yahoo pages hijacked
Showing all messages in thread #1210794682 Windows XP Annoyances Discussion Forum
The following are all of the messages in this thread (18 in all), shown in chronological order.
|
yahoo pages hijacked
Wednesday, May 14, 2008 at 12:51 pm Posted by Jim Dekan
(22 messages posted)
I posted a msg here yesterday but I can't seem to locate it this AM. I used my home PC and I am not sure if it even got through. I'll repost, and if it's a duplicate I apologize.
I have XP with SP2 and Symantec AV10. When I go to Yahoo and type a subject in the search bar, then click it, it will go to that Yahoo page that shows those subjects. But when I click on any subject it sends me to any number of shopping links instead: places like Search 9, or eBay, or Shop This... I ran Sym. AV and it found nothing. Then I ran Spybot and it found a Zlop something; I deleted it. Then ran Ad-Aware. It found nothing. Then I ran Sass exe. It ran HijackThis. I briefly saw something that said Trojan C BIS or something like that, then it was gone. I noticed a thing called esellerate engine.dll. I never saw that before and wonder if that's the problem. I rebooted and the problem is still there. I can post the HijackThis list if someone can help me, please.
|
re: yahoo pages hijacked
Wednesday, May 14, 2008 at 3:47 pm Posted by MrCharlie
(4071 messages posted)
Post the log, I'll see if I can point you in the right direction. MrC
Malware Removal Specialist
|
re: yahoo pages hijacked
Wednesday, May 14, 2008 at 8:17 pm Posted by Jim Dekan
(22 messages posted)
Thank you Mr Charlie... here's a hijack 2.2 scan log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:34 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\WINDOWS\system32\hphmon04.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Windows Media Player\WMPNSCFG.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHUPD04] "D:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HPHmon04] D:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [StartCCC] D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176686382750
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPH11 - HP - D:\WINDOWS\system32\HPHipm11.exe
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 5369 bytes
On Wednesday, May 14, 2008 at 3:47 pm, MrCharlie wrote:
>
>Post the log I'll see if I can point you in the right direction, MrC
|
re: yahoo pages hijacked
Thursday, May 15, 2008 at 3:59 am Posted by MrCharlie
(4071 messages posted)
Can you repost the log but this time..........
Please make sure you check the "preserve spacing button" on
the bottom of the posting page. It's right above the "Cancel Button" !
HERE---->[X] Check this box to preserve your spacing, or leave it unchecked to have your text wrapped automatically.
Tip: Don't use this option unless you really need it; use the preview feature on
the next page if you're not sure.
Please don't fix anything without proper guidance!!!
MrC
Malware Removal Specialist
|
re: yahoo pages hijacked
Thursday, May 15, 2008 at 9:47 am Posted by Jim Dekan
(22 messages posted)
Oops.. sorry Mr C... I thought that looked a bit unusual. I didn't know about that spacing button. I don't recall ever seeing that before. I will repost the log when I get home from work this evening. Thx.
jd
On Thursday, May 15, 2008 at 3:59 am, MrCharlie wrote:
>
>Can you repost the log but this time..........
>
>Please make sure you check the "preserve spacing button" on
>the bottom of the posting page. It's right above the "Cancel Button" !
>
>HERE---->[X] Check this box to
>preserve your spacing, or leave it unchecked to have your text wrapped automatically.
>Tip: Don't use this option unless you really need it; use the preview feature on
>the next page if you're not sure.
>
>Please don't fix anything without proper guidance!!!
>
>MrC
>Malware Removal Specialist
|
re: yahoo pages hijacked
Thursday, May 15, 2008 at 5:27 pm Posted by MrCharlie
(4071 messages posted)
Also in a separate post:
Open up HJT > Open Misc. Tools Section > scroll down to "Open Uninstall Manager" > click "Save List", copy and paste it back here.
MrC
Malware Removal Specialist
|
re: yahoo pages hijacked
Thursday, May 15, 2008 at 6:05 pm Posted by Jim Dekan
(22 messages posted)
Okay.. here's the Deckard log.. I will post your requested log next. I also noticed that several of my games no longer work... the window says the .exe had been modified.
Deckard's System Scanner v20071014.68
Run by dad on 2008-05-13 22:40:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------
[color=red]Total Physical Memory: 511 MiB (512 MiB recommended).[/color]
-- HijackThis (run as dad.exe) -------------------------------------------------
Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-13 22:41:35
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal
Running processes:
D:\WINDOWS\system32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Symantec AntiVirus\VPTray.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\WINDOWS\system32\hphmon04.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Windows Media Player\wmpnscfg.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\alg.exe
D:\Documents and Settings\dad\Desktop\VR\dss.exe
D:\Documents and Settings\dad\Desktop\jimmy's utilities\HJT\dad.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHUPD04] "D:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HPHmon04] D:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [StartCCC] D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176686382750
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPH11 - HP - D:\WINDOWS\system32\hphipm11.exe
O23 - Service: SavRoam - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 5870 bytes
-- Files created between 2008-04-13 and 2008-05-13 -----------------------------
2008-05-13 20:22:20 0 d-------- D:\WINDOWS\Prefetch
2008-05-13 00:22:46 0 dr-h----- D:\Documents and Settings\dad\Recent
2008-05-06 20:45:24 0 dr------- D:\Documents and Settings\NetworkService\Favorites
2008-04-17 22:04:02 0 d-------- D:\Program Files\AC3Filter
-- Find3M Report ---------------------------------------------------------------
2008-05-13 22:20:54 0 d-------- D:\Program Files\Symantec AntiVirus
2008-05-11 19:17:38 0 d-------- D:\Documents and Settings\dad\Application Data\U3
2008-04-17 21:37:53 0 d-------- D:\Program Files\DivX
2008-04-14 23:16:36 0 d-------- D:\Documents and Settings\dad\Application Data\GARMIN
2008-04-13 16:09:27 0 d-------- D:\Program Files\Ahead
2008-04-12 19:15:14 0 d-------- D:\Documents and Settings\dad\Application Data\CoreFTP
2008-04-05 01:16:17 0 d-------- D:\Program Files\Call of Duty Game of the Year Edition
2008-03-31 15:25:48 823296 --a------ D:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 15:25:48 823296 --a------ D:\WINDOWS\system32\divx_xx07.dll
2008-03-31 15:25:46 802816 --a------ D:\WINDOWS\system32\divx_xx11.dll
2008-03-31 15:25:46 831488 --a------ D:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 15:25:46 682496 --a------ D:\WINDOWS\system32\DivX.dll
2008-03-29 18:51:19 0 d-------- D:\Program Files\MediaCoder iPhone Edition
2008-03-29 18:29:29 0 d-------- D:\Program Files\Common Files
2008-03-29 17:20:44 0 d-------- D:\Program Files\MediaCoder
2008-03-29 13:05:09 356352 --a------ D:\WINDOWS\eSellerateEngine.dll
2008-03-29 13:04:54 0 d-------- D:\Program Files\Deskshare
2008-03-29 12:39:59 0 d-------- D:\Documents and Settings\dad\Application Data\Apple Computer
2008-03-29 12:05:15 0 d-------- D:\Program Files\Safari
2008-03-29 12:04:26 0 d-------- D:\Program Files\iTunes
2008-03-29 12:04:10 0 d-------- D:\Program Files\iPod
2008-03-21 14:30:08 3596288 --a------ D:\WINDOWS\system32\qt-dx331.dll
2008-03-21 14:28:54 196608 --a------ D:\WINDOWS\system32\dtu100.dll
2008-03-21 14:28:54 81920 --a------ D:\WINDOWS\system32\dpl100.dll
2008-03-21 14:28:20 12288 --a------ D:\WINDOWS\system32\DivXWMPExtType.dll
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [03/17/2004 02:10 PM D:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [09/23/2004 05:27 AM D:\WINDOWS\SOUNDMAN.EXE]
"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [04/08/2005 02:52 PM]
"vptray"="D:\PROGRA~1\SYMANT~1\VPTray.exe" [04/17/2005 11:30 AM]
"HPDJ Taskbar Utility"="D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [04/04/2002 02:03 PM]
"HPHUPD04"="D:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [04/04/2002 02:04 PM]
"RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 06:42 PM]
"HPHmon04"="D:\WINDOWS\system32\hphmon04.exe" [04/04/2002 02:01 PM]
"NeroFilterCheck"="D:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 01:10 PM]
"KernelFaultCheck"="D:\WINDOWS\system32\dumprep 0 -k" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 11:35 AM]
"WMPNSCFG"="D:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 07:05 PM]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdpua.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
""=
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPHmon04"=D:\WINDOWS\system32\hphmon04.exe
-- End of Deckard's System Scanner: finished at 2008-05-13 22:42:29 ------------
On Thursday, May 15, 2008 at 5:27 pm, MrCharlie wrote:
>
>Also in a separate post:
>
>Open up HJT > Open Misc. Tools Section > scroll down to "Open Uninstall Manager"
>> click "Save List" copy and paste it back here.
>
>MrC
>Malware Removal Specialist
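The Deckard log above has the entry a reviewer would stop at: under the Winlogon key, the "System" value, which is empty on a clean XP install, names an executable (kdpua.exe), so that program is started at every logon. As an added example, not code from the thread or from either tool, here is a small Python parser for the DSS "Registry Dump" section with the two checks a reviewer would run over it; the sample input is constructed from the thread's own lines, and the XP defaults it compares against are an assumption stated in the comments.

```python
import re

# Constructed sample in the format of the Deckard's System Scanner "Registry
# Dump" section posted in the thread; the key paths and values are copied from
# that post, trimmed to a few entries.
SAMPLE_DSS_REGISTRY = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [09/23/2004 05:27 AM D:\WINDOWS\SOUNDMAN.EXE]
"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [04/08/2005 02:52 PM]
"KernelFaultCheck"="D:\WINDOWS\system32\dumprep 0 -k" []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdpua.exe"
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
# A value line is "name"=data, where data is a quoted string or a bare token.
# DSS appends "[timestamp resolved-path]" to Run entries; that part is ignored.
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>"[^"]*"|\S*)')

WINLOGON = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon'
RUN_KEYS = (
    r'hkey_local_machine\software\microsoft\windows\currentversion\run',
    r'hkey_current_user\software\microsoft\windows\currentversion\run',
)


def parse_dss_registry(text):
    """Return {key_path_lowercased: {value_name: data}} for a DSS registry dump."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            reg.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m.group('data')
            if data.startswith('"'):
                data = data[1:-1]
            reg[current][m.group('name')] = data
    return reg


def check_winlogon(reg):
    """Compare the Winlogon values that load code at logon with the XP defaults.

    Assumed clean-install defaults: "System" is empty, "Shell" is Explorer.exe,
    "Userinit" lists only userinit.exe from system32 (with a trailing comma).
    Anything named in "System" is run by winlogon at every logon, which is why
    DSS prints that value and why a non-empty one is the first thing to check.
    """
    findings = []
    values = reg.get(WINLOGON, {})
    system = values.get('System', '')
    if system:
        findings.append(f"Winlogon System value set to {system!r} (default is empty)")
    shell = values.get('Shell')
    if shell is not None and shell.lower() != 'explorer.exe':
        findings.append(f"Winlogon Shell is {shell!r} (default is Explorer.exe)")
    userinit = values.get('Userinit')
    if userinit is not None:
        parts = [p.strip().lower() for p in userinit.split(',') if p.strip()]
        if len(parts) != 1 or not parts[0].endswith(r'\userinit.exe'):
            findings.append(f"Winlogon Userinit is {userinit!r} (expected only userinit.exe)")
    return findings


def _executable_of(command):
    """First token of a Run-key command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(' ', 1)[0]


def run_entries_without_path(reg):
    """Run-key entries whose executable is a bare file name.

    Windows resolves such names by a path search at logon, so which file runs
    depends on the search order rather than on a fixed location. They deserve
    a second look even when, as with SoundMan in the thread, DSS resolved the
    name to a legitimate file under the Windows directory.
    """
    flagged = []
    for key in RUN_KEYS:
        for name, command in reg.get(key, {}).items():
            exe = _executable_of(command)
            if '\\' not in exe and '/' not in exe and not exe.startswith('%'):
                flagged.append(name)
    return flagged


def triage(text):
    """Run both checks over a DSS registry dump and return the findings."""
    reg = parse_dss_registry(text)
    return {
        'winlogon': check_winlogon(reg),
        'run_without_path': run_entries_without_path(reg),
    }


if __name__ == '__main__':
    for section, items in triage(SAMPLE_DSS_REGISTRY).items():
        print(section, items)
```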
|
re: yahoo pages hijacked
Thursday, May 15, 2008 at 6:10 pm Posted by Jim Dekan
(22 messages posted)
And here's the uninstall list from HJT.
AC3Filter (remove only)
Ad-Aware 2007
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 8.1.1
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
AquaMark3
Arles Image Web Page Creator 7.3.1
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG Anti-Spyware 7.5
Battlecraft 1942
Battlefield 1942
Battlefield 1942: Secret Weapons of WWII
Battlefield 1942: The Road To Rome
Battlefield Vietnam(TM)
Battlefield Vietnam: WW2 Mod
Bonjour
Call of Duty Game of the Year Edition
Core FTP LE 1.3c
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Garmin MapSource
Google Earth
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
HP Photo and Imaging 1.0 - HP Photosmart Printer Series
Intel(R) PRO Network Adapters and Drivers
iTunes
Jane's Combat Simulations WWII Fighters
LiveUpdate 2.6 (Symantec Corporation)
MapSource - North American City Select v4.01
Marine Sharpshooter
Marine Sharpshooter II: Jungle Warfare
MediaCoder 0.6.1
MediaCoder iPhone Edition
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2000 Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Nero Suite
Pacific Fighters
Photo Story 3 for Windows
Photosmart Printer 130,230,7150,7350,7550 (Remove only)
PowerDVD
PunkBuster for Battlefield 1942
PunkBuster for Battlefield Vietnam
Realtek High Definition Audio Driver
Safari
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Spybot - Search & Destroy 1.4
Symantec AntiVirus
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
XMLinst
On Thursday, May 15, 2008 at 6:05 pm, Jim Dekan wrote:
>Okay.. here's the Deckard log.. I will post your requested log next. I also noticed
>that several of my games no longer work... the window says the .exe had been modified.
>Deckard's System Scanner v20071014.68
>Run by dad on 2008-05-13 22:40:33
>Computer is in Normal Mode.
>--------------------------------------------------------------------------------
>
>[color=red]Total Physical Memory: 511 MiB (512 MiB recommended).[/color]
>
>
>-- HijackThis (run as dad.exe) -------------------------------------------------
>
>Unable to find log (file not found); running clone.
>-- HijackThis Clone ------------------------------------------------------------
>
>
>Emulating logfile of Trend Micro HijackThis v2.0.2
>Scan saved at 2008-05-13 22:41:35
>Platform: Windows XP Service Pack 2 (5.01.2600)
>MSIE: Internet Explorer (6.00.2900.2180)
>Boot mode: Normal
>
>Running processes:
>D:\WINDOWS\system32\smss.exe
>D:\WINDOWS\system32\csrss.exe
>D:\WINDOWS\system32\winlogon.exe
>D:\WINDOWS\system32\services.exe
>D:\WINDOWS\system32\lsass.exe
>D:\WINDOWS\system32\ati2evxx.exe
>D:\WINDOWS\system32\svchost.exe
>D:\WINDOWS\system32\svchost.exe
>D:\WINDOWS\system32\svchost.exe
>D:\WINDOWS\system32\svchost.exe
>D:\WINDOWS\system32\svchost.exe
>D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
>D:\WINDOWS\system32\ati2evxx.exe
>D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
>D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
>D:\WINDOWS\system32\spoolsv.exe
>D:\WINDOWS\explorer.exe
>D:\WINDOWS\SOUNDMAN.EXE
>D:\Program Files\Common Files\Symantec Shared\ccApp.exe
>D:\Program Files\Symantec AntiVirus\VPTray.exe
>D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
>D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
>D:\WINDOWS\system32\hphmon04.exe
>D:\Program Files\iTunes\iTunesHelper.exe
>D:\Program Files\Windows Media Player\wmpnscfg.exe
>D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
>D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
>D:\Program Files\Bonjour\mDNSResponder.exe
>D:\Program Files\Symantec AntiVirus\DefWatch.exe
>D:\Program Files\Symantec AntiVirus\Rtvscan.exe
>D:\WINDOWS\system32\svchost.exe
>D:\Program Files\iPod\bin\iPodService.exe
>D:\WINDOWS\system32\alg.exe
>D:\Documents and Settings\dad\Desktop\VR\dss.exe
>D:\Documents and Settings\dad\Desktop\jimmy's utilities\HJT\dad.exe
>
>R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
>O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
-
>D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
>O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot
>- Search & Destroy\SDHelper.dll
>O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
>O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
>O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
>O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
>O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
>O4 - HKLM\..\Run: [HPHUPD04] "D:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
>O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
>O4 - HKLM\..\Run: [HPHmon04] D:\WINDOWS\system32\hphmon04.exe
>O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
>O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
>O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
>O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
>O4 - HKCU\..\Run: [StartCCC] D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
>O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
>O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
>O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
>O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
>O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176686382750
>O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
>O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
>O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
>O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\ati2evxx.exe
>O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
>O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
>O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
>O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
>O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
>O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
>O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
>O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
>O23 - Service: Pml Driver HPH11 - HP - D:\WINDOWS\system32\hphipm11.exe
>O23 - Service: SavRoam - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
>O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
>O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
>O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
>
>
>--
>End of file - 5870 bytes
>
>-- Files created between 2008-04-13 and 2008-05-13 -----------------------------
>
>2008-05-13 20:22:20 0 d-------- D:\WINDOWS\Prefetch
>2008-05-13 00:22:46 0 dr-h----- D:\Documents and Settings\dad\Recent
>2008-05-06 20:45:24 0 dr------- D:\Documents and Settings\NetworkService\Favorites
>2008-04-17 22:04:02 0 d-------- D:\Program Files\AC3Filter
>
>
>-- Find3M Report ---------------------------------------------------------------
>
>2008-05-13 22:20:54 0 d-------- D:\Program Files\Symantec AntiVirus
>2008-05-11 19:17:38 0 d-------- D:\Documents and Settings\dad\Application Data\U3
>2008-04-17 21:37:53 0 d-------- D:\Program Files\DivX
>2008-04-14 23:16:36 0 d-------- D:\Documents and Settings\dad\Application Data\GARMIN
>2008-04-13 16:09:27 0 d-------- D:\Program Files\Ahead
>2008-04-12 19:15:14 0 d-------- D:\Documents and Settings\dad\Application Data\CoreFTP
>2008-04-05 01:16:17 0 d-------- D:\Program Files\Call of Duty Game of the Year Edition
>2008-03-31 15:25:48 823296 --a------ D:\WINDOWS\system32\divx_xx0c.dll <DivX, Inc.; DivX®>
>2008-03-31 15:25:48 823296 --a------ D:\WINDOWS\system32\divx_xx07.dll <DivX, Inc.; DivX®>
>2008-03-31 15:25:46 802816 --a------ D:\WINDOWS\system32\divx_xx11.dll <DivX, Inc.; DivX®>
>2008-03-31 15:25:46 831488 --a------ D:\WINDOWS\system32\divx_xx0a.dll
>2008-03-31 15:25:46 682496 --a------ D:\WINDOWS\system32\DivX.dll <DivX, Inc.; DivX®>
>2008-03-29 18:51:19 0 d-------- D:\Program Files\MediaCoder iPhone Edition
>2008-03-29 18:29:29 0 d-------- D:\Program Files\Common Files
>2008-03-29 17:20:44 0 d-------- D:\Program Files\MediaCoder
>2008-03-29 13:05:09 356352 --a------ D:\WINDOWS\eSellerateEngine.dll <eSellerate Inc.; eSellerateEngine>
>2008-03-29 13:04:54 0 d-------- D:\Program Files\Deskshare
>2008-03-29 12:39:59 0 d-------- D:\Documents and Settings\dad\Application Data\Apple Computer
>2008-03-29 12:05:15 0 d-------- D:\Program Files\Safari
>2008-03-29 12:04:26 0 d-------- D:\Program Files\iTunes
>2008-03-29 12:04:10 0 d-------- D:\Program Files\iPod
>2008-03-21 14:30:08 3596288 --a------ D:\WINDOWS\system32\qt-dx331.dll
>2008-03-21 14:28:54 196608 --a------ D:\WINDOWS\system32\dtu100.dll <DivX, Inc.; DivX, Inc. dtu100>
>2008-03-21 14:28:54 81920 --a------ D:\WINDOWS\system32\dpl100.dll <DivX, Inc.; DivX, Inc. dpl100>
>2008-03-21 14:28:20 12288 --a------ D:\WINDOWS\system32\DivXWMPExtType.dll
>
>
>-- Registry Dump ---------------------------------------------------------------
>
>*Note* empty entries & legit default entries are not shown
>
>
>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
>"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [03/17/2004 02:10 PM D:\WINDOWS\system32\Hdaudpropshortcut.exe]
>"SoundMan"="SOUNDMAN.EXE" [09/23/2004 05:27 AM D:\WINDOWS\SOUNDMAN.EXE]
>"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [04/08/2005 02:52 PM]
>"vptray"="D:\PROGRA~1\SYMANT~1\VPTray.exe" [04/17/2005 11:30 AM]
>"HPDJ Taskbar Utility"="D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [04/04/2002 02:03 PM]
>"HPHUPD04"="D:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [04/04/2002 02:04 PM]
>"RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 06:42 PM]
>"HPHmon04"="D:\WINDOWS\system32\hphmon04.exe" [04/04/2002 02:01 PM]
>"NeroFilterCheck"="D:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
>"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]
>"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 01:10 PM]
>"KernelFaultCheck"="D:\WINDOWS\system32\dumprep 0 -k" []
>
>[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
>"StartCCC"="D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 11:35 AM]
>"WMPNSCFG"="D:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 07:05 PM]
>
>[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
>"DisableRegistryTools"=0 (0x0)
>
>[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
>"System"="kdpua.exe"
>
>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
>@="Service"
>
>[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
>""=
>
>[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
>"HPHmon04"=D:\WINDOWS\system32\hphmon04.exe
>
>-- End of Deckard's System Scanner: finished at 2008-05-13 22:42:29 ------------
[Reply or follow-up to this message]
|
re: yahoo pages hijacked
Thursday, May 15, 2008 at 7:34 pm Posted by MrCharlie
(4071 messages posted)
Not much showing.
Please do this:
Enable hidden files:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make
sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions
for known file types". Now click "Apply to all folders"
Click "Apply" then "OK"
----------------------------
Do a search for this file:
kdpua.exe
If you find it see if you can find any info on it then.......
Please find the file and upload it
HERE for a free scan - let me know the
results.
If it's too busy - try here:
Click HERE
--------------------
Check Internet Explorer "Add-Ons"
1. Start Internet Explorer.
2. On the Tools menu, click Manage Add-ons
See if any odd items are there
----------------------
Last please run RVAXO from the link below...post the log back here:
http://forums.maddoktor2.com/index.php?showtopic=6473&st=0entry79205
MrC
Malware Removal Specialist
[Reply or follow-up to this message]
|
re: yahoo pages hijacked
Thursday, May 15, 2008 at 8:11 pm Posted by Jim Dekan
(22 messages posted)
Hi Mr C...okay..I did as you requested, changed folder views and ran a search for
kdpua.exe on my PC. It was not found.
I checked Manage add-ons and saw nothing unusual...I don't think? Here is a list.
SD helper from Safer Networking Ltd, BHO {53707062-6F74-2D53-2644-206D7942484F}, SDhelper.dll
Active desktop mover from Microsoft, shell32.dll
Adobe PDF Reader link, listed as a BHO, AcroIEhelper.dll
AXProdInfoCtl Class, Symantec ActiveX Control, nprdtinf.dll
Microsoft shell UI helper from Microsoft, ActiveX, shdocvw.dll
SearchAssistantOC from MS, ActiveX Control, shdocvw.dll
Shockwave Flash Object from Adobe, ActiveX Control, Flash9e.ocx
WUWebControl Class, MS Windows component publisher, ActiveX Control, wuweb.
That's all and all are enabled.
Then I ran RVAXO. Here is the log. It's real short:
---RVAXO.exe Updated: 2008-05-15---first run---
Uninstallers:
Files found:
Folders Found:
Hosts-file was reset, If you use a custom hosts file please replace it...
--------------RVAXO.exe last run---------------
Not deleted items:
--------------RVAXO.exe finished----------------
I think I covered all that you asked for...maybe too much...
JD
[Reply or follow-up to this message]
|
re: yahoo pages hijacked
Friday, May 16, 2008 at 5:59 pm Posted by MrCharlie
(4071 messages posted)
Copy and paste the text below into Notepad and save it as fix.reg
Make sure the Save as type field says "All files".
Save it to your desktop.
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"=-
If you did it right it should look like this:
Now double click on it and allow it to merge into the registry.
----------------------
Disable this add-on:
SearchAssistantOC from MS ActiveX Control, shdocvw.dll
See if it makes any difference.
-----------------
I had you run RVAXO because of some of the other malware you mentioned.
Let me know, MrC
Malware Removal Specialist
[Reply or follow-up to this message]
|
re: yahoo pages hijacked
Friday, May 16, 2008 at 8:49 pm Posted by Jim Dekan
(22 messages posted)
Hello Mr C. Last night I downloaded the latest Windows updates, KB890830 malicious
software removal tool and KB950749 security update.
Much to my surprise, when I logged on tonight I found a msg on the screen that said
that the malicious software removal tool had found a problem and removed it. It said
it was Trojan:w32/alureon.gen. I never heard of that one before. Anyway the yahoo
pages seem to be working normally again and I was able to load the games that had
their .exe altered.
I went ahead and disabled SearchAssistantOC from MS ActiveX Control anyway. I haven't
done anything with the regedit info you sent. Do you think I should do it anyway?
So far, everything is working well and normally. If the Win update actually did solve
the issue I still want to thank you for taking the time and effort to help me. Y'all
provide a much needed and appreciated service and I thank you immensely. I think
it takes a great deal of knowledge to troubleshoot someone's PC problems over the
net.
JD
[Reply or follow-up to this message]
|
re: yahoo pages hijacked
Saturday, May 17, 2008 at 7:30 am Posted by MrCharlie
(4071 messages posted)
Good, glad you got it straightened out.
Sounds like you had some sort of Wareout infection.
I would run that reg file to clear out this entry:
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "System"="kdpua.exe"
The file isn't on your computer and a Google search of it only brings up your post.
It loads every time you log on.
Good Luck, MrC
Malware Removal Specialist
[Reply or follow-up to this message]
|
re: yahoo pages hijacked
Saturday, May 17, 2008 at 10:25 am Posted by Jim Dekan
(22 messages posted)
Good afternoon Mr C....
I did as you suggested. I copied your link to Notepad and ran the fix. It took me
several times to get that regedit icon you posted but I eventually succeeded.
After merging, I followed the path you showed. I should have done it before I merged
the files to see if kdpua was there. After I merged them and checked the path all
I found was [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
credentials. The box to the right says ab (default) (value not set)
Is that correct??
JD
[Reply or follow-up to this message]
|
re: yahoo pages hijacked
Saturday, May 17, 2008 at 2:46 pm Posted by MrCharlie
(4071 messages posted)
>After merging, I followed the path you showed. I should have done it before I
>merged the files to see if kdpua was there. After I merged them and checked the path
>all I found was [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
>credentials. The box to the right says ab (default) (value not set) Is that correct??
You're looking in the wrong place...that's a sub-key.
Double click on the Winlogon folder......and then look to the right.
-----------------
Since you are worried about it.........
If you want to put it back...same as before:
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdpua.exe"
---------------------------------
Just want to put back the "system"
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"=""
MrC
Malware Removal Specialist
[Reply or follow-up to this message]
|
re: yahoo pages hijacked
Saturday, May 17, 2008 at 5:07 pm Posted by Jim Dekan
(22 messages posted)
Please forgive my ignorance. I want the registry to read as YOU say. I recopied your
last link to add "System" to the reg. I looked in the box on the right after clicking
winlogon. I saw what you were saying. "System" was not there. After I merged your
new link, behold, there it was!
Thank you for tolerating my ignorance and bearing with me, Mr Charlie.....and please
feel free to visit my site. www.dozer.cc
JD
My deepest thank you
[Reply or follow-up to this message]
|
re: yahoo pages hijacked
Sunday, May 18, 2008 at 4:09 am Posted by MrCharlie
(4071 messages posted)
In fact that file and reg entry were part of the infection..the link below describes
it (it's a Wareout infection but similar to yours):
http://www.virusbuster.hu/en/viruslab/descriptions/dnschanger.qe
Taken from that page:
The long program copies itself into the system folder using a random name starting
with "kd". kdpua.exe<---your file
Modifies the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\System,
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "System"="kdpua.exe"<----yours showing in the DSS scan.
writing its own filename there.
It monitors the network traffic, and blocks (or redirects) certain domain names,
URLs and file extensions. Among the redirected domains are microsoft.com and yahoo.com.
It has rootkit functionality: the registry key is visible, but
the trojan file is not. That's why you couldn't find it...it was super
hidden!
Removal:
1/ Get the trojan filename from:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\System.
2/ Restart the computer using an Install/Recovery CD/DVD
3/ Delete the trojan file from the system folder.
4/ Reboot the computer
5/ Clear the following registry key (with an empty string):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\System.
-------------------------------------------
Here's a link to my Preventive Maintenance:
http://forums.whatthetech.com/index.php?s=&showtopic=90294&view=findpost&p=452687
-------------
Nice website and pictures, Good Luck MrC
Malware Removal Specialist
[Reply or follow-up to this message]
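As an added example (not code from the thread, nor from DSS, RVAXO or any tool named in it), the Python script below does by script what MrCharlie did by eye: it parses the "Registry Dump" section of a DSS-style log, reports whatever is loaded from the Winlogon "System" value, and writes out the REGEDIT4 fix in the form he posted. The log text inside it is constructed to mirror the entries quoted above.

```python
"""Added example: flag a non-empty Winlogon\System value in a DSS registry dump
and generate the REGEDIT4 fix from the thread. Not part of the original post."""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon"

# Constructed sample: a trimmed DSS "Registry Dump" in the same layout as the posted one.
SAMPLE_DUMP = r'''
-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [04/08/2005 02:52 PM]
"KernelFaultCheck"="D:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdpua.exe"

-- End of Deckard's System Scanner: finished at 2008-05-13 22:42:29 ------------
'''

# A key line is "[HKEY_...]" on its own; DSS timestamps like "[04/08/2005 ...]" never start a line.
KEY_RE = re.compile(r"^\[(?P<key>HKEY[^\]]+)\]\s*$", re.I)
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')


def parse_registry_dump(text):
    """Return {key: {value_name: raw_data}} for the DSS 'Registry Dump' section.
    Keys are lower-cased so DSS's mixed-case paths compare equal."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data").strip()
    return keys


def winlogon_system_loader(keys):
    """Return the file named in Winlogon\System, or None if the value is absent or empty.
    On a clean XP install this value is empty; anything in it runs at every logon,
    which is how the thread's kdpua.exe persisted even though the file itself was hidden."""
    data = keys.get(WINLOGON.lower(), {}).get("System")
    if data is None:
        return None
    m = re.match(r'^"(?P<s>[^"]*)"', data.strip())   # REG_SZ data is printed quoted
    value = m.group("s") if m else data.strip()
    return value or None


def build_fix_reg(delete=True):
    """REGEDIT4 text that removes the value ("System"=-), as posted in the thread,
    or clears it to an empty string (the vendor write-up's variant)."""
    line = '"System"=-' if delete else '"System"=""'
    return "REGEDIT4\r\n\r\n[%s]\r\n%s\r\n" % (WINLOGON, line)


if __name__ == "__main__":
    found = winlogon_system_loader(parse_registry_dump(SAMPLE_DUMP))
    if found:
        print("Winlogon\\System loads %r at logon; suspicious unless you put it there." % found)
        print(build_fix_reg())
    else:
        print("Winlogon\\System is empty (expected).")
```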
|
re: yahoo pages hijacked
Sunday, May 18, 2008 at 9:19 am Posted by Jim Dekan
(22 messages posted)
Good morning Mr C......thank you for the detailed explanation of my problem.
I will file away this info and links so as not to lose them....the info is very valuable
and will help me in my learning process about what makes these things work.....and
not work. As you can tell...I am just an old guy trying to keep up with the rest
of the world!! LOL
Thanks again
JD
[Reply or follow-up to this message]