Author Topic: need help with vundo, winfixer, and winlogon  (Read 2207 times)

Offline Whit

need help with vundo, winfixer, and winlogon
« on: September 19, 2006, 10:09:24 PM »
I have tried the following to only discover vundo and winfixer (and the winlogon error) remaining and my computer still very sluggish:

Adaware
Spybot S&D
Symantec's Vundo fix
Symantec's Virtumonde fix
Uniblue's Registry Booster
Uniblue's WinTasks
Uniblue's SpeedUpMyPC
Re-installing Windows XP SP2

Then at seemingly random times, I get a winlogon error:

It says something like "winlogon referenced (hexadecimal) memory at (hexadecimal) and it cannot be read".

I click on OK, it seems to shut down, then it gives me a black screen (computer and monitor still on), and just sits there until I hit the power button after about 10 minutes. It doesn't reboot regardless of how long I let it sit. However, if I don't click OK and continue using Explorer, the sluggishness is mostly gone.


The winlogon error most often occurs when I am looking up information online through Internet Explorer or downloading a file from a site.  It once occurred when I was playing MS Flight Simulator 2004.

I have heard HiJackThis is useful for others to help me.  I downloaded 1.99 I think.  Here is the log I just ran:

Logfile of HijackThis v1.99.1
Scan saved at 22:54:43, on 19/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CE\nmSvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\1146781927\ee\AOLSoftware.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\common files\aol\1146781927\ee\aim6.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\ziptemp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\system32\awtsp.dll
O2 - BHO: (no name) - {2ECD0C91-3CF1-4C3D-BD59-BC7802156D14} - C:\WINDOWS\system32\mopoouec.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\ffyvosdh.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146781927\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\ziptemp\AIM95\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awtsp - C:\WINDOWS\system32\awtsp.dll
O20 - Winlogon Notify: lqtuivqi - C:\WINDOWS\SYSTEM32\lqtuivqi.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: rqsftexu - C:\WINDOWS\SYSTEM32\rqsftexu.dll
O20 - Winlogon Notify: vonbxdjv - C:\WINDOWS\SYSTEM32\vonbxdjv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Offline guestolo

need help with vundo, winfixer, and winlogon
« Reply #1 on: September 19, 2006, 10:22:44 PM »
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files,  click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.
« Last Edit: October 14, 2006, 12:07:48 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Whit

need help with vundo, winfixer, and winlogon
« Reply #2 on: September 20, 2006, 12:14:03 AM »
VundoFix V6.1.5

Checking Java version...

Scan started at 0:57:48 20/9/2006

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\eaakrfoc.exe
C:\WINDOWS\SYSTEM32\gbtpuydc.exe
C:\WINDOWS\SYSTEM32\kllrkxwl.exe

Beginning removal...

 Attempting to delete C:\WINDOWS\SYSTEM32\eaakrfoc.exe
C:\WINDOWS\SYSTEM32\eaakrfoc.exe Has been deleted!

 Attempting to delete C:\WINDOWS\SYSTEM32\gbtpuydc.exe
C:\WINDOWS\SYSTEM32\gbtpuydc.exe Has been deleted!

 Attempting to delete C:\WINDOWS\SYSTEM32\kllrkxwl.exe
C:\WINDOWS\SYSTEM32\kllrkxwl.exe Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of HijackThis v1.99.1
Scan saved at 1:13:14, on 20/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CE\nmSvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\AOL\1146781927\ee\AOLSoftware.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\ziptemp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\system32\awtsp.dll
O2 - BHO: (no name) - {2ECD0C91-3CF1-4C3D-BD59-BC7802156D14} - C:\WINDOWS\system32\mopoouec.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\ffyvosdh.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146781927\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\ziptemp\AIM95\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awtsp - C:\WINDOWS\system32\awtsp.dll
O20 - Winlogon Notify: lqtuivqi - C:\WINDOWS\SYSTEM32\lqtuivqi.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: rqsftexu - C:\WINDOWS\SYSTEM32\rqsftexu.dll
O20 - Winlogon Notify: vonbxdjv - C:\WINDOWS\SYSTEM32\vonbxdjv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Offline guestolo

need help with vundo, winfixer, and winlogon
« Reply #3 on: September 20, 2006, 07:41:43 AM »
Did you knowingly install Covenant Eyes?
It is "internet accountability" software: surveillance software that tracks all activities, logs keystrokes, etc. http://www.covenanteyes.com/about.php

Can you do the following please?
Download this file - Combofix.exe - and save it to your desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Also, can I see an uninstall list from Hijackthis?
Open Hijackthis >> Open Misc tools section >> Open Uninstall manager
Click the SAVE LIST... button
Save this list to your desktop, then copy >> paste the whole contents back here as well.



Offline Whit

need help with vundo, winfixer, and winlogon
« Reply #4 on: September 20, 2006, 06:33:14 PM »
Quote from guestolo (Sep 20 2006, 07:41 AM, post 204181):
> Did you knowingly install Covenant Eyes?
> "internet accountability" software. Surveillance software that tracks all activities, logs keystrokes, etc. http://www.covenanteyes.com/about.php

Yes, I did install Covenant Eyes. I'll run the combofix and post the results you requested this evening.

Offline Whit

need help with vundo, winfixer, and winlogon
« Reply #5 on: September 20, 2006, 07:01:19 PM »
COMBOFIX

Whitney Roberts - 06-09-20 19:40:38.51    Service Pack 2
ComboFix 06.09.20 - Running from: "C:\Documents and Settings\Whitney Roberts\Desktop"
Command switches used ::        

(((((((((((((((((((((((((((((((   Files Created from 2006-08-20 to 2006-09-20  ))))))))))))))))))))))))))))))))))
 

No new files created in this timespan
 

((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-20 19:42   1392345   ---hs----   C:\WINDOWS\SYSTEM32\pstwa.ini2
2006-09-20 19:41   1392345   ---hs----   C:\WINDOWS\SYSTEM32\pstwa.bak2
2006-09-20 01:29   --------   d--------   C:\Documents and Settings\Whitney Roberts\Application Data\CE
2006-09-18 22:43   1401165   ---hs----   C:\WINDOWS\SYSTEM32\pstwa.bak1
2006-09-17 22:24   --------   d--------   C:\Program Files\ICQToolbar
2006-09-17 15:54   --------   d--------   C:\Program Files\SkyTeam Travel Timetable
2006-09-16 23:44   --------   d--------   C:\Program Files\oneworldflights
2006-09-15 02:03   --------   d--------   C:\Documents and Settings\Whitney Roberts\Application Data\WeatherBug
2006-09-14 19:46   --------   d--------   C:\Program Files\Windows Media Player
2006-09-14 19:22   --------   d--------   C:\Program Files\Google
2006-09-10 19:49   --------   d--------   C:\Program Files\OfficeUpdate11
2006-09-10 19:47   --------   d--------   C:\Program Files\Microsoft Works
2006-09-10 19:47   --------   d--------   C:\Program Files\Common Files\Microsoft Shared
2006-09-10 18:49   --------   d--------   C:\Documents and Settings\Whitney Roberts\Application Data\Registry Booster
2006-09-10 13:55   --------   d--------   C:\Program Files\LIUtilities
2006-09-10 13:54   --------   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2006-09-10 13:52   --------   d--------   C:\Program Files\Common Files
2006-09-10 12:28   --------   d--------   C:\Program Files\Uniblue
2006-09-07 19:27   --------   d--------   C:\Documents and Settings\Whitney Roberts\Application Data\Lavasoft
2006-09-07 19:26   --------   d--------   C:\Program Files\Lavasoft
2006-08-21 08:21   16896   --a------   C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 05:14   23040   --a------   C:\WINDOWS\SYSTEM32\fltmc.exe
2006-08-21 05:14   128896   ---------   C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
2006-08-20 18:28   --------   d--------   C:\Program Files\United TravelDesk
2006-08-20 18:28   --------   d--------   C:\Program Files\United EasySchedule for PC
2006-08-19 20:08   --------   d--h-----   C:\Program Files\InstallShield Installation Information
2006-08-19 20:08   --------   d--------   C:\Program Files\QuickTime
2006-08-19 20:03   --------   d--------   C:\Program Files\iTunes
2006-08-19 20:02   --------   d--------   C:\Program Files\iPod
2006-08-16 22:11   --------   d--------   C:\Program Files\Kodak
2006-08-16 22:06   --------   d--------   C:\Program Files\Internet Explorer
2006-07-27 09:24   679424   --a------   C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-21 04:24   72704   --a------   C:\WINDOWS\SYSTEM32\hlink.dll
2006-06-22 01:06   69120   --a------   C:\WINDOWS\SYSTEM32\ciodm.dll
2006-06-22 01:06   1435648   --a------   C:\WINDOWS\SYSTEM32\query.dll
 

((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Weather"="C:\\PROGRA~1\\AWS\\WEATHE~1\\Weather.exe 1"
"Sonic RecordNow!"=""
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"Aim6"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"NMSVC"="C:\\Program Files\\CE\\nmSvc.exe"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"mmtask"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1146781927\\ee\\AOLSoftware.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe"
"CTHelper"="CTHELPER.EXE"
"CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE"
"BCWipeTM Startup"="\"C:\\Program Files\\Jetico\\BCWipe\\BCWipeTM.exe\" startup"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ATIModeChange"="Ati2mdxx.exe"
"AsioReg"="REGSVR32.EXE /S CTASIO.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0\\aoltray.exe -check"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
"backup"="C:\\WINDOWS\\pss\\Digital Line Detect.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\DIGITA~1\\DLG.exe "
"item"="Digital Line Detect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Whitney Roberts^Start Menu^Programs^Startup^Webshots.lnk]
"backup"="C:\\WINDOWS\\pss\\Webshots.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Webshots\\Launcher.exe  /t"
"item"="Webshots"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Error Nuker]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ErrorNuker"
"hkey"="HKLM"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lqtuivqi
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqsftexu
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vonbxdjv

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ  msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

 
Completion time: Wed 20/09/2006 19:43:38.29
ComboFix.txt

HIJACKTHIS UNINSTALL LIST

Ad-Aware SE Personal
Adobe Acrobat 4.0
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0.8
Airliners Env 5.1
Antonov An-24RV
AOL Coach Version 1.0(Build:20030807.3)
AOL Uninstaller (Choose which Products to Remove)
ATI Control Panel
ATI Display Driver
BCWipe 3.0
Carnival Cruise Lines Tycoon 2005 - Island Hopping
Conexant SmartHSFi V.9x 56K DF PCI Modem
Covenant Eyes
Creative MediaSource
Dell Digital Jukebox Driver
Dell Media Experience
Dell Solution Center
Dell Support 5.0.0 (766)
Digital Line Detect
DVDSentry
F/A-18E
Flight Shop Converter for Microsoft Flight Simulator 98
GdiplusUpgrade
Google Earth
HijackThis 1.99.1
HP Image Zone 3.5
HP PSC & OfficeJet 3.5
HP Software Update
ICQ 5
Ilyushin IL-18D for MSFS
Ilyushin Il-86
Intel® PRO Network Adapters and Drivers
Intel® PROSet
Internet Explorer Default Page
iTunes
Jasc Paint Shop Photo Album
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.2
Learn2 Player (Uninstall Only)
LiveUpdate 1.7 (Symantec Corporation)
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Flight Simulator 2000
Microsoft Flight Simulator 2002
Microsoft Flight Simulator 2004 A Century of Flight
Microsoft Flight Simulator 98
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Office Basic Edition 2003
Microsoft Train Simulator
mIRC
Modem Helper
MSN Messenger 7.5
MSN Music Assistant
Musicmatch® Jukebox
Netscape Browser (remove only)
NetWaiting
Norton AntiVirus Corporate Edition
oneworld Timetables
overland
PCStage V4.6.5
PF10070 Fokker-100/70 Models V1.0
Picasa 2
PowerDVD
PSS Concorde 2004 1.1
QuickTime
Radio365
RealPlayer
RealRhapsody
SecureVideo Plug-in
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Select CashBack
SkyTeam Travel Timetable
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Sound Blaster Audigy 2
SpeedUpMyPC
Spybot - Search & Destroy 1.3
TextPad 4.7
The Planes of Airbus
TurboTax ItsDeductible 2004
TurboTax ItsDeductible 2005
UERDTOOLS
Uniblue Registry Booster
United TravelDesk
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Verizon SmartCall
Viewpoint Media Player
WeatherBug
Webshots Desktop
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinTasks
X-Plane 8.0
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
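The four `winlogon\notify` subkeys in the ComboFix output above (awtsp, lqtuivqi, rqsftexu, vonbxdjv) are the part of this log worth understanding: anything registered there is loaded into winlogon.exe itself as a notification package, so it runs at every logon, survives most user-mode cleanups, and a faulty one takes the logon process down with it (consistent with the winlogon access-violation dialog described earlier in the thread). Vundo/Virtumonde registers a randomly named DLL there and usually the same DLL as an IE BHO. The script below is an added example, not code from this thread or from any of the tools named in it: it triages HijackThis O2/O20 lines and ComboFix-style key paths for exactly that pattern. The allowlist of legitimate notify packages is a hand-picked assumption, the "random name" rule is a heuristic, and the sample report is constructed from entries that appear in this thread.

```python
import re

# Assumption: a hand-picked allowlist of Winlogon\Notify packages that ship
# with XP SP2, plus the two vendor entries seen in this thread (Symantec AV,
# Windows Genuine Advantage). Illustrative, not authoritative.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "navlogon", "wgalogon",
}

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O2_RE = re.compile(r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
NOTIFY_KEY_RE = re.compile(r"\\winlogon\\notify\\(?P<name>[^\\\s]+)\s*$", re.I)
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{3,}")


def dll_stem(path):
    """'C:\\WINDOWS\\system32\\awtsp.dll (file missing)' -> 'awtsp'."""
    path = path.strip()
    if path.endswith("(file missing)"):
        path = path[: -len("(file missing)")].strip()
    name = path.split("\\")[-1].lower()
    return name[:-4] if name.endswith(".dll") else name


def looks_random(name):
    """Vundo-style names: all lowercase letters containing a run of 3+ consonants."""
    return name.isalpha() and name.islower() and CONSONANT_RUN.search(name) is not None


def triage(report):
    """Return one finding per Winlogon\\Notify entry that is not on the allowlist."""
    notify = {}        # subkey name -> DLL stem (None when only the key path is known)
    bho_stems = set()  # DLLs registered as IE Browser Helper Objects
    for line in report.splitlines():
        line = line.strip()
        m = O20_RE.match(line)
        if m:
            notify[m["name"]] = dll_stem(m["path"])
            continue
        m = O2_RE.match(line)
        if m:
            if m["path"].strip() != "(no file)":
                bho_stems.add(dll_stem(m["path"]))
            continue
        m = NOTIFY_KEY_RE.search(line)
        if m:
            notify.setdefault(m["name"], None)

    findings = []
    for name, stem in notify.items():
        if name.lower() in KNOWN_NOTIFY:
            continue
        reasons = ["not a known Winlogon notification package"]
        if looks_random(name):
            reasons.append("random-looking subkey name")
        if (stem or name.lower()) in bho_stems:
            reasons.append("same DLL is also registered as an IE BHO")
        findings.append({
            "name": name,
            "dll": stem or name.lower(),
            "severity": "high" if len(reasons) > 1 else "review",
            "reasons": reasons,
        })
    return findings


# Constructed sample: HijackThis O2/O20 lines and ComboFix key paths mirroring
# the entries posted in this thread, with three legitimate packages mixed in.
SAMPLE_REPORT = r"""
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\system32\awtsp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\ffyvosdh.dll (file missing)
O20 - Winlogon Notify: awtsp - C:\WINDOWS\system32\awtsp.dll
O20 - Winlogon Notify: lqtuivqi - C:\WINDOWS\SYSTEM32\lqtuivqi.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqsftexu
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vonbxdjv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f['severity']}] {f['name']} ({f['dll']}.dll): " + "; ".join(f["reasons"]))
```

The name heuristic is a triage aid, not proof: confirm a hit by checking the DLL's signature or hash before removing it, and expect the file to be locked while winlogon.exe has it loaded, which is why these entries are normally cleaned from Safe Mode or with a tool that removes them before the package loads. On a live machine the same key can be dumped with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" /s` and fed to `triage()`.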

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
need help with vundo, winfixer, and winlogon
« Reply #6 on: September 20, 2006, 07:48:59 PM »
Can you do the following
We have a bit more cleaning to do

Your version of Sun Java is outdated and should be updated.
  • Download the latest version of  Java Runtime Environment (JRE) 5.0 Update 8.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Don't install it yet

Open the Java icon in your Windows Control panel
Under the Cache tab, click the Clear cache

Access your add/remove programs via control panel
Remove the following
Java 2 Runtime Environment, SE v1.4.2
Select CashBack


If you didn't intentionally install the next ones, remove them too
Viewpoint Media Player
WeatherBug


Finally, remove Spybot - Search & Destroy 1.3
As it is terribly outdated, we'll update it later

Reboot the computer afterwards
Install the latest version of Java from the installer on the desktop

Back in Windows
download ATF-Cleaner by Atribune.
This program is for XP and Windows 2000 only
Don't run it yet

==Download and Install Spybot 1.4 from
HERE

After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and then download all updates
After update is complete, close it as we will need it later

==Download, install, and update Ewido anti-spyware
  • Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Close Ewido. Do not run it yet.
Print the rest of these instructions or save them to a text file on desktop

Reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.
Sign in with your normal user account

In safe mode
========================================================
Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.

If you use Firefox browser

      Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

      Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

 This will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
====================================================

Open Spybot 1.4
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected problems in RED
Reboot the computer
Can you reboot back to Safe mode please

Ewido Scan
  • Then run Ewido and click on the Scanner tab at the top and then click on Complete System Scan.  This scan can take quite a while to run, so be prepared.
  • Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As".  This will create a text file.  Make sure you know where to find this file again (like on the Desktop).
Reboot the computer back to Normal windows, let's see what we're left with

Post back all the following please
1. Post back a fresh hijackthis log
2. Post the whole report from Ewido's
« Last Edit: September 20, 2006, 07:49:17 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted at http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Whit

  • Newbie
  • *
  • Posts: 24
  • Karma: +0/-0
need help with vundo, winfixer, and winlogon
« Reply #7 on: September 20, 2006, 08:56:12 PM »
I'll try to do all of this by Saturday.  However, right now, when I boot in safe mode, the screen is black except with the white words "windows xp ........ SP 2" at the top and "safe mode" at the 4 corners of the screen. (regardless if I click on Administrator or my name).  I can still run programs but through the command window in safe mode.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
need help with vundo, winfixer, and winlogon
« Reply #8 on: September 20, 2006, 08:59:02 PM »
If you're having problems with running them at all in safe mode
Run them in Normal windows with all unnecessary programs running in the background
Ensure to reboot after running Ewido and Spybot please

Forgot to say, even in safe mode or safe mode command prompt
you can exit the prompt

Use Ctrl+Alt+Del to bring up task manager

In task manager use File>>>New task(Run.)
Browse to the programs

Eg... If you saved ATF-Cleaner on your desktop
Browse to C:\Documents and Settings\<user name>\Desktop
and run ATF-Cleaner.exe from there

Spybot and Ewido
will both be in C:\Program Files folder

You're looking for Ewido.exe and SpybotSD.exe
« Last Edit: September 20, 2006, 09:21:08 PM by guestolo »



Offline Whit

  • Newbie
  • *
  • Posts: 24
  • Karma: +0/-0
need help with vundo, winfixer, and winlogon
« Reply #9 on: September 22, 2006, 01:49:15 AM »
As I was logging into the Tech Guide, I had a System Doctor Pop-up and then a window asking me if I wanted to scan.  I clicked close (red X) and not OK (the only grey/beige radio button offered).  Then, it automatically tried taking me to a System Doctor page.  Then I had a WinAntiVirus pop-up as I was copying and pasting the reports/logs.

Here are the logs.

EWIDO LOG (ran Ewido in "Safe Mode with Command Prompt")

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

 + Created at:   2:18:03 22/9/2006

 + Scan result:   



C:\Temp\sahagent-cdt1004.exe -> Adware.Sahat : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{2353FCBC-012D-487B-8BF3-865C0929FBEB} -> Adware.Virtumonde : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2353FCBC-012D-487B-8BF3-865C0929FBEB} -> Adware.Virtumonde : Cleaned with backup (quarantined).
HKU\S-1-5-21-1192523369-3736695530-3729825343-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} -> Adware.Virtumonde : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : Cleaned with backup (quarantined).
:mozilla.146:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.147:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.151:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.152:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.156:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.157:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.164:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.167:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.168:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.169:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.170:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.171:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.172:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.173:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.174:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.175:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.176:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.158:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.159:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.160:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.20:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.21:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.224:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.262:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.219:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.141:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Centrport : Cleaned.
:mozilla.195:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.215:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.211:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.212:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.45:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.225:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.226:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.227:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.228:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.134:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.114:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Realtracker : Cleaned.
:mozilla.229:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.248:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.249:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.218:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.47:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.48:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.49:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.50:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.51:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.52:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.53:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.54:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.55:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.124:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.115:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.131:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.132:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.133:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.69:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned.
:mozilla.70:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned.
:mozilla.71:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned.
:mozilla.148:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.149:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.150:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.22:C:\Documents and Settings\Whitney Roberts\Application Data\Netscape\NSAE\Profiles\aunp93dg.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\WINDOWS\SYSTEM32\ffyvosdh.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\VundoFix Backups\eaakrfoc.exe.bad -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\VundoFix Backups\gbtpuydc.exe.bad -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\VundoFix Backups\kllrkxwl.exe.bad -> Trojan.Small.ju : Cleaned with backup (quarantined).


::Report end


HIJACKTHIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 2:24:02, on 22/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CE\nmSvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\1146781927\ee\AOLSoftware.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\ziptemp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\system32\awtsp.dll
O2 - BHO: (no name) - {2ECD0C91-3CF1-4C3D-BD59-BC7802156D14} - C:\WINDOWS\system32\mopoouec.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\ffyvosdh.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146781927\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\ziptemp\AIM95\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awtsp - C:\WINDOWS\system32\awtsp.dll
O20 - Winlogon Notify: lqtuivqi - C:\WINDOWS\SYSTEM32\lqtuivqi.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: rqsftexu - C:\WINDOWS\SYSTEM32\rqsftexu.dll
O20 - Winlogon Notify: vonbxdjv - C:\WINDOWS\SYSTEM32\vonbxdjv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

BTW, I clicked on "Java Plug-In" in the control panel (the only Java icon I could see) and then the "Cache Tab" to clear the cache.  I did not click "Cash Back" anywhere in the plug-in or my computer because I didn't see it and couldn't find it.

Offline guestolo

need help with vundo, winfixer, and winlogon
« Reply #10 on: September 22, 2006, 09:43:06 PM »
hi again Whit
I'm not sure if I understand this comment
Quote
BTW, I clicked on "Java Plug-In" in the control panel (the only Java icon I could see) and then the "Cache Tab" to clear the cache. I did not click "Cash Back" anywhere in the plug-in or my computer because I didn't see it and couldn't find it.
Did I ask you to click the "Cash back"???

Anyways, can you do the following
Then we'll try to fix your other problems
Vundo is still present, that's why Explorer won't load in safe mode

Please download VirtumundoBeGone:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
* Save it to the Desktop
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the Desktop
* Follow the directions as indicated

This program may generate a "BLUE SCREEN OF DEATH". Do not be concerned.
Just reboot if your system freezes

The VirtumundoBeGone log VBG.txt is found on the Desktop.
Can you post that please

Also,
I want to check a few files if they are still around after you do the above
Go to either of these links
http://virusscan.jotti.org/
OR
http://www.virustotal.com/flash/index_en.html

Use the browse button and navigate to the file on your hard drive

C:\WINDOWS\SYSTEM32\lqtuivqi.dll <- this file
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please
Do the same for these files too please
C:\WINDOWS\SYSTEM32\rqsftexu.dll
C:\WINDOWS\SYSTEM32\vonbxdjv.dll
« Last Edit: September 23, 2006, 09:38:42 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Whit

need help with vundo, winfixer, and winlogon
« Reply #11 on: September 23, 2006, 09:46:30 AM »
About "Cash Back", you instructed me to do that in the 20/9/06, 19:48 reply:

"Access your add/remove programs via control panel
Remove the following
Java 2 Runtime Environment, SE v1.4.2
Select CashBack"

I'll do your latest instruction by this evening.

Offline Whit

need help with vundo, winfixer, and winlogon
« Reply #12 on: September 23, 2006, 10:29:42 AM »
I ran VBG twice: once in "Safe Mode with Command Prompt" and once in "Normal Mode"

VBG IN SAFE MODE


[09/23/2006, 10:57:38] - VirtumundoBeGone v1.5 ( VirtumundoBeGoneTechGuide)
[09/23/2006, 10:57:43] - Detected System Information:
[09/23/2006, 10:57:43] -  Windows Version: 5.1.2600, Service Pack 2
[09/23/2006, 10:57:43] -  Current Username: Whitney Roberts (Admin)
[09/23/2006, 10:57:43] -  Windows is in SAFE mode with Networking.
[09/23/2006, 10:57:43] - Searching for Browser Helper Objects:
[09/23/2006, 10:57:43] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[09/23/2006, 10:57:43] -  BHO 2: {2353FCBC-012D-487B-8BF3-865C0929FBEB} (ATLDistrib Object)
[09/23/2006, 10:57:43] - ALERT: Found ATLDistrib Object!
[09/23/2006, 10:57:43] -  BHO 3: {2ECD0C91-3CF1-4C3D-BD59-BC7802156D14} ()
[09/23/2006, 10:57:43] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/23/2006, 10:57:43] -  Checking for HKLM\...\Winlogon\Notify\mopoouec
[09/23/2006, 10:57:43] -  Key not found: HKLM\...\Winlogon\Notify\mopoouec, continuing.
[09/23/2006, 10:57:43] -  BHO 4: {53707962-6F74-2D53-2644-206D7942484F} ()
[09/23/2006, 10:57:43] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/23/2006, 10:57:43] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[09/23/2006, 10:57:43] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[09/23/2006, 10:57:43] -  BHO 5: {549B5CA7-4A86-11D7-A4DF-000874180BB3} ()
[09/23/2006, 10:57:43] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/23/2006, 10:57:43] -  No filename found. Continuing.
[09/23/2006, 10:57:43] -  BHO 6: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[09/23/2006, 10:57:43] -  BHO 7: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[09/23/2006, 10:57:43] -  BHO 8: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[09/23/2006, 10:57:43] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/23/2006, 10:57:43] -  Checking for HKLM\...\Winlogon\Notify\ffyvosdh
[09/23/2006, 10:57:43] -  Key not found: HKLM\...\Winlogon\Notify\ffyvosdh, continuing.
[09/23/2006, 10:57:43] -  BHO 9: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} ()
[09/23/2006, 10:57:43] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/23/2006, 10:57:43] -  No filename found. Continuing.
[09/23/2006, 10:57:43] - Finished Searching Browser Helper Objects
[09/23/2006, 10:57:43] - *** Detected ATLDistrib Object
[09/23/2006, 10:57:43] - Trying to remove ATLDistrib Object...
[09/23/2006, 10:57:44] -    Terminating Process: IEXPLORE.EXE
[09/23/2006, 10:57:45] -    Terminating Process: RUNDLL32.EXE
[09/23/2006, 10:57:45] -    Disabling Automatic Shell Restart
[09/23/2006, 10:57:45] -    Terminating Process: EXPLORER.EXE
[09/23/2006, 10:57:45] -    Suspending the NT Session Manager System Service
[09/23/2006, 10:57:45] -    Terminating Windows NT Logon/Logoff Manager
[09/23/2006, 10:57:45] -    Re-enabling Automatic Shell Restart
[09/23/2006, 10:57:45] -   File to disable: C:\WINDOWS\system32\awtsp.dll
[09/23/2006, 10:57:45] -  Renaming C:\WINDOWS\system32\awtsp.dll -> C:\WINDOWS\system32\awtsp.dll.vir
[09/23/2006, 10:57:45] -  File successfully renamed!
[09/23/2006, 10:57:45] -   Removing HKLM\...\Browser Helper Objects\{2353FCBC-012D-487B-8BF3-865C0929FBEB}
[09/23/2006, 10:57:45] -   Removing HKCR\CLSID\{2353FCBC-012D-487B-8BF3-865C0929FBEB}
[09/23/2006, 10:57:45] -   Adding Kill Bit for ActiveX for GUID: {2353FCBC-012D-487B-8BF3-865C0929FBEB}
[09/23/2006, 10:57:45] -   Deleting ATLEvents/MSEvents Registry entries
[09/23/2006, 10:57:45] -   Removing HKLM\...\Winlogon\Notify\awtsp
[09/23/2006, 10:57:45] - Searching for Browser Helper Objects:
[09/23/2006, 10:57:45] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[09/23/2006, 10:57:45] -  BHO 2: {2ECD0C91-3CF1-4C3D-BD59-BC7802156D14} ()
[09/23/2006, 10:57:45] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/23/2006, 10:57:45] -  Checking for HKLM\...\Winlogon\Notify\mopoouec
[09/23/2006, 10:57:45] -  Key not found: HKLM\...\Winlogon\Notify\mopoouec, continuing.
[09/23/2006, 10:57:45] -  BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[09/23/2006, 10:57:45] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/23/2006, 10:57:45] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[09/23/2006, 10:57:45] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[09/23/2006, 10:57:45] -  BHO 4: {549B5CA7-4A86-11D7-A4DF-000874180BB3} ()
[09/23/2006, 10:57:45] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/23/2006, 10:57:45] -  No filename found. Continuing.
[09/23/2006, 10:57:45] -  BHO 5: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[09/23/2006, 10:57:45] -  BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[09/23/2006, 10:57:45] -  BHO 7: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[09/23/2006, 10:57:45] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/23/2006, 10:57:45] -  Checking for HKLM\...\Winlogon\Notify\ffyvosdh
[09/23/2006, 10:57:45] -  Key not found: HKLM\...\Winlogon\Notify\ffyvosdh, continuing.
[09/23/2006, 10:57:45] -  BHO 8: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} ()
[09/23/2006, 10:57:45] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/23/2006, 10:57:45] -  No filename found. Continuing.
[09/23/2006, 10:57:45] - Finished Searching Browser Helper Objects
[09/23/2006, 10:57:45] - Finishing up...
[09/23/2006, 10:57:45] - A restart is needed.
[09/23/2006, 10:57:45] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[09/23/2006, 10:58:04] - Attempting to Restart via STOP error (Blue Screen!)

VBG IN NORMAL MODE


[09/23/2006, 11:12:13] - VirtumundoBeGone v1.5 ( "C:\ziptemp\VirtumundoBeGoneTechGuide.exe" )
[09/23/2006, 11:12:18] - Detected System Information:
[09/23/2006, 11:12:18] -  Windows Version: 5.1.2600, Service Pack 2
[09/23/2006, 11:12:18] -  Current Username: Whitney Roberts (Admin)
[09/23/2006, 11:12:18] -  Windows is in NORMAL mode.
[09/23/2006, 11:12:18] - Searching for Browser Helper Objects:
[09/23/2006, 11:12:18] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[09/23/2006, 11:12:18] -  BHO 2: {2ECD0C91-3CF1-4C3D-BD59-BC7802156D14} ()
[09/23/2006, 11:12:18] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/23/2006, 11:12:18] -  Checking for HKLM\...\Winlogon\Notify\mopoouec
[09/23/2006, 11:12:18] -  Key not found: HKLM\...\Winlogon\Notify\mopoouec, continuing.
[09/23/2006, 11:12:18] -  BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[09/23/2006, 11:12:18] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/23/2006, 11:12:18] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[09/23/2006, 11:12:18] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[09/23/2006, 11:12:18] -  BHO 4: {549B5CA7-4A86-11D7-A4DF-000874180BB3} ()
[09/23/2006, 11:12:18] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/23/2006, 11:12:18] -  No filename found. Continuing.
[09/23/2006, 11:12:18] -  BHO 5: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[09/23/2006, 11:12:18] -  BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[09/23/2006, 11:12:18] -  BHO 7: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[09/23/2006, 11:12:18] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/23/2006, 11:12:18] -  Checking for HKLM\...\Winlogon\Notify\ffyvosdh
[09/23/2006, 11:12:18] -  Key not found: HKLM\...\Winlogon\Notify\ffyvosdh, continuing.
[09/23/2006, 11:12:18] -  BHO 8: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} ()
[09/23/2006, 11:12:18] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/23/2006, 11:12:18] -  No filename found. Continuing.
[09/23/2006, 11:12:18] - Finished Searching Browser Helper Objects
[09/23/2006, 11:12:18] - Finishing up...
[09/23/2006, 11:12:18] - Nothing found! Exiting...

Scanner results from website a little later... (still scanning as I write this)
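The cross-check the VirtumundoBeGone log above performs (a BHO whose DLL is also registered as a Winlogon Notify package, which winlogon.exe loads at every logon) can be reproduced over HijackThis O2/O20 lines. This is an added example, not code from the thread or from either tool; the allow-list, the known-bad name and the sample lines are constructed from the logs posted in this thread, and it also flags the two cases VBG's heuristic walks past (an unnamed system32 BHO with no Notify twin, and Notify packages with no BHO partner), which is exactly what the follow-up log still shows.

```python
"""Correlate HijackThis O2 (BHO) and O20 (Winlogon Notify) log lines.

Added example for this thread, not code from HijackThis or VirtumundoBeGone.
The allow-list, known-bad name and sample lines are constructed from the logs
posted in the thread.
"""
import re
from dataclasses import dataclass

# Winlogon Notify packages accepted as legitimate. Constructed allow-list for
# this example from the vendor entries in the thread's log; a real baseline
# comes from a known-clean machine of the same Windows build.
KNOWN_NOTIFY = {"navlogon", "wgalogon"}

# BHO display name that the VirtumundoBeGone log flagged outright.
KNOWN_BAD_BHO_NAMES = {"atldistrib object"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")


@dataclass(frozen=True)
class Finding:
    kind: str     # which rule fired
    subject: str  # DLL basename without extension, lower-cased
    detail: str   # the name or path that triggered the rule


def basename(path: str) -> str:
    """'C:\\WINDOWS\\system32\\awtsp.dll (file missing)' -> 'awtsp'."""
    leaf = path.replace("(file missing)", "").strip().rsplit("\\", 1)[-1]
    return leaf.rsplit(".", 1)[0].lower()


def parse(lines):
    """Return (list of BHO dicts, {notify key: path}) from raw HJT lines."""
    bhos, notify = [], {}
    for raw in lines:
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = O20_RE.match(line)
        if m:
            notify[m.group("key").lower()] = m.group("path")
    return bhos, notify


def analyse(lines):
    bhos, notify = parse(lines)
    findings, paired = [], set()
    for b in bhos:
        name, path = b["name"].strip(), b["path"].strip()
        if path == "(no file)":
            continue  # dead registration: nothing is loaded from it
        base = basename(path)
        if name.lower() in KNOWN_BAD_BHO_NAMES:
            findings.append(Finding("known-bad BHO name", base, name))
        if base in notify and base not in KNOWN_NOTIFY:
            # The VirtumundoBeGone pattern: the BHO's DLL is also a Winlogon
            # Notify package, so winlogon.exe reloads it at every logon and the
            # two registrations restore each other.
            findings.append(Finding("BHO+Winlogon Notify pair", base, path))
            paired.add(base)
        elif name in ("", "(no name)") and "\\system32\\" in path.lower():
            # VBG walks past this case ("Key not found ... continuing"); an
            # unnamed BHO dropped into system32 still deserves a look.
            findings.append(Finding("unnamed BHO, no Notify twin", base, path))
    for key, path in notify.items():
        if key not in KNOWN_NOTIFY and key not in paired:
            # Notify packages with no BHO partner are the other case VBG never
            # visits, and exactly what lqtuivqi/rqsftexu/vonbxdjv are.
            findings.append(Finding("unrecognised Winlogon Notify package", key, path))
    return findings


# Constructed from the O2 and O20 lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\system32\awtsp.dll
O2 - BHO: (no name) - {2ECD0C91-3CF1-4C3D-BD59-BC7802156D14} - C:\WINDOWS\system32\mopoouec.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\ffyvosdh.dll (file missing)
O20 - Winlogon Notify: awtsp - C:\WINDOWS\system32\awtsp.dll
O20 - Winlogon Notify: lqtuivqi - C:\WINDOWS\SYSTEM32\lqtuivqi.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: rqsftexu - C:\WINDOWS\SYSTEM32\rqsftexu.dll
O20 - Winlogon Notify: vonbxdjv - C:\WINDOWS\SYSTEM32\vonbxdjv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f"{f.kind:38} {f.subject:10} {f.detail}")
```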

Offline Whit

need help with vundo, winfixer, and winlogon
« Reply #13 on: September 23, 2006, 10:45:57 AM »
As I was scanning the last of the 3 files, the Winlogon.exe error occurred with the "The instruction at (10-character alphanumeric) referenced memory at (10-digit alphanumeric).  The memory could not be written."

FILE 1 (lqtuivqi.dll)

File:  lqtuivqi.dll  
Status:  INFECTED/MALWARE  
MD5  19275b4f575e6b3d9cd8f1e4a77842f6  
Packers detected:  PE_PATCH.MORPHINE
Scanner results  
AntiVir  Found nothing
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found Trojan.Spambot  
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
NOD32  Found a variant of Win32/TrojanProxy.Agent.JZ  
Norman Virus Control  Found nothing
UNA  Found nothing
VirusBuster  Found nothing
VBA32  Found Malware.Agent.18 (probable variant)  
   
FILE 2 (rqsftexu.dll)

File:  rqsftexu.dll  
Status:  INFECTED/MALWARE  
MD5  259497254cf96b77e8264885bb847bd2  
Packers detected:  -
Scanner results  
AntiVir  Found Trojan/Proxy.Agent.JZ.2  
ArcaVir  Found Trojan.Proxy.Agent.Jz  
Avast  Found nothing
AVG Antivirus  Found Proxy.FRP  
BitDefender  Found Trojan.Proxy.Agent.JZ  
ClamAV  Found nothing
Dr.Web  Found Trojan.Spambot  
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found Trojan-Proxy.Win32.Agent.jz  
NOD32  Found Win32/TrojanProxy.Agent.JZ  
Norman Virus Control  Found W32/Agent.AWPF  
UNA  Found nothing
VirusBuster  Found nothing
VBA32  Found Malware.Agent.18 (probable variant)  
   
FILE 3 (vonbxdjv.dll)

File:  vonbxdjv.dll  
Status:  INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)  
MD5  259497254cf96b77e8264885bb847bd2  
Packers detected:  -
Scanner results  
AntiVir  Found Trojan/Proxy.Agent.JZ.2  
ArcaVir  Found Trojan.Proxy.Agent.Jz  
Avast  Found nothing
AVG Antivirus  Found Proxy.FRP  
BitDefender  Found Trojan.Proxy.Agent.JZ  
ClamAV  Found nothing
Dr.Web  Found Trojan.Spambot  
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found Trojan-Proxy.Win32.Agent.jz  
NOD32  Found Win32/TrojanProxy.Agent.JZ  
Norman Virus Control  Found W32/Agent.AWPF  
UNA  Found nothing
VirusBuster  Found nothing
VBA32  Found Malware.Agent.18 (probable variant)  
   

Offline guestolo

need help with vundo, winfixer, and winlogon
« Reply #14 on: September 23, 2006, 10:47:44 AM »
That's fine, can you post a fresh hijackthis log please
Just to take a look at what remains, then we'll go from there



Offline Whit

need help with vundo, winfixer, and winlogon
« Reply #15 on: September 23, 2006, 11:22:22 AM »
Logfile of HijackThis v1.99.1
Scan saved at 12:16:55, on 23/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CE\nmSvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\1146781927\ee\AOLSoftware.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\ziptemp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2ECD0C91-3CF1-4C3D-BD59-BC7802156D14} - C:\WINDOWS\system32\mopoouec.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\ffyvosdh.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146781927\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\ziptemp\AIM95\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: lqtuivqi - C:\WINDOWS\SYSTEM32\lqtuivqi.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: rqsftexu - C:\WINDOWS\SYSTEM32\rqsftexu.dll
O20 - Winlogon Notify: vonbxdjv - C:\WINDOWS\SYSTEM32\vonbxdjv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Offline guestolo

need help with vundo, winfixer, and winlogon
« Reply #16 on: September 23, 2006, 01:05:41 PM »
Just had to go move a washing machine for a friend :o

Download The Avenger.zip by Swandog46 to your Desktop.

    * Click on Avenger.zip to open the file
    * Extract avenger.exe to your desktop

Copy ALL the text contained in blue below to your Clipboard by highlighting it and pressing Ctrl+C on your keyboard


files to delete:
C:\WINDOWS\system32\mopoouec.dll
C:\WINDOWS\SYSTEM32\rqsftexu.dll
C:\WINDOWS\SYSTEM32\vonbxdjv.dll
C:\WINDOWS\SYSTEM32\lqtuivqi.dll
C:\WINDOWS\system32\awtsp.dll.vir
C:\WINDOWS\SYSTEM32\pstwa.ini2
C:\WINDOWS\SYSTEM32\pstwa.bak2
C:\WINDOWS\SYSTEM32\pstwa.bak1

Programs to launch on reboot:
C:\ziptemp\HijackThis.exe


Now, start The Avenger program by clicking on its icon on your desktop

    * Under "Script file to execute" choose "Input Script Manually".
    * Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    * Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    * Click Done
    * Now click on the Green Light to begin execution of the script
    * Answer "Yes" twice when prompted.

Avenger should now Reboot your computer
Back in Windows, Hijackthis should open
Do a scan and put a tick next to the following

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: (no name) - {2ECD0C91-3CF1-4C3D-BD59-BC7802156D14} - C:\WINDOWS\system32\mopoouec.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\ffyvosdh.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?

O20 - Winlogon Notify: lqtuivqi - C:\WINDOWS\SYSTEM32\lqtuivqi.dll

O20 - Winlogon Notify: rqsftexu - C:\WINDOWS\SYSTEM32\rqsftexu.dll
O20 - Winlogon Notify: vonbxdjv - C:\WINDOWS\SYSTEM32\vonbxdjv.dll


Then click the FIX CHECKED button

After your icons and taskbar appear, reboot the computer one more time

Back in Windows
EDIT>>Can you right click on Hijackthis.exe and rename it to scanner.exe
Post back the following
Do a fresh scan and save logfile with scanner.exe(Hijackthis)
1. Post a fresh hijackthislog
2. Post the log from Avenger located here>>C:\Avenger.txt
3. Could you also run Combofix again and post the fresh log
« Last Edit: September 23, 2006, 02:14:27 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
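The fix list above is built by reading the HijackThis log and picking out the entries that load a DLL into Internet Explorer (O2) or into winlogon.exe (O20) under a meaningless eight-letter name, plus registrations whose file is already gone. The following is an added example of that triage as a script; it is not code from this thread, from HijackThis, or from the Avenger author. The sample log lines are constructed from entries quoted in the thread, and the "eight lowercase letters" naming rule is a coarse heuristic chosen here, not anything HijackThis itself applies.

```python
import re

# Constructed sample in HijackThis v1.99.1 line format, modelled on the entries
# discussed in this thread. It is not a complete log.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: (no name) - {2ECD0C91-3CF1-4C3D-BD59-BC7802156D14} - C:\WINDOWS\system32\mopoouec.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\ffyvosdh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O15 - Trusted Zone: http://scanner.sysprotect.com
O15 - Trusted Zone: *.musicmatch.com
O20 - Winlogon Notify: lqtuivqi - C:\WINDOWS\SYSTEM32\lqtuivqi.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: rqsftexu - C:\WINDOWS\SYSTEM32\rqsftexu.dll
O20 - Winlogon Notify: vonbxdjv - C:\WINDOWS\SYSTEM32\vonbxdjv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Coarse naming heuristic (an assumption of this example): the Vundo DLLs in
# this thread are eight random lowercase letters (lqtuivqi.dll, rqsftexu.dll,
# ...), while vendor-named handlers such as NavLogon.dll and WgaLogon.dll are
# mixed case. Case matters, so the filename is tested as written in the log.
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")
# Sections where the listed DLL is loaded into another process (IE or winlogon.exe).
DLL_LOAD_SECTIONS = {"O2": "browser helper object", "O20": "Winlogon Notify handler"}

def split_entry(line):
    """Return (section, body, path, missing) for one HijackThis line, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    target = body.rsplit(" - ", 1)[-1]            # last " - " segment carries the path
    missing = target == "(no file)" or target.endswith("(file missing)")
    path = re.sub(r"\s*\(file missing\)$", "", target)
    return sec, body, path, missing

def triage(log_text):
    """Flag entries worth a human look; returns a list of dicts."""
    findings = []
    for line in log_text.splitlines():
        parsed = split_entry(line)
        if parsed is None:
            continue
        sec, body, path, missing = parsed
        filename = path.rsplit("\\", 1)[-1]
        reasons = []
        if sec in DLL_LOAD_SECTIONS and RANDOM_DLL_RE.match(filename):
            reasons.append(f"random-named {DLL_LOAD_SECTIONS[sec]}: {filename}")
        if missing:
            reasons.append("orphaned registration, file no longer on disk")
        if sec == "O15":
            reasons.append("Trusted Zone entry: confirm it was added on purpose")
        if reasons:
            findings.append({"section": sec, "line": line.strip(), "reasons": reasons})
    return findings

def flagged_filenames(log_text):
    """The set of filenames that triage() flagged for random naming."""
    names = set()
    for f in triage(log_text):
        for r in f["reasons"]:
            if r.startswith("random-named"):
                names.add(r.rsplit(": ", 1)[-1])
    return names

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["section"], "|", f["line"])
        for r in f["reasons"]:
            print("    ->", r)
```

Run against the sample, the script flags the three random-named Winlogon Notify DLLs, the two random-named BHOs (one of them already missing from disk), the orphaned URLSearchHook and both Trusted Zone entries, and leaves NavLogon.dll, WgaLogon.dll and ssv.dll alone, which matches the fix list the helper asked for. A name heuristic is only a starting point: before removing anything, confirm the file has no version resource or publisher and check what registered it.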


Offline Whit

need help with vundo, winfixer, and winlogon
« Reply #17 on: September 23, 2006, 10:22:27 PM »
No worries.  I hope the move went well.

I am a Mechanical Engineer and know little about electrical engineering and computer engineering and science.  Hence, I am grateful for those more knowledgeable than I am about computers.

Scanner (AKA HijackThis) LOG:

Logfile of HijackThis v1.99.1
Scan saved at 23:10:10, on 23/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CE\nmSvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\1146781927\ee\AOLSoftware.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\ziptemp\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146781927\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\ziptemp\AIM95\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: lqtuivqi - C:\WINDOWS\SYSTEM32\lqtuivqi.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: rqsftexu - C:\WINDOWS\SYSTEM32\rqsftexu.dll
O20 - Winlogon Notify: vonbxdjv - C:\WINDOWS\SYSTEM32\vonbxdjv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

AVENGER LOG

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qtfuneay

*******************

Script file located at: \??\C:\WINDOWS\system32\leelvttw.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\mopoouec.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\rqsftexu.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\vonbxdjv.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\lqtuivqi.dll deleted successfully.
File C:\WINDOWS\system32\awtsp.dll.vir deleted successfully.
File C:\WINDOWS\SYSTEM32\pstwa.ini2 deleted successfully.
File C:\WINDOWS\SYSTEM32\pstwa.bak2 deleted successfully.
File C:\WINDOWS\SYSTEM32\pstwa.bak1 deleted successfully.
Program C:\ziptemp\HijackThis.exe successfully set up to run once on reboot.

Completed script processing.

*******************

Finished!  Terminate.

COMBOFIX LOG

Whitney Roberts - 06-09-23 23:10:57.40    Service Pack 2
ComboFix 06.09.20 - Running from: "C:\Documents and Settings\Whitney Roberts\Desktop"
Command switches used ::        

(((((((((((((((((((((((((((((((   Files Created from 2006-08-23 to 2006-09-23  ))))))))))))))))))))))))))))))))))
 

2006-09-23   10:56   188,436   --a------   C:\WINDOWS\SYSTEM32\vonbxdjv.dll
2006-09-23   10:56   188,436   --a------   C:\WINDOWS\SYSTEM32\rqsftexu.dll
2006-09-23   10:56   188,436   --a------   C:\WINDOWS\SYSTEM32\lqtuivqi.dll
2006-09-20   22:05   16,504,464   --a------   C:\jre-1_5_0_08-windows-i586-p.exe
2006-09-20   22:03   45,568   --a------   C:\ATF-Cleaner.exe
2006-09-09   11:43   131,604   --a------   C:\WINDOWS\SYSTEM32\cefcxerw.dll
 

((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-23 23:09   --------   d--------   C:\Documents and Settings\Whitney Roberts\Application Data\CE
2006-09-23 21:07   --------   d--------   C:\Program Files\SkyTeam Travel Timetable
2006-09-23 16:13   12400   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\secdrv.sys
2006-09-21 23:03   --------   d--------   C:\Program Files\ewido anti-spyware 4.0
2006-09-21 22:42   --------   d--------   C:\Documents and Settings\Whitney Roberts\Application Data\Yahoo!
2006-09-21 22:00   --------   d--------   C:\Program Files\Java
2006-09-21 21:59   --------   d--------   C:\Program Files\Common Files\Java
2006-09-21 21:59   --------   d--------   C:\Program Files\Common Files
2006-09-17 22:24   --------   d--------   C:\Program Files\ICQToolbar
2006-09-16 23:44   --------   d--------   C:\Program Files\oneworldflights
2006-09-15 02:03   --------   d--------   C:\Documents and Settings\Whitney Roberts\Application Data\WeatherBug
2006-09-14 19:46   --------   d--------   C:\Program Files\Windows Media Player
2006-09-14 19:22   --------   d--------   C:\Program Files\Google
2006-09-10 19:49   --------   d--------   C:\Program Files\OfficeUpdate11
2006-09-10 19:47   --------   d--------   C:\Program Files\Microsoft Works
2006-09-10 19:47   --------   d--------   C:\Program Files\Common Files\Microsoft Shared
2006-09-10 18:49   --------   d--------   C:\Documents and Settings\Whitney Roberts\Application Data\Registry Booster
2006-09-10 13:55   --------   d--------   C:\Program Files\LIUtilities
2006-09-10 13:54   --------   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2006-09-10 12:28   --------   d--------   C:\Program Files\Uniblue
2006-09-07 19:27   --------   d--------   C:\Documents and Settings\Whitney Roberts\Application Data\Lavasoft
2006-09-07 19:26   --------   d--------   C:\Program Files\Lavasoft
2006-08-21 08:21   16896   --a------   C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 05:14   23040   --a------   C:\WINDOWS\SYSTEM32\fltmc.exe
2006-08-21 05:14   128896   ---------   C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
2006-08-20 18:28   --------   d--------   C:\Program Files\United TravelDesk
2006-08-20 18:28   --------   d--------   C:\Program Files\United EasySchedule for PC
2006-08-19 20:08   --------   d--h-----   C:\Program Files\InstallShield Installation Information
2006-08-19 20:08   --------   d--------   C:\Program Files\QuickTime
2006-08-19 20:03   --------   d--------   C:\Program Files\iTunes
2006-08-19 20:02   --------   d--------   C:\Program Files\iPod
2006-08-16 22:11   --------   d--------   C:\Program Files\Kodak
2006-08-16 22:06   --------   d--------   C:\Program Files\Internet Explorer
2006-07-27 09:24   679424   --a------   C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-21 04:24   72704   --a------   C:\WINDOWS\SYSTEM32\hlink.dll
 

((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"
"Sonic RecordNow!"=""
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"Aim6"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"NMSVC"="C:\\Program Files\\CE\\nmSvc.exe"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"mmtask"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1146781927\\ee\\AOLSoftware.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe"
"CTHelper"="CTHELPER.EXE"
"CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE"
"BCWipeTM Startup"="\"C:\\Program Files\\Jetico\\BCWipe\\BCWipeTM.exe\" startup"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ATIModeChange"="Ati2mdxx.exe"
"AsioReg"="REGSVR32.EXE /S CTASIO.DLL"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
  6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0\\aoltray.exe -check"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
"backup"="C:\\WINDOWS\\pss\\Digital Line Detect.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\DIGITA~1\\DLG.exe "
"item"="Digital Line Detect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Whitney Roberts^Start Menu^Programs^Startup^Webshots.lnk]
"backup"="C:\\WINDOWS\\pss\\Webshots.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Webshots\\Launcher.exe  /t"
"item"="Webshots"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Error Nuker]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ErrorNuker"
"hkey"="HKLM"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lqtuivqi
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqsftexu
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vonbxdjv

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ  msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

 
Completion time: Sat 23/09/2006 23:11:53.42
ComboFix.txt
ComboFix2.txt

Offline guestolo

need help with vundo, winfixer, and winlogon
« Reply #18 on: September 23, 2006, 10:31:31 PM »
Those files returned, but I see a new file
Can you do the following

Go ahead and delete
C:\Combofix.txt
C:\Combofix2.txt

Let's try this again
Copy ALL the text contained in blue below to your Clipboard by highlighting it and pressing Ctrl+C on your keyboard


files to delete:
C:\WINDOWS\SYSTEM32\vonbxdjv.dll
C:\WINDOWS\SYSTEM32\rqsftexu.dll
C:\WINDOWS\SYSTEM32\lqtuivqi.dll
C:\WINDOWS\SYSTEM32\cefcxerw.dll


Now, start The Avenger program by clicking on its icon on your desktop

    * Under "Script file to execute" choose "Input Script Manually".
    * Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    * Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    * Click Done
    * Now click on the Green Light to begin execution of the script
    * Answer "Yes" twice when prompted.

Avenger should now Reboot your computer
Back in Windows,

Can you post a fresh hijackthis log as well as a fresh log from Combofix please

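"Those files returned, but I see a new file" is the result of reading two logs against each other: the Avenger log says which files were deleted, and the ComboFix "Files Created" section shows which of them are back (three DLLs of identical size written in the same minute, the signature of one dropper re-creating its components) and which random-named DLL was not on the deletion list at all. Here is that correlation as an added example script; it is not from this thread, from ComboFix or from the Avenger author. The log excerpts are constructed from lines quoted in the thread, and the grouping and naming rules are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed excerpts in the formats of the Avenger and ComboFix logs posted
# in this thread (not the complete logs).
AVENGER_LOG = r"""
File C:\WINDOWS\system32\mopoouec.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\rqsftexu.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\vonbxdjv.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\lqtuivqi.dll deleted successfully.
File C:\WINDOWS\system32\awtsp.dll.vir deleted successfully.
Program C:\ziptemp\HijackThis.exe successfully set up to run once on reboot.
"""

COMBOFIX_CREATED = r"""
2006-09-23   10:56   188,436   --a------   C:\WINDOWS\SYSTEM32\vonbxdjv.dll
2006-09-23   10:56   188,436   --a------   C:\WINDOWS\SYSTEM32\rqsftexu.dll
2006-09-23   10:56   188,436   --a------   C:\WINDOWS\SYSTEM32\lqtuivqi.dll
2006-09-20   22:05   16,504,464   --a------   C:\jre-1_5_0_08-windows-i586-p.exe
2006-09-20   22:03   45,568   --a------   C:\ATF-Cleaner.exe
2006-09-09   11:43   131,604   --a------   C:\WINDOWS\SYSTEM32\cefcxerw.dll
"""

DELETED_RE = re.compile(r"^File (?P<path>.+?) deleted successfully\.$")
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
# Same coarse naming heuristic as the Vundo DLLs in this thread: eight random
# lowercase letters. An assumption of this example, not a ComboFix rule.
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")

def parse_deleted(text):
    """Lower-cased paths that Avenger reported as deleted (NTFS paths are case-insensitive)."""
    deleted = set()
    for line in text.splitlines():
        m = DELETED_RE.match(line.strip())
        if m:
            deleted.add(m.group("path").lower())
    return deleted

def parse_created(text):
    """Entries of the ComboFix 'Files Created' section as dicts."""
    entries = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            entries.append({
                "when": f"{m['date']} {m['time']}",
                "size": int(m["size"].replace(",", "")),
                "path": m["path"].strip(),
            })
    return entries

def returned_files(deleted, created):
    """Files Avenger deleted that ComboFix still lists as present afterwards."""
    return {e["path"] for e in created if e["path"].lower() in deleted}

def same_minute_clusters(created, min_members=2):
    """Groups of files sharing size and creation minute: one dropper writing several copies."""
    groups = defaultdict(list)
    for e in created:
        groups[(e["when"], e["size"])].append(e["path"])
    return {k: v for k, v in groups.items() if len(v) >= min_members}

def new_random_named(deleted, created):
    """Random-named DLLs present now that were never on the deletion list."""
    return sorted(
        e["path"] for e in created
        if RANDOM_DLL_RE.match(e["path"].rsplit("\\", 1)[-1])
        and e["path"].lower() not in deleted
    )

if __name__ == "__main__":
    deleted = parse_deleted(AVENGER_LOG)
    created = parse_created(COMBOFIX_CREATED)
    print("returned:", sorted(returned_files(deleted, created)))
    print("clusters:", same_minute_clusters(created))
    print("new random-named:", new_random_named(deleted, created))
```

On the sample this reports the three 188,436-byte DLLs as returned and as one same-minute cluster, and C:\WINDOWS\SYSTEM32\cefcxerw.dll as the new random-named file, which is exactly the extra entry added to the second Avenger script above. Files that come back after deletion mean something still running (a service, a Winlogon Notify handler, a loaded DLL) is re-dropping them, so the reinfection source has to be found rather than the files deleted a third time.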


Offline Whit

need help with vundo, winfixer, and winlogon
« Reply #19 on: September 23, 2006, 11:51:00 PM »
AVENGER LOG

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\sikuqwiv

*******************

Script file located at: stlmvvts

Could not open script file!  Error

Could not open script file!  Status: 0xc000003b  Abort!

SCANNER (AKA HIJACKTHIS) LOG

Logfile of HijackThis v1.99.1
Scan saved at 0:42:37, on 24/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CE\nmSvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\1146781927\ee\AOLSoftware.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\ziptemp\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146781927\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\ziptemp\AIM95\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: lqtuivqi - C:\WINDOWS\SYSTEM32\lqtuivqi.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: rqsftexu - C:\WINDOWS\SYSTEM32\rqsftexu.dll
O20 - Winlogon Notify: vonbxdjv - C:\WINDOWS\SYSTEM32\vonbxdjv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

COMBOFIX LOG

Whitney Roberts - 06-09-24  0:43:07.45    Service Pack 2
ComboFix 06.09.20 - Running from: "C:\Documents and Settings\Whitney Roberts\Desktop"
Command switches used ::        

(((((((((((((((((((((((((((((((   Files Created from 2006-08-24 to 2006-09-24  ))))))))))))))))))))))))))))))))))
 

2006-09-23   10:56   188,436   --a------   C:\WINDOWS\SYSTEM32\vonbxdjv.dll
2006-09-23   10:56   188,436   --a------   C:\WINDOWS\SYSTEM32\rqsftexu.dll
2006-09-23   10:56   188,436   --a------   C:\WINDOWS\SYSTEM32\lqtuivqi.dll
2006-09-20   22:05   16,504,464   --a------   C:\jre-1_5_0_08-windows-i586-p.exe
2006-09-20   22:03   45,568   --a------   C:\ATF-Cleaner.exe
2006-09-09   11:43   131,604   --a------   C:\WINDOWS\SYSTEM32\cefcxerw.dll
 

((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-24 00:41   --------   d--------   C:\Documents and Settings\Whitney Roberts\Application Data\CE
2006-09-23 21:07   --------   d--------   C:\Program Files\SkyTeam Travel Timetable
2006-09-23 16:13   12400   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\secdrv.sys
2006-09-21 23:03   --------   d--------   C:\Program Files\ewido anti-spyware 4.0
2006-09-21 22:42   --------   d--------   C:\Documents and Settings\Whitney Roberts\Application Data\Yahoo!
2006-09-21 22:00   --------   d--------   C:\Program Files\Java
2006-09-21 21:59   --------   d--------   C:\Program Files\Common Files\Java
2006-09-21 21:59   --------   d--------   C:\Program Files\Common Files
2006-09-17 22:24   --------   d--------   C:\Program Files\ICQToolbar
2006-09-16 23:44   --------   d--------   C:\Program Files\oneworldflights
2006-09-15 02:03   --------   d--------   C:\Documents and Settings\Whitney Roberts\Application Data\WeatherBug
2006-09-14 19:46   --------   d--------   C:\Program Files\Windows Media Player
2006-09-14 19:22   --------   d--------   C:\Program Files\Google
2006-09-10 19:49   --------   d--------   C:\Program Files\OfficeUpdate11
2006-09-10 19:47   --------   d--------   C:\Program Files\Microsoft Works
2006-09-10 19:47   --------   d--------   C:\Program Files\Common Files\Microsoft Shared
2006-09-10 18:49   --------   d--------   C:\Documents and Settings\Whitney Roberts\Application Data\Registry Booster
2006-09-10 13:55   --------   d--------   C:\Program Files\LIUtilities
2006-09-10 13:54   --------   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2006-09-10 12:28   --------   d--------   C:\Program Files\Uniblue
2006-09-07 19:27   --------   d--------   C:\Documents and Settings\Whitney Roberts\Application Data\Lavasoft
2006-09-07 19:26   --------   d--------   C:\Program Files\Lavasoft
2006-08-21 08:21   16896   --a------   C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 05:14   23040   --a------   C:\WINDOWS\SYSTEM32\fltmc.exe
2006-08-21 05:14   128896   ---------   C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
2006-08-20 18:28   --------   d--------   C:\Program Files\United TravelDesk
2006-08-20 18:28   --------   d--------   C:\Program Files\United EasySchedule for PC
2006-08-19 20:08   --------   d--h-----   C:\Program Files\InstallShield Installation Information
2006-08-19 20:08   --------   d--------   C:\Program Files\QuickTime
2006-08-19 20:03   --------   d--------   C:\Program Files\iTunes
2006-08-19 20:02   --------   d--------   C:\Program Files\iPod
2006-08-16 22:11   --------   d--------   C:\Program Files\Kodak
2006-08-16 22:06   --------   d--------   C:\Program Files\Internet Explorer
2006-07-27 09:24   679424   --a------   C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-21 04:24   72704   --a------   C:\WINDOWS\SYSTEM32\hlink.dll
 

((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"
"Sonic RecordNow!"=""
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"Aim6"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"NMSVC"="C:\\Program Files\\CE\\nmSvc.exe"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"mmtask"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1146781927\\ee\\AOLSoftware.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe"
"CTHelper"="CTHELPER.EXE"
"CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE"
"BCWipeTM Startup"="\"C:\\Program Files\\Jetico\\BCWipe\\BCWipeTM.exe\" startup"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ATIModeChange"="Ati2mdxx.exe"
"AsioReg"="REGSVR32.EXE /S CTASIO.DLL"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
  6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0\\aoltray.exe -check"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
"backup"="C:\\WINDOWS\\pss\\Digital Line Detect.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\DIGITA~1\\DLG.exe "
"item"="Digital Line Detect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Whitney Roberts^Start Menu^Programs^Startup^Webshots.lnk]
"backup"="C:\\WINDOWS\\pss\\Webshots.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Webshots\\Launcher.exe  /t"
"item"="Webshots"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Error Nuker]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ErrorNuker"
"hkey"="HKLM"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lqtuivqi
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqsftexu
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vonbxdjv

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ  msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


 
~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20060923-230305-889
O20 - Winlogon Notify: vonbxdjv - C:\WINDOWS\SYSTEM32\vonbxdjv.dll
backup-20060923-230305-427
O20 - Winlogon Notify: rqsftexu - C:\WINDOWS\SYSTEM32\rqsftexu.dll
backup-20060923-230304-802
O20 - Winlogon Notify: lqtuivqi - C:\WINDOWS\SYSTEM32\lqtuivqi.dll
backup-20060923-230304-278
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
backup-20060923-230304-263
O15 - Trusted Zone: http://locator.cdn.imageservr.com
backup-20060923-230304-270
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
backup-20060923-230304-754
O15 - Trusted Zone: http://scanner.sysprotect.com
backup-20060923-230304-634
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20060923-230304-854
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
backup-20060923-230304-933
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
backup-20060923-230304-937
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
backup-20060923-230304-843
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
backup-20060923-230304-666
O2 - BHO: (no name) - {2ECD0C91-3CF1-4C3D-BD59-BC7802156D14} - C:\WINDOWS\system32\mopoouec.dll (file missing)
backup-20060923-230304-132
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\ffyvosdh.dll (file missing)
 
Completion time: Sun 24/09/2006  0:44:08.65
ComboFix.txt
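An added triage example, not code from the thread or from the HijackThis/ComboFix authors: it parses the O20 Winlogon Notify lines and the ComboFix "Files Created" lines quoted above and flags what a helper looks at first, namely Notify DLLs with machine-generated names, files dropped together in the same minute with the same size, and a random-named DLL on disk that no Notify entry references. The random-name heuristic and the embedded sample lines are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: the O20 lines from the HijackThis log above and
# the "Files Created" lines from the ComboFix log above, copied verbatim.
HJT_O20 = r"""
O20 - Winlogon Notify: lqtuivqi - C:\WINDOWS\SYSTEM32\lqtuivqi.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: rqsftexu - C:\WINDOWS\SYSTEM32\rqsftexu.dll
O20 - Winlogon Notify: vonbxdjv - C:\WINDOWS\SYSTEM32\vonbxdjv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""
COMBOFIX_CREATED = r"""
2006-09-23   10:56   188,436   --a------   C:\WINDOWS\SYSTEM32\vonbxdjv.dll
2006-09-23   10:56   188,436   --a------   C:\WINDOWS\SYSTEM32\rqsftexu.dll
2006-09-23   10:56   188,436   --a------   C:\WINDOWS\SYSTEM32\lqtuivqi.dll
2006-09-20   22:05   16,504,464   --a------   C:\jre-1_5_0_08-windows-i586-p.exe
2006-09-09   11:43   131,604   --a------   C:\WINDOWS\SYSTEM32\cefcxerw.dll
"""

O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2})\s+([\d,]+)\s+\S+\s+(.+)$")
VOWELS = set("aeiou")


def looks_machine_generated(name):
    """Heuristic assumed by this example (not from the thread): Vundo-style names
    here are 8 lowercase letters with a 3+ consonant run, unlike 'NavLogon'."""
    if not (len(name) == 8 and name.isalpha() and name.islower()):
        return False
    run = 0
    for ch in name:
        run = 0 if ch in VOWELS else run + 1
        if run >= 3:
            return True
    return False


def parse_o20(log):
    """(subkey name, dll path) for every O20 Winlogon Notify line."""
    return [m.groups() for ln in log.splitlines() if (m := O20_RE.match(ln.strip()))]


def parse_created(log):
    """{date, time, size, path} for every ComboFix 'Files Created' line."""
    rows = []
    for ln in log.splitlines():
        if m := CREATED_RE.match(ln.strip()):
            date, time, size, path = m.groups()
            rows.append({"date": date, "time": time, "path": path,
                         "size": int(size.replace(",", ""))})
    return rows


def triage(hjt_log, combofix_log):
    """Flag machine-named Notify DLLs, same-minute/same-size drop clusters, and
    machine-named DLLs on disk that no Notify entry references."""
    notify = parse_o20(hjt_log)
    created = parse_created(combofix_log)
    by_drop = defaultdict(list)
    for f in created:
        by_drop[(f["date"], f["time"], f["size"])].append(f["path"])
    notify_paths = {p.lower() for _, p in notify}
    orphans = [f["path"] for f in created
               if f["path"].lower().endswith(".dll")
               and looks_machine_generated(f["path"].rsplit("\\", 1)[-1][:-4])
               and f["path"].lower() not in notify_paths]
    return {"suspect_notify": [n for n, _ in notify if looks_machine_generated(n)],
            "drop_clusters": [p for p in by_drop.values() if len(p) > 1],
            "orphan_dlls": orphans}
```

The orphan list is the interesting output: cefcxerw.dll has the same naming pattern as the three Notify DLLs but is not in the O20 list, so it needs checking under the other load points (O2 BHO, O4 Run, and the ComboFix registry section) before the fix is considered complete.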