PDA

View Full Version : smitfraud-C.toolbar888 & others-sneaky


sneaky
2007-05-10, 17:07
Hello, please can you help me. Like many others I seem to be struggling with this one. I used vundofix and got rid of various things. I get multiple internet page diversions and sometimes multiple popups plus my antivirus keeps signalling fresh trojans. I tried the smitfraud fix in safe mode. My computer stalls at the disk clean up stage although can still seem to carry on the smitfraud fix, but doesn't get rid of it. The etrust online scanner just crashes internet explorer. I guess things are quite bad. Here is my hijack this log. Many thanks for any help you can give me
sneaky
2007-05-10, 17:08
sorry, hand slipped before attached log.
Logfile of HijackThis v1.99.1
Scan saved at 15:56:34, on 10/05/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\Val\My Documents\programmes\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webcache.blueyonder.co.uk:8080
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar4.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\System32\qiruooqh.dll",realset
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.broadband.blueyonder.co.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160994496578
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.60-big/GoogleNav.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://213.3.7.71:8080/activex/AxisCamControl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?319
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Shaba
2007-05-11, 08:35
Hi sneaky

Rename hijackthis.exe to scanner.exe and post back a fresh hijackthis log, please :)
sneaky
2007-05-11, 19:35
Thank you for getting back to me. I think I have done this right. Renamed it, but everything still shows up as hijack this. hijack this scan results follow

Logfile of HijackThis v1.99.1
Scan saved at 18:17:51, on 11/05/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\TEMP\mshtml2.exe
C:\Documents and Settings\Val\My Documents\programmes\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webcache.blueyonder.co.uk:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {09A9C77D-0AA3-4DA4-8032-603385BF5FBB} - C:\WINDOWS\System32\awvtq.dll (file missing)
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {79A9CC17-7DCE-4A54-8676-9B4B564DDBB7} - C:\WINDOWS\System32\vtutu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar4.dll
O2 - BHO: (no name) - {D2692EE8-4795-44F4-A8FF-8FAC5D4FE947} - C:\WINDOWS\System32\jkkjigd.dll
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\System32\esybjfha.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O2 - BHO: (no name) - {ECBA9C03-19CF-468A-B975-B299200BE342} - C:\WINDOWS\System32\pmkhg.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar4.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\System32\vlnfqtkx.dll",realset
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.broadband.blueyonder.co.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160994496578
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.60-big/GoogleNav.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://213.3.7.71:8080/activex/AxisCamControl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?319
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: aedebccdfe - C:\WINDOWS\System32\aedebccdfe.dll
O20 - Winlogon Notify: jkkjigd - C:\WINDOWS\SYSTEM32\jkkjigd.dll
O20 - Winlogon Notify: vtutu - C:\WINDOWS\System32\vtutu.dll
O20 - Winlogon Notify: winjyp32 - C:\WINDOWS\SYSTEM32\winjyp32.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Shaba
2007-05-11, 19:51
Hi

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
sneaky
2007-05-11, 23:34
Thanks for reply. I ran vandofix-couldn't see how to save, but made a copy of the files it found:

C:\WINDOWS\system32\awttrqn.dll
C:\WINDOWS\system32\eanamtcy.dll
C:\WINDOWS\system32\ljjjhi.dll
C:\WINDOWS\system32\ututv.bak1
C:\WINDOWS\system32\ututv.bak2
C:\WINDOWS\system32\ututv.ini
C:\WINDOWS\system32\vtutu.dll

Then new hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 22:29:03, on 11/05/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Val\My Documents\programmes\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webcache.blueyonder.co.uk:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {09A9C77D-0AA3-4DA4-8032-603385BF5FBB} - C:\WINDOWS\System32\awvtq.dll (file missing)
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {79A9CC17-7DCE-4A54-8676-9B4B564DDBB7} - C:\WINDOWS\System32\vtutu.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar4.dll
O2 - BHO: (no name) - {D2692EE8-4795-44F4-A8FF-8FAC5D4FE947} - C:\WINDOWS\System32\jkkjigd.dll
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\System32\esybjfha.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O2 - BHO: (no name) - {ECBA9C03-19CF-468A-B975-B299200BE342} - C:\WINDOWS\System32\pmkhg.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar4.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\System32\vlnfqtkx.dll",realset
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.broadband.blueyonder.co.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160994496578
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.60-big/GoogleNav.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://213.3.7.71:8080/activex/AxisCamControl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?319
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: aedebccdfe - C:\WINDOWS\System32\aedebccdfe.dll
O20 - Winlogon Notify: jkkjigd - C:\WINDOWS\SYSTEM32\jkkjigd.dll
O20 - Winlogon Notify: winjyp32 - C:\WINDOWS\SYSTEM32\winjyp32.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
sneaky
2007-05-11, 23:44
Found the vundofix log:


VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 20:06:35 07/05/2007

Listing files found while scanning....

