# search-daily.com redirect - hjt log



## df1975 (Sep 18, 2007)

When using Google and clicking on search results, I keep getting redirected to search-daily.com and other search engines. I've seen this problem posted in many other areas and have tried McAfee, Spy-Bot, Ad-aware, AVG Anti-spyware, McAfee rootdective, McAfee stinger. None have resolved the issue. It seems to be linked to winlogon.exe; there are some odd dlls running (nijfnij.dll, jphlpapi.dll). Here's the HJT log, any help is appreciated. THIS IS SUPER ANNOYING!

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:46:35 PM, on 9/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\ltmsg.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Documents and Settings\Meisel\Desktop\antivirustools\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {43C9DD0B-EB8F-437B-B528-A122A6CE2C0C} - c:\windows\system32\sdfpynjh.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {75DEBABE-E16E-48EC-B595-AB3626AEDF99} - c:\windows\system32\elxaamgh.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {A97D0B79-1675-4E52-A1C3-AC13A62C0244} - c:\windows\system32\nijfnij.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Advisor - {6A236999-ECF9-4F8D-8010-CB2A5CA11E2E} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://lmaccess.com/CitrixSessionInit/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: 
O20 - Winlogon Notify: uogpjczu - C:\Windows\SYSTEM32\nijfnij.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee\MPF\MPFSrv.exe (file missing)
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 8766 bytes


----------



## df1975 (Sep 18, 2007)

btt - a little help please.


----------



## MFDnNC (Sep 7, 2004)

*NOTE: If you have downloaded ComboFix previously please delete that version and download it again!*

Download this file :

http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. *Post that log* 

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

=====================
Download Superantispyware (SAS) free home version

http://www.superantispyware.com/superantispywarefreevspro.html

Install it and double-click the icon on your desktop to run it.

- It will ask if you want to update the program definitions, click Yes.
- Under Configuration and Preferences, click the Preferences button.
- Click the Scanning Control tab.
- Under Scanner Options make sure the following are checked:
  - Close browsers before scanning
  - Scan for tracking cookies
  - Terminate memory threats before quarantining.
  - Please leave the others as they were.
  - Click the Close button to leave the control center screen.
- On the main screen, under Scan for Harmful Software click Scan your computer.
- On the left check C:\Fixed Drive.
- On the right, under Complete Scan, choose Perform Complete Scan.
- Click Next to start the scan. Please be patient while it scans your computer.
- After the scan is complete a summary box will appear. Click OK.
- Make sure everything in the white box has a check next to it, then click Next.
- It will quarantine what it found and if it asks if you want to reboot, click Yes.
- To retrieve the removal information for me please do the following:
  - After reboot, double-click the SUPERAntispyware icon on your desktop.
  - Click Preferences. Click the Statistics/Logs tab.
  - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  - It will open in your default text editor (such as Notepad/Wordpad).
  - Please highlight everything in the notepad, then right-click and choose copy.
- Click close and close again to exit the program.
- *Please paste that information here for me regardless of what it finds with a new HijackThis log*.

This will take some time!!!!!!!!


----------



## df1975 (Sep 18, 2007)

Thanks for your help. The DLLs I saw seem to be causing the issue, but they are still there and Google still redirects. Here are the logs.

ComboFix log:
ComboFix 07-09-21 - "Meisel" 2007-09-20 21:17:52.1 - *FAT32*x86 
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.79 [GMT -4:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\MEISEL\APPLIC~1\macromedia\Flash Player\#SharedObjects\T3VALBNF\www.broadcaster.com
C:\DOCUME~1\MEISEL\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\MEISEL\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Windows\system32\_000008_.tmp.dll
C:\Windows\system32\_000009_.tmp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_DCNPQPID
-------\LEGACY_EXAMPLE
-------\LEGACY_RUNTIME
-------\LEGACY_YTNIWVME
-------\dcnpqpid
-------\ytniwvme

((((((((((((((((((((((((( Files Created from 2007-08-21 to 2007-09-21 )))))))))))))))))))))))))))))))
.

2007-09-20 21:15	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-09-17 09:32 d--------	C:\DOCUME~1\Amanda\APPLIC~1\McAfee
2007-09-16 19:27	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-16 18:50 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-16 15:55 d--------	C:\DOCUME~1\LOCALS~1\APPLIC~1\McAfee
2007-09-16 11:51	37,480	--a------	C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-09-16 11:51	32,008	--a------	C:\WINDOWS\system32\drivers\mferkdk.sys
2007-09-16 11:50	71,496	--a------	C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-09-16 11:50	34,184	--a------	C:\WINDOWS\system32\drivers\mfebopk.sys
2007-09-16 11:50	170,408	--a------	C:\WINDOWS\system32\drivers\mfehidk.sys
2007-09-16 11:50 d--------	C:\Program Files\McAfee.com
2007-09-16 11:49 d--------	C:\Program Files\McAfee
2007-09-16 11:49 d--------	C:\Program Files\Common Files\McAfee
2007-09-04 22:28	100,487	--a------	C:\WINDOWS\system32\sdfpynjh.dll
2007-09-03 10:16 d--hs----	C:\FOUND.001

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-20 21:35	4782	--a------	C:\Windows\compaq.reg
2007-09-19 23:12	83456	--a------	C:\Windows\system32\nijfnij.dll
2007-09-19 23:01	103424	--a------	C:\Windows\system32\paulgjit.dll
2007-09-18 22:59	124416	--a------	C:\Windows\system32\amofmsfx.dll
2007-09-15 22:50	756224	--a------	C:\Windows\system32\rebefsnm.dll
2007-09-15 22:50	68608	--a------	C:\Windows\system32\elxaamgh.dll
2007-09-15 22:50	48640	--a------	C:\Windows\system32\vswqalrz.dll
2007-09-15 22:50	46592	--a------	C:\Windows\system32\rfxeibxg.dll
2007-07-30 19:19	92504	--a------	C:\Windows\system32\dllcache\cdm.dll
2007-07-30 19:19	92504	--a------	C:\Windows\system32\cdm.dll
2007-07-30 19:19	549720	--a------	C:\Windows\system32\wuapi.dll
2007-07-30 19:19	549720	--a------	C:\Windows\system32\dllcache\wuapi.dll
2007-07-30 19:19	53080	--a------	C:\Windows\system32\wuauclt.exe
2007-07-30 19:19	53080	--a------	C:\Windows\system32\dllcache\wuauclt.exe
2007-07-30 19:19	43352	--a------	C:\Windows\system32\wups2.dll
2007-07-30 19:19	325976	--a------	C:\Windows\system32\wucltui.dll
2007-07-30 19:19	325976	--a------	C:\Windows\system32\dllcache\wucltui.dll
2007-07-30 19:19	203096	--a------	C:\Windows\system32\wuweb.dll
2007-07-30 19:19	203096	--a------	C:\Windows\system32\dllcache\wuweb.dll
2007-07-30 19:19	1712984	--a------	C:\Windows\system32\wuaueng.dll
2007-07-30 19:19	1712984	--a------	C:\Windows\system32\dllcache\wuaueng.dll
2007-07-30 19:18	33624	--a------	C:\Windows\system32\wups.dll
2007-07-30 19:18	33624	--a------	C:\Windows\system32\dllcache\wups.dll
2007-07-19 16:38	359808	--a------	C:\Windows\system32\dllcache\tcpip.sys
2007-07-04 11:22	10884472	--a------	C:\Windows\system32\SpoonUninstall.exe
2007-06-26 22:10	317440	--a------	C:\Windows\system32\dllcache\unregmp2.exe
2007-06-26 11:13	851968	--a------	C:\Windows\system32\dllcache\vgx.dll
2007-06-26 10:09	658944	--a------	C:\Windows\system32\dllcache\wininet.dll
2007-06-26 02:08	1104896	--a------	C:\Windows\system32\msxml3.dll
2007-06-26 02:08	1104896	--a------	C:\Windows\system32\dllcache\msxml3.dll
C:\Windows\system32\drivers\ngoarmjt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43C9DD0B-EB8F-437B-B528-A122A6CE2C0C}]
2007-09-04 22:28	100487	--a------	c:\windows\system32\sdfpynjh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75DEBABE-E16E-48EC-B595-AB3626AEDF99}]
2007-09-15 22:50	68608	--a------	c:\windows\system32\elxaamgh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A97D0B79-1675-4E52-A1C3-AC13A62C0244}]
2007-09-19 23:12	83456	--a------	c:\windows\system32\nijfnij.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTWinModem1"="ltmsg.exe" [2002-02-28 02:00 C:\WINDOWS\system32\ltmsg.exe]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 13:21]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 15:30]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\Windows\system32\ctfmon.exe" [2004-08-04 02:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" []

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [2005-09-08 19:04:16]
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2007-03-14 19:24:07]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless-G Notebook Adapter Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless-G Notebook Adapter Utility.lnk
backup=C:\Windows\pss\Wireless-G Notebook Adapter Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

R0 ytniwvme;Microsoft RPC API Helper;C:\Windows\system32\drivers\ngoarmjt.sys
R1 ClntMgmt.sys;ClntMgmt.sys;C:\Windows\system32\Drivers\ClntMgmt.sys
S2 NICSer_WPC54G;NICSer_WPC54G;C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
S3 ALiIRDA;ALi Infrared Device Driver;C:\Windows\system32\DRIVERS\alifir.sys
S3 allegro;ESS Allegro Audio Driver (WDM);C:\Windows\system32\drivers\es198x.sys
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\Windows\system32\CBTNDIS5.SYS

*Newly Created Service* - YTNIWVME
.
Contents of the 'Scheduled Tasks' folder
"2007-09-01 05:00:02 C:\Windows\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-09-15 08:24:30 C:\Windows\Tasks\McDefragTask.job"
"2007-03-09 00:41:12 C:\Windows\Tasks\McAfee Cleanup.job"
- C:\DOCUME~1\MEISEL\LOCALS~1\TEMP\MCPR.tmp\mccleanup.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-20 21:36:20
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-20 21:44:38 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-20 21:44
.
--- E O F ---

SUPERAntiSpyware log
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/20/2007 at 10:56 PM

Application Version : 3.9.1008

Core Rules Database Version : 3310
Trace Rules Database Version: 1314

Scan type : Complete Scan
Total Scan Time : 01:01:07

Memory items scanned : 487
Memory threats detected : 2
Registry items scanned : 5832
Registry threats detected : 0
File items scanned : 40320
File threats detected : 238

Trojan.Spam-MultiSite/Gen
C:\WINDOWS\SYSTEM32\NIJFNIJ.DLL
C:\WINDOWS\SYSTEM32\NIJFNIJ.DLL

Trojan.Downloader-MultiU/Gen
C:\WINDOWS\SYSTEM32\SDFPYNJH.DLL
C:\WINDOWS\SYSTEM32\SDFPYNJH.DLL

Adware.Tracking Cookie


----------



## df1975 (Sep 18, 2007)

HJT Log
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:55:01 PM, on 9/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\alg.exe
C:\Windows\System32\wudfhost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\ltmsg.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Documents and Settings\Meisel\Desktop\antivirustools\HiJackThis_v2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\notepad.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {43C9DD0B-EB8F-437B-B528-A122A6CE2C0C} - c:\windows\system32\sdfpynjh.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {75DEBABE-E16E-48EC-B595-AB3626AEDF99} - c:\windows\system32\elxaamgh.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {A97D0B79-1675-4E52-A1C3-AC13A62C0244} - c:\windows\system32\nijfnij.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Advisor - {6A236999-ECF9-4F8D-8010-CB2A5CA11E2E} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://lmaccess.com/CitrixSessionInit/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O20 - AppInit_DLLs: 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: uogpjczu - C:\Windows\SYSTEM32\nijfnij.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee\MPF\MPFSrv.exe (file missing)
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 9528 bytes


----------



## MFDnNC (Sep 7, 2004)

Be sure to allow these changes in TeaTimer

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis: mark them, close IE, click Fix checked

O2 - BHO: (no name) - {43C9DD0B-EB8F-437B-B528-A122A6CE2C0C} - c:\windows\system32\sdfpynjh.dll

O2 - BHO: (no name) - {75DEBABE-E16E-48EC-B595-AB3626AEDF99} - c:\windows\system32\elxaamgh.dll

O2 - BHO: (no name) - {A97D0B79-1675-4E52-A1C3-AC13A62C0244} - c:\windows\system32\nijfnij.dll

O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL

O20 - AppInit_DLLs:

O20 - Winlogon Notify: uogpjczu - C:\Windows\SYSTEM32\nijfnij.dll

Download http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by DELETE ON REBOOT. In the "Full Path of File to Delete" box, copy and paste each of the following line(s) one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.
* Be sure to note the EXACT spelling of the file *

c:\windows\system32\sdfpynjh.dll
c:\windows\system32\elxaamgh.dll
c:\windows\system32\nijfnij.dll

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START  RUN  type in %temp% - OK - Edit  Select all  File  Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new hijack log from normal NOT safe mode

* How are things on the PC??????????? *


----------



## df1975 (Sep 18, 2007)

PC is running fine
One of the DLLs was deleted; the other two remain.
Thanks for your help

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:24:57 PM, on 9/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\Explorer.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\ltmsg.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\Meisel\Desktop\antivirustools\HiJackThis_v2.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {43C9DD0B-EB8F-437B-B528-A122A6CE2C0C} - c:\windows\system32\sdfpynjh.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {A97D0B79-1675-4E52-A1C3-AC13A62C0244} - c:\windows\system32\nijfnij.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Advisor - {6A236999-ECF9-4F8D-8010-CB2A5CA11E2E} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://lmaccess.com/CitrixSessionInit/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: uogpjczu - C:\Windows\SYSTEM32\nijfnij.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee\MPF\MPFSrv.exe (file missing)
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 7949 bytes


----------



## MFDnNC (Sep 7, 2004)

Make sure TeaTimer is disabled and SuperAnti is shut down

Have hijack fix these

O2 - BHO: (no name) - {43C9DD0B-EB8F-437B-B528-A122A6CE2C0C} - c:\windows\system32\sdfpynjh.dll

O2 - BHO: (no name) - {A97D0B79-1675-4E52-A1C3-AC13A62C0244} - c:\windows\system32\nijfnij.dll


----------
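The 9/21 and 9/24 HijackThis logs above can be compared mechanically rather than by eye. The following is an added example, not part of any post in this thread and not a HijackThis feature: it parses trimmed excerpts of both logs and reports which suspect DLLs were removed and which persist. The two heuristics and all function names are assumptions of this example.

```python
import re

# Trimmed excerpts of the 9/21 and 9/24 logs posted in this thread.
SCAN_BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {43C9DD0B-EB8F-437B-B528-A122A6CE2C0C} - c:\windows\system32\sdfpynjh.dll
O2 - BHO: (no name) - {75DEBABE-E16E-48EC-B595-AB3626AEDF99} - c:\windows\system32\elxaamgh.dll
O2 - BHO: (no name) - {A97D0B79-1675-4E52-A1C3-AC13A62C0244} - c:\windows\system32\nijfnij.dll
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: uogpjczu - C:\Windows\SYSTEM32\nijfnij.dll
"""

SCAN_AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {43C9DD0B-EB8F-437B-B528-A122A6CE2C0C} - c:\windows\system32\sdfpynjh.dll
O2 - BHO: (no name) - {A97D0B79-1675-4E52-A1C3-AC13A62C0244} - c:\windows\system32\nijfnij.dll
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: uogpjczu - C:\Windows\SYSTEM32\nijfnij.dll
"""

# A HijackThis entry line is "<section code> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# A DLL path that ends the entry (res:// URLs with a trailing resource do not match).
DLL_RE = re.compile(r'([a-z]:\\[^*?"<>|]+\.dll)\s*$', re.IGNORECASE)
SYS32_RE = re.compile(r"c:\\windows\\system32\\[^\\]+\.dll")


def parse_entries(log_text):
    """Return [(section_code, body)] for every entry line; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def dll_path(body):
    """Lower-cased DLL path at the end of an entry body, or None."""
    m = DLL_RE.search(body)
    return m.group(1).lower() if m else None


def suspicious(entries):
    """Map DLL path -> list of reasons, using two heuristics (assumptions):
    1. a BHO with no name whose DLL sits directly in system32;
    2. a DLL that is registered both as a BHO and as a Winlogon Notify package.
    """
    load_points = {}
    for code, body in entries:
        path = dll_path(body)
        if path and code in ("O2", "O20"):
            load_points.setdefault(path, set()).add(code)

    findings = {}
    for code, body in entries:
        path = dll_path(body)
        if not path:
            continue
        if code == "O2" and "(no name)" in body and SYS32_RE.fullmatch(path):
            findings.setdefault(path, []).append("unnamed BHO in system32")
        if code == "O20" and "Winlogon Notify" in body and len(load_points[path]) > 1:
            findings.setdefault(path, []).append("also registered as Winlogon Notify")
    return findings


def compare(before_text, after_text):
    """Diff the suspect DLLs of two scans of the same machine."""
    before = set(suspicious(parse_entries(before_text)))
    after = set(suspicious(parse_entries(after_text)))
    return {
        "removed": sorted(before - after),
        "persisting": sorted(before & after),
        "new": sorted(after - before),
    }


if __name__ == "__main__":
    for status, paths in compare(SCAN_BEFORE, SCAN_AFTER).items():
        print(status, paths)
    for path, reasons in suspicious(parse_entries(SCAN_AFTER)).items():
        print(path, "->", "; ".join(reasons))
```

A DLL listed under Winlogon Notify is loaded into winlogon.exe, so the file stays in use for as long as Windows is running in normal mode.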



## df1975 (Sep 18, 2007)

also used kill box to delete....

c:\windows\system32\sdfpynjh.1
c:\windows\system32\sdfpynjh.2
c:\windows\system32\elxaamgh.dll.bak
c:\windows\system32\nijfnij.dll.bak

files that still remain...
c:\windows\system32\sdfpynjh.dll
c:\windows\system32\nijfnij.dll

updated HJT log...

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:23:39 AM, on 9/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\wscntfy.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\ltmsg.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Documents and Settings\Meisel\Desktop\antivirustools\HiJackThis_v2.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {43C9DD0B-EB8F-437B-B528-A122A6CE2C0C} - c:\windows\system32\sdfpynjh.dll
O2 - BHO: (no name) - {A97D0B79-1675-4E52-A1C3-AC13A62C0244} - c:\windows\system32\nijfnij.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Advisor - {6A236999-ECF9-4F8D-8010-CB2A5CA11E2E} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://lmaccess.com/CitrixSessionInit/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: uogpjczu - C:\Windows\SYSTEM32\nijfnij.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee\MPF\MPFSrv.exe (file missing)
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 6387 bytes


----------



## MFDnNC (Sep 7, 2004)

*If you have vundofix, remove it and get the current version*

Please download http://www.atribune.org/ccount/click.php?id=4 to C:\
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt, even if it does not find anything.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

*Please let Vundo finish its thing, sometimes it can take multiple passes*

Post a new hijack log


----------



## df1975 (Sep 18, 2007)

Vundofix found no files

VundoFix V6.5.9

Checking Java version...

Sun Java not detected
Scan started at 4:32:48 PM 9/29/2007

Listing files found while scanning....

No infected files were found.

Beginning removal...

HJT Log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:52:10 PM, on 9/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Windows\System32\alg.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wscntfy.exe
C:\Windows\system32\ltmsg.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\WINDOWS\system32\notepad.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Meisel\Desktop\antivirustools\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {43C9DD0B-EB8F-437B-B528-A122A6CE2C0C} - c:\windows\system32\sdfpynjh.dll
O2 - BHO: (no name) - {A97D0B79-1675-4E52-A1C3-AC13A62C0244} - c:\windows\system32\nijfnij.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Advisor - {6A236999-ECF9-4F8D-8010-CB2A5CA11E2E} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://lmaccess.com/CitrixSessionInit/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: uogpjczu - C:\Windows\SYSTEM32\nijfnij.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee\MPF\MPFSrv.exe (file missing)
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 6662 bytes


----------



## MFDnNC (Sep 7, 2004)

Close SuperAnti

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis - mark them, close IE, click fix checked

O2 - BHO: (no name) - {43C9DD0B-EB8F-437B-B528-A122A6CE2C0C} - c:\windows\system32\sdfpynjh.dll

O2 - BHO: (no name) - {A97D0B79-1675-4E52-A1C3-AC13A62C0244} - c:\windows\system32\nijfnij.dll

O20 - Winlogon Notify: uogpjczu - C:\Windows\SYSTEM32\nijfnij.dll

Download http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by *DELETE ON REBOOT*. In the "Full Path of File to Delete" box, copy and paste each of the following line(s) one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.
* Be sure to note the EXACT spelling of the file *

c:\windows\system32\sdfpynjh.dll
c:\windows\system32\nijfnij.dll

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START  RUN  type in %temp% - OK - Edit  Select all  File  Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new hijack log from normal NOT safe mode

* How are things on the PC??????????? *


----------



## df1975 (Sep 18, 2007)

I created a DOS boot disk and was able to delete

C:\windows\system32\sdfpynjh.dll
c:\windows\system32\elxaamgh.dll
c:\windows\system32\nijfnij.dll

They are now flagged as missing in the HJT log. I've clicked fix but am unable to remove them. Are they still a problem from the HJT scan?

New HJT log....

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:24:24 PM, on 10/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\wscntfy.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\ltmsg.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Windows\system32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Meisel\Desktop\antivirustools\HiJackThis_v2.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {43C9DD0B-EB8F-437B-B528-A122A6CE2C0C} - c:\windows\system32\sdfpynjh.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A97D0B79-1675-4E52-A1C3-AC13A62C0244} - c:\windows\system32\nijfnij.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Advisor - {6A236999-ECF9-4F8D-8010-CB2A5CA11E2E} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://lmaccess.com/CitrixSessionInit/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O20 - Winlogon Notify: uogpjczu - nijfnij.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee\MPF\MPFSrv.exe (file missing)
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 6674 bytes


----------



## MFDnNC (Sep 7, 2004)

Is McAfee Protection Manager preventing the changes? I do not know that product.

We do need to get rid of them

Good job on the files!
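The question of whether the "(file missing)" entries still matter starts with telling entries orphaned by the manual deletion apart from ones that were already stale. The following is an added example, not part of the thread or of HijackThis: a small parser that compares the two logs and reports autostart entries whose file disappeared between scans. The function names are assumptions, and the sample lines are copied from the logs posted above.

```python
import re

# Sample lines copied from the two HijackThis logs in this thread.
BEFORE = r"""
O2 - BHO: (no name) - {43C9DD0B-EB8F-437B-B528-A122A6CE2C0C} - c:\windows\system32\sdfpynjh.dll
O2 - BHO: (no name) - {A97D0B79-1675-4E52-A1C3-AC13A62C0244} - c:\windows\system32\nijfnij.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: uogpjczu - C:\Windows\SYSTEM32\nijfnij.dll
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
"""
AFTER = r"""
O2 - BHO: (no name) - {43C9DD0B-EB8F-437B-B528-A122A6CE2C0C} - c:\windows\system32\sdfpynjh.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A97D0B79-1675-4E52-A1C3-AC13A62C0244} - c:\windows\system32\nijfnij.dll (file missing)
O20 - Winlogon Notify: uogpjczu - nijfnij.dll (file missing)
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d+) - ([^:]+): (.+)$")  # "O2 - BHO: <rest>"
MISSING = " (file missing)"

def parse(log):
    """Map (section, identity) -> (target, file_missing) for each entry line."""
    entries = {}
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # headers, process list, blank lines
        code, _kind, rest = m.groups()
        missing = rest.endswith(MISSING)
        if missing:
            rest = rest[:-len(MISSING)]
        # The last " - " field is the file or URL; the rest names the entry.
        # Keying on the name (not the path) matters: the O20 path changes form.
        identity, _, target = rest.rpartition(" - ")
        entries[(code, identity)] = (target, missing)
    return entries

def orphaned_after_deletion(before, after):
    """Entries whose file was present in `before` but is missing in `after`."""
    old, new = parse(before), parse(after)
    return sorted(
        (code, ident, target)
        for (code, ident), (target, missing) in new.items()
        if missing and (code, ident) in old and not old[(code, ident)][1]
    )

if __name__ == "__main__":
    for code, ident, target in orphaned_after_deletion(BEFORE, AFTER):
        print(f"{code}: {ident} -> {target} (registry entry still present)")
```

On these samples it reports the two O2 entries and the O20 entry that were listed for "fix checked", and leaves out the McAfee service entry, which was already flagged missing in the earlier log.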


----------

