# Cannot remove viruses from computer no matter what I try!



## horn069 (Dec 11, 2004)

I have been reading in the forums for any help to remove viruses from my computer. When I have SD TeaTimer activated, it keeps blocking registry changes, and when I do a virus scan it states that there is a virus but does not remove it. It just comes back over and over again. From what I've been reading, the thing to do is a scan with HijackThis and save a log file, so here it is:

{edited by Moderator: It's much too hard to read the HJT log posted in CODE tags, so I have edited and removed the tags. Please just post any logs in the future by copy/paste directly to the reply; no tagging is needed here.}

Logfile of HijackThis v1.99.1
Scan saved at 10:51:22 AM, on 05/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://search.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1:5400;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;search.netscape.com12.129.205.209;sitefinder.verisign.com;localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mytelus.com/"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\nkwnoff5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\nkwnoff5.slt\prefs.js)
O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe C:\windows\System32\CrazyTalk.dll,DllServeMediaFile
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .exe: C:\Program Files\Internet Explorer\PLUGINS\npdap.dll
O12 - Plugin for .rar: C:\Program Files\Internet Explorer\PLUGINS\npdap.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .zip: C:\Program Files\Internet Explorer\PLUGINS\npdap.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120110558546
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by107fd.bay107.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{716A48AC-C55F-4D7C-A0D2-143314044BB5}: NameServer = 198.80.55.1 198.161.156.1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\windows\system32\LEXBCES.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe

Also I have downloaded:
Avenger.zip
ATF Cleaner
ComboScan
Where do I go from here? Thanks in advance!
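As an added example (not a tool from this thread or from the HijackThis project), here is a small Python parser for the HijackThis 1.99.1 log format posted above. It turns the R0/R1, O4 and O23 lines into records and then lists the entries a helper usually asks about first; the sample lines are copied from the log above, while the `watch_files` check and the flag rules are my own assumptions, not HijackThis features.

```python
import re
from dataclasses import dataclass, field

# One "Rn - ..." / "On - ..." entry line; the header and process list are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# R0/R1 body: "<registry key>,<value name> = <value>" (value may be empty)
SETTING_RE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$")
# O4 body: "<hive>\..\Run: [<entry name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# O23 body: "Service: <display name> - <vendor> - <image path>"
SERVICE_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


@dataclass
class Entry:
    code: str                                   # HJT section code, e.g. "R1", "O4", "O23"
    body: str                                   # raw text after the "Rn - " / "On - " prefix
    fields: dict = field(default_factory=dict)  # parsed pieces; which ones depends on the section


def parse_line(line):
    """Return an Entry for one HJT log line, or None if the line is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    parser = {"R0": SETTING_RE, "R1": SETTING_RE, "O4": RUN_RE, "O23": SERVICE_RE}.get(code)
    sub = parser.match(body) if parser else None
    return Entry(code, body, sub.groupdict() if sub else {})


def parse_log(text):
    """Parse a whole HJT log into a list of Entry records, in log order."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def triage(entries, watch_files=()):
    """Return (code, reason) pairs for entries worth a second look.

    The rules are this example's own assumptions about what a helper checks
    first; they do not declare anything malicious, only what to confirm.
    """
    findings = []
    for e in entries:
        f = e.fields
        if e.code in ("R0", "R1") and f.get("name", "").strip() == "ProxyServer":
            if re.search(r"localhost|127\.0\.0\.1", f["value"]):
                findings.append((e.code, f"proxy points at the local machine ({f['value']}); "
                                         "confirm which installed program listens on that port"))
        if e.code == "O4" and f:
            tokens = f["cmd"].split()
            if tokens and tokens[0].lower().startswith("rundll32"):
                findings.append((e.code, f"Run entry '{f['name']}' loads a DLL through rundll32; "
                                         "confirm the DLL belongs to a known program"))
            elif tokens and not re.search(r"[\\:]", tokens[0]):
                findings.append((e.code, f"Run entry '{f['name']}' has no path ({tokens[0]}); "
                                         "it is resolved through the search path"))
        low = e.body.lower()
        for name in watch_files:          # file names the user could not delete
            if name.lower() in low:
                findings.append((e.code, f"entry references {name}"))
    return findings


# Constructed sample: a handful of lines copied from the HJT log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://search.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:5400
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe C:\windows\System32\CrazyTalk.dll,DllServeMediaFile
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

if __name__ == "__main__":
    # The four DLL names are the ones the poster later says cannot be deleted.
    for code, reason in triage(parse_log(SAMPLE_LOG),
                               watch_files=["fccyyxv.dll", "ddabb.dll", "vhpudamc.dll", "ddabc.dll"]):
        print(f"{code}: {reason}")
```

Run against the full log, the `watch_files` pass shows that none of the four DLL names appears in the HJT entries, which is why the helper asks for other scan output before deciding on a fix.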


----------



## Byteman (Jan 24, 2002)

Hi, let's see the results of this scan, please:

I don't see TeaTimer running, or Spybot either....

In case you need them, here is how to turn TT off:

http://wiki.castlecops.com/Malware_Removal:_Temporarily_Disable_Real_Time_Monitoring_Programs

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.


Please go *HERE* and click Kaspersky Online Scanner.
Read and accept the Agreement.
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
If you see a Windows dialog asking if you want to install this software, click the Install button.
The program will launch and then begin downloading the latest definition files.
When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button and save the file as kavscan.txt to your Desktop, then close the Kaspersky Online Scanner window.
Copy and paste the contents of the online scanner results into a reply here in your thread, along with a new HJT log and the log from any other scans you run.


----------



## horn069 (Dec 11, 2004)

Here is the scan log from ComboScan:
ComboScan v20070226.18 run by User on 2007-03-05 at 11:17:03
Supplementary logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information -----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.40GHz
Percentage of Memory in Use: 18%
Physical Memory (total/avail): 2047.47 MiB / 1671.16 MiB
Pagefile Memory (total/avail): 5070.84 MiB / 4799.16 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1997.21 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 76.33 GiB total, 37.89 GiB free. 
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Fixed (NTFS) - 279.47 GiB total, 205.36 GiB free.

-- Security Center --------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

UpdatesDisableNotify is set.

AV: AVG 7.5.446 v7.5.446 (GRISOFT)

-- Environment Variables --------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\User\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.1_07\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TOUCH
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
GRIP=C:\GRAVIS\GRIP
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\User
LOGONSERVER=\\TOUCH
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\ATI Technologies\ATI.ACE\;C:\Program Files\QuickTime\QTSystem\;;C:\GRAVIS\GRIP
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.1_07\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\User\LOCALS~1\Temp
TMP=C:\DOCUME~1\User\LOCALS~1\Temp
USERDOMAIN=TOUCH
USERNAME=User
USERPROFILE=C:\Documents and Settings\User
windir=C:\WINDOWS

-- User Profiles ----------------------------------------------------------------

User _(admin)_
Administrator _(admin)_

-- Add/Remove Programs ----------------------------------------------------------

--> "C:\Program Files\Creative\SBLive\Program\Ctzapxx.EXE" /X /U /S 
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48E3A9E6-FA13-11D5-8CC9-00A0C98192B6}\setup.exe" -l0x9 
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58582977-44D2-44A0-A09B-031CC2AE5938}\setup.exe" -l0x9 
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88E5FCB8-5F25-11D5-B16F-0800460222F0}\setup.exe" -l0x9 UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A731533B-B325-4D9C-91A4-D93C8E294C19}\setup.exe" -l0x9 
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9 
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D76298C2-E532-4A11-BCFF-76F3F19DA84D}\setup.exe" UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9 
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9 
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AceFTP 3 Freeware --> C:\WINDOWS\iun6002.exe "C:\Program Files\Visicom Media\AceFTP 3 Freeware\irunin.ini"
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~2\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~2\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Illustrator 10 --> "C:\Program Files\InstallShield Installation Information\{412033BC-44CF-48D9-B813-4B835101F4D3}\setup.exe"
Adobe MPEG Encoder --> MsiExec.exe /I{9811A185-3D3D-11D6-9E14-00036D172B00}
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Premiere 6.5 --> C:\WINDOWS\UNINST.EXE -f"C:\Program Files\Adobe\Premiere 6.5\DeIsL1.isu" -c"C:\Program Files\Adobe\Premiere 6.5\Uninst.dll"
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Advanced RealMedia Export Plug-in for Premiere 6.0 --> C:\Program Files\Adobe\Premiere 6.5\Plug-ins\RNCompiler\rnuninst.exe RealNetworks|RNCompiler|6.0
Age of Empires III --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97} 
AsusUpdate --> C:\windows\IsUninst.exe -f"C:\Program Files\ASUS\AsusUpdate\Uninst.isu"
AsusUpdate --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{587178E7-B1DF-494E-9838-FA4DD36E873C}\Setup.exe" -l0x9 
ATI Catalyst Control Center --> MsiExec.exe /I{6E06A57A-6728-4CFB-AA9A-5149F9C9ADB3}
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe" 
ATI Decoder --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{471E555C-08AC-4DF1-BAAA-D8D818136297} /l1033 
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_classISPLAY -clean
ATI HFX Pack --> C:\WINDOWS\unvise32.exe C:\WINDOWS\unhfxati.log
ATI Multimedia Center 9.03 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{8988F5D0-C83F-41F4-B41B-86031F9B37F5} /l1033 
ATI Parental Control & Encoder --> MsiExec.exe /I{90437E5F-0A9E-4B63-AD8B-D232897D18BF}
ATI Remote Wonder 3.03 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{8F36E44A-E6E7-41B7-B6F6-4637BF84EFA5} 
AuthorScript Engine 1.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{752CA503-E29F-4610-A1A4-B21CDC58EF8D} /l1033 
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
BHA B's DVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BC95E989-C31D-4F98-8071-22A323013315}\SETUP.EXE" -l0x9 
BHA B's Recorder GOLD 5.09 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{87CFE0AD-EAF0-40D1-B5CF-EDC527DAB7D2}\SETUP.EXE" -l0x9 
BHODemon 2.0.0.23 --> "C:\Program Files\BHODemon 2\unins000.exe"
Browser Hijack Retaliator 4.5.0 Build 471 --> "C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\unins000.exe"
ConTEXT --> "C:\Program Files\ConTEXT\unins000.exe"
Creative AudioHQ --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9 /remove
Creative Diagnostics --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A731533B-B325-4D9C-91A4-D93C8E294C19}\setup.exe" -l0x9 /remove
Creative MiniDisc Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9 /remove
Creative PlayCenter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48E3A9E6-FA13-11D5-8CC9-00A0C98192B6}\setup.exe" -l0x9 /remove
Creative Recorder --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9 /remove
Creative Surround Mixer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58582977-44D2-44A0-A09B-031CC2AE5938}\setup.exe" -l0x9 /remove
Creative WaveStudio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
DAO --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{438D221C-5B5B-4E4B-B7BD-A86512E5B6C1} 
DAO --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74} 
DH Driver Cleaner Professional Edition --> C:\Program Files\Driver Cleaner Pro\Uninst.exe
Digital Music Player --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{90FD71BA-7D1B-4EB5-B822-FE7F782C197C}\setup.exe" -l0x9 
DivX 4.02 Codec --> "C:\Program Files\DivXCodec\uninstall.exe"
Doom 3 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EEFB15EB-FE8B-47DF-A496-1C4D1420294A} 
Download Plugin for Mozilla, Opera, Netscape --> C:\Program Files\Download Plugin\DlPlugin-Moz\setup2.exe -u
DVD-RAM Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}\SETUP.EXE" DVD-RAM Driver
EA SPORTS online 2006 --> F:\EA SPORTS\EASOUNInstaller.exe
Far Cry --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D6DBDC2A-E72C-4284-B6AD-6B3B61B4DABC} 
GearDrivers --> rundll32.exe C:\windows\system32\UNINSTALL\UninstWDM.dll,UninstInitialize
Gecko Runtime Environment (1.4f_2003062408) --> C:\WINDOWS\GREUninstall.exe /ua "1.4f_2003062408" /app GREUser
Ghost Recon --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D89EF3B3-6F17-4665-B7A9-A4235A6DC787}\Setup.exe" 
GUIDE PLUS+(TM) for Windows® System - ATI --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{99D34763-7E45-4FE5-8424-28DBC3A5F0BF}\setup.exe" 
Half-Life(R) 2 --> MsiExec.exe /I{D45EC259-4A19-4656-B588-C2C360DD18EA}
Hex Workshop --> C:\windows\uninst.exe -f"C:\Program Files\Hex Workshop\DeIsL1.isu"
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 1.99.1 --> C:\DOCUME~1\User\LOCALS~1\Temp\Rar$EX00.829\HijackThis.exe /uninstall
Hotfix for Windows Media Format SDK (KB902344) --> "C:\windows\$NtUninstallKB902344$\spuninst\spuninst.exe"
HP LaserJet 1200 Uninstaller --> C:\Program Files\Hewlett-Packard\LaserJet All-in-one\Uninstall\1200\EnvSetup.exe uninst12.ini
iMesh 6 --> C:\PROGRA~1\IMESHA~1\iMesh6\UNWISE.EXE C:\PROGRA~1\IMESHA~1\iMesh6\INSTALL.LOG
Intel Application Accelerator --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9984DF60-1C5B-11D3-ACA1-908A4FC10801}\Setup.exe" -INTELUNINST
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
Internet Call Director --> C:\PROGRA~1\INTERN~2\UNINST~1.EXE C:\PROGRA~1\INTERN~2\INSTALL.LOG
InterVideo WinDVD 4 --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
iPod for Windows 2006-03-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB} /l1033 
iPod for Windows 2006-06-28 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BD57EA4D-026E-4F08-9B93-080E282B81FE} /l1033 
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{54C0D94A-F467-4ABC-9D02-6E58748668D4} /l1033 
Java 2 Runtime Environment, SE v1.4.1_02 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFCE5837-FC21-11D6-9D24-00010240CE95}\setup.exe" Anytext
Java 2 Runtime Environment, SE v1.4.1_07 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CA532E73-1BB7-11D8-9D6A-00010240CE95}\setup.exe" Anytext
KPT Vector Effects 1.5 --> C:\WINDOWS\IsUninst.exe -f"c:\program files\adobe\illustrator 10\plug-ins\VE15Unin.isu"
Lavasoft Reghance 2.1 --> C:\PROGRA~1\LAVASO~1\UNWISE.EXE C:\PROGRA~1\LAVASO~1\INSTALL.LOG
Lernout & Hauspie TruVoice American English TTS Engine --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
Lock On: Modern Air Combat --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E90DCEE9-DC27-401B-A7AC-B0AFF5B34E4D}\setup.exe" -l0x9 
Macromedia Director MX --> C:\PROGRA~1\MACROM~1\DIRECT~1\UNWISE.EXE C:\PROGRA~1\MACROM~1\DIRECT~1\install.log
Macromedia Dreamweaver MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B4AB829-DFD3-436D-B808-D9733D76C590}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" -l0x9 mmUninstall
Macromedia Fireworks MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{930B2432-43D4-11D5-9871-00C04F8EEB39}\Setup.exe" -l0x9 UNINSTALL
Macromedia Flash MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3BE480ED-E17A-431A-981C-5C2EDDBCD3BF}\Setup.exe" -l0x9 UNINSTALL
Macromedia Flash Player 8 --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe
Macromedia FreeHand 10 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4D826618-59C6-11D4-976E-00C04F8EEB39}\Setup.exe" -l0x9 UNINSTALL
MatchWare Mediator 7 Std Installation --> C:\PROGRA~1\MEDIAT~1\UNWISE.EXE C:\PROGRA~1\MEDIAT~1\INSTALL.LOG
Medal of Honor Allied Assault --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0DEA94ED-915A-4834-A87E-388D012C8E02}\Setup.exe" -l0x9 
Medal of Honor Pacific Assault(tm) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{56CFA833-F44F-4199-8C58-7F8B38F2BC7B}\Setup.exe" -l0x9 -removeonly
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Web Components --> MsiExec.exe /I{90260409-6000-11D3-8CFE-0050048383C9}
Mihov Gallery Creator 0.9.2 --> "C:\Program Files\Mihov Gallery Creator\unins000.exe"
Mozilla Firefox (0.8.) --> C:\WINDOWS\UninstallFirefox.exe /ua "0.8. (en)"
Mozilla Firefox (1.0.7) --> C:\windows\UninstallFirefox.exe /ua "1.0.7 (en-US)"
MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
muvee autoProducer 3.5 magicMoments - ATI --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{38FC0BC3-0CA1-4A9A-A1F8-B44B543780BA}\setup.exe" -l0x9 
Netscape (7.1) --> C:\WINDOWS\NSUninst.exe /ua "7.1b1 (en)"
NHL® 2003 --> C:\Program Files\EA SPORTS\NHL 2003\EAUninstall.exe
NHL07 --> F:\EA SPORTS\NHL07\EAUninstall.exe
OpenMG Limited Patch 3.4-04-17-06-01 --> C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix3.4-04-17-06-01\HotFixSetup\setup.exe /u
OpenMG Secure Module 3.4.01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{26C849AB-1865-412D-B87D-B18BC5CB6C60}\setup.exe" -l0x9 UNINSTALL
PACE System Files --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{608E51B7-06CD-4A2E-92D7-F77BA172E504}\setup.exe" -l0x9 FromUninstall
Painkiller Gold Edition --> C:\WINDOWS\unvise32.exe f:\dreamcatcher\uninstal.log
Painkiller Special Edition --> C:\WINDOWS\unvise32.exe f:\DreamCatcher\Painkiller Special Edition\uninstal.log
Pinnacle Hollywood FX 4.6 --> C:\WINDOWS\unvise32.exe C:\Program Files\Pinnacle\Hollywood FX 4.6\uninstal.log
Pinnacle Hollywood FX for Studio --> C:\WINDOWS\unvise32.exe F:\Hollywood FX for Studio\5.5\uninstal.log
Pinnacle PCI Performance Enhancer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3E5A81BA-4702-490A-B729-0BFF6E7CBF96}\setup.exe" -l0x9 
PIXELA ImageMixer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{13413C6C-C640-40B8-917E-CA3062826B18}\setup.exe" 
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Prey --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A785BBA7-3FB9-4D81-BC35-4A2028915ACB}\setup.exe" -l0x9 -removeonly
Quake 4(TM) --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{152B782A-05F3-48EC-9AAC-4D3EB68D9E20} 
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033 
Return to Castle Wolfenstein --> C:\PROGRA~1\RETURN~1\Uninstall\Unwise.exe /u C:\PROGRA~1\RETURN~1\Uninstall\Install.log
Rise of Nations --> "F:\Microsoft Games\Rise of Nations\Uninstal.exe" /runtemp /uninstall
Shareaza version 2.2.1.0 --> "C:\Program Files\Shareaza\Uninstall\unins000.exe"
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Sony Sound Forge 7.0 --> MsiExec.exe /I{0712667C-A171-49AE-A098-4ACDA28625F8}
Sound Blaster Live! --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9115E7DB-3B29-445A-802D-11E0AA945B7F}\SETUP.EXE" -l0x9 
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Star Wars Galactic Battlegrounds: Saga --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{10133CDD-50B9-4783-B336-8B48F3653715}\Setup.exe" -l0x9 
Star Wars Republic Commando --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DFAE9340-E8BB-4433-9A08-C8334DAFE1B9}\Setup.exe" -l0x9 
Steam(TM) --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Studio 9 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E491AB7-4589-48CA-9CBB-874CB2788391}\Setup.exe" -l0x9 UNINSTALL
Swift 3D Version 4.00 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{604B0B0F-68C6-440D-AA74-B69314F86ADA} 
SWiSHmax --> C:\windows\unvise32.exe C:\Program Files\SWiSHmax\uninstal.log
Tiger Woods PGA TOUR 06 --> F:\EA SPORTS\Tiger Woods PGA TOUR 06\EAUninstall.exe
Tiger Woods PGA TOUR 2004 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7E91306C-899F-45F3-B5E9-4B480A27A63D}\Setup.exe" -l0x9 uninstallme
TitanTV Client components for ATI --> MsiExec.exe /I{F6882759-2522-4744-A117-615651ADE66F}
Ulead Photo Express 4.0 My Custom Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{21BCE515-D5A3-11D4-8E33-0010B53EC668}\SETUP.EXE" 
Unreal II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{626F32D6-007C-41D5-8157-9509AB1428BE}\Setup.exe" -l0x9 
Visual Communicator Bin Files --> MsiExec.exe /I{64887FC8-F0AD-42B5-B052-3E52D64CA4B3}
Visual Communicator Web --> MsiExec.exe /X{B9EFA5D1-A460-4F22-88AB-A48C652AE3C5}
Voice Editor --> C:\windows\uninst.exe -f"C:\Program Files\Winbond\Voice Editor\DeIsL1.isu" -c"C:\Program Files\Winbond\Voice Editor\_ISREG32.DLL"
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Format SDK Hotfix - KB891122 --> "C:\windows\$NtUninstallKB891122$\spuninst\spuninst.exe"
WinKeeper Pro 5.6 --> "C:\Program Files\WinKeeper\unins000.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WordPerfect Office 2002 OEM --> C:\WINDOWS\Corel\uninst32.exe
XoftSpySE --> C:\Program Files\XoftSpySE\uninstall.exe
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

-- End of ComboScan: finished at 2007-03-05 at 11:18:27 -------------------------

The files I cannot delete are:
fccyyxv.dll
ddabb.dll
vhpudamc.dll
ddabc.dll
When I disable fccyyxv.dll it enables ddabb.dll, and vice versa, in Toolbar Cop, and when I use BHODemon I am able to disable these files but can't remove them. Any ideas?


----------



## Byteman (Jan 24, 2002)

Hi, Did you read what is in my last reply about CODE tags?


I see now that you have a Vundo infection, I can help with that. 

I will fix the ComboScan log for you.

There is a tool I need you to download.


----------



## Byteman (Jan 24, 2002)

OK - VUNDO FIX

Please download *VundoFix.exe* to your desktop.
Double-click *VundoFix.exe* to run it.
Click the *Scan for Vundo* button.
Once it's done scanning, click the *Remove Vundo* button.
You will receive a prompt asking if you want to remove the files, click *YES*
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click *OK*.
Turn your computer back on.
Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. 
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


----------



## horn069 (Dec 11, 2004)

Sorry about the code tags; I will refrain from using them to post scan logs. I really appreciate your input, and would like to know what tool I need to download, thank you! I see what I need; thanks again for your time Byteman, I will try the download now.


----------



## horn069 (Dec 11, 2004)

Here is the scan log from Hijack this, after I ran the Vundofix program:

Logfile of HijackThis v1.99.1
Scan saved at 11:58:55 AM, on 05/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system32\MsPMSPSv.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Desktop\User.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://search.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1:5400;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;search.netscape.com12.129.205.209;sitefinder.verisign.com;localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mytelus.com/"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\nkwnoff5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\nkwnoff5.slt\prefs.js)
O2 - BHO: (no name) - {04AD4655-5846-4831-8376-D3B208DA3CB7} - C:\WINDOWS\system32\ddabc.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {768318D5-06A3-4987-81FC-8ECA2E068210} - C:\WINDOWS\system32\fccyyxv.dll (file missing)
O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe C:\windows\System32\CrazyTalk.dll,DllServeMediaFile
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .exe: C:\Program Files\Internet Explorer\PLUGINS\npdap.dll
O12 - Plugin for .rar: C:\Program Files\Internet Explorer\PLUGINS\npdap.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .zip: C:\Program Files\Internet Explorer\PLUGINS\npdap.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120110558546
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by107fd.bay107.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: ddabb - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\windows\system32\LEXBCES.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe

I may be mistaken, but I checked the registry to see if 7683185D-06A3-4987-81FCF-8ECA2E068210 was removed, and it is still there after reboot. What else can be done?


----------



## Byteman (Jan 24, 2002)

Where is the VundoFix log?

Those Reg entries will be fixed, but I would like to see the log, which you can find as described in my reply where VundoFix was downloaded.


----------



## horn069 (Dec 11, 2004)

Here you go


VundoFix V6.3.12

Checking Java version...

Scan started at 11:44:38 AM 05/03/2007

Listing files found while scanning....

C:\Documents and settings\User\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
C:\Documents and settings\User\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
C:\WINDOWS\system32\cbadd.ini
C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\fccyyxv.dll
C:\WINDOWS\system32\hjipodix.ini
C:\WINDOWS\system32\jlnmp.ini
C:\WINDOWS\system32\nrjmxeeu.dll
C:\WINDOWS\system32\oxkawxuv.ini
C:\WINDOWS\system32\pmnlj.dll
C:\WINDOWS\system32\pweqmsws.exe
C:\WINDOWS\system32\ueexmjrn.ini
C:\WINDOWS\system32\vuxwakxo.dll
C:\WINDOWS\system32\wvuspoo.dll
C:\WINDOWS\system32\xidopijh.dll

Beginning removal...

Attempting to delete C:\Documents and settings\User\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
C:\Documents and settings\User\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt Has been deleted!

Attempting to delete C:\Documents and settings\User\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
C:\Documents and settings\User\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbadd.ini
C:\WINDOWS\system32\cbadd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\ddabc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fccyyxv.dll
C:\WINDOWS\system32\fccyyxv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjipodix.ini
C:\WINDOWS\system32\hjipodix.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jlnmp.ini
C:\WINDOWS\system32\jlnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\nrjmxeeu.dll
C:\WINDOWS\system32\nrjmxeeu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\oxkawxuv.ini
C:\WINDOWS\system32\oxkawxuv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnlj.dll
C:\WINDOWS\system32\pmnlj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pweqmsws.exe
C:\WINDOWS\system32\pweqmsws.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ueexmjrn.ini
C:\WINDOWS\system32\ueexmjrn.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vuxwakxo.dll
C:\WINDOWS\system32\vuxwakxo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvuspoo.dll
C:\WINDOWS\system32\wvuspoo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xidopijh.dll
C:\WINDOWS\system32\xidopijh.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.12

Checking Java version...

Scan started at 12:11:36 PM 05/03/2007

Listing files found while scanning....

No infected files were found.

This is the second scan log; the first one must have got replaced by this one. Will this do?


----------



## Byteman (Jan 24, 2002)

Post a brand new HJT log now, please.


----------



## horn069 (Dec 11, 2004)

Here you go.

Logfile of HijackThis v1.99.1
Scan saved at 12:40:12 PM, on 05/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system32\MsPMSPSv.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://search.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1:5400;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;search.netscape.com12.129.205.209;sitefinder.verisign.com;localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mytelus.com/"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\nkwnoff5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\nkwnoff5.slt\prefs.js)
O2 - BHO: (no name) - {04AD4655-5846-4831-8376-D3B208DA3CB7} - C:\WINDOWS\system32\ddabc.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {768318D5-06A3-4987-81FC-8ECA2E068210} - C:\WINDOWS\system32\fccyyxv.dll (file missing)
O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe C:\windows\System32\CrazyTalk.dll,DllServeMediaFile
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .exe: C:\Program Files\Internet Explorer\PLUGINS\npdap.dll
O12 - Plugin for .rar: C:\Program Files\Internet Explorer\PLUGINS\npdap.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .zip: C:\Program Files\Internet Explorer\PLUGINS\npdap.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120110558546
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by107fd.bay107.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{716A48AC-C55F-4D7C-A0D2-143314044BB5}: NameServer = 198.80.55.1 198.161.157.1
O20 - Winlogon Notify: ddabb - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\windows\system32\LEXBCES.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe


----------



## Byteman (Jan 24, 2002)

Hi,

Run HijackThis again, put checks next to the items in your HijackThis scan that I list below, and with ALL OTHER browser windows CLOSED, including this window, hit "Fix checked":

O2 - BHO: (no name) - {04AD4655-5846-4831-8376-D3B208DA3CB7} - C:\WINDOWS\system32\ddabc.dll (file missing)
O2 - BHO: (no name) - {768318D5-06A3-4987-81FC-8ECA2E068210} - C:\WINDOWS\system32\fccyyxv.dll (file missing)
O20 - Winlogon Notify: ddabb - C:\WINDOWS\

1. Right click on your Avenger.zip download, and select "Extract All" from the menu, then change the location of the extracted files TO> Desktop.
Please double click on Avenger.exe.

2. Copy *all the text* contained in the code box below to your Clipboard by highlighting it and pressing (*Ctrl+C*): (make sure you include the "Files to delete" text....)

3. Start The Avenger by clicking on its icon on your desktop.
 Under "*Script file to execute*" choose "*Input Script Manually*".
 Now click on the *Magnifying Glass icon*, which will open a new window titled "*View/edit script*".
 Paste the text copied to clipboard into this window by pressing (*Ctrl+V*).
 Click *Done*.
 Now click on the *Green Light* to begin execution of the script.
 Answer "*Yes*" twice when prompted.

4. *The Avenger will automatically do the following*:
 It will *Restart your computer*. (In cases where the code to execute contains "*Drivers to Unload*", The Avenger will actually *restart your system twice*.)
 On reboot, it will briefly *open a black command window* on your desktop; this is normal.
 After the restart, it *creates a log file* that should open with the results of Avenger's actions. This log file will be located at *C:\avenger.txt*.
 The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.

5. Please *copy/paste* the content of *c:\avenger.txt* into your reply.


```
Files to delete:

C:\WINDOWS\ddabb
C:\WINDOWS\system32\cbadd.ini
C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\fccyyxv.dll
C:\WINDOWS\system32\hjipodix.ini
C:\WINDOWS\system32\jlnmp.ini
C:\WINDOWS\system32\nrjmxeeu.dll
C:\WINDOWS\system32\oxkawxuv.ini
C:\WINDOWS\system32\pmnlj.dll
C:\WINDOWS\system32\pweqmsws.exe
C:\WINDOWS\system32\ueexmjrn.ini
C:\WINDOWS\system32\vuxwakxo.dll
C:\WINDOWS\system32\wvuspoo.dll
C:\WINDOWS\system32\xidopijh.dll
```
_*Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

This is just a precaution to see if any files remain; it is not likely they do, so do not be concerned if Avenger does not find any of them.

Post a brand new HJT log when done. I have to go out but will check this when I get back.


----------



## horn069 (Dec 11, 2004)

Here is what I got from following your instructions:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jcgpqhjx

*******************

Script file located at: \??\C:\Program Files\jhvhrtup.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\ddabb not found!
Deletion of file C:\WINDOWS\ddabb failed!

Could not process line:
C:\WINDOWS\ddabb
Status: 0xc0000034



File C:\WINDOWS\system32\cbadd.ini not found!
Deletion of file C:\WINDOWS\system32\cbadd.ini failed!

Could not process line:
C:\WINDOWS\system32\cbadd.ini
Status: 0xc0000034



File C:\WINDOWS\system32\ddabc.dll not found!
Deletion of file C:\WINDOWS\system32\ddabc.dll failed!

Could not process line:
C:\WINDOWS\system32\ddabc.dll
Status: 0xc0000034



File C:\WINDOWS\system32\fccyyxv.dll not found!
Deletion of file C:\WINDOWS\system32\fccyyxv.dll failed!

Could not process line:
C:\WINDOWS\system32\fccyyxv.dll
Status: 0xc0000034



File C:\WINDOWS\system32\hjipodix.ini not found!
Deletion of file C:\WINDOWS\system32\hjipodix.ini failed!

Could not process line:
C:\WINDOWS\system32\hjipodix.ini
Status: 0xc0000034



File C:\WINDOWS\system32\jlnmp.ini not found!
Deletion of file C:\WINDOWS\system32\jlnmp.ini failed!

Could not process line:
C:\WINDOWS\system32\jlnmp.ini
Status: 0xc0000034



File C:\WINDOWS\system32\nrjmxeeu.dll not found!
Deletion of file C:\WINDOWS\system32\nrjmxeeu.dll failed!

Could not process line:
C:\WINDOWS\system32\nrjmxeeu.dll
Status: 0xc0000034



File C:\WINDOWS\system32\oxkawxuv.ini not found!
Deletion of file C:\WINDOWS\system32\oxkawxuv.ini failed!

Could not process line:
C:\WINDOWS\system32\oxkawxuv.ini
Status: 0xc0000034



File C:\WINDOWS\system32\pmnlj.dll not found!
Deletion of file C:\WINDOWS\system32\pmnlj.dll failed!

Could not process line:
C:\WINDOWS\system32\pmnlj.dll
Status: 0xc0000034



File C:\WINDOWS\system32\pweqmsws.exe not found!
Deletion of file C:\WINDOWS\system32\pweqmsws.exe failed!

Could not process line:
C:\WINDOWS\system32\pweqmsws.exe
Status: 0xc0000034



File C:\WINDOWS\system32\ueexmjrn.ini not found!
Deletion of file C:\WINDOWS\system32\ueexmjrn.ini failed!

Could not process line:
C:\WINDOWS\system32\ueexmjrn.ini
Status: 0xc0000034



File C:\WINDOWS\system32\vuxwakxo.dll not found!
Deletion of file C:\WINDOWS\system32\vuxwakxo.dll failed!

Could not process line:
C:\WINDOWS\system32\vuxwakxo.dll
Status: 0xc0000034



File C:\WINDOWS\system32\wvuspoo.dll not found!
Deletion of file C:\WINDOWS\system32\wvuspoo.dll failed!

Could not process line:
C:\WINDOWS\system32\wvuspoo.dll
Status: 0xc0000034



File C:\WINDOWS\system32\xidopijh.dll not found!
Deletion of file C:\WINDOWS\system32\xidopijh.dll failed!

Could not process line:
C:\WINDOWS\system32\xidopijh.dll
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

I had a peek in the C:/windows/system32 folder, and noticed that the dll files that were giving me problems are not there any more. I hope I don't make this mistake again, and I am very appreciative of your help with this virus; I tried all sorts of programs but got nowhere until I came here. Thanks again Byteman, you rock! I hope we are done here after you have time to review this log.


----------



## Byteman (Jan 24, 2002)

Hi, it appears that you are not using Sun Java Runtime.

Vundo Fix usually detects what version is installed.

Is there a reason why you don't, such as software or games that won't work with it?

Perhaps that is how Vundo got in, as older versions of Java are very vulnerable.

Any input?

If you need it, the latest version is here:

Go to *HERE* and download the latest version of Java; it's the Java Runtime Environment 6.0, the fourth download down.
Once you have, uninstall all the older versions of Java JRE you see in Control Panel > Add/Remove Programs and install the new one.

Perhaps the old version shows in Add/Remove.


----------



## horn069 (Dec 11, 2004)

I was not aware that I was not running the latest Java program. I believe I set up some type of Java when someone needed my computer for banking info, or it needed to be installed in order to use their website. Anyhow, I know exactly how my computer got infected: one of my kids downloaded a song, or thought it was a song, but it was a setup.exe file in a rar format, and proceeded to install the song thinking that it would really be a song from the setup file. That is how the computer got infected! That is when the problems started, so now we both know not to download zip, rar, or exe files when trying to download mp3's. Thank you Byteman for the time that you put into helping me get rid of this virus; I am very grateful, and will know better for future problems on where to go for help!


----------



## Byteman (Jan 24, 2002)

Hi, I think somehow we missed the Kaspersky online scan log... if you did the scan, the log may still be saved someplace; if you can find it, post it.

If not, you will have to scan again, but it does not have to be tonight unless you want it to be.


Please go *HERE* and click Kaspersky Online Scanner
Read and Accept the Agreement
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
If you see a Windows dialog asking if you want to install this software, click the Install button. 
The program will launch and then begin downloading the latest definition files,
When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it. 
Click on the Scan Settings button, and in the next window select the Extended database, and click Ok. 
Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
Copy and paste the contents of the online scanner results into a reply here in your thread, along with a new HJT log and the log from any other scans you run.


----------



## horn069 (Dec 11, 2004)

OK, I'm on dial up, so this will take a minute or two; I will post results when completed, thanks.


----------



## horn069 (Dec 11, 2004)

Do you have to be connected for the scan? If not, I would like to disconnect while it scans because it is going to be a long wait without my phone; if not, I will wait it out, thanks.


----------



## horn069 (Dec 11, 2004)

This is taking too long; I will run the scan later this evening so it will not take over my phone line. Here is what I have so far:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, March 06, 2007 11:21:27 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 6/03/2007
Kaspersky Anti-Virus database records: 277036
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 87443
Number of viruses found: 3
Number of infected objects: 13 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:21:58

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\09istzc2.default\Cache\DB54FFB4d01	Object is locked	skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\09istzc2.default\Cache\_CACHE_001_	Object is locked	skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\09istzc2.default\Cache\_CACHE_002_	Object is locked	skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\09istzc2.default\Cache\_CACHE_003_	Object is locked	skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\09istzc2.default\Cache\_CACHE_MAP_	Object is locked	skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\09istzc2.default\cert8.db	Object is locked	skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\09istzc2.default\formhistory.dat	Object is locked	skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\09istzc2.default\history.dat	Object is locked	skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\09istzc2.default\key3.db	Object is locked	skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\09istzc2.default\parent.lock	Object is locked	skipped
C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\nkwnoff5.slt\Cache\9BACA9E5d01/data.rar/DlPlugin-Moz/npdlplug.dll	Infected: not-a-virus:AdWare.Win32.PluginDL.e	skipped
C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\nkwnoff5.slt\Cache\9BACA9E5d01/data.rar/DlPlugin-Moz/setup2.exe	Infected: not-a-virus:AdWare.Win32.PluginDL.e	skipped
C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\nkwnoff5.slt\Cache\9BACA9E5d01/data.rar	Infected: not-a-virus:AdWare.Win32.PluginDL.e	skipped
C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\nkwnoff5.slt\Cache\9BACA9E5d01	RarSFX: infected - 3	skipped
C:\Documents and Settings\User\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\User\Desktop\Unused Desktop Shortcuts\mirc616.exe/data0001.bin	Infected: not-a-virus:Client-IRC.Win32.mIRC.616	skipped
C:\Documents and Settings\User\Desktop\Unused Desktop Shortcuts\mirc616.exe	mIRC: infected - 1	skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\User\Local Settings\Application Data\Shareaza\Incomplete\----- anthax 1 29.wma	Infected: Trojan-Downloader.WMA.Wimad.d	skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\MSHist012007030620070307\index.dat	Object is locked	skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\User\ntuser.dat	Object is locked	skipped
C:\Documents and Settings\User\ntuser.dat.LOG	Object is locked	skipped
C:\Program Files\Common Files\mozilla.org\GRE\1.4f_2003062408\npdlplug-1.5.0.1-0147-setup.exe/data.rar/DlPlugin-Moz/npdlplug.dll	Infected: not-a-virus:AdWare.Win32.PluginDL.e	skipped
C:\Program Files\Common Files\mozilla.org\GRE\1.4f_2003062408\npdlplug-1.5.0.1-0147-setup.exe/data.rar/DlPlugin-Moz/setup2.exe	Infected: not-a-virus:AdWare.Win32.PluginDL.e	skipped
C:\Program Files\Common Files\mozilla.org\GRE\1.4f_2003062408\npdlplug-1.5.0.1-0147-setup.exe/data.rar	Infected: not-a-virus:AdWare.Win32.PluginDL.e	skipped
C:\Program Files\Common Files\mozilla.org\GRE\1.4f_2003062408\npdlplug-1.5.0.1-0147-setup.exe	RarSFX: infected - 3	skipped
C:\Program Files\Mozilla Firefox\plugins\npdlplug.dll	Infected: not-a-virus:AdWare.Win32.PluginDL.e	skipped
C:\Program Files\Netscape\Netscape\plugins\npdlplug.dll	Infected: not-a-virus:AdWare.Win32.PluginDL.e	skipped

Scan was interrupted by user!


Will post full scan later, thanks.


----------



## Byteman (Jan 24, 2002)

Hi, you can do the scan at any time you have time; no need to pressure anybody here. The things I see so far are not too dangerous.

If your computer has an Ethernet port and you have a friend, relative, etc. who would let you plug it in, have you considered bringing just the tower over there?
You would not be installing anything if they have broadband service; it's similar to bringing a notebook machine to an airport, for example, and connecting to the Net over their provided service.

I usually offer that advice, didn't realize you were using the phone.

Or, if you can do this later in the evening, I am always online until around 2 AM Eastern time. It's just a lot quieter for me then, since I have two grandkids that are extremely active, two dogs that drive me nuts, and my son and his girl, all here at home, so I usually can be more productive later in the evening. If that does not work for you, I can try to be around tomorrow morning after 10 AM; just let me know.


----------



## horn069 (Dec 11, 2004)

I will continue later this evening and let the complete scan take place. I will post the results first thing in the morning, around 8:00 a.m. MST. If you have time tomorrow to take a look, I would really appreciate it. Also, it looks as though the Vundo virus is gone, but I will verify with a full online scan, and also a HJT scan when the online scan is complete. Thank you.


----------



## horn069 (Dec 11, 2004)

Here are the complete results from Kaspersky and HJT:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, March 07, 2007 3:23:52 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 7/03/2007
Kaspersky Anti-Virus database records: 277352
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 193857
Number of viruses found: 9
Number of infected objects: 41 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:46:25

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\nkwnoff5.slt\Cache\9BACA9E5d01/data.rar/DlPlugin-Moz/npdlplug.dll	Infected: not-a-virus:AdWare.Win32.PluginDL.e	skipped
C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\nkwnoff5.slt\Cache\9BACA9E5d01/data.rar/DlPlugin-Moz/setup2.exe	Infected: not-a-virus:AdWare.Win32.PluginDL.e	skipped
C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\nkwnoff5.slt\Cache\9BACA9E5d01/data.rar	Infected: not-a-virus:AdWare.Win32.PluginDL.e	skipped
C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\nkwnoff5.slt\Cache\9BACA9E5d01	RarSFX: infected - 3	skipped
C:\Documents and Settings\User\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\User\Desktop\Unused Desktop Shortcuts\mirc616.exe/data0001.bin	Infected: not-a-virus:Client-IRC.Win32.mIRC.616	skipped
C:\Documents and Settings\User\Desktop\Unused Desktop Shortcuts\mirc616.exe	mIRC: infected - 1	skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\User\Local Settings\Application Data\Shareaza\Incomplete\----- anthax 1 29.wma	Infected: Trojan-Downloader.WMA.Wimad.d	skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\MSHist012007030620070307\index.dat	Object is locked	skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\User\ntuser.dat	Object is locked	skipped
C:\Documents and Settings\User\ntuser.dat.LOG	Object is locked	skipped
C:\Program Files\Common Files\mozilla.org\GRE\1.4f_2003062408\npdlplug-1.5.0.1-0147-setup.exe/data.rar/DlPlugin-Moz/npdlplug.dll	Infected: not-a-virus:AdWare.Win32.PluginDL.e	skipped
C:\Program Files\Common Files\mozilla.org\GRE\1.4f_2003062408\npdlplug-1.5.0.1-0147-setup.exe/data.rar/DlPlugin-Moz/setup2.exe	Infected: not-a-virus:AdWare.Win32.PluginDL.e	skipped
C:\Program Files\Common Files\mozilla.org\GRE\1.4f_2003062408\npdlplug-1.5.0.1-0147-setup.exe/data.rar	Infected: not-a-virus:AdWare.Win32.PluginDL.e	skipped
C:\Program Files\Common Files\mozilla.org\GRE\1.4f_2003062408\npdlplug-1.5.0.1-0147-setup.exe	RarSFX: infected - 3	skipped
C:\Program Files\Mozilla Firefox\plugins\npdlplug.dll	Infected: not-a-virus:AdWare.Win32.PluginDL.e	skipped
C:\Program Files\Netscape\Netscape\plugins\npdlplug.dll	Infected: not-a-virus:AdWare.Win32.PluginDL.e	skipped
C:\System Volume Information\MountPointManagerRemoteDatabase	Object is locked	skipped
C:\System Volume Information\_restore{FFFDA87D-2BE4-4207-819A-050E67AAC19C}\RP1\A0000006.dll	Infected: not-a-virus:AdWare.Win32.Agent.at	skipped
C:\System Volume Information\_restore{FFFDA87D-2BE4-4207-819A-050E67AAC19C}\RP2\A0000027.exe	Infected: not-a-virus:AdWare.Win32.Agent.at	skipped
C:\System Volume Information\_restore{FFFDA87D-2BE4-4207-819A-050E67AAC19C}\RP2\A0000029.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.ha	skipped
C:\System Volume Information\_restore{FFFDA87D-2BE4-4207-819A-050E67AAC19C}\RP2\A0000040.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.ha	skipped
C:\System Volume Information\_restore{FFFDA87D-2BE4-4207-819A-050E67AAC19C}\RP2\A0000043.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.gf	skipped
C:\System Volume Information\_restore{FFFDA87D-2BE4-4207-819A-050E67AAC19C}\RP2\A0000046.exe	Infected: not-a-virus:AdWare.Win32.Agent.at	skipped
C:\System Volume Information\_restore{FFFDA87D-2BE4-4207-819A-050E67AAC19C}\RP2\A0000048.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.gf	skipped
C:\System Volume Information\_restore{FFFDA87D-2BE4-4207-819A-050E67AAC19C}\RP2\A0000049.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.ha	skipped
C:\System Volume Information\_restore{FFFDA87D-2BE4-4207-819A-050E67AAC19C}\RP2\A0000050.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.gf	skipped
C:\System Volume Information\_restore{FFFDA87D-2BE4-4207-819A-050E67AAC19C}\RP2\A0000056.dll	Object is locked	skipped
C:\System Volume Information\_restore{FFFDA87D-2BE4-4207-819A-050E67AAC19C}\RP2\A0000057.dll	Object is locked	skipped
C:\System Volume Information\_restore{FFFDA87D-2BE4-4207-819A-050E67AAC19C}\RP3\change.log	Object is locked	skipped
C:\VundoFix Backups\fccyyxv.dll.bad	Infected: not-a-virus:AdWare.Win32.Virtumonde.ha	skipped
C:\VundoFix Backups\nrjmxeeu.dll.bad	Infected: not-a-virus:AdWare.Win32.Virtumonde.gf	skipped
C:\VundoFix Backups\pweqmsws.exe.bad	Infected: not-a-virus:AdWare.Win32.Agent.at	skipped
C:\VundoFix Backups\vuxwakxo.dll.bad	Infected: not-a-virus:AdWare.Win32.Virtumonde.gf	skipped
C:\VundoFix Backups\wvuspoo.dll.bad	Infected: not-a-virus:AdWare.Win32.Virtumonde.ha	skipped
C:\VundoFix Backups\xidopijh.dll.bad	Infected: not-a-virus:AdWare.Win32.Virtumonde.gf	skipped
C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINDOWS\ModemLog_Agere Win Modem.txt	Object is locked	skipped
C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\WINDOWS\Sti_Trace.log	Object is locked	skipped
C:\WINDOWS\system32\Agent.dll	Infected: not-a-virus:AdWare.Win32.Sahat.g	skipped
C:\WINDOWS\system32\config\ACEEvent.evt	Object is locked	skipped
C:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\default	Object is locked	skipped
C:\WINDOWS\system32\config\default.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\Internet.evt	Object is locked	skipped
C:\WINDOWS\system32\config\SAM	Object is locked	skipped
C:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\software	Object is locked	skipped
C:\WINDOWS\system32\config\software.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\system	Object is locked	skipped
C:\WINDOWS\system32\config\system.LOG	Object is locked	skipped
C:\WINDOWS\system32\ctbv2.dll	Infected: not-a-virus:AdWare.Win32.Sahat.g	skipped
C:\WINDOWS\system32\h323log.txt	Object is locked	skipped
C:\WINDOWS\system32\KVI_111.dll	Infected: not-a-virus:AdWare.Win32.Sahat.g	skipped
C:\WINDOWS\system32\MsDtc\MSDTC.LOG	Object is locked	skipped
C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log	Object is locked	skipped
C:\WINDOWS\system32\msmq\storage\QMLog	Object is locked	skipped
C:\WINDOWS\system32\NLNP!3.exe	Infected: not-a-virus:AdWare.Win32.IGetNet	skipped
C:\WINDOWS\system32\NLNP13.dll	Infected: not-a-virus:AdWare.Win32.IGetNet	skipped
C:\WINDOWS\system32\NLNP131.dll	Infected: not-a-virus:AdWare.Win32.IGetNet	skipped
C:\WINDOWS\system32\SHAgent.dll	Infected: not-a-virus:AdWare.Win32.Sahat.g	skipped
C:\WINDOWS\system32\szla.dll	Infected: not-a-virus:AdWare.Win32.BrowsePal.b	skipped
C:\WINDOWS\system32\szla1.exe	Infected: not-a-virus:AdWare.Win32.BrowsePal.b	skipped
C:\WINDOWS\system32\szla2.dll	Infected: not-a-virus:AdWare.Win32.BrowsePal.b	skipped
C:\WINDOWS\system32\szla2.exe	Infected: not-a-virus:AdWare.Win32.BrowsePal.b	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP	Object is locked	skipped
C:\WINDOWS\system32\Xcite.dll	Infected: not-a-virus:AdWare.Win32.BrowsePal.b	skipped
C:\WINDOWS\system32\Xcite.exe	Infected: not-a-virus:AdWare.Win32.BrowsePal.b	skipped
C:\WINDOWS\Temp\Perflib_Perfdata_4c4.dat	Object is locked	skipped
C:\WINDOWS\wiadebug.log	Object is locked	skipped
C:\WINDOWS\wiaservc.log	Object is locked	skipped
C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped
F:\System Volume Information\MountPointManagerRemoteDatabase	Object is locked	skipped

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 3:26:51 AM, on 07/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system32\MsPMSPSv.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\User\Desktop\Unused Desktop Shortcuts\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://search.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1:5400;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;search.netscape.com12.129.205.209;sitefinder.verisign.com;localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mytelus.com/"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\nkwnoff5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\nkwnoff5.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe C:\windows\System32\CrazyTalk.dll,DllServeMediaFile
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .exe: C:\Program Files\Internet Explorer\PLUGINS\npdap.dll
O12 - Plugin for .rar: C:\Program Files\Internet Explorer\PLUGINS\npdap.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .zip: C:\Program Files\Internet Explorer\PLUGINS\npdap.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120110558546
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by107fd.bay107.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\windows\system32\LEXBCES.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
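
A triage helper for the Kaspersky report above, added here as an example (it is not code from the thread or from Kaspersky): it parses the tab-separated path / verdict / last-action lines, sets aside the "Object is locked" entries (files in use that the scanner could not open, not detections), and groups the real detections by location, since a hit inside System Restore or a VundoFix backup folder is a stored copy rather than a running component, while one under system32 or Program Files is live. The location rules and the sample rows are constructed for this example; the restore-point GUID is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample rows in the Kaspersky Online Scanner 5 report layout
# (path <TAB> verdict <TAB> last action). They mimic the thread's log but are
# not copied from it; the restore-point GUID is a placeholder.
SAMPLE_ROWS = [
    (r"C:\WINDOWS\system32\config\SAM", "Object is locked", "skipped"),
    (r"C:\WINDOWS\system32\szla.dll",
     "Infected: not-a-virus:AdWare.Win32.BrowsePal.b", "skipped"),
    (r"C:\Program Files\Mozilla Firefox\plugins\npdlplug.dll",
     "Infected: not-a-virus:AdWare.Win32.PluginDL.e", "skipped"),
    (r"C:\Program Files\Common Files\mozilla.org\GRE\1.4f\npdlplug-setup.exe",
     "RarSFX: infected - 3", "skipped"),
    (r"C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP2\A0000029.dll",
     "Infected: not-a-virus:AdWare.Win32.Virtumonde.ha", "skipped"),
    (r"C:\VundoFix Backups\fccyyxv.dll.bad",
     "Infected: not-a-virus:AdWare.Win32.Virtumonde.ha", "skipped"),
    (r"C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\abc.slt\Cache\9BACA9E5d01/data.rar",
     "Infected: not-a-virus:AdWare.Win32.PluginDL.e", "skipped"),
    (r"C:\Documents and Settings\User\Local Settings\Application Data\Shareaza\Incomplete\track.wma",
     "Infected: Trojan-Downloader.WMA.Wimad.d", "skipped"),
]
SAMPLE_REPORT = "\n".join("\t".join(row) for row in SAMPLE_ROWS)

# Ordered location rules: first match wins, so the specific stores (restore
# points, tool backups, caches, download folders) are tested before the broad
# "live system" rule.
LOCATION_RULES = [
    ("restore_point", re.compile(r"\\System Volume Information\\_restore\{", re.I)),
    ("tool_backup", re.compile(r"\\VundoFix Backups\\", re.I)),
    ("browser_cache", re.compile(r"\\(Cache|Temporary Internet Files)\\", re.I)),
    ("download", re.compile(r"\\Shareaza\\Incomplete\\", re.I)),
    ("live_system", re.compile(r"^[A-Z]:\\(WINDOWS|Program Files)\\", re.I)),
]


def parse_report(text):
    """Return (path, verdict, action) tuples; lines without three tab fields are headers."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 3:
            rows.append(tuple(p.strip() for p in parts))
    return rows


def detection_name(verdict):
    """Extract the name from 'Infected: <name>' or the container form
    '<Archiver>: infected - <n>'; return None for locked or clean objects."""
    if verdict.startswith("Infected: "):
        return verdict[len("Infected: "):]
    m = re.match(r"^(.+?): infected - \d+$", verdict)
    return m.group(1) if m else None


def classify_location(path):
    """Label where a flagged file lives using LOCATION_RULES."""
    for label, pattern in LOCATION_RULES:
        if pattern.search(path):
            return label
    return "other"


def triage(text):
    """Split a report into (locked_count, {location: [(path, name, action), ...]})."""
    locked = 0
    groups = defaultdict(list)
    for path, verdict, action in parse_report(text):
        if verdict == "Object is locked":
            locked += 1  # in-use file the scanner could not open; not a detection
            continue
        name = detection_name(verdict)
        if name is not None:
            groups[classify_location(path)].append((path, name, action))
    return locked, dict(groups)


if __name__ == "__main__":
    locked, groups = triage(SAMPLE_REPORT)
    print(f"locked (skipped, not detections): {locked}")
    for label in ("live_system", "restore_point", "tool_backup",
                  "browser_cache", "download", "other"):
        for path, name, action in groups.get(label, []):
            print(f"{label:14} {name:45} {action:8} {path}")
```

Run it against a saved report to see the live-location hits first; the restore-point and backup-folder groups are the ones that only reappear if a restore point is applied or a backup is restored.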


----------



## Byteman (Jan 24, 2002)

Hi, well there is sure more to do. Can I see the Uninstall list produced with HijackThis, please? The steps are below; just post the list here in a reply.

Open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad. Copy and paste that list here.

That will help me see what we can use to get rid of malware that is left.


----------



## horn069 (Dec 11, 2004)

Here's the Uninstall list:

AceFTP 3 Freeware
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Illustrator 10
Adobe MPEG Encoder
Adobe Photoshop 7.0
Adobe Premiere 6.5
Adobe SVG Viewer 3.0
Advanced RealMedia Export Plug-in for Premiere 6.0
Age of Empires III
AsusUpdate
AsusUpdate
ATI Catalyst Control Center
ATI Control Panel
ATI Decoder
ATI Display Driver
ATI HFX Pack
ATI Multimedia Center 9.03
ATI Parental Control & Encoder
ATI Remote Wonder 3.03
AuthorScript Engine 1.0
AVG 7.5
BHA B's DVD
BHA B's Recorder GOLD 5.09
BHODemon 2.0.0.23
Browser Hijack Retaliator 4.5.0 Build 471
ConTEXT
Creative AudioHQ
Creative Diagnostics
Creative MiniDisc Center
Creative PlayCenter
Creative Recorder
Creative Surround Mixer
Creative WaveStudio
DAO
DAO
DH Driver Cleaner Professional Edition
Digital Music Player
DivX 4.02 Codec
Doom 3
Download Plugin for Mozilla, Opera, Netscape
DVD-RAM Driver
EA SPORTS online 2006
Far Cry
GearDrivers
Gecko Runtime Environment (1.4f_2003062408)
Ghost Recon
GUIDE PLUS+(TM) for Windows® System - ATI
Half-Life(R) 2
Hex Workshop
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB912475)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
HP LaserJet 1200 Uninstaller
iMesh 6
Intel Application Accelerator
InterActual Player
Internet Call Director
InterVideo WinDVD 4
iPod for Windows 2006-03-23
iPod for Windows 2006-06-28
iTunes
Java 2 Runtime Environment, SE v1.4.1_02
Java 2 Runtime Environment, SE v1.4.1_07
Kaspersky Online Scanner
KPT Vector Effects 1.5
Lavasoft Reghance 2.1
Lernout & Hauspie TruVoice American English TTS Engine
Lock On: Modern Air Combat
Macromedia Director MX
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks MX
Macromedia Flash MX
Macromedia Flash Player 8
Macromedia FreeHand 10
MatchWare Mediator 7 Std Installation
Medal of Honor Allied Assault
Medal of Honor Pacific Assault(tm)
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB886906)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Office XP Web Components
Mihov Gallery Creator 0.9.2
Mozilla Firefox (0.8.)
Mozilla Firefox (1.0.7)
MSXML 4.0 SP2 (KB927978)
MSXML4 Parser
muvee autoProducer 3.5 magicMoments - ATI
Netscape (7.1)
NHL® 2003
NHL07
OpenMG Limited Patch 3.4-04-17-06-01
OpenMG Secure Module 3.4.01
PACE System Files
Painkiller Gold Edition
Painkiller Special Edition
Pinnacle Hollywood FX 4.6
Pinnacle Hollywood FX for Studio
Pinnacle PCI Performance Enhancer
PIXELA ImageMixer
PowerDVD
Prey
Quake 4(TM)
QuickTime
Return to Castle Wolfenstein
Rise of Nations
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926247)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929969)
Shareaza version 2.2.1.0
Shockwave
Sony Sound Forge 7.0
Sound Blaster Live!
Spybot - Search & Destroy 1.4
Star Wars Galactic Battlegrounds: Saga
Star Wars Republic Commando
Steam(TM)
Studio 9
Swift 3D Version 4.00
SWiSHmax
Tiger Woods PGA TOUR 06
Tiger Woods PGA TOUR 2004
TitanTV Client components for ATI
Ulead Photo Express 4.0 My Custom Edition
Unreal II
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB931836)
Visual Communicator Bin Files
Visual Communicator Web
Voice Editor
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WordPerfect Office 2002 OEM
XoftSpySE
Yahoo! Messenger


----------



## Byteman (Jan 24, 2002)

Hi, for these two programs you may get some alerts, the usual Home page or start page type, when you make changes...

BHO Demon is one that does that... you can exit the program and you should see how to turn off protections.

Not a necessity, though if you can, it would be easier on you.

I don't know anything at all about this one:

Browser Hijack Retaliator 4.5.0 Build 471

Firefox extension detected in the scan: I don't have any info about that either. This may possibly be a false positive, but usually Kaspersky is pretty good and dependable; if it found it is bad, perhaps you could uninstall that extension. Might be an exploit there that has come in through the extension.

Post back if you need to know how to uninstall extensions in FF.

Get this free antispyware program, follow the directions, update it, and scan as it says, Normal Mode for this one.

Download and scan with *SUPERAntiSpyware* Free for Home Users
*alternate site*
Double-click *SUPERAntiSpyware.exe* to install and use the default settings for installation.
Run SUPERAntiSpyware and update the definitions before scanning by selecting "*Check for Updates*".
When done, select "*Scan for Harmful Software*".
There are three scanning options available. Choose "*Perform Complete Scan*" and click "*Next*".
When done, a Scan Summary will appear with potentially harmful items that were detected. Click "*OK*".
Place a checkmark next to items you wish to remove/quarantine and click "*Next*".
A notification will appear that "Quarantine and Removal is Complete". Click "*OK*" and then click the "*Finish*" button to return to the main menu.
If asked to Reboot, please do.
After Reboot, double-click on the SUPERAntiSpyware icon on your Desktop.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner logs, double-click SUPERAntiSpyware Scan Log.
It will open in your default text editor (such as Notepad or WordPad).
Please highlight everything in the Notepad, then right-click and choose Copy.
In your next reply, please post those results and include a fresh HijackThis log.
Select Close to exit the program.
_Note: If you encounter any problems while downloading the updates, manually download and unzip them from *here*._


----------



## horn069 (Dec 11, 2004)

Thanks Byteman, I already disabled BHO Demon; I just used it to disable the BHO that was causing me problems. As for the Browser Hijack Retaliator 4.5.0 Build 471, I will just uninstall it; I just used that one because it was able to restore IE to default settings, which in my case it did not. This was a very informative learning experience for me, and I would like to thank you for the time that you have put into this. I will download SUPERAntiSpyware.exe and post my scan logs. Thank you.


----------



## horn069 (Dec 11, 2004)

Here's the SUPERAntiSpyware log:

SUPERAntiSpyware Scan Log
Generated 03/07/2007 at 09:17 PM

Application Version : 3.6.1000

Core Rules Database Version : 3196
Trace Rules Database Version: 1206

Scan type : Complete Scan
Total Scan Time : 00:57:15

Memory items scanned : 462
Memory threats detected : 0
Registry items scanned : 7604
Registry threats detected : 8
File items scanned : 48168
File threats detected : 20

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{A3D31DA2-24CA-4277-8198-11A18E8A0C9B}
HKCR\CLSID\{A3D31DA2-24CA-4277-8198-11A18E8A0C9B}
HKCR\CLSID\{A3D31DA2-24CA-4277-8198-11A18E8A0C9B}\InprocServer32
HKCR\CLSID\{A3D31DA2-24CA-4277-8198-11A18E8A0C9B}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\PMNLJ.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{D6A34BF0-BD2E-4198-889A-03BFE4376D32}
HKCR\CLSID\{D6A34BF0-BD2E-4198-889A-03BFE4376D32}
HKCR\CLSID\{D6A34BF0-BD2E-4198-889A-03BFE4376D32}\InprocServer32
HKCR\CLSID\{D6A34BF0-BD2E-4198-889A-03BFE4376D32}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DDABB.DLL
C:\WINDOWS\SYSTEM32\AWTQQ.DLL

Adware.Tracking Cookie
C:\Documents and Settings\User\Cookies\[email protected][1].txt
C:\Documents and Settings\User\Cookies\[email protected][1].txt
C:\Documents and Settings\User\Cookies\[email protected][2].txt

Adware.VSToolbar
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FFFDA87D-2BE4-4207-819A-050E67AAC19C}\RP1\A0000006.DLL

Trojan.Downloader-WBRock
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FFFDA87D-2BE4-4207-819A-050E67AAC19C}\RP2\A0000029.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FFFDA87D-2BE4-4207-819A-050E67AAC19C}\RP2\A0000040.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FFFDA87D-2BE4-4207-819A-050E67AAC19C}\RP2\A0000049.DLL
C:\VUNDOFIX BACKUPS\FCCYYXV.DLL.BAD
C:\VUNDOFIX BACKUPS\WVUSPOO.DLL.BAD

Trojan.Downloader-Quake11
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FFFDA87D-2BE4-4207-819A-050E67AAC19C}\RP2\A0000043.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FFFDA87D-2BE4-4207-819A-050E67AAC19C}\RP2\A0000048.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FFFDA87D-2BE4-4207-819A-050E67AAC19C}\RP2\A0000050.DLL
C:\VUNDOFIX BACKUPS\NRJMXEEU.DLL.BAD
C:\VUNDOFIX BACKUPS\VUXWAKXO.DLL.BAD
C:\VUNDOFIX BACKUPS\XIDOPIJH.DLL.BAD

Adware.MyWay
C:\WINDOWS\SYSTEM32\XCITE.DLL
C:\WINDOWS\SYSTEM32\XCITE.EXE

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:29:31 PM, on 07/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system32\MsPMSPSv.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\User\Desktop\Unused Desktop Shortcuts\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://search.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1:5400;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;search.netscape.com12.129.205.209;sitefinder.verisign.com;localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mytelus.com/"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\nkwnoff5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\nkwnoff5.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe C:\windows\System32\CrazyTalk.dll,DllServeMediaFile
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PrinTray] C:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .exe: C:\Program Files\Internet Explorer\PLUGINS\npdap.dll
O12 - Plugin for .rar: C:\Program Files\Internet Explorer\PLUGINS\npdap.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .zip: C:\Program Files\Internet Explorer\PLUGINS\npdap.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120110558546
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by107fd.bay107.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{716A48AC-C55F-4D7C-A0D2-143314044BB5}: NameServer = 198.80.55.1 198.161.157.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\windows\system32\LEXBCES.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe


----------



## Byteman (Jan 24, 2002)

Hi,

The Vundo is probably getting in because you are using some older versions of Java Plugin so I suggest you do this:

Go to *HERE* and download the latest version of Java; it's the Java Runtime Environment 6.0, the fourth download down. *Offline download is what you want.*
Once you have it, uninstall all the older versions of Java JRE you see in Control Panel > Add/Remove Programs and install the new one: find the download you just got and double-click to start the install, then follow the prompts. Pie!

Next: Tomorrow at some point, I want you to re-download VundoFix, and run a new scan with the new one- here are the steps.

Just delete the old one, and along with it, the backups it keeps so those files are not detected in our scans with anything.

Please download *VundoFix.exe* to your desktop.
Double-click *VundoFix.exe* to run it.
Click the *Scan for Vundo* button.
Once it's done scanning, click the *Remove Vundo* button.
You will receive a prompt asking if you want to remove the files, click *YES*
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click *OK*.
Turn your computer back on.
Please post the contents of C:\*vundofix.txt* 

We are going to use a utility to hunt for and delete some files that were found pretty soon, but I want you to run a full scan of the computer first with *SpyBot Search and Destroy* and then *Ad-Aware SE*. Be sure to check for updates for each program before scanning with them. No need to post what they find, just have them fix whatever it is.

Next: After doing all that, please re-run SUPER A/S after it is updated....and post the new log from that scan.

New Hijackthis log of course, too.


----------



## horn069 (Dec 11, 2004)

Will do, thanks for your help Byteman, will post results when completed.


----------



## horn069 (Dec 11, 2004)

I have been looking at the system configuration utility, and I have this file in there and I am not sure if it belongs on my system. It is this:
vuxwakxo rundll32.exe "C:\WINDOWS\system32\vuxwakxo.dll",setvm. I have it disabled, but not sure what it is for? Could this be what is causing problems?


----------



## Byteman (Jan 24, 2002)

Hi. Well, that file was already picked up by SUPERAntiSpyware; right now it is in the VundoFix backup folder and renamed as you see:

C:\VUNDOFIX BACKUPS\VUXWAKXO.DLL.BAD

Get the new download for VundoFix ready to run.

In msconfig, re-enable that item you have disabled. You will have to restart.

I'm not sure what will happen, probably an error message about that file missing....

Remember, System Restore which I hope you have enabled....is your friend!

You may see a message about not being able to use msconfig to put the item back in Startups- since the file is gone....in that case, just leave it unchecked for now....it will take a regedit to remove the item from the Disabled key where it is put when you "uncheck" things in msconfig.

Run Vundo Fix again, see what happens, post the log.

If it doesn't find anything run SUPER A/S again.

There is also this utility that I was going to have you post a log from so try that when you can:

Download ComboFix from *Here* or *Here* to your Desktop. 

Double-click *combofix.exe* and follow the prompts.
When finished, it shall produce a log for you. Post that log and a *HiJackThis* log in your next reply.
*Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.*
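As an added example (not code from the thread, HijackThis, VundoFix or SUPERAntiSpyware), here is a Python triage script for the pattern behind the entry horn069 asked about: it parses HijackThis O4 lines, flags rundll32 autostarts that load a random-looking DLL from system32, and cross-checks them against the VundoFix backup listing so an entry whose DLL has already been renamed to .BAD shows up as orphaned, the state Byteman describes above. The sample lines and the HKCU placement of the vuxwakxo entry are constructed for the example.

```python
"""Triage HijackThis O4 (autostart) lines for the rundll32-loaded-DLL pattern
discussed in this thread and cross-check them against a VundoFix backup
listing.  Constructed example; not code from HijackThis, VundoFix or the
thread."""
import ntpath
import re
from typing import Dict, List, Optional, Set

# Constructed sample in HijackThis O4 format.  The last line mirrors the
# msconfig entry the poster asked about (name, rundll32 command, export);
# placing it under HKCU is an assumption made for the sample.
SAMPLE_O4_LINES: List[str] = [
    r"O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe C:\windows\System32\CrazyTalk.dll,DllServeMediaFile",
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP",
    r'O4 - HKCU\..\Run: [vuxwakxo] rundll32.exe "C:\WINDOWS\system32\vuxwakxo.dll",setvm',
]

# Constructed listing of the VundoFix backup folder; VundoFix renames the
# files it removes with a .BAD suffix, as the SUPERAntiSpyware log shows.
SAMPLE_QUARANTINE: List[str] = [
    r"C:\VUNDOFIX BACKUPS\VUXWAKXO.DLL.BAD",
    r"C:\VUNDOFIX BACKUPS\NRJMXEEU.DLL.BAD",
]

# "O4 - HKLM\..\Run: [item name] command line"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<command>.*)$"
)
# rundll32[.exe] <dll path, quoted or bare>[,<export>] ...
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>[^,\s]+))(?:,(?P<export>\S+))?',
    re.IGNORECASE,
)
# Weak heuristic for Vundo-style names: 6-8 lowercase letters, nothing else.
# A legitimate vendor DLL with such a name would also be flagged, so treat a
# hit as "look closer", not as proof.
RANDOM_STEM_RE = re.compile(r"^[a-z]{6,8}$")


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Split one O4 line into hive, key, item name and command; None if not O4."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def rundll32_target(command: str) -> Optional[Dict[str, str]]:
    """Return the DLL path and export a rundll32 command loads, else None."""
    m = RUNDLL_RE.match(command.strip())
    if not m:
        return None
    return {"dll": m.group("quoted") or m.group("bare"),
            "export": m.group("export") or ""}


def looks_random(path: str) -> bool:
    """True for a .dll whose stem is 6-8 lowercase letters (see caveat above)."""
    stem, ext = ntpath.splitext(ntpath.basename(path))
    return ext.lower() == ".dll" and RANDOM_STEM_RE.match(stem) is not None


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def quarantined_names(listing: List[str]) -> Set[str]:
    """Lower-case basenames of quarantined files with the .BAD suffix stripped."""
    names: Set[str] = set()
    for p in listing:
        base = ntpath.basename(p)
        if base.upper().endswith(".BAD"):
            base = base[:-4]
        names.add(base.lower())
    return names


def triage(o4_lines: List[str], quarantine: List[str]) -> List[Dict[str, object]]:
    """Report rundll32 autostarts that load a random-looking DLL from system32
    or whose DLL is already sitting in the quarantine folder (orphaned entry)."""
    gone = quarantined_names(quarantine)
    findings: List[Dict[str, object]] = []
    for line in o4_lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        target = rundll32_target(entry["command"])
        if target is None:
            continue
        dll = target["dll"]
        reasons: List[str] = []
        if in_system32(dll) and looks_random(dll):
            reasons.append("rundll32 loads a random-looking DLL from system32 (Vundo-style autostart)")
        if ntpath.basename(dll).lower() in gone:
            reasons.append("DLL already renamed into the VundoFix backup folder; the autostart entry is orphaned")
        if reasons:
            findings.append({"name": entry["name"], "hive": entry["hive"], "dll": dll,
                             "export": target["export"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_O4_LINES, SAMPLE_QUARANTINE):
        print(f"[{f['hive']}] {f['name']}: {f['dll']},{f['export']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run against a full HijackThis log by feeding it every line; non-O4 lines are skipped, and the CrazyTalk entry shows that a rundll32 autostart with a readable vendor DLL name is not flagged by itself.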


----------



## horn069 (Dec 11, 2004)

Also there are some boxes that I unchecked as well that don't have a name or location in the startup tab in the system configuration utility. Is this normal?


----------



## Byteman (Jan 24, 2002)

Hi, are they blank, that is, no filename?

It's something that does happen, I have one blank in my msconfig....I just leave it alone.


----------



## horn069 (Dec 11, 2004)

Yes it is, and there are a couple of them.


----------



## horn069 (Dec 11, 2004)

If the Vundo Fix finds something, do I remove it, or just let the Super A/S take care of it?


----------



## Byteman (Jan 24, 2002)

Yes, that will get them!

SUPERantispyware also should but I think VundoFix should get it. It's a heck of lot faster too.


----------



## horn069 (Dec 11, 2004)

I looked back into the system configuration utility, and VUXWAKXO.DLL is no longer in there, and Vundo is not finished yet.


----------



## horn069 (Dec 11, 2004)

Here's the log from Vundo:

VundoFix V6.3.15

Checking Java version...

Scan started at 12:25:13 AM 08/03/2007

Listing files found while scanning....

C:\WINDOWS\system32\vhpudnmc.dll

Beginning removal...

Performing Repairs to the registry.
Done!


----------



## horn069 (Dec 11, 2004)

Running SUPER A/S Now, then I will run the combo scan and post tonight if I can stay awake, if not, first thing in the morning.


----------



## horn069 (Dec 11, 2004)

After Super A/S was complete, there were no files that it detected.

Here is the log from combo scan, and HJT:

ComboScan v20070226.18 run by User on 2007-03-08 at 08:03:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as User.exe) -------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:03:32 AM, on 08/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system32\MsPMSPSv.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Desktop\comboscan.exe
C:\DOCUME~1\User\Desktop\UNUSED~1\User.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://search.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1:5400;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;search.netscape.com12.129.205.209;sitefinder.verisign.com;localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mytelus.com/"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\nkwnoff5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\nkwnoff5.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe C:\windows\System32\CrazyTalk.dll,DllServeMediaFile
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PrinTray] C:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O12 - Plugin for .exe: C:\Program Files\Internet Explorer\PLUGINS\npdap.dll
O12 - Plugin for .rar: C:\Program Files\Internet Explorer\PLUGINS\npdap.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .zip: C:\Program Files\Internet Explorer\PLUGINS\npdap.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120110558546
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by107fd.bay107.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\windows\system32\LEXBCES.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe

-- Files created between 2007-02-08 and 2007-03-08 ------------------------------

2100-02-23 14:35:34 768 --a------ C:\Program Files\x73_lut.dat
2007-03-08 00:25:13 0 d-------- C:\VundoFix Backups<VUNDOF~1>
2007-03-08 00:19:37 0 d-------- C:\Program Files\Common Files\Java
2007-03-08 00:19:14 0 d-------- C:\Documents and Settings\User\Application Data\Sun
2007-03-07 20:28:19 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2007-03-07 20:08:28 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-03-07 20:08:21 0 d-------- C:\Program Files\SUPERAntiSpyware<SUPERA~1>
2007-03-07 20:08:21 0 d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-03-07 20:07:50 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-03-06 08:47:07 0 d-------- C:\WINDOWS\system32\Kaspersky Lab<KASPER~1>
2007-03-05 16:10:20 0 d-------- C:\avenger
2007-03-04 22:40:39 0 d-------- C:\Program Files\Zamaan's Software<ZAMAAN~1>
2007-03-04 20:37:18 0 d-------- C:\Program Files\Enigma Software Group<ENIGMA~1>
2007-03-04 18:26:03 0 d-------- C:\Program Files\XoftSpySE<XOFTSP~1>
2007-03-04 12:54:15 0 d-------- C:\Documents and Settings\User\Application Data\RegistrySmart<REGIST~1>
2007-03-04 12:54:12 0 d-------- C:\Program Files\RegistrySmart<REGIST~1>
2007-03-04 12:11:08 0 d-------- C:\Program Files\Lavasoft RegHance<LAVASO~1>
2007-03-03 13:30:53 0 d-------- C:\Program Files\BHODemon 2<BHODEM~1>
2007-02-17 20:46:34 23721 --a------ C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-02-17 20:46:34 48384 --a------ C:\WINDOWS\system32\drivers\CDR4VSD.SYS
2007-02-17 20:46:34 57136 -----n--- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-02-17 10:40:48 19392 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-02-17 10:40:48 3968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-02-09 20:03:40 73216 --a------ C:\WINDOWS\ST6UNST.EXE

-- Find3M Report ----------------------------------------------------------------

2007-03-08 02:30:00 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-0000000B-00001102-00000002-80651102}.dat<DVCSTA~2.DAT>
2007-03-08 02:30:00 24 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-0000000B-00001102-00000002-80651102}.dat<DVCSTA~1.DAT>
2007-03-08 00:19:37 0 d-------- C:\Program Files\Java
2007-03-08 00:14:14 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-03-07 20:28:19 0 d-------- C:\Program Files\CoreFTP
2007-03-06 00:09:18 47605 --a------ C:\Documents and Settings\User\Application Data\bhrslog.txt
2007-03-05 00:07:47 0 d-------- C:\Program Files\Grisoft
2007-02-21 00:28:22 0 d-------- C:\Program Files\SWiSHmax
2007-02-17 10:43:56 57136 --a------ C:\WINDOWS\system32\cdr4_xp.sys
2007-02-09 20:03:42 286720 -----n--- C:\WINDOWS\Setup1.exe
2007-02-09 10:08:53 0 d-------- C:\Program Files\Shareaza
2007-02-05 22:06:06 0 d-------- C:\Program Files\Eraser
2007-01-29 01:58:06 60416 --a------ C:\WINDOWS\system32\tzchange.exe
2007-01-08 18:08:10 13824 --a------ C:\WINDOWS\system32\ieudinit.exe
2007-01-04 13:09:53 110344 --a------ C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT<GDIPFO~1.DAT>
2006-12-19 14:52:18 134656 --a------ C:\WINDOWS\system32\shsvcs.dll
2006-12-19 11:16:47 333824 --a------ C:\WINDOWS\system32\wiaservc.dll

-- Registry Dump ----------------------------------------------------------------

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ATI Scheduler"="C:\\Program Files\\ATI Multimedia\\main\\ATISched.EXE"
"ATI DeviceDetect"="C:\\Program Files\\ATI Multimedia\\main\\ATIDtct.EXE"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CrazyTalk Serve"="rundll32.exe C:\\windows\\System32\\CrazyTalk.dll,DllServeMediaFile"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"POINTER"="point32.exe"
"IntelliType"="\"C:\\Program Files\\Microsoft Hardware\\Keyboard\\type32.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"PrinTray"="C:\\windows\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"PCLEPCI"="C:\\PROGRA~1\\Pinnacle\\PPE\\PPE.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^BHODemon 2.0.lnk]
"path"="C:\\Documents and Settings\\User\\Start Menu\\Programs\\Startup\\BHODemon 2.0.lnk"
"backup"="C:\\WINDOWS\\pss\\BHODemon 2.0.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\BHODEM~1\\BHODemon.exe "
"item"="BHODemon 2.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
"path"="C:\\Documents and Settings\\User\\Start Menu\\Programs\\Startup\\PowerReg Scheduler V3.exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler V3.exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\User\\Start Menu\\Programs\\Startup\\PowerReg Scheduler V3.exe"
"item"="PowerReg Scheduler V3"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Registration Lock On]
"path"="C:\\Documents and Settings\\User\\Start Menu\\Programs\\Startup\\Registration Lock On"
"backup"="C:\\WINDOWS\\pss\\Registration Lock OnStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\User\\Start Menu\\Programs\\Startup\\Registration Lock On"
"item"="Registration Lock On"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cli"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\B'sCLiP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BSCLIP"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\B'SCLI~1\\Win2K\\BSCLIP.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADGJDet"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Creative\\SBLive\\PROGRAM\\ADGJDet.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LTMSG"
"hkey"="HKLM"
"command"="LTMSG.exe 7"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="regsvr32 /s mqrt"
"hkey"="HKLM"
"command"="regsvr32 /s mqrt.dll"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PSDrvCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pop3trap.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Pop3trap"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2002\\Pop3trap.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="QFSCHD100"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Corel\\WordPerfect Office 2002\\Programs\\QFSCHD100.EXE\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistrySmart]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RegistrySmart"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\RegistrySmart\\RegistrySmart.exe\" -boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TeaTimer"
"hkey"="HKCU"
"command"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdReg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\UpdReg.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\warez]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="warez"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Warez P2P Client\\warez.exe\" -h"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTHELPER"
"hkey"="HKLM"
"command"="CTHELPER.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Fax"=dword:00000002
"WmcCdsLs"=dword:00000003
"WmcCds"=dword:00000003
"Iprip"=dword:00000002
"iPodService"=dword:00000003
"ERSvc"=dword:00000002
"DVD-RAM_Service"=dword:00000002
"cisvc"=dword:00000002
"ATI Smart"=dword:00000002
"SPTISRV"=dword:00000003
"FastUserSwitchingCompatibility"=dword:00000003
"Creative Service for CDROM Access"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{768318D5-06A3-4987-81FC-8ECA2E068210}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=""
"NoBandCustomize"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source	REG_SZ file:///C:/DOCUME~1/User/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0
HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0
p2psvc	REG_MULTI_SZ p2psvc\0p2pimsvc\0p2pgasvc\0PNRPSvc\0\0

-- End of ComboScan: finished at 2007-03-08 at 08:04:41 -------------------------

Latest Java is installed, and older versions are removed. Will run Spybot Search and Destroy now, then Adaware, will post results on completion.


----------



## horn069 (Dec 11, 2004)

Here's the adaware log, and the Spybot log:

The files were too big for the forum so I had to attach them.


----------



## Byteman (Jan 24, 2002)

Hi, I posted for you to download *ComboFix* in one of my replies, and asked you to run that utility, not ComboScan.

Please go back and see my post about that and run the tool and post the log. Post# 31 back in the thread here.

I'll be leaving at about 3 PM and not back till Friday evening- if you could somehow post the ComboFix that may give us enough time to finish up...if you are at work, I understand, and this may have to wait.


----------



## horn069 (Dec 11, 2004)

Here is the log from ComboFix:

"User" - 07-03-08 13:57:32 Service Pack 2
ComboFix 07-03-08 - Running from: "C:\Documents and Settings\User\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\autorun.inf
C:\WINDOWS\DOWNLO~1.\temp

((((((((((((((((((((((((((((((( Files Created from 2007-02-08 to 2007-03-08 ))))))))))))))))))))))))))))))))))

2007-03-08 00:25 d--------	C:\VundoFix Backups
2007-03-08 00:19 d--------	C:\Program Files\Common Files\Java
2007-03-08 00:19 d--------	C:\DOCUME~1\User\APPLIC~1\Sun
2007-03-07 20:28	0	--a------	C:\WINDOWS\system32\CMMGR32.EXE
2007-03-07 20:08 d--------	C:\Program Files\SUPERAntiSpyware
2007-03-07 20:08 d--------	C:\DOCUME~1\User\APPLIC~1\SUPERAntiSpyware.com
2007-03-07 20:08 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-03-07 20:07 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-03-06 08:47 d--------	C:\WINDOWS\system32\Kaspersky Lab
2007-03-05 16:10 d--------	C:\avenger
2007-03-04 22:40 d--------	C:\Program Files\Zamaan's Software
2007-03-04 20:37 d--------	C:\Program Files\Enigma Software Group
2007-03-04 18:26 d--------	C:\Program Files\XoftSpySE
2007-03-04 12:54 d--------	C:\Program Files\RegistrySmart
2007-03-04 12:54 d--------	C:\DOCUME~1\User\APPLIC~1\RegistrySmart
2007-03-04 12:11 d--------	C:\Program Files\Lavasoft RegHance
2007-03-03 13:30 d--------	C:\Program Files\BHODemon 2
2007-02-17 20:46	57,136	---------	C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-02-17 20:46	48,384	--a------	C:\WINDOWS\system32\drivers\CDR4VSD.SYS
2007-02-17 20:46	23,721	--a------	C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-02-17 10:40	3,968	--a------	C:\WINDOWS\system32\drivers\avgclean.sys
2007-02-17 10:40	19,392	--a------	C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-02-09 20:03	73,216	--a------	C:\WINDOWS\ST6UNST.EXE

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-03-08 13:35	24	--a------	C:\WINDOWS\system32\dvcstatebkp-{00000002-00000000-0000000b-00001102-00000002-80651102}.dat
2007-03-08 13:35	24	--a------	C:\WINDOWS\system32\dvcstate-{00000002-00000000-0000000b-00001102-00000002-80651102}.dat
2007-03-08 00:19	--------	d--------	C:\Program Files\java
2007-03-08 00:14	--------	d--h-----	C:\Program Files\installshield installation information
2007-03-07 20:28	--------	d--------	C:\Program Files\coreftp
2007-03-06 00:09	47605	--a------	C:\DOCUME~1\User\APPLIC~1\bhrslog.txt
2007-02-23 11:02	775680	--a------	C:\WINDOWS\system32\drivers\avg7core.sys
2007-02-23 11:02	27776	--a------	C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-02-21 00:28	--------	d--------	C:\Program Files\swishmax
2007-02-17 10:43	57136	--a------	C:\WINDOWS\system32\cdr4_xp.sys
2007-02-17 10:40	4960	--a------	C:\WINDOWS\system32\drivers\avgtdi.sys
2007-02-17 10:40	4224	--a------	C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-02-09 20:03	286720	---------	C:\WINDOWS\setup1.exe
2007-02-09 10:08	--------	d--------	C:\Program Files\shareaza
2007-02-05 22:06	--------	d--------	C:\Program Files\eraser
2007-01-04 13:09	110344	--a------	C:\DOCUME~1\User\APPLIC~1\gdipfontcachev1.dat

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ATI Scheduler"="C:\\Program Files\\ATI Multimedia\\main\\ATISched.EXE"
"ATI DeviceDetect"="C:\\Program Files\\ATI Multimedia\\main\\ATIDtct.EXE"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"Steam"=""
"ATI Launchpad"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CrazyTalk Serve"="rundll32.exe C:\\windows\\System32\\CrazyTalk.dll,DllServeMediaFile"
"POINTER"="point32.exe"
"IntelliType"="\"C:\\Program Files\\Microsoft Hardware\\Keyboard\\type32.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"PrinTray"="C:\\windows\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"PCLEPCI"="C:\\PROGRA~1\\Pinnacle\\PPE\\PPE.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^BHODemon 2.0.lnk]
"path"="C:\\Documents and Settings\\User\\Start Menu\\Programs\\Startup\\BHODemon 2.0.lnk"
"backup"="C:\\WINDOWS\\pss\\BHODemon 2.0.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\BHODEM~1\\BHODemon.exe "
"item"="BHODemon 2.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
"path"="C:\\Documents and Settings\\User\\Start Menu\\Programs\\Startup\\PowerReg Scheduler V3.exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler V3.exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\User\\Start Menu\\Programs\\Startup\\PowerReg Scheduler V3.exe"
"item"="PowerReg Scheduler V3"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Registration Lock On]
"path"="C:\\Documents and Settings\\User\\Start Menu\\Programs\\Startup\\Registration Lock On"
"backup"="C:\\WINDOWS\\pss\\Registration Lock OnStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\User\\Start Menu\\Programs\\Startup\\Registration Lock On"
"item"="Registration Lock On"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cli"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\B'sCLiP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BSCLIP"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\B'SCLI~1\\Win2K\\BSCLIP.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADGJDet"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Creative\\SBLive\\PROGRAM\\ADGJDet.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LTMSG"
"hkey"="HKLM"
"command"="LTMSG.exe 7"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="regsvr32 /s mqrt"
"hkey"="HKLM"
"command"="regsvr32 /s mqrt.dll"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PSDrvCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pop3trap.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Pop3trap"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2002\\Pop3trap.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="QFSCHD100"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Corel\\WordPerfect Office 2002\\Programs\\QFSCHD100.EXE\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistrySmart]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RegistrySmart"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\RegistrySmart\\RegistrySmart.exe\" -boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TeaTimer"
"hkey"="HKCU"
"command"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdReg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\UpdReg.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\warez]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="warez"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Warez P2P Client\\warez.exe\" -h"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTHELPER"
"hkey"="HKLM"
"command"="CTHELPER.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Fax"=dword:00000002
"WmcCdsLs"=dword:00000003
"WmcCds"=dword:00000003
"Iprip"=dword:00000002
"iPodService"=dword:00000003
"ERSvc"=dword:00000002
"DVD-RAM_Service"=dword:00000002
"cisvc"=dword:00000002
"ATI Smart"=dword:00000002
"SPTISRV"=dword:00000003
"FastUserSwitchingCompatibility"=dword:00000003
"Creative Service for CDROM Access"=dword:00000002
"PACSPTISVR"=dword:00000003

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=""
"NoBandCustomize"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source	REG_SZ file:///C:/DOCUME~1/User/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0
HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0
p2psvc	REG_MULTI_SZ p2psvc\0p2pimsvc\0p2pgasvc\0PNRPSvc\0\0

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070305-160442-273 
O20 - Winlogon Notify: ddabb - C:\WINDOWS\
backup-20070305-160442-494 
O2 - BHO: (no name) - {768318D5-06A3-4987-81FC-8ECA2E068210} - C:\WINDOWS\system32\fccyyxv.dll (file missing)
backup-20070305-160442-452 
O2 - BHO: (no name) - {04AD4655-5846-4831-8376-D3B208DA3CB7} - C:\WINDOWS\system32\ddabc.dll (file missing)

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\XoftSpySE.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CrazyTalk Serve = rundll32.exe C:\windows\System32\CrazyTalk.dll,DllServeMediaFile

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-08 14:02:14


----------



## Byteman (Jan 24, 2002)

Hi, thank you. I see the problem, but the autorun infection will require some help from an expert; I hope you understand. I will ask them; if they are online now they should be able to help you.

It may be that no one is around this late- so we can pick up tomorrow. Just let me know what you would rather do.

The infection usually is put back on your computer from a USB flash or other removable drive.... If you have one of those, or someone who uses this computer does connect a USB drive, have it around when you are going to fix this. It could be a friend, relative, anyone who connects a removable drive to this computer.... So, you may need to ask other users, and locate that removable drive if they are around.

The infection immediately jumps to your machine without assistance, when it is plugged in, and to fix this, several things have to be done. It's not difficult, just a bit time consuming. 

There does seem to be some other malware running too, so it should all be taken care of, but probably after the autorun infection is fixed....


----------



## Cookiegal (Aug 27, 2003)

I'm attaching *Getautoruns.zip* to this post. Create a new folder on your desktop and unzip it to that new folder.

You'll now have a file named *Getautoruns.bat* in that new folder. There will also be a file called *removeit.bat* but don't run that one.

*Be sure your flash drives are connected.*

Double click on *Getautoruns.bat* and let it run. It will create a file named *autos.txt*

Attach *autos.txt* to your next reply here.

Also, please go to *Start *- *Run *and type *cmd *then click OK.

Then on the black DOS-like screen copy the words in bold below and then paste the line at the prompt. To paste in DOS, with the DOS screen open, click on the DOS icon at the top left of your window and select "Edit" then "Paste" and hit Enter.

*cd \ & dir /a /s autorun.**

Copy and paste the results here please.

To do that:

Right-click in the black area of your DOS window. From the drop down menu click on "Edit" then click on the item "Mark" which pops up in a connected menu. Now click at the beginning of the text you want to copy. Next move to the end of the text you want to copy and click again while holding down the Shift key. Now you have "marked" the section you want to copy. Go click on the DOS icon again, select "Copy" and then "paste" it.


----------
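The recurring autorun.inf infection Byteman describes (it is re-seeded from a removable drive) and the `dir /a /s autorun.*` check Cookiegal asks for above are the kind of thing a small triage script can do in one pass. The Python below is an added example, not one of the tools or batch files posted in this thread: it walks a tree for autorun.* files, parses each autorun.inf tolerantly and reports the directives that would launch a program, any junk padding, and (on Windows only) whether the file carries the Hidden and System attributes. The sample files it writes are constructed, and the `hidden\launcher.exe` path in them is hypothetical.

```python
import os
import tempfile
from dataclasses import dataclass, field
from typing import List, Tuple

# Windows attribute bits from os.stat().st_file_attributes (absent off-Windows, treated as 0)
FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x2, 0x4
HIDDEN_SYSTEM = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

@dataclass
class AutorunFinding:
    path: str
    launches: List[str] = field(default_factory=list)  # e.g. "open=setup.exe"
    junk_lines: int = 0          # lines that are neither a section header nor key=value
    hidden_system: bool = False  # file carries both the Hidden and System attributes

    @property
    def suspicious(self) -> bool:
        # Anything that starts a program from a drive root or a system folder deserves a
        # look; junk padding and H+S attributes are typical of worm-written files.
        return bool(self.launches) or self.junk_lines > 0 or self.hidden_system

def extract_launch_directives(text: str) -> Tuple[List[str], int]:
    """Return (launch directives in [autorun*] sections, number of junk lines).
    Hand-rolled because worm-written files often interleave binary junk lines
    that configparser rejects outright."""
    launches: List[str] = []
    junk, in_autorun = 0, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment
        if line.startswith("[") and line.endswith("]"):
            # [autorun] plus architecture variants such as [autorun.alpha]
            in_autorun = line[1:-1].strip().lower().startswith("autorun")
            continue
        if not in_autorun:
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if not sep or not key:
            junk += 1
            continue
        # open= / shellexecute= run directly; shell\<verb>\command= runs from the
        # Explorer context menu and shell=<verb> makes that verb the default action.
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in ("open", "shellexecute", "shell") or is_verb:
            launches.append(f"{key}={value.strip()}")
    return launches, junk

def find_autorun_files(root: str) -> List[str]:
    """Recursive, case-insensitive search for autorun.* (what dir /a /s autorun.* lists)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, n) for n in files if n.lower().startswith("autorun."))
    return sorted(hits)

def parse_autorun_inf(path: str) -> AutorunFinding:
    finding = AutorunFinding(path=path)
    with open(path, "rb") as fh:
        text = fh.read().decode("latin-1")  # never fails on binary padding
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    finding.hidden_system = (attrs & HIDDEN_SYSTEM) == HIDDEN_SYSTEM
    finding.launches, finding.junk_lines = extract_launch_directives(text)
    return finding

def triage_tree(root: str) -> List[AutorunFinding]:
    # Only autorun.inf is parsed; other autorun.* names are listed so the reader sees them.
    return [parse_autorun_inf(p) if os.path.basename(p).lower() == "autorun.inf"
            else AutorunFinding(path=p) for p in find_autorun_files(root)]

# Constructed sample files (hypothetical content, not taken from the thread's logs).
SAMPLE_FILES = {
    # Vendor-style CD autorun: starts a setup program, no padding.
    "cdrom/autorun.inf": "[autorun]\nopen=setup.exe\nicon=setup.exe,0\nlabel=Vendor CD\n",
    # Worm-style: junk padding, launcher in a hidden folder, default verb redirected.
    "usb/autorun.inf": (";\x01\x02 padding \x7f\n[AutoRun]\n"
                        "SHELLEXECUTE=hidden\\launcher.exe\n"
                        "shell\\open\\Command=hidden\\launcher.exe\n"
                        "zzqq garbage line without delimiter\nshell=open\n"),
    # Harmless: only a volume label and an icon.
    "photos/autorun.inf": "[autorun]\nlabel=Holiday photos\nicon=photos.ico\n",
}

def run_demo() -> List[AutorunFinding]:
    """Write the samples into a temp dir, triage it, return findings with relative paths."""
    with tempfile.TemporaryDirectory() as base:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(base, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="latin-1", newline="") as fh:
                fh.write(content)
        findings = triage_tree(base)
        for f in findings:
            f.path = os.path.relpath(f.path, base).replace(os.sep, "/")
        return findings

if __name__ == "__main__":
    for f in run_demo():
        tag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{tag:10} {f.path} launches={f.launches} junk={f.junk_lines} H+S={f.hidden_system}")
```

To check a real drive, call `triage_tree("E:\\")` (or `"C:\\WINDOWS"`, where ComboFix found one above) instead of `run_demo()`; the script only reads, it never deletes, so the decision stays with the helper.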



## horn069 (Dec 11, 2004)

Here is the log for Getautoruns.bat, and the cmd dos log text:


----------



## Byteman (Jan 24, 2002)

Hi, there is nothing to do with the autoruns files, so I was advised by some who deal with those!

It looks like you have at least one protective program that may affect changes you need to make: it is a feature of SpyBot called Tea Timer, and I think I posted for you to turn this off. Some time has passed with this thread, I know, but you can just turn it off now, before fixing things:

*http://wiki.castlecops.com/Malware_Removal:_Temporarily_Disable_Real_Time_Monitoring_Programs*

In the list at that site, see about Tea Timer; the how-to steps are there.

Also, this one:

*http://russelltexas.com/malware/teatimer.htm* for help.

Look through the list at the Castlecops site above, and if you have any other programs, besides AVG Antispyware, also disable them temporarily, we want a good scan to check for malware.

Looks like this program may also lock the Registry, I am not sure:

Registry Smart --- if there is a way to turn this off, or set it not to prevent Registry changes, you should, as removing some ad and spyware does involve Registry changes.

I wish I had time to get more into this right now, but we have an event to go out to....I will be back around 8 or 9 PM. Benefit for a sick friend!

The new files you PM'd me about, should be deleted, they are definitely malware.

What is Warez P2P Client? Part of the Ares filesharing- should be taken off, it will more than likely bring you more malware.

Our advice is never to use filesharing, in regard to the type of programs that are not monitored; as I have no idea about this one, I point to it and you decide what you want to do with it.

Did we update the Java software- I see an older version in the last Hijackthis log....did we do this yet?

Go to * HERE * and download the latest version of Java; it's the Java Runtime Environment 6.0, the fourth download down.
Once you have it, uninstall all the older versions of Java JRE you see in Control Panel > Add/Remove Programs and install the new one.
If we've done that already, skip it, but you should uninstall any older versions of the Java Runtime you see in Add/Remove Programs: get the version 6.0 download first, then install it.

Need to see a new Hijackthis log, please! I looked back in the thread, and we did get the newer version of Java....so I guess we need to see an updated HJT log next.

I think also a new run of VundoFix to see if anything has come back, would be good.


----------



## horn069 (Dec 11, 2004)

There were no files to remove from the VundoFix. Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:03:54 PM, on 10/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system32\MsPMSPSv.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\User\Desktop\Unused Desktop Shortcuts\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://search.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1:5400;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;search.netscape.com12.129.205.209;sitefinder.verisign.com;localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mytelus.com/"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\nkwnoff5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\nkwnoff5.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe C:\windows\System32\CrazyTalk.dll,DllServeMediaFile
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PrinTray] C:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O12 - Plugin for .exe: C:\Program Files\Internet Explorer\PLUGINS\npdap.dll
O12 - Plugin for .rar: C:\Program Files\Internet Explorer\PLUGINS\npdap.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .zip: C:\Program Files\Internet Explorer\PLUGINS\npdap.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120110558546
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by107fd.bay107.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\windows\system32\LEXBCES.EXE

Will wait for instructions. For the Tea Timer, I just disabled Spybot SD in the configuration utility, so it will not run during start-up.


----------



## Byteman (Jan 24, 2002)

Hi, the instructions for turning off Tea Timer are in the two links in my last reply...the clickable underlined links will take you to a page with the steps.

Did you try to uninstall PowerRegScheduler v.3?

If it was *not in* the Add/Remove Programs list, simply delete the file....

You will need to make these changes to settings, so that you can search for and see hidden, system, and all files:

Because XP will not always show you hidden files and folders by default, go to Start > Search > Files and Folders, and under "More advanced search options"
make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Use *Search* tool from the Start button, type in just what you see below, and have it Search on Drive C:

*PowerReg Scheduler V3.exe* And if the file is found, simply right click and delete it.

(In the last Combo log, PowerReg is disabled in msconfig....
You will probably have to go and re-checkmark the item, restart, for it to be found and then delete it--- I'm not sure!)

Don't worry if you cannot find it.

RE: Disabling SpyBot> undo what you did, and disable only the Tea Timer function, SpyBot offers good protection for Internet Explorer, you should have that running.

Were you able to Uninstall the P2P warez, or is that just a folder?
See if there is an uninstaller in the folder, try running that, if no luck just dump the whole folder.

The same for this one; you might have disabled it in msconfig...

*C:\Program Files\Warez P2P Client\warez.exe*

This is probably part of the Ares filesharing program, I would uninstall/delete this.
Re-check it, in msconfig, you will have to restart....then delete it, if there is an Uninstaller in the folder run that, then delete the entire folder. Looks like an easy way to get infected again!

After doing that, all I would suggest doing is a scan again with each of these programs:

SUPERantispyware

SpyBot Search and Destroy and, Ad-Aware SE.

There is no need for you to post the logs of these- just run, see if they found anything, and take care of what is found.

Keep alert for signs of the Vundo trojan; it should be gone now.
What you can do, when you have some time, is run VundoFix and see what it finds, especially if you see any of those popups.

After you are fairly sure Vundo is long gone, please delete the entire VundoFix folder, there is no uninstaller, just delete the whole folder.

And, if some time goes by, and you need VundoFix once more, always *download a new copy, because it is updated fairly often*

A run of your temp file cleaner would be good to do, I use one about every two days, at the end of the day before shutting down.


----------



## horn069 (Dec 11, 2004)

Great, will get on it thanks.


----------