C:\WINDOWS\System32\awvtq.dll
C:\WINDOWS\System32\jirlrvxa.dll
C:\WINDOWS\System32\qtvwa.bak1
C:\WINDOWS\System32\qtvwa.bak2
C:\WINDOWS\System32\qtvwa.ini

Beginning removal...

Attempting to delete C:\WINDOWS\System32\awvtq.dll
C:\WINDOWS\System32\awvtq.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\qtvwa.bak1
C:\WINDOWS\System32\qtvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\qtvwa.bak2
C:\WINDOWS\System32\qtvwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\qtvwa.ini
C:\WINDOWS\System32\qtvwa.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 20:21:09 07/05/2007

Listing files found while scanning....

C:\WINDOWS\System32\ghkmp.bak1
C:\WINDOWS\System32\ghkmp.ini
C:\WINDOWS\system32\hjtsnfbo.dll
C:\WINDOWS\System32\pmkhg.dll

Beginning removal...

Attempting to delete C:\WINDOWS\System32\ghkmp.bak1
C:\WINDOWS\System32\ghkmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\ghkmp.ini
C:\WINDOWS\System32\ghkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjtsnfbo.dll
C:\WINDOWS\system32\hjtsnfbo.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\pmkhg.dll
C:\WINDOWS\System32\pmkhg.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\System32\pmkhg.dll
C:\WINDOWS\System32\pmkhg.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 20:36:40 07/05/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 19:38:07 11/05/2007

Listing files found while scanning....

C:\WINDOWS\system32\awttrqn.dll
C:\WINDOWS\System32\eanamtcy.dll
C:\WINDOWS\system32\ljjjjhi.dll
C:\WINDOWS\System32\ututv.bak1
C:\WINDOWS\System32\ututv.bak2
C:\WINDOWS\System32\ututv.ini
C:\WINDOWS\System32\vtutu.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awttrqn.dll
C:\WINDOWS\system32\awttrqn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjjjhi.dll
C:\WINDOWS\system32\ljjjjhi.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\ututv.bak1
C:\WINDOWS\System32\ututv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\ututv.bak2
C:\WINDOWS\System32\ututv.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\ututv.ini
C:\WINDOWS\System32\ututv.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\vtutu.dll
C:\WINDOWS\System32\vtutu.dll Has been deleted!

Performing Repairs to the registry.
Done!
Shaba
2007-05-12, 11:07
Hi

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once the scan is complete, Right Click inside the listbox (white box) and click add more files
Copy&Paste the 2 entries below into the top 2 boxes

C:\WINDOWS\SYSTEM32\jkkjigd.dll
C:\WINDOWS\SYSTEM32\winjyp32.dll

Click Add Files and Click Close Window
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.[/list]

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Please click this link-->Jotti (http://virusscan.jotti.org/)

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WINDOWS\System32\aedebccdfe.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/flash/index_en.html

Post:

- a fresh HijackThis log
- vundofix report
- virustotal/jotti report
sneaky
2007-05-12, 12:32
Thanks for reply.

vundofix report


VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 20:06:35 07/05/2007

Listing files found while scanning....

C:\WINDOWS\System32\awvtq.dll
C:\WINDOWS\System32\jirlrvxa.dll
C:\WINDOWS\System32\qtvwa.bak1
C:\WINDOWS\System32\qtvwa.bak2
C:\WINDOWS\System32\qtvwa.ini

Beginning removal...

Attempting to delete C:\WINDOWS\System32\awvtq.dll
C:\WINDOWS\System32\awvtq.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\qtvwa.bak1
C:\WINDOWS\System32\qtvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\qtvwa.bak2
C:\WINDOWS\System32\qtvwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\qtvwa.ini
C:\WINDOWS\System32\qtvwa.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 20:21:09 07/05/2007

Listing files found while scanning....

C:\WINDOWS\System32\ghkmp.bak1
C:\WINDOWS\System32\ghkmp.ini
C:\WINDOWS\system32\hjtsnfbo.dll
C:\WINDOWS\System32\pmkhg.dll

Beginning removal...

Attempting to delete C:\WINDOWS\System32\ghkmp.bak1
C:\WINDOWS\System32\ghkmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\ghkmp.ini
C:\WINDOWS\System32\ghkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjtsnfbo.dll
C:\WINDOWS\system32\hjtsnfbo.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\pmkhg.dll
C:\WINDOWS\System32\pmkhg.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\System32\pmkhg.dll
C:\WINDOWS\System32\pmkhg.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 20:36:40 07/05/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 19:38:07 11/05/2007

Listing files found while scanning....

