Standard Startup (Run) Registry Keys
----------------------------------------------------------------------------

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"FreeRAM XP"="\"C:\\Program Files\\YourWare Solutions\\FreeRAM XP Pro\\FreeRAM XP Pro.exe\" -win"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"PestPatrolCL"=""
"CookiePatrol"="C:\\PROGRA~1\\PESTPA~1\\CookiePatrol.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"eTrustPPAP"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust PestPatrol Anti-Spyware\\PPActiveDetection.exe\""
"SmartDefrag"="\"C:\\Program Files\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"RAMBooster.Net"="C:\\Program Files\\RAMBooster.Net\\RAMBooster.exe -m"
"PPMemCheck"="C:\\PROGRA~1\\PESTPA~1\\PPMemCheck.exe"
"PestPatrol Control Center"="C:\\PROGRA~1\\PESTPA~1\\PPControl.exe"
@=""
"SBCSTray"="C:\\Program Files\\Sunbelt Software\\CounterSpy\\SBCSTray.exe"
"!AVG Anti-Spyware"="\"C:\\Documents and Settings\\Anne\\Desktop\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnce]


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnceEx]


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunServices]


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunServicesOnce]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"



HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows
AppInit_DLLs REG_SZ


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
Shell REG_SZ Explorer.exe


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
System REG_SZ

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Event"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\
00,00,75,e9,90,0a,70,3b,97,43,80,7c,19,23,8c,dd,5a,12,04,00,00,00,04,00,00,\
00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,75,23,c9,f4,d8,25,97,69,\
d1,65,cd,12,42,e1,a6,08,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,89,\
f1,1f,5e,b1,bb,62,9b,0a,ff,e0,64,d0,ea,9f,19,b0,01,00,00,f0,de,8d,23,70,6c,\
46,23,44,64,59,68,c0,b7,37,54,74,74,87,48,62,65,4b,65,2a,97,ba,b5,31,b3,a7,\
f1,4e,e4,8b,8d,b5,09,64,d5,ed,bd,b6,84,d7,11,64,4e,1e,0c,61,2e,87,ba,a8,fe,\
3d,4c,53,a5,17,03,66,fa,89,e8,02,30,9a,77,b7,4e,51,f7,9c,c5,f1,93,6f,f1,ff,\
dd,45,66,cd,d2,ab,a5,65,5f,54,9d,ea,35,23,53,79,bf,04,a4,7e,7c,e0,08,50,77,\
bd,e1,14,5e,c1,6c,3c,36,e5,bc,b0,17,1d,dc,0c,31,84,bc,50,a8,64,f4,1e,90,e9,\
16,6c,e7,3f,b2,3c,23,8c,0b,55,b3,86,d6,b7,b4,b4,b4,3f,38,f9,a1,f4,77,97,9a,\
4e,e0,0a,eb,01,60,54,2a,0c,48,88,78,3c,4c,90,a2,96,95,cf,00,e3,f8,11,c4,77,\
95,76,9d,36,3e,31,fc,01,f8,e0,a7,82,cf,ef,dd,31,73,69,63,52,da,d1,9d,6e,27,\
ae,d0,2b,48,ef,a8,84,61,13,3d,6b,07,0f,38,17,d7,37,e7,54,46,9c,60,3b,05,23,\
b9,fe,e1,60,1d,80,dd,64,2d,a7,04,fb,17,6a,ee,4c,a5,b9,04,02,49,9e,89,d9,c2,\
34,10,81,bd,72,e5,89,93,db,61,5a,cc,f1,72,20,62,11,52,c1,0e,9e,96,e8,f7,70,\
ad,f0,d5,5b,9a,ca,4b,a2,65,38,0c,d0,dc,01,df,00,66,32,b8,fd,e2,8b,db,6b,35,\
ba,6c,4a,23,b5,d9,d2,21,41,05,e8,65,1d,af,e3,d4,e7,58,e1,39,52,7e,0c,2e,51,\
03,b9,7e,9f,a6,dc,e5,5c,66,cf,ac,aa,20,fe,20,f0,40,41,f9,d2,63,80,a0,25,c7,\
29,1e,c5,10,6b,3f,32,3e,11,21,f1,4e,15,91,0e,58,dd,a5,5c,aa,a5,69,be,55,19,\
d4,cb,28,de,97,4f,4a,a6,fb,0c,cd,c7,e8,0e,a3,10,11,78,bd,43,2e,f0,b5,e6,b9,\
2e,8d,03,31,90,52,7c,3e,fb,64,b7,74,d3,7e,5c,47,60,14,da,20,c1,a3,c2,ea,51,\
6e,14,00,00,00,12,bd,99,84,19,30,b9,90,94,29,0d,20,88,35,26,fe,34,d1,cd,b4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

----------------------------------------------------------------------------
Listing MSCONFIG Registry Keys
----------------------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"system.ini"=dword:00000000
"win.ini"=dword:00000000
"bootini"=dword:00000000
"services"=dword:00000000
"startup"=dword:00000000

----------------------------------------------------------------------------
Listing ModuleUsage Registry Keys
----------------------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MsnPUpld.dll]
".Owner"="{4F1E5B1A-2A80-42CA-8532-2D05CB959537}"
"{4F1E5B1A-2A80-42CA-8532-2D05CB959537}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/PURen-us.dll]
".Owner"="{4F1E5B1A-2A80-42CA-8532-2D05CB959537}"
"{4F1E5B1A-2A80-42CA-8532-2D05CB959537}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/wuweb.dll]
".Owner"="Unknown Owner"
"{6414512B-B978-451D-A0D8-FCFDF33E833C}"=""

