Work Machine HJT log
Piriform Community Forums > Computer Help and Discussion > Spyware Hell
krit86lr
Logfile of HijackThis v1.99.1
Scan saved at 7:33:27 PM, on 4/4/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\WMP54GS Wireless Network Monitor\WLService.exe
C:\Program Files\WMP54GS Wireless Network Monitor\WMP54G.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: XXX.XXX.XX.XX auto.search.msn.com
O1 - Hosts: XXX.XXX.XX.XXX search.netscape.com
O1 - Hosts: XXX.XXX.XX.XXX ieautosearch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINNT\System\BHO001.DLL
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize313.exe"
O4 - HKLM\..\Run: [Xjrwpsjz] C:\Program Files\Qdztn\Bqxv.exe
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINNT\System\WinStart001.EXE -b
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk145YYUS
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...e8b1d7686ab8d56
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/LSACD_XMLWebServices/...iveX/ofmctl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3E14B86-D800-4DAA-B9FE-1855A2AD6200}: NameServer = XXX.XXX.XX.XXX,XXX.XXX.X.X
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED29B642-20B6-499C-B4CC-200B05CDD7FD}: NameServer = XXX.XXX.XX.XXX,XXX.XXX.X.X
O18 - Protocol: OWC11.mso-offdap - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINNT\system32\angelex.exe (file missing)
O23 - Service: WMP54GSVC - Unknown owner - C:\Program Files\WMP54GS Wireless Network Monitor\WLService.exe" "WMP54G.exe (file missing)


How does it look, Rock Stars?!?!
rridgely
The computer has a couple of infections, krit. You're either going to have to tell your IT department (if there is one; I have no clue what your job is) or clean it up yourself.

This computer doesn't even have an antivirus. Run the usual antispyware scans.
krit86lr
QUOTE(rridgely @ Apr 4 2006, 08:14 PM)

The computer has a couple of infections, krit. You're either going to have to tell your IT department (if there is one; I have no clue what your job is) or clean it up yourself.

This computer doesn't even have an antivirus. Run the usual antispyware scans.

There isn't an IT department. (Can't you tell?)

The computer is seriously soooo slow that I wanted to know if there were infections before running the scans, because it is going to take a very long time.

Will the scans alone clean it all up?
AndyManchesta
Hi K

As RR said, you're best installing an antivirus, Ewido and Adaware and running them on full scans, as there is a fair amount of junk showing.


O1 - Hosts: XXX.XXX.XX.XX auto.search.msn.com
O1 - Hosts: XXX.XXX.XX.XXX search.netscape.com
O1 - Hosts: XXX.XXX.XX.XXX ieautosearch

I'm not sure if you have replaced the numbers with X's, but they are added by IGetNet adware; it's used to redirect requests through their servers and display ads if keywords are matched.

O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINNT\System\BHO001.DLL

Another IGetNet entry; more info Here.

O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll


WinTools adware, usually quite difficult for some scanners to remove due to three exe files protecting each other and one part running as a Windows service, but it's only showing one line in the log. Go to the Add/Remove screen and check for WebSearch Toolbar, TS Toolbar or Search Toolbar, remove if found, then fix the entry. If you have any problems there is a fixtool from Symantec Here.

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll (file missing)

This is a Bargain Buddy/Cashback entry, but the file is missing so it may have already been removed. Check the Add/Remove screen for Bargain Buddy, Cashback or The BullsEye Network, remove if found, then fix the entry.

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize313.exe"

Adware from Avenue Media. Remove Internet Optimizer from the Add/Remove screen, then fix the entry and remove the Internet Optimizer folder from the Program Files area. Symantec has a fixtool Here if needed.

O4 - HKLM\..\Run: [Xjrwpsjz] C:\Program Files\Qdztn\Bqxv.exe

Might be a VX2 file. Run Adaware and then install the VX2 cleaner plugin from Here. With it being randomly named it's hard to know what it is, but you could upload it at Jotti's or VirusTotal. After fixing, remove the Qdztn folder.

O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINNT\System\WinStart001.EXE -b

IGetNet; after fixing, remove the WinStart001.EXE file.

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

Again, this might be a VX2 file. It would help if you could upload this and let us know the results before removing the AutoUpdate folder.

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk145YYUS

MyWebSearch related. FunWebProducts is in the O16 area, so it's probably come from that and can be fixed unless you want the MyWeb menu item.

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

Added by Microsoft initially, but they are Alexa related (creates a menu item that points to a web page stored on your PC, which in turn points to an MSN search page that uses the Alexa engine). They can be fixed, or run Spybot as that will fix them.

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...e8b1d7686ab8d56

WindUpdates adware.

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab

FunWebProducts. Optional, as it uninstalls without problems, but it bundles the MyWeb Toolbar and Search Assistant, and it's already been used so isn't required now.

O17 - HKLM\System\CCS\Services\Tcpip\..\{E3E14B86-D800-4DAA-B9FE-1855A2AD6200}: NameServer = XXX.XXX.XX.XXX,XXX.XXX.X.X
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED29B642-20B6-499C-B4CC-200B05CDD7FD}: NameServer = XXX.XXX.XX.XXX,XXX.XXX.X.X

Again, not sure if you added the X's to hide the IP addresses, but they should be your ISP's DNS servers.

O23 - Service: ISEXEng - Unknown owner - C:\WINNT\system32\angelex.exe (file missing)

Bargain Buddy entry.

Optional
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
This is often added by a tweaking tool and is not a problem. There is a folder in the IE Favorites menu called Links; if you remove it, it's recreated, but if the LinksFolderName reg value is changed or equals a blank string you can remove the Links folder without it coming back. It's fine to ignore it, but if it's fixed it will just return the value to the default, Links.

Run some scans and install some protection, K, then run Panda or another online scanner to make sure there is nothing left. Let us know if you have any problems.

Andy
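The reasoning in Andy's reply above (hosts-file overrides of the browser's search hosts, BHO/service registrations whose file is already gone, randomly named Run entries in randomly named folders, unnamed ActiveX downloads, and NameServer values that are not the ISP's resolvers) written out as checks you can run over a saved HijackThis log. This is an added example, not code from the thread or from HijackThis. The sample lines are copied from the logs posted in this thread (IP addresses masked as in the posts); EXPECTED_DNS is an assumed resolver list that you would replace with what the ISP actually hands out, and the "no vowels" test for random names is a heuristic of the example's own. Everything it flags is a candidate for review, not a verdict.

```python
"""Triage checks for a HijackThis v1.99.x log (added example, not HJT code)."""
import re

# Search/redirect hostnames pinned in the hosts file by the adware seen in the
# log above. A hosts override for any of these sends the browser's built-in
# search through the adware's server instead of the real site.
SEARCH_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}

# ASSUMPTION: the resolvers the ISP really hands out. Anything else in an O17
# NameServer value is worth a look (DNS hijack), even if it turns out benign.
EXPECTED_DNS = {"151.164.14.201", "151.164.1.8"}

ENTRY_RE = re.compile(r"^(?P<code>R\d|O\d+) - (?P<body>.*)$")
O4_RE = re.compile(r'\[(?P<name>[^\]]+)\]\s+"?(?P<path>[A-Za-z]:\\[^"]*?\.[Ee][Xx][Ee])')
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def looks_random(name: str) -> bool:
    """Heuristic: four or more letters and not a single vowel, e.g. 'Qdztn'.
    Generated dropper names rarely contain vowels; product names almost
    always do. A hint only, never a verdict on its own."""
    letters = re.sub(r"[^A-Za-z]", "", name)
    return len(letters) >= 4 and re.search(r"[aeiouy]", letters, re.I) is None


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (section, reason, line) for every log entry worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        code, body = m.group("code"), m.group("body")

        if code == "O1":
            host = body.split()[-1]
            if host in SEARCH_HOSTS:
                findings.append((code, f"hosts file overrides search host {host}", line))

        elif code in ("O2", "O3", "O23") and body.endswith("(file missing)"):
            findings.append((code, "registration left behind, file already gone", line))

        elif code == "O4":
            m4 = O4_RE.search(body)
            if m4:
                parts = m4.group("path").split("\\")
                folder = parts[-2] if len(parts) >= 2 else ""
                # Both the Run value name and its folder look generated.
                if looks_random(m4.group("name")) and looks_random(folder):
                    findings.append((code, "random-looking Run value and folder", line))

        elif code == "O16":
            # A legitimate DPF control normally carries a "(Friendly Name)";
            # an unnamed CLSID fetched from a third-party host is the usual
            # drive-by installer pattern. The name is supplied by whoever
            # ships the control, so this is a weak signal by itself.
            if not re.search(r"DPF: \{[0-9A-Fa-f-]+\}\s+\(", body):
                findings.append((code, "unnamed ActiveX download", line))

        elif code == "O17":
            for ip in IP_RE.findall(body.split("NameServer =")[-1]):
                if ip not in EXPECTED_DNS:
                    findings.append((code, f"unexpected DNS server {ip}", line))
    return findings


# Lines copied from the logs posted in this thread (IPs masked as in the posts).
SAMPLE_LOG = r"""
O1 - Hosts: XXX.XXX.XX.XX auto.search.msn.com
O1 - Hosts: XXX.XXX.XX.XXX search.netscape.com
O1 - Hosts: XXX.XXX.XX.XXX ieautosearch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Xjrwpsjz] C:\Program Files\Qdztn\Bqxv.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...e8b1d7686ab8d56
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3E14B86-D800-4DAA-B9FE-1855A2AD6200}: NameServer = 151.164.14.201,161.164.1.8
O23 - Service: ISEXEng - Unknown owner - C:\WINNT\system32\angelex.exe (file missing)
"""

if __name__ == "__main__":
    for section, reason, entry in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {entry}")
```

On the sample above it flags the three hosts overrides, the two "(file missing)" registrations, the Xjrwpsjz/Qdztn Run entry, the unnamed windupdates control and the one resolver outside EXPECTED_DNS, while leaving the Acrobat, QuickTime, MSN Messenger and WGA entries alone; msnmsgr has no vowels but lives in a normally named folder, which is why the Run check requires both halves to look generated.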
krit86lr
Okay, I'm still working on it. There is a lot to do.

I have a question: What should I use for protection? Isn't it illegal to use free AV products on a work machine? Maybe eTrust would be okay?

I can't use Windows Defender because my computer is missing something. So maybe TeaTimer, SpywareBlaster, and DSOStop2 are the only protection that I can use.

Oh, well. Current Status...
1. CWShredder Fixed 3 problems.
2. Ewido cleaned 114 infected objects.
3. Adaware is still scanning, but has found 70 total so far. Adaware finished with 97 objects.


Oh my....

BTW - Thanks everyone!
krit86lr
This is the new HJT log after removing over 200 infected objects.


Logfile of HijackThis v1.99.1
Scan saved at 11:04:40 PM, on 4/4/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\WMP54GS Wireless Network Monitor\WLService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\WMP54GS Wireless Network Monitor\WMP54G.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Steph\Desktop\K DOCS\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ccleaner.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Xjrwpsjz] C:\Program Files\Qdztn\Bqxv.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3E14B86-D800-4DAA-B9FE-1855A2AD6200}: NameServer = XXX.XXX.XX.XXX,XXX.XX.X.X
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED29B642-20B6-499C-B4CC-200B05CDD7FD}: NameServer = XXX.XXX.XXX.XXx,XXX.XXX.X.X
O18 - Protocol: OWC11.mso-offdap - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: WMP54GSVC - Unknown owner - C:\Program Files\WMP54GS Wireless Network Monitor\WLService.exe" "WMP54G.exe (file missing)
AndyManchesta
Hi K ,

eTrust should be fine to use. I don't think Windows Defender is essential to install, with it being a beta test, and the alternative products you mention, especially Spybot's Immunize and SpywareBlaster, will help keep the PC clean.

These are still showing in the log.

Run HijackThis and choose Do A System Scan, then place a check next to these entries:

O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)

O4 - HKLM\..\Run: [Xjrwpsjz] C:\Program Files\Qdztn\Bqxv.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab


Close all open browser and other windows except for HijackThis and press the Fix Checked button.

Then remove these folders:

C:\Program Files\Qdztn\
C:\Program Files\Common Files\WinTools\


And finish off with a scan at Panda Activescan.
krit86lr
I'm running the Symantec Websearch Removal tool now, because it won't go away. I hope that this works. (Wish me luck)
AndyManchesta
If it's the O2 that will not go away, then make sure all browser windows are closed before fixing the entry, and if it remains, try removing it in Safe Mode.

Good luck
krit86lr
Is she pretty now?

Logfile of HijackThis v1.99.1
Scan saved at 11:26:41 PM, on 4/4/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\WMP54GS Wireless Network Monitor\WLService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\WMP54GS Wireless Network Monitor\WMP54G.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Documents and Settings\Steph\Desktop\K DOCS\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ccleaner.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3E14B86-D800-4DAA-B9FE-1855A2AD6200}: NameServer = XXX.XXX.14.XXX,XXX.XXX.1.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED29B642-20B6-499C-B4CC-200B05CDD7FD}: NameServer = XXX.XXX.XX.XXX,XXX.XXX.1.8
O18 - Protocol: OWC11.mso-offdap - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: WMP54GSVC - Unknown owner - C:\Program Files\WMP54GS Wireless Network Monitor\WLService.exe" "WMP54G.exe (file missing)

QUOTE(AndyManchesta @ Apr 4 2006, 11:17 PM)

Then remove these folders:

C:\Program Files\Qdztn\
C:\Program Files\Common Files\WinTools\


And finish off with a scan at Panda Activescan.

I can't find these program files. Is that okay?
AndyManchesta
Nice Work K ,

That's a clean log.

Just need some AV protection, and then run an online scanner to make sure there are no leftover files.

About the files to remove: the scanners might have already removed them and just left the Run commands in place. Set Windows to show hidden and system files and see if they can be found.

Reconfigure Windows to show hidden files:

Click the My Computer icon, then the C:\ drive. Select the Tools menu and click Folder Options. Select the View tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.

Click Yes to confirm. Click OK. (Press Restore Defaults after checking for the files to hide the folders again)
krit86lr
QUOTE(AndyManchesta @ Apr 4 2006, 11:35 PM)

Nice Work K ,

That's a clean log.

Just need some AV protection, and then run an online scanner to make sure there are no leftover files.

Sweet! I'll finish it up in the morning.

Thanks for the help.
AndyManchesta

No problem. I edited my last post after seeing your question about the files.

Chat to you later

Andy
krit86lr
I went ahead and installed AVG for the time being. I'll install eTrust tomorrow. I wanted something to keep it safe since it's clean now.

I'll double check the files again tomorrow, and start the online scanner when I leave.

There are some extra towers in the office that match mine, so I'm going to pull the memory cards and put them in my tower tomorrow. My boss isn't going to know what to do with me.

Now I just need to get the stupid thing to defrag! (3rd party tools will be needed)


I used CCleaner to clean up because the Disk Cleanup kept stalling. CCleaner actually couldn't even handle all of the crap. I had to check 1 box at a time the first round, but now it's working properly.


Thanks again. Later!
K
krit86lr
I just ran eTrust and it found 4 Win32/Propo. Are these false positives by any chance?
AndyManchesta
Hi K

If it's finding Propo then it's worth running Blacklight or RootkitRevealer just to make sure it's not the rootkit variant of Apropos; it's simple enough to remove if it is. Does it let you know where the files are?
krit86lr
QUOTE(AndyManchesta @ Apr 6 2006, 02:41 PM)

Hi K

If it's finding Propo then it's worth running Blacklight or RootkitRevealer just to make sure it's not the rootkit variant of Apropos; it's simple enough to remove if it is. Does it let you know where the files are?

The files were in C:\Documents and Settings\username\Temp....

The file names are/were:
Win32/Propo
1. ic3plug.exe
2. jetceng.exe
3. jobueng.exe
4. solime.exe

I'll try your suggestion now. BTW, is Trojan Hunter good?


Thanks

Why can't I unzip the file with Windows 2000? Is there a trick or something?

Okay, Blacklight didn't find anything. Does that mean that I'm okay?


The bummer, though, is that the popups are still here, but not as bad. I just don't understand why popups are opening IE windows when I am using FF. <baffling> haha
AndyManchesta
Hi K

I've never tried TrojanHunter, K, but it sounds good and it is recommended on a lot of sites. If you get the warning again for the files, can you send them to me using the Suspicious File Packer and I will see what they are.

Please download Suspicious File Packer from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Insert the full path to the file(s) into the SFP window, one per line, then click "Continue".

Email the created .cab file to AndyManchesta[AT]hotmail.com

Hopefully CA was able to remove them and it's now clean.

Andy
krit86lr
QUOTE(AndyManchesta @ Apr 6 2006, 08:31 PM)

Hi K

I've never tried TrojanHunter, K, but it sounds good and it is recommended on a lot of sites. If you get the warning again for the files, can you send them to me using the Suspicious File Packer and I will see what they are.

Please download Suspicious File Packer from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Insert the full path to the file(s) into the SFP window, one per line, then click "Continue".

Email the created .cab file to AndyManchesta[AT]hotmail.com

Okay, but how do I unzip in Windows 2000? It doesn't give me the options to unzip... (I'm out of practice)
AndyManchesta

Here is a link to the sfp.exe file; just right-click the link and choose Save Target As, but it probably will not be needed if they have already been removed.

krit86lr
Logfile of HijackThis v1.99.1
Scan saved at 8:40:38 PM, on 4/6/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\WMP54GS Wireless Network Monitor\WLService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\WMP54GS Wireless Network Monitor\WMP54G.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\rundll32.exe
C:\Documents and Settings\Steph\Desktop\K DOCS\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ccleaner.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3E14B86-D800-4DAA-B9FE-1855A2AD6200}: NameServer = 151.164.14.201,161.164.1.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED29B642-20B6-499C-B4CC-200B05CDD7FD}: NameServer = 151.164.14.201,151.164.1.8
O18 - Protocol: OWC11.mso-offdap - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: WMP54GSVC - Unknown owner - C:\Program Files\WMP54GS Wireless Network Monitor\WLService.exe" "WMP54G.exe (file missing)



QUOTE(AndyManchesta @ Apr 6 2006, 08:43 PM)

Here is a link to the sfp.exe file; just right-click the link and choose Save Target As, but it probably will not be needed if they have already been removed.

Okay, thanks Andy. I'll hang onto it just in case I need it. I suppose I'll run Panda now, and see what comes up.
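Added example, not from any post in this thread and not part of HijackThis itself: a small Python triage script for the kind of log posted above. It groups the entry lines by their section code (R0, O1, O2, O4, O17, O23 and so on) and lists the items a log helper reads first: "(file missing)" entries, BHOs with no name, services with an unknown owner, HOSTS overrides, per-adapter DNS servers, and Run items given as a bare filename that Windows resolves through PATH. It does not decide what is malicious; that judgement is still the helper's. The heuristics are my own, and the sample lines are constructed, modelled on lines from the posted logs (the HOSTS address is a documentation-range IP, because the posted ones were masked).

```python
"""Triage parser for HijackThis-style log lines (added example; heuristics are
the author's own, sample lines are constructed after the posted logs)."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1 (constructed sample)
C:\WINNT\System32\smss.exe
O1 - Hosts: 192.0.2.10 auto.search.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3E14B86-D800-4DAA-B9FE-1855A2AD6200}: NameServer = 151.164.14.201,161.164.1.8
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: WMP54GSVC - Unknown owner - C:\Program Files\WMP54GS Wireless Network Monitor\WLService.exe" "WMP54G.exe (file missing)
"""

# An entry line is "<code> - <body>"; the process list and headers do not match.
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
O1_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
O17_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section, e.g. O2, O23
    reason: str  # why the line needs a look
    line: str    # the original log line


def entries(log_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (code, body, line) for every entry line in the log."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            yield m["code"], m["body"], line


def run_target(body: str) -> Optional[str]:
    """Executable of an O4 '[name] command' item: the quoted path if the
    command is quoted, otherwise its first token. None for other O4 forms."""
    m = re.search(r"\] (.*)$", body)
    if not m:
        return None
    cmd = m.group(1).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else None


def triage(log_text: str) -> List[Finding]:
    """Return the review items found in the log, in log order."""
    findings: List[Finding] = []
    for code, body, line in entries(log_text):
        if "(file missing)" in body:
            findings.append(Finding(code, "file missing", line))
        if code == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding(code, "BHO with no name", line))
        if code == "O23" and "Unknown owner" in body:
            findings.append(Finding(code, "service with unknown owner", line))
        if code == "O1":
            m = O1_RE.match(body)
            if m:
                findings.append(Finding(code, f"HOSTS override: {m['host']} -> {m['ip']}", line))
        if code == "O17":
            m = O17_RE.search(body)
            if m:
                findings.append(Finding(code, f"DNS servers set on adapter: {m['servers']}", line))
        if code == "O4":
            target = run_target(body)
            if target and "\\" not in target:
                # bare filename: resolved through PATH at logon, worth confirming which file runs
                findings.append(Finding(code, f"run item resolved via PATH: {target}", line))
    return findings


def by_reason(findings: List[Finding]) -> dict:
    """Count findings per reason (the text before the first colon)."""
    counts: dict = {}
    for f in findings:
        key = f.reason.split(":")[0]
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"{f.code:>4}  {f.reason}\n      {f.line}")
```

Run it with a saved hijackthis.log as the first argument, or with no argument to see the constructed sample. A clean result from this script is not a clean log; it only removes the obvious items from the reading you still have to do.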
AndyManchesta
Looking good K, that's a clean log. Panda would be good to check for leftover junk.
krit86lr
I love this little guy.

I'll see you in a little while, I'm leaving work now.



Later!
K
AndyManchesta
I noticed the Panda part so edited my post in case it shows any leftover junk, but I'll add hyperguy back to this one.

krit86lr
You are not going to believe this! eTrust detected 5 more Win32/Propo files about 2 minutes ago, but eTrust keeps deleting them, so I can't even upload them first or anything.

New files detected as Win32/Propo

C:\Program Files\Outlayer\ace.dll
C:\Program Files\Outlayer\clsvdeps.exe
C:\Program Files\Outlayer\mf3tsd32.exe
C:\Program Files\Outlayer\WinGenerics.dll
C:\WINNT\system32\vcdtus40.exe

Adaware just found "Adintelligence.Apropos Toolbar"
AndyManchesta
With there being ace.dll and WinGenerics it might be the rootkit variant. Check if you can see the Outlayer folder in Program Files; if you cannot, then it's either been removed by CA or it's hidden by the rootkit.

http://www.sysinternals.com/Files/RootkitRevealer.zip

http://www.f-secure.com/blacklight/try.shtml

If you find the folder then maybe they are leftover files that CA found, but if not, run Rootkit Revealer and save the log when it finishes. If it finds items, download RegSearch by Bobbi Flekman Here (I've linked to the .exe file with you not being able to extract zipped folders).

Reboot into safe mode and run regsearch.exe.

On the top line type vcdtus40.exe, make sure all the boxes in the search area are checked and press OK. The search may take a while and when it's finished searching it will open the results in Notepad.

Also search for contextplus and adchannel and post back the Notepad results.
krit86lr
QUOTE(AndyManchesta @ Apr 6 2006, 09:21 PM)

I did find the folder in Program Files. It still has 1600 files in the folder. So I shouldn't delete the Outlayer folder?
AndyManchesta
You're best running RootkitRevealer and seeing if it shows clear, then run the RegSearch for at least this file, vcdtus40.exe, to find where its registry entries live so we can remove them. Try running the search in normal mode if you can see the Outlayer folder.
krit86lr
QUOTE(AndyManchesta @ Apr 6 2006, 09:30 PM)

Well I still have the same problem as before. There isn't an option to extract, and the RootkitRevealer is a zip folder. Do I need to download something to be able to extract zip folders?


EDIT: I feel like a dork, but I have never needed something to extract zip folders. lol
AndyManchesta

Sorry, I forgot about that. You should be able to use programs like WinZip, WinRAR or ExtractNow.

krit86lr
QUOTE(AndyManchesta @ Apr 6 2006, 11:02 PM)

Cool beans Andy. Thank you. I am home now, but I will follow your instructions tomorrow.

Good times
K
Andavari
QUOTE(krit86lr @ Apr 5 2006, 12:59 AM)

Now I just need to get the stupid thing to defrag! (3rd party tools will be needed)

Try Sysinternals Contig

Contig Installation:
Unzip to the Windows directory.

Contig Usage Examples (via a Command Prompt, or Start->Run):
contig -s "c:\*.*"
contig -s "d:\*.*"

QUOTE(krit86lr @ Apr 6 2006, 08:30 PM)

The bummer, though, is that the pop-ups are still here, but not as bad. I just don't understand why pop-ups are opening IE windows and I am using FF.

Download a software-based firewall.
krit86lr
QUOTE(Andavari @ Apr 6 2006, 11:19 PM)

haha...I just replied to another post of yours stating that I will need to. smile.gif

Thanks for the Contig suggestion.
krit86lr
I installed Zone Alarm.

Rootkit Revealer didn't find any discrepancies.

I used the RegSearch thingy, and it found a lot of keys for the searches that you told me to search for. Should I just delete the keys that it found? My computer won't connect to the internet right now, so I'm using my boss's computer to type this.

What should I do now? I did delete two keys, but then thought that maybe that isn't what I should be doing. It found keys for all of my searches. I don't know what's going on.
AndyManchesta
Hi K,

It would be easier to comment if I saw the registry entries. I was hoping it would show a random-named folder in the Software area of the registry so we could find out what other files may be on the PC, but if RootkitRevealer shows clear it may be an older variant or leftover files.

Does your Add/Remove screen have any of these listed:

Aproposmedia
AproposClient
Contextplus
Ctxpls
POP (People on Page)

Post back the results from the RegSearch if you can, or any info on the 2 keys you removed, and it might help show if there are any remaining files to remove.

Thanks

Andy
krit86lr
QUOTE(AndyManchesta @ Apr 7 2006, 06:12 PM)


RegSearch found about 10 keys, and I only removed 2 keys, so there are more to remove. Nothing shows up in Add/Remove Programs. All of the files show up either in that Outlayer Program folder (which isn't listed in Add/Remove) or in Winnt. I will try to get those files to you, but I need to connect to the server. I think that the firewall is blocking me or something. I'm kind of busy at the moment, but I will have more time a little later.

My boss doesn't know what the Outlayer folder is and told me that I can delete it if I want to. Do you think that is a good idea?

Thanks!
AndyManchesta
I'd say the folder is a random-named one left by Apropos, with it having ace.dll and WinGenerics.dll inside it, so it would be fine to remove it. If it's the variant I think it is then the reg search results should show a lot of info, but if you can find the folders and files easily enough then it's probably not active anymore.

ContextPlus, who own Apropos, did change their homepage a couple of months ago showing:

QUOTE
Due to concerns over the practices of some of its distribution partners, ContextPlus has determined that it is no longer able to ensure the highest standards of quality and customer care and therefore is discontinuing further distribution of its software.


So hopefully that means no one will be getting new variants of Apropos. CA may have already removed all the files on your PC, so it might just be a few reg entries that remain, but the reg search results will make that part a lot easier.
krit86lr
Oh, goodness...I had to turn off the firewall to connect to the network!

Here are 2 of the RegSearch files, and there is one more.
[attachmentid=600][attachmentid=599]

Spybot just found:
Alexa Related C:\WINNT\Web\RELATED.HTM
(executable) Apropos Media C:\WINNT\System32\auto_update_uninstall.exe
(class ID) FunWebProducts
(interface/reg) FunWeb Product
MyWebSearch
PeopleOnPage
Target Saver
WildTangent (lots of these)

What should I do next? Just run more scans?

Sorry, here is the 3rd search results.

[attachmentid=601]
AndyManchesta
Lets sort Apropos first then we can see where the other files are being found.

Go to Start > Run, then copy and paste this:

regedit /e C:\root.txt "HKEY_LOCAL_MACHINE\SOFTWARE\CzXUFAG6JkF5"

Press OK and it should create a text file in the C:\ drive called root.txt. Can you post that back?
krit86lr
QUOTE(AndyManchesta @ Apr 7 2006, 07:05 PM)

This, maybe? There wasn't a root.txt, just a temp.txt.
AndyManchesta
If it finds the reg key the file will be called root.txt. Can you extract files yet?
krit86lr
QUOTE(AndyManchesta @ Apr 7 2006, 07:12 PM)

Yes, I can extract files, but there isn't a file called root.txt.

Okay, I will go look one more time. (Sorry, I'm running back and forth between 2 computers.)
AndyManchesta
No, I just meant I'd send a file to search for the reg entry and open it in Notepad. Is that random-named key one of the two that you removed?

Download the attached file and extract it, then double-click Find.bat. If Notepad is clear when it opens and that registry key isn't one you removed, can you reboot the PC into safe mode and run the batch script again?

Cheers
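Added example, not from any post in this thread and not the attached Find.bat (which was never shown): a Python script that reads a regedit export and does offline what the RegSearch step earlier and the regedit /e check here do on the machine. On the affected PC the export is still made with the command from the post, for example `regedit /e C:\root.txt "HKEY_LOCAL_MACHINE\SOFTWARE\CzXUFAG6JkF5"`, or with a broader key such as HKEY_LOCAL_MACHINE\SOFTWARE when you want to search; this script then parses the resulting file, reports whether the key is present, and lists every key, value name or value data containing the search terms (vcdtus40.exe, contextplus, adchannel). The key name and the search terms are the ones from the thread; the values in SAMPLE_EXPORT are constructed, because the real key's contents were never posted. Assumption worth stating: "Regedit Version 5.00" exports are UTF-16 with a byte-order mark and REGEDIT4 exports are ANSI, which is why the file is read as bytes and decoded by its BOM rather than passed straight to findstr.

```python
r"""Parse and search a regedit export (added example; sample data constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the key name is from the thread, the values are not.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\CzXUFAG6JkF5]
"Path"="C:\\Program Files\\Outlayer"
"Loader"="C:\\WINNT\\system32\\vcdtus40.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Acrobat Reader]
@="installed"
"Flags"=dword:00000001
"""


@dataclass(frozen=True)
class Hit:
    key: str
    value_name: Optional[str]  # None when the key path itself matched
    data: Optional[str]
    term: str


def decode_export(raw: bytes) -> str:
    """Version 5.00 exports carry a UTF-16 BOM; REGEDIT4 exports are ANSI."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def _unescape(s: str) -> str:
    # .reg string syntax escapes backslash and double quote with a backslash
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1]); i += 2
        else:
            out.append(s[i]); i += 1
    return "".join(out)


def _split_value(line: str):
    """'"name"="data"' or '@="data"' -> (name, data); dword:/hex: data is kept raw."""
    if line.startswith("@="):
        name, rest = "", line[2:]
    else:
        i = 1
        while i < len(line) and line[i] != '"':
            i += 2 if line[i] == "\\" else 1  # skip escaped characters in the name
        name, rest = _unescape(line[1:i]), line[i + 1:]
        if not rest.startswith("="):
            raise ValueError("malformed value line: " + line)
        rest = rest[1:]
    if len(rest) >= 2 and rest[0] == '"' and rest[-1] == '"':
        return name, _unescape(rest[1:-1])
    return name, rest


def load_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Map key path -> {value name: data}. Hex data continued over several
    lines with a trailing backslash is joined before parsing."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if current is None:
            continue
        name, data = _split_value(line)
        keys[current][name] = data
    return keys


def search_reg(keys: Dict[str, Dict[str, str]], terms: List[str]) -> List[Hit]:
    """Case-insensitive substring search over key paths, value names and data
    (RegSearch with every box checked)."""
    hits: List[Hit] = []
    for path, values in keys.items():
        for term in terms:
            t = term.lower()
            if t in path.lower():
                hits.append(Hit(path, None, None, term))
            for name, data in values.items():
                if t in name.lower() or t in data.lower():
                    hits.append(Hit(path, name, data, term))
    return hits


def key_exists(keys: Dict[str, Dict[str, str]], path: str) -> bool:
    """True if the key or any subkey is in the export."""
    p = path.lower().rstrip("\\")
    return any(k.lower() == p or k.lower().startswith(p + "\\") for k in keys)


if __name__ == "__main__":
    import sys
    text = decode_export(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 else SAMPLE_EXPORT
    keys = load_reg(text)
    print("CzXUFAG6JkF5 present:", key_exists(keys, r"HKEY_LOCAL_MACHINE\SOFTWARE\CzXUFAG6JkF5"))
    for h in search_reg(keys, ["vcdtus40.exe", "contextplus", "adchannel"]):
        print(f"{h.term}: {h.key}  {h.value_name!r} = {h.data!r}")
```

Usage: `python regsearch_offline.py C:\root.txt` on the exported file, or no argument to run against the constructed sample. Because the matching is done on the export rather than the live registry, the same file can be posted back for review and the hits checked before anything is deleted.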

krit86lr
Nope, it's not there. Is that good?

Notepad:

Cannot find the Output.txt file.
Do you want to create a new file?



I don't know what to do now, but I can't boot in Safe Mode. I don't know why; I tried earlier today to scan in Safe Mode but the machine froze when I selected Safe Mode. 20 minutes and it never booted. I haven't had time to investigate.
AndyManchesta
I'm not sure if that's good, as the RegSearch results show that key is on the PC and it does contain info on where files are saved, but maybe it's one Spybot removed. That Outlayer folder might be all that's left, but if we cannot export the key it's difficult to be sure. There is a fix tool for Apropos from Swandog but it needs running in safe mode. Hopefully you can get into safe mode at some stage if it's needed, but it might also be worth running SFC /SCANNOW or checking the drive for errors again if you get the time. Did Pandascan find any problems?
krit86lr
QUOTE(AndyManchesta @ Apr 7 2006, 07:49 PM)

I'm not sure if that's good, as the RegSearch results show that key is on the PC and it does contain info on where files are saved, but maybe it's one Spybot removed. That Outlayer folder might be all that's left, but if we cannot export the key it's difficult to be sure. There is a fix tool for Apropos from Swandog but it needs running in safe mode; hopefully you can get into safe mode at some stage, but it might be worth running SFC /SCANNOW or checking the drive for errors again if you get the time. Did Pandascan find any problems?

Thanks again Andy.

Pandascan won't scan. (I always have this problem on my home machine too.) Is there another scan that you would suggest? BitDefender maybe?

I will run RegSearch again and see if anything else shows up. Spybot may have gotten everything.

The sfc /scannow is a good idea, but you need the installation CD to run the check. Unfortunately I don't have the CD, and my boss is not here, so I will ask him another time. I will try to boot in Safe Mode again a little later when I don't need my computer.
krit86lr
These were the Spybot fixes. It looks like all of them.

[attachmentid=605]
AndyManchesta
Any online scan is good just to make sure there is no leftover junk; try using Trend, BitDefender or Kaspersky's scanner if Pandascan is having problems. Safe mode might not be needed for Apropos because RootkitRevealer didn't find any files, so it probably means it's not active on your PC. Any entries found should be easy to remove, and running RegSearch again would be handy to make sure that software key isn't still there. I don't see it in the Spybot results, so if it's not one you removed it might still be on the PC.


Here's some setup info for other scanners if needed

TrendMicro HouseCall Java Scan
  • Go HERE to run the Trend Micro HouseCall Scan.
  • Click Scan now. It's free!
  • Read the terms and put a Check next to Yes I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.
  • Reboot the PC
BitDefender Online Scanner
  • Go HERE to run BitDefender's Online scan.
  • Read the terms and then click I Agree
  • You may receive a Security Warning about the BitDefender ActiveX control, If you do, please allow it to install.
  • On the scanning Options screen, Press Click Here To Scan and then follow the on screen prompts.
  • Reboot the PC again
Kaspersky WebScanner
  • Go HERE and click Kaspersky Online Scanner
  • Read and Accept the Agreement
  • You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • If you see a Windows dialog asking if you want to install this software, click the Install button.
  • The program will launch and then begin downloading the latest definition files,
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
krit86lr
That sounds marvelous! I'll run all 3 and work from a different machine. Housecall is scanning right now.

Thanks again
Tarun
I'd try ewido's online scanner. ^^