C:\WINDOWS\system32\awttrqn.dll
C:\WINDOWS\System32\eanamtcy.dll
C:\WINDOWS\system32\ljjjjhi.dll
C:\WINDOWS\System32\ututv.bak1
C:\WINDOWS\System32\ututv.bak2
C:\WINDOWS\System32\ututv.ini
C:\WINDOWS\System32\vtutu.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awttrqn.dll
C:\WINDOWS\system32\awttrqn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjjjhi.dll
C:\WINDOWS\system32\ljjjjhi.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\ututv.bak1
C:\WINDOWS\System32\ututv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\ututv.bak2
C:\WINDOWS\System32\ututv.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\ututv.ini
C:\WINDOWS\System32\ututv.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\vtutu.dll
C:\WINDOWS\System32\vtutu.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 11:03:29 12/05/2007

Listing files found while scanning....

C:\WINDOWS\System32\ddcyy.dll
C:\WINDOWS\System32\yycdd.bak1
C:\WINDOWS\System32\yycdd.ini

Beginning removal...

Attempting to delete C:\WINDOWS\System32\ddcyy.dll
C:\WINDOWS\System32\ddcyy.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\jkkjigd.dll
C:\WINDOWS\SYSTEM32\jkkjigd.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\yycdd.bak1
C:\WINDOWS\System32\yycdd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\yycdd.ini
C:\WINDOWS\System32\yycdd.ini Has been deleted!

Performing Repairs to the registry.
Done!

Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 11:23:58, on 12/05/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Documents and Settings\Val\My Documents\programmes\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webcache.blueyonder.co.uk:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {09A9C77D-0AA3-4DA4-8032-603385BF5FBB} - C:\WINDOWS\System32\awvtq.dll (file missing)
O2 - BHO: (no name) - {1F901706-C3D0-40C9-9D82-C68693FAA7AF} - C:\WINDOWS\System32\ddcyy.dll (file missing)
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {79A9CC17-7DCE-4A54-8676-9B4B564DDBB7} - C:\WINDOWS\System32\vtutu.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar4.dll
O2 - BHO: (no name) - {D2692EE8-4795-44F4-A8FF-8FAC5D4FE947} - C:\WINDOWS\System32\jkkjigd.dll (file missing)
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\System32\esybjfha.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O2 - BHO: (no name) - {ECBA9C03-19CF-468A-B975-B299200BE342} - C:\WINDOWS\System32\pmkhg.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar4.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\System32\vlnfqtkx.dll",realset
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.broadband.blueyonder.co.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160994496578
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.60-big/GoogleNav.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://213.3.7.71:8080/activex/AxisCamControl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?319
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: aedebccdfe - C:\WINDOWS\System32\aedebccdfe.dll
O20 - Winlogon Notify: winjyp32 - winjyp32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Jotti report

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

Thanks for your help, I really appreciate it
Shaba
2007-05-12, 12:37
Hi

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: (no name) - {09A9C77D-0AA3-4DA4-8032-603385BF5FBB} - C:\WINDOWS\System32\awvtq.dll (file missing)
O2 - BHO: (no name) - {1F901706-C3D0-40C9-9D82-C68693FAA7AF} - C:\WINDOWS\System32\ddcyy.dll (file missing)
O2 - BHO: (no name) - {79A9CC17-7DCE-4A54-8676-9B4B564DDBB7} - C:\WINDOWS\System32\vtutu.dll (file missing)
O2 - BHO: (no name) - {D2692EE8-4795-44F4-A8FF-8FAC5D4FE947} - C:\WINDOWS\System32\jkkjigd.dll (file missing)
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\System32\esybjfha.dll
O2 - BHO: (no name) - {ECBA9C03-19CF-468A-B975-B299200BE342} - C:\WINDOWS\System32\pmkhg.dll (file missing)
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\System32\vlnfqtkx.dll",realset
O20 - Winlogon Notify: aedebccdfe - C:\WINDOWS\System32\aedebccdfe.dll
O20 - Winlogon Notify: winjyp32 - winjyp32.dll (file missing)

Close all windows including browser and press fix checked.

Please download the Killbox (http://download.bleepingcomputer.com/spyware/KillBox.zip).
Unzip it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\esybjfha.dll
C:\WINDOWS\System32\vlnfqtkx.dll
C:\WINDOWS\System32\aedebccdfe.dll


Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again..

If your computer does not restart automatically, please restart it manually.

Now this file should be there -> C:\!KillBox\aedebccdfe.dll

Try to upload it to jotti

Post:

- a fresh HijackThis log
- jotti result
sneaky
2007-05-12, 12:59
Thanks for speedy reply. Carried out instructions as directed. Killbox does not have that file, but does have vlnfqtkx.dll and esybjfha.dll.

Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 11:56:10, on 12/05/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Val\My Documents\programmes\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webcache.blueyonder.co.uk:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar4.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar4.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.broadband.blueyonder.co.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160994496578
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.60-big/GoogleNav.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://213.3.7.71:8080/activex/AxisCamControl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?319
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: aedebccdfe - C:\WINDOWS\System32\aedebccdfe.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks
Shaba
2007-05-12, 13:03
Hi

Are you sure that your hidden and system files are visible as instructed before?
sneaky
2007-05-12, 13:07
Hi

Yes double checked
Shaba
2007-05-12, 14:27
Hi

Ok.

Open HijackThis, click do a system scan only and checkmark this:

O20 - Winlogon Notify: aedebccdfe - C:\WINDOWS\System32\aedebccdfe.dll (file missing)

Close all windows including browser and press fix checked.

Reboot

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Post:

- a fresh HijackThis log
- kaspersky report
sneaky
2007-05-12, 17:30
Hi there. Wow long scan.

Kaspersky report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, May 12, 2007 4:22:34 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 12/05/2007
Kaspersky Anti-Virus database records: 318102
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 148204
Number of viruses found: 7
Number of infected objects: 29
Number of suspicious objects: 0
Duration of the scan process: 02:01:50

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Matthew's research\Application Data\desktop.ini Object is locked skipped
C:\Documents and Settings\Matthew's research\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol Object is locked skipped
C:\Documents and Settings\Matthew's research\Application Data\Macromedia\Shockwave Player\Prefs\5HDGAPPG\gmlbLegoWB.txt Object is locked skipped
C:\Documents and Settings\Matthew's research\Application Data\Macromedia\Shockwave Player\Shockwave Log Object is locked skipped
C:\Documents and Settings\Matthew's research\Application Data\Microsoft\Address Book\Matthew's research.wab Object is locked skipped
C:\Documents and Settings\Matthew's research\Application Data\Microsoft\Internet Explorer\brndlog.bak Object is locked skipped
C:\Documents and Settings\Matthew's research\Application Data\Microsoft\Internet Explorer\brndlog.txt Object is locked skipped
C:\Documents and Settings\Matthew's research\Application Data\Microsoft\Internet Explorer\Desktop.htt Object is locked skipped
C:\Documents and Settings\Matthew's research\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini Object is locked skipped
C:\Documents and Settings\Matthew's research\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf Object is locked skipped
C:\Documents and Settings\Matthew's research\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Application Data\Microsoft\Office\MSO1033.acl Object is locked skipped
C:\Documents and Settings\Matthew's research\Application Data\Microsoft\Office\MSO2057.acl Object is locked skipped
C:\Documents and Settings\Matthew's research\Application Data\Microsoft\Office\Recent\Helen Keller.LNK Object is locked skipped
C:\Documents and Settings\Matthew's research\Application Data\Microsoft\Office\Recent\My Documents.LNK Object is locked skipped
C:\Documents and Settings\Matthew's research\Application Data\Microsoft\Office\Recent\Templates.LNK Object is locked skipped
C:\Documents and Settings\Matthew's research\Application Data\Microsoft\Office\Word.pip Object is locked skipped
C:\Documents and Settings\Matthew's research\Application Data\Microsoft\Proof\CUSTOM.DIC Object is locked skipped
C:\Documents and Settings\Matthew's research\Application Data\Microsoft\Protect\CREDHIST Object is locked skipped
C:\Documents and Settings\Matthew's research\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\Matthew's research\Application Data\Real\Msg\Category.dat Object is locked skipped
C:\Documents and Settings\Matthew's research\Application Data\Real\Msg\SCategory.dat Object is locked skipped
C:\Documents and Settings\Matthew's research\Application Data\Real\rnadmin\rnsystem.dat Object is locked skipped
C:\Documents and Settings\Matthew's research\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Matthew's research\Cookies\matthew's research@blueyonder[1].txt Object is locked skipped
C:\Documents and Settings\Matthew's research\Cookies\matthew's research@dcse1l8jsf9xjyo19se8nfg8p_9w4x[1].txt Object is locked skipped
C:\Documents and Settings\Matthew's research\Cookies\matthew's research@google[1].txt Object is locked skipped
C:\Documents and Settings\Matthew's research\Desktop\Address Book.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Desktop\Calculator.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Desktop\Chessmaster 10th Edition\Chessmaster 10th Edition.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Desktop\Chessmaster 10th Edition\Chessmaster Web Site.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Desktop\Chessmaster 10th Edition\Game Settings.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Desktop\Chessmaster 10th Edition\ReadMe.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Desktop\Chessmaster 10th Edition\Register.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Desktop\Chessmaster 10th Edition\Uninstall.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Desktop\Encyclopedia Standard 2002.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Desktop\Internet Explorer.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Desktop\Microsoft Word.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Desktop\Shortcut to &Search.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Classified Ads & Auctions\Bid-Up TV.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Classified Ads & Auctions\Exchange & Mart.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Classified Ads & Auctions\QXL.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Dating\Club Sirius.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Dating\Dateline.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Entertainment\Bravo.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Entertainment\Cable Guide UK TV Listings.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Entertainment\Play UK.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Entertainment\SceneOne.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Entertainment\Tickets Online.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Entertainment\Trouble.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Entertainment\UK Style.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Games\Challenge TV.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Learning & Reference\UK Horizons.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Learning & Reference\Xrefer Reference Engine.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Moving Home\Asserta Home.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Moving Home\Property Finder.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\News\BBC Online.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\News\Guardian Unlimited.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\News\ITN.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\News\The Scotsman.com.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Personal Finance\Advanced Financial Network.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Personal Finance\FTyourmoney.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Personal Finance\Prudential.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Shopping\Argos.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Shopping\Carphone Warehouse.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Shopping\clubmobile.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Shopping\Comet.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Shopping\HMV.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Shopping\Interflora.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Shopping\John Lewis.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Shopping\Kitbag.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Shopping\Marks & Spencer.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Shopping\Phones4U.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Shopping\ScreenShop.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Shopping\TV Travel Shop.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Shopping\Unbeatable.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Shopping\WHSmith.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Shopping Advice\HM Customs & Excise.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Shopping Advice\OFT Online Shopping Advice.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Shopping Advice\Which Online Shopping Guide.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Travel & Mapping\Multimap.com.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Travel & Mapping\tellmeglobaltraveller.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Travel & Mapping\The AA.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Travel & Mapping\TV Travel Shop.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Weather\BBC Online Weather Centre.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\blueyonder bookmarks\Women's Interest\Living.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\Desktop.ini Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\Links\Self Care.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\Links\Service Status.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\Links\Support.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\Links\Telewest Broadband.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Favorites\Links\Webmail.url Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Application Data\GDIPFONTCACHEV1.DAT Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Application Data\IconCache.db Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Application Data\Identities\{A04AE615-1B94-44A4-907E-41B9AE619F58}\Microsoft\Outlook Express\cleanup.log Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Application Data\Identities\{A04AE615-1B94-44A4-907E-41B9AE619F58}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Application Data\Identities\{A04AE615-1B94-44A4-907E-41B9AE619F58}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Application Data\Identities\{A04AE615-1B94-44A4-907E-41B9AE619F58}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Application Data\Identities\{A04AE615-1B94-44A4-907E-41B9AE619F58}\Microsoft\Outlook Express\Outbox.dbx Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
sneaky
2007-05-12, 17:32
and more...