----------------------------------------------------------------------------
Listing HKCU Policies Registry Keys
----------------------------------------------------------------------------

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"LinkResolveIgnoreLinkInfo"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]


[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer]

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]

----------------------------------------------------------------------------
Listing HKCU Explorer\Advanced//Hidden and SuperHidden Registry Keys
if Hidden = 0 then Hidden Files and Folders are not shown
if SuperHidden = 1 is the desired default value.
if ShowSuperHidden = 0 then System Files are not shown
if HideFileExt = 1 then File Extension are not shown
We want their values to be (from top to bottom) 1,1,1,0
----------------------------------------------------------------------------

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"SuperHidden"=dword:00000000
"ShowSuperHidden"=dword:00000000
"HideFileExt"=dword:00000001

----------------------------------------------------------------------------
Listing HKLM Policies Registry Keys
----------------------------------------------------------------------------

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000
"NoResolveSearch"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

----------------------------------------------------------------------------
Listing BHO Registry Keys
----------------------------------------------------------------------------

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

----------------------------------------------------------------------------
Listing SharedTaskScheduler Registry Keys
----------------------------------------------------------------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

----------------------------------------------------------------------------
Listing ShellExecuteHooks Registry Keys
----------------------------------------------------------------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

----------------------------------------------------------------------------
Listing ShellServiceObjectDelayLoad Registry Keys
----------------------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

----------------------------------------------------------------------------
Listing Default URL Prefix Keys - a possible hijack point
----------------------------------------------------------------------------

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

----------------------------------------------------------------------------
HKEY_CURRENT_USER ZoneMap ProtocolDefaults
----------------------------------------------------------------------------

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000

----------------------------------------------------------------------------
Miscellaneous Malware Detection Report
----------------------------------------------------------------------------

Checking for DNS Hijacker - aka Wareout
------------------------------------------------------------------------
DNS hijacker not found
------------------------------------------------------------------------

List of Malware found in SharedTaskScheduler
------------------------------------------------------------------------
No Malware found in SharedTaskScheduler
------------------------------------------------------------------------


List of Malware found in C:\WINDOWS\system32
------------------------------------------------------------------------
No Malware found in C:\WINDOWS\system32
------------------------------------------------------------------------


Check for Troj-Torpig-D,E,J Keylogger
------------------------------------------------------------------------
Troj-Torpig-D,E,J Keylogger was not found
------------------------------------------------------------------------


Looking for winlogonhook/conhook trojan
------------------------------------------------------------------------
winlogonhook/conhook key not found
------------------------------------------------------------------------


Looking for Miscellaneous Rootkits
------------------------------------------------------------------------
lzx32, msguard, and pe386 rootkits not found
------------------------------------------------------------------------


Looking for CmdService adware - part of ADSPY/ISearch.d.2
------------------------------------------------------------------------
CmdService adware not found
------------------------------------------------------------------------


Looking for Network_Monitor adware - part of ADSPY/ISearch.d.2
------------------------------------------------------------------------
Network_Monitor adware not found
------------------------------------------------------------------------


Looking for Trojan.Peacomm aka Downloader-BAI.sys
------------------------------------------------------------------------
Trojan.Peacomm not found
------------------------------------------------------------------------


Looking for forms of Trojan.Haxdoor
------------------------------------------------------------------------
Haxdoor Trojan, pptp form found!

"InfSection"="HPptpCam.Usb.NTWIA"
"InfSection"="HPptpCam.Usb.NTWIA"
"InfSection"="HPptpCam.Usb.NTWIA"

------------------------------------------------------------------------

 

chaslang:



Looking for Miscellaneous Rootkits
------------------------------------------------------------------------
lzx32, msguard, and pe386 rootkits not found
------------------------------------------------------------------------


Looking for CmdService adware - part of ADSPY/ISearch.d.2
------------------------------------------------------------------------
CmdService adware not found
------------------------------------------------------------------------


Looking for Network_Monitor adware - part of ADSPY/ISearch.d.2
------------------------------------------------------------------------
Network_Monitor adware not found
------------------------------------------------------------------------


Looking for Trojan.Peacomm aka Downloader-BAI.sys
------------------------------------------------------------------------
Trojan.Peacomm not found
------------------------------------------------------------------------


Looking for forms of Trojan.Haxdoor
------------------------------------------------------------------------
Haxdoor Trojan, pptp form found!

"InfSection"="HPptpCam.Usb.NTWIA"
"InfSection"="HPptpCam.Usb.NTWIA"
"InfSection"="HPptpCam.Usb.NTWIA"

------------------------------------------------------------------------


Scan saved at 3:20:15 PM, on 04/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Anne\Desktop\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Documents and Settings\Anne\Desktop\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [RAMBooster.Net] C:\Program Files\RAMBooster.Net\RAMBooster.exe -m
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Documents and Settings\Anne\Desktop\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1175008582056
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Documents and Settings\Anne\Desktop\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

I so hope this helps and is correct.

Thanks,

Ann

 

chasling:

Thank you SO much. Concentration is a real challenge for me and I did the best I could. You were so very helpful, even with my minimal understanding of the computer.

I don't have gomyron, DriveCleaner or WinFix anymore, so you manged to get me through that!

I am ever grateful.

And continue to learn as much as I can.

Bless you.

Ann