C:\Documents and Settings\Matthew's research\Local Settings\Application Data\Microsoft\Money\10.0\urlmap.db Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.DTD Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Application Data\Musicmatch\Jukebox\UserInfo.dat Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Application Data\Musicmatch\MIM\MMCDi.xml Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\desktop.ini Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\History\desktop.ini Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\History\History.IE5\desktop.ini Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\History\History.IE5\MSHist012005102420051025\index.dat Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temp\WCESCOMM.LOG Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\$$XSLLANG_settings[1].xsl Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\$$XSLPATH_arttext[1].xsl Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\$$XSLPATH_contents[1].xsl Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\$$XSLPATH_mainhome[1].xsl Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\$$XSLPATH_textdecor[1].xsl Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\$$XSLPATH_textdecor[2].xsl Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\50x50_theinternet_icon[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\761554804[1] Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\blueyonder[1].css Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\bluey[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\chevron_grey[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\desktop.ini Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\dynhome[1].xml Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\enabler_top[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\getContent[1].jspx Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\go_icon_plus_space[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\help[1].png Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\help_136x104[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\home;dcopt=ist;sz=468x60;ord=2018246958090530[1] Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\h_homepage;dcopt=ist;sz=468x60;ord=7488820064614257[1] Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\mainhome_eestd[1].xsl&dhs=local&dhsparams=5 Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\modules[1].js Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\pngbehavior[1].htc Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\searchbar_google[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\searches[1].png Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\ser_phone_50x50icon[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\spacer[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\thumb01[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\thumb10[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\thumb10[2].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\thumb28[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\2PCDEJY7\thumb33[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\$$XSLLANG_strings[1].xsl Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\$$XSLPATH_entities[1].xsl Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\$$XSLPATH_hybrid[1].xsl Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\$$XSLPATH_mainhome[1].xsl Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\$$XSLPATH_mainhome[2].xsl Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\50x50_dialup_icon[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\761554804[1] Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\;sz=120x600;ord=5173852641980367[1] Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\blank[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\bluey[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\bluey[2].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\broadband.blueyonder.co[1] Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\broadband_o[1].png Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\channels[1].png Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\channels_o[1].png Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\chevron_orange[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\ch_main_pcguard_50[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\CodeSignPCA[1].crl Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\desktop.ini Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\dynhome[1].xml Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\feedback[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\mainhome_eestd[1].xsl&dhs=local&dhsparams=5 Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\navigation[1].css Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\searchbar_go_off[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\surround_horz[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\thumb01[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\thumb01[2].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\thumb12[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\thumb28[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\thumb33[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\thumb33[2].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\twLogo_help[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\4X8VQLIF\twLogo_home[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\$$XSLPATH_entities[1].xsl Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\$$XSLPATH_entities[2].xsl Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\$$XSLPATH_mainhome[1].xsl Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\$$XSLPATH_modules[1].xsl Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\$$XSLPATH_textdecor[1].xsl Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\50x50_broadband_icon[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\50x50_otherresources_icon[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\761569553[1] Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\761569553[2] Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\black_divide[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\bullet_expand[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\byLogo_help[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\CAI70H6J.swf Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\click%3Bh=v5_331b_3_0_%2a_y%3B22056772%3B0-0%3B0%3B10314727%3B1-468_60%3B12546763_12564659_1%3B%3B%7Esscs%3D%3f;sz=468x60;ord=518238[1].htm Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\CodeSignPCA[1].crl Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\desktop.ini Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\dotted_line_horz[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\enabler_bottom[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\footer_chevron_orange[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\help_o[1].png Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\home_help[1].jpg Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\home_home[1].jpg Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\icon_computer[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\index[1].jsp Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\navigation[1].js Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\searches_o[1].png Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\services_o[1].png Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\t011898a[1].jsm Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\thumb01[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\thumb10[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\thumb12[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\thumb12[2].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\thumb33[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\traffic_lights[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\M5Y7KHQV\tw_footer_logo[1].jpg Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\$$XSLPATH_contmods[1].xsl Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\$$XSLPATH_entities[1].xsl Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\$$XSLPATH_livemodules[1].xsl Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\$$XSLPATH_mediascript[1].js Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\$$XSLPATH_textdecor[1].xsl Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\50x50_email_icon[1].gif Object is locked skipped
sneaky
2007-05-12, 17:33
and..

C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\bg[1].jpg Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\broadband[1].png Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\byLogo_home[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\CANI073X.swf Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\CAPWSNH1.swf Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\desktop.ini Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\dotted_line_vert[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\dynhome[1].xml Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\dynhome[2].xml Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\go_enabler[1].jpg Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\help[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\help_136x60[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\home_help_o[1].jpg Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\home_home_o[1].jpg Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\mainhome_eestd[1].xsl&dhs=local&dhsparams=5 Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\mainhome_eestd[2].xsl&dhs=local&dhsparams=5 Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\modules[1].css Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\more_enabler[1].jpg Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\motive[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\ringtones_logos[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\search_white[1].jpg Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\services[1].png Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\t011898a[1].jtn Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\thumb10[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\thumb12[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\thumb28[1].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\Content.IE5\QL2L4VYP\thumb28[2].gif Object is locked skipped
C:\Documents and Settings\Matthew's research\Local Settings\Temporary Internet Files\desktop.ini Object is locked skipped
C:\Documents and Settings\Matthew's research\My Documents\desktop.ini Object is locked skipped
C:\Documents and Settings\Matthew's research\My Documents\Helen Keller.doc Object is locked skipped
C:\Documents and Settings\Matthew's research\My Documents\My Music\Desktop.ini Object is locked skipped
C:\Documents and Settings\Matthew's research\My Documents\My Music\Sample Music.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\My Documents\My Pictures\Desktop.ini Object is locked skipped
C:\Documents and Settings\Matthew's research\My Documents\My Pictures\Sample Pictures.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\My Documents\The Learning Company\Mavis Beacon\User\Matthew's research.rec Object is locked skipped
C:\Documents and Settings\Matthew's research\ntuser.dat Object is locked skipped
C:\Documents and Settings\Matthew's research\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Matthew's research\ntuser.ini Object is locked skipped
C:\Documents and Settings\Matthew's research\Recent\Desktop.ini Object is locked skipped
C:\Documents and Settings\Matthew's research\Recent\Helen Keller.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\SendTo\Compressed (zipped) Folder.ZFSendToTarget Object is locked skipped
C:\Documents and Settings\Matthew's research\SendTo\Desktop (create shortcut).DeskLink Object is locked skipped
C:\Documents and Settings\Matthew's research\SendTo\desktop.ini Object is locked skipped
C:\Documents and Settings\Matthew's research\SendTo\Mail Recipient.MAPIMail Object is locked skipped
C:\Documents and Settings\Matthew's research\SendTo\My Documents.mydocs Object is locked skipped
C:\Documents and Settings\Matthew's research\Start Menu\desktop.ini Object is locked skipped
C:\Documents and Settings\Matthew's research\Start Menu\Programs\Accessories\Accessibility\desktop.ini Object is locked skipped
C:\Documents and Settings\Matthew's research\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Start Menu\Programs\Accessories\Command Prompt.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Start Menu\Programs\Accessories\desktop.ini Object is locked skipped
C:\Documents and Settings\Matthew's research\Start Menu\Programs\Accessories\Entertainment\desktop.ini Object is locked skipped
C:\Documents and Settings\Matthew's research\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Start Menu\Programs\Accessories\Notepad.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Start Menu\Programs\Accessories\Synchronize.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Start Menu\Programs\Accessories\Tour Windows XP.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Start Menu\Programs\Accessories\Windows Explorer.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Start Menu\Programs\desktop.ini Object is locked skipped
C:\Documents and Settings\Matthew's research\Start Menu\Programs\Remote Assistance.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Start Menu\Programs\Startup\desktop.ini Object is locked skipped
C:\Documents and Settings\Matthew's research\Start Menu\Programs\Windows Media Player.lnk Object is locked skipped
C:\Documents and Settings\Matthew's research\Templates\amipro.sam Object is locked skipped
C:\Documents and Settings\Matthew's research\Templates\excel.xls Object is locked skipped
C:\Documents and Settings\Matthew's research\Templates\excel4.xls Object is locked skipped
C:\Documents and Settings\Matthew's research\Templates\lotus.wk4 Object is locked skipped
C:\Documents and Settings\Matthew's research\Templates\powerpnt.ppt Object is locked skipped
C:\Documents and Settings\Matthew's research\Templates\presenta.shw Object is locked skipped
C:\Documents and Settings\Matthew's research\Templates\quattro.wb2 Object is locked skipped
C:\Documents and Settings\Matthew's research\Templates\sndrec.wav Object is locked skipped
C:\Documents and Settings\Matthew's research\Templates\winword.doc Object is locked skipped
C:\Documents and Settings\Matthew's research\Templates\winword2.doc Object is locked skipped
C:\Documents and Settings\Matthew's research\Templates\wordpfct.wpd Object is locked skipped
C:\Documents and Settings\Matthew's research\Templates\wordpfct.wpg Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Val\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Val\Local Settings\Application Data\Identities\{FEE329C1-A98A-477B-A480-E0A5012F41D0}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\Val\Local Settings\Application Data\Identities\{FEE329C1-A98A-477B-A480-E0A5012F41D0}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\Val\Local Settings\Application Data\Identities\{FEE329C1-A98A-477B-A480-E0A5012F41D0}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\Val\Local Settings\Application Data\Identities\{FEE329C1-A98A-477B-A480-E0A5012F41D0}\Microsoft\Outlook Express\Sent Items.dbx Object is locked skipped
C:\Documents and Settings\Val\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Val\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Val\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\Val\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\Val\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
C:\Documents and Settings\Val\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
C:\Documents and Settings\Val\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Val\Local Settings\Temp\JET94A9.tmp Object is locked skipped
C:\Documents and Settings\Val\Local Settings\Temp\WCESCOMM.LOG Object is locked skipped
C:\Documents and Settings\Val\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Val\My Documents\programmes\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Val\My Documents\programmes\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Val\My Documents\programmes\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Val\ntuser.dat Object is locked skipped
C:\Documents and Settings\Val\NTUSER.DAT.LOG Object is locked skipped
C:\System Volume Information\_restore{399780A7-9B6E-4E9F-8183-C7D4FC00D371}\RP1470\A0264545.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\System Volume Information\_restore{399780A7-9B6E-4E9F-8183-C7D4FC00D371}\RP1472\A0266886.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\System Volume Information\_restore{399780A7-9B6E-4E9F-8183-C7D4FC00D371}\RP1474\A0267185.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped
C:\System Volume Information\_restore{399780A7-9B6E-4E9F-8183-C7D4FC00D371}\RP1474\A0267186.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.io skipped
C:\System Volume Information\_restore{399780A7-9B6E-4E9F-8183-C7D4FC00D371}\RP1474\A0267188.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{399780A7-9B6E-4E9F-8183-C7D4FC00D371}\RP1474\A0267277.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jg skipped
C:\System Volume Information\_restore{399780A7-9B6E-4E9F-8183-C7D4FC00D371}\RP1474\change.log Object is locked skipped
C:\VundoFix Backups\awttrqn.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ib skipped
C:\VundoFix Backups\hjtsnfbo.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\VundoFix Backups\jkkjigd.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jg skipped
C:\VundoFix Backups\ljjjjhi.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.io skipped
C:\WINDOWS\$_hpcst$.hpc Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\FRONTROOM.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\qomlljh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jg skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\xxyvstq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jg skipped
C:\WINDOWS\Temp\win1CE.tmp.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\WINDOWS\Temp\win1CE.tmp.exe NSIS: infected - 1 skipped
C:\WINDOWS\Temp\win258.tmp.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\WINDOWS\Temp\win258.tmp.exe NSIS: infected - 1 skipped
C:\WINDOWS\Temp\win26F.tmp.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\WINDOWS\Temp\win26F.tmp.exe NSIS: infected - 1 skipped
C:\WINDOWS\Temp\win323.tmp.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\WINDOWS\Temp\win323.tmp.exe NSIS: infected - 1 skipped
C:\WINDOWS\Temp\win5D7.tmp.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\WINDOWS\Temp\win5D7.tmp.exe NSIS: infected - 1 skipped
C:\WINDOWS\Temp\win74.tmp.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\WINDOWS\Temp\win74.tmp.exe NSIS: infected - 1 skipped
C:\WINDOWS\Temp\win748.tmp.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\WINDOWS\Temp\win748.tmp.exe NSIS: infected - 1 skipped
C:\WINDOWS\Temp\ZLT056da.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT056e1.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
sneaky
2007-05-12, 17:34
Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 16:23:52, on 12/05/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Documents and Settings\Val\My Documents\programmes\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webcache.blueyonder.co.uk:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar4.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar4.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.broadband.blueyonder.co.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160994496578
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.60-big/GoogleNav.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://213.3.7.71:8080/activex/AxisCamControl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?319
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks for your help
Shaba
2007-05-12, 17:38
Hi

Empty these folders:

C:\VundoFix Backups\
C:\WINDOWS\Temp\

Delete these:

C:\WINDOWS\system32\qomlljh.dll
C:\WINDOWS\system32\xxyvstq.dll

Empty Recycle Bin

Re-scan with kaspersky

Post:

- a fresh HijackThis log
- kaspersky report
sneaky
2007-05-12, 18:06
Hi there

I have emptied the vundofix backup and the two dll files from system 32 folder. When I tried to empty C:\\WINDOWS\Temp I can get rid of all the files except two. When I try to delete ZLT056da.TMP and ZLT056e1.TMP it says they are being used by another person or program and can't be deleted even though I have got nothing else running. I tried to delete them in safe mode, but they don't show up in the folder in safe mode.

Do you want me to go ahead and do the kaspersky scan now anyway or is there anything else I should do first?

thanks
Val
Shaba
2007-05-12, 18:09
Hi

Yes, please do another scan with kaspersky and post its log along with a fresh HijackThis log.
sneaky
2007-05-12, 19:01
Hi

Kaspersky has been down since your last post. Is there anything comparable that I can use, or do I just have to be patient until they are up and running again?!

Thanks again
Shaba
2007-05-12, 19:07
Hi

Well you can use panda then:

Please run this online scan:

Panda ActiveScan (http://www.pandasoftware.com/activescan/com/activescan_principal.htm)

Once you are on the Panda site, click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log
sneaky
2007-05-12, 20:43
thanks for advice again. Here is the panda report

Incident Status Location

Potentially unwanted tool:Application/Leaktest.A Not disinfected C:\Documents and Settings\Val\My Documents\programmes\Leak Test.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Val\My Documents\programmes\SmitfraudFix\SmitfraudFix\Process.exe
Virus:Trj/Shutdown.Z Disinfected C:\Documents and Settings\Val\My Documents\programmes\SmitfraudFix\SmitfraudFix\restart.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Val\My Documents\programmes\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Virus:Trj/Shutdown.Z Disinfected C:\Documents and Settings\Val\My Documents\programmes\SmitfraudFix.zip[SmitfraudFix/restart.exe]
Adware:Adware/Yazzle Not disinfected C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
and the hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 19:40:07, on 12/05/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Val\My Documents\programmes\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webcache.blueyonder.co.uk:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar4.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar4.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.broadband.blueyonder.co.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160994496578
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.60-big/GoogleNav.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://213.3.7.71:8080/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?319
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Shaba
2007-05-12, 20:46
Hi

Delete this:

C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe

Empty Recycle Bin

Otherwise looking good :)

Still problems?
sneaky
2007-05-12, 20:55
Internet certainly working better-no more redirections to fake antivirus software. Just running spybot again to check smitfraud doesn't show up any more. Also not getting constant trojan alerts from AVG while on internet.

Would you recommend using firefox instead of internet explorer, would I be better protected that way?

I realise I need to update to SP2, had tried not to as some evesham computers had crashed with it, but I can see I must now as have never had an infection like this before.

I am so grateful to you
sneaky
2007-05-12, 21:05
Yippee!!! All clear in Spybot S & D. Thank you Thank you Thank you
Shaba
2007-05-12, 21:12
Hi

"Would you recommend using firefox instead of internet explorer, would I be better protected that way?"

Yes, I do :) You can eg. add some add-ons like noscript and adblock which add more protection.

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update: Download the latest version of Java Runtime Environment (JRE) 6 Update 1 (http://java.sun.com/javase/downloads/index.jsp) and save it to your desktop.
Scroll down to where it says "Java Runtime Environment (JRE) 6u1...allows end-users to run Java applications".
Click the "Download" button to the right.
Read the License Agreement and then check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Reenable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topic405.html)


Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. Install also SP2.


Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/?showtutorial=48)

Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

IE/Spyad (http://www.spywarewarrior.com/uiuc/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean!
Shaba
2007-05-15, 10:35
Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.