View Full Version : xlibgfl254.dll and smitfraud - I think



jeffnem
2007-05-10, 22:33
I kept getting a message that read "the application or DLL c:windows\system32\xlibgfl254.dll is not a valid windows image. Please check this against your installation diskette" when I opened various applications. I ignored it until it started shutting down my Kodak software. I have run Prevx1 and SmitFraudFix and have tried uninstalling and reinstalling the software, but I can't even get through the installation. Following are my HJT log and eTrust Antivirus web scanner log.
Logfile of HijackThis v1.99.1
Scan saved at 3:11:36 PM, on 5/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
C:\Program Files\PeoplePC\ISP6230\Browser\Bartshel.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\PeoplePC\ISP6230\Browser\PPShared.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.kodak.com/go/regeasysharesw_english?CDVERSION=SKU17&OS=WINXP&CDORIGIN=SKU17
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: (no name) - {709FF719-062F-5A7D-1F13-086A97732EC1} - C:\WINDOWS\system32\aslrmrc.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: C:\Program Files\PeoplePC\ISP6230\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [Services] C:\DOCUME~1\LAWREN~1\LOCALS~1\Temp\342x43.exe
O4 - HKLM\..\Run: C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [MegaPanel] C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\Lawrence Family\Local Settings\Temporary Internet Files\Content.IE5\4DI7OD2N\WinAntiVirusPro2006FreeInstall[1].exe" -nag
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG Spirit\AGremind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O15 - Trusted Zone: http://www.ktre.com
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://photo.walgreens.com/WalgreensOutlookImport.cab
O16 - DPF: {1311F62A-DE80-1EC8-3000-58DE5F04B6D7} - http://85.255.115.229/1/gdnUS1388.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {417C97CF-4AD1-3D09-7349-4DBA1796A8A3} - http://85.255.115.229/1/gdnUS1388.exe
O16 - DPF: {51D7F799-94DB-7A23-4E87-494657F60427} - http://85.255.115.229/1/gdnUS1388.exe
O16 - DPF: {6A5781A5-7600-5FA9-9BF7-39090EA1AC3F} - http://85.255.115.229/1/gdnUS1388.exe
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {730D954F-1058-44B2-6CBE-6997537B30FF} - http://85.255.115.229/1/gdnUS1388.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_games/tikgames/goldfever/goldfever.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Scan Results: 102429 files scanned. 77 viruses were detected.

File Infection Status Path
Anima.class-3de42e85-1a8aa474.class Java/ByteVerify!exploit infected C:\Documents and Settings\Lawrence Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\
animan.class-4379dbf2-7d2c042c.class Java/ByteVerify!exploit infected C:\Documents and Settings\Lawrence Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\
omfg.class-54f26534-17398c85.class Java/Shinwow.BD infected C:\Documents and Settings\Lawrence Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\
loaded.exe Win32/Busky!generic infected C:\Documents and Settings\Lawrence Family\
080ddaf6.exe Win32/SillyDl.PW infected C:\Documents and Settings\Lawrence Family\Local Settings\Application Data\
08163c25.exe Win32/SillyDl.PW infected C:\Documents and Settings\Lawrence Family\Local Settings\Application Data\
136fcc85.exe Win32/SillyDl.PW infected C:\Documents and Settings\Lawrence Family\Local Settings\Application Data\
21e45506.exe Win32/SillyDl.PW infected C:\Documents and Settings\Lawrence Family\Local Settings\Application Data\
329bdc9.exe Win32/SillyDl.PW infected C:\Documents and Settings\Lawrence Family\Local Settings\Application Data\
35ed3095.exe Win32/SillyDl.PW infected C:\Documents and Settings\Lawrence Family\Local Settings\Application Data\
54319946.exe Win32/SillyDl.PW infected C:\Documents and Settings\Lawrence Family\Local Settings\Application Data\
5b4288a6.exe Win32/SilentCaller.V infected C:\Documents and Settings\Lawrence Family\Local Settings\Application Data\
663f4182.exe Win32/SillyDl.PW infected C:\Documents and Settings\Lawrence Family\Local Settings\Application Data\
78a2d856.exe Win32/SillyDl.PW infected C:\Documents and Settings\Lawrence Family\Local Settings\Application Data\
841c5d34.exe Win32/SillyDl.PW infected C:\Documents and Settings\Lawrence Family\Local Settings\Application Data\
85b6defe.exe Win32/SillyDl.PW infected C:\Documents and Settings\Lawrence Family\Local Settings\Application Data\
97217b45.exe Win32/SillyDl.PW infected C:\Documents and Settings\Lawrence Family\Local Settings\Application Data\
a67a65f3.exe Win32/SillyDl.PW infected C:\Documents and Settings\Lawrence Family\Local Settings\Application Data\
bf649707.exe Win32/SillyDl.PW infected C:\Documents and Settings\Lawrence Family\Local Settings\Application Data\
c43cb9f6.exe Win32/SilentCaller.V infected C:\Documents and Settings\Lawrence Family\Local Settings\Application Data\
cdb3eaf6.exe Win32/SillyDl.PW infected C:\Documents and Settings\Lawrence Family\Local Settings\Application Data\
db3b3c63.exe Win32/SillyDl.PW infected C:\Documents and Settings\Lawrence Family\Local Settings\Application Data\
e48dcd36.exe Win32/SillyDl.PW infected C:\Documents and Settings\Lawrence Family\Local Settings\Application Data\
f5295907.exe Win32/SillyDl.PW infected C:\Documents and Settings\Lawrence Family\Local Settings\Application Data\
fe880b5e.exe Win32/SillyDl.PW infected C:\Documents and Settings\Lawrence Family\Local Settings\Application Data\
us14info.exe Win32/Oneraw!generic infected C:\Documents and Settings\Lawrence Family\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.10\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.11\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.12\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.13\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.14\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.15\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.16\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.17\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.18\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.19\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.20\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.21\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.22\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.23\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.24\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.25\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.26\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.28\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.29\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.30\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.31\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.32\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.33\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.34\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.35\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.36\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.37\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.38\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.39\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.40\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.41\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.42\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.43\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.44\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.5\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.6\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.7\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.8\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\CONFLICT.9\
gdnUS1388.exe Win32/SillyDl.PW infected C:\WINDOWS\Downloaded Program Files\
ansfsrg.dll Win32/Busky!generic infected C:\WINDOWS\system32\
aslrmrc.dll Win32/Busky!generic infected C:\WINDOWS\system32\
cmd.ftp Win32/Sasser!FTP infected C:\WINDOWS\system32\
hosts.20060321-151320.backup Win32/Hostblock infected C:\WINDOWS\system32\drivers\etc\
Microsoft.exe Win32/Agobot.VG infected C:\WINDOWS\system32\
qfyqakn.dll Win32/Busky!generic infected C:\WINDOWS\system32\
zdj.exe Win32/Secdrop.JU infected C:\


Any and ALL help would be GREATLY appreciated.
Emily

pskelley
2007-05-12, 15:19
Hi Emily and welcome to the forum, first I wish to be sure you saw this information: "BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.

Next I need to tell you this is a badly infected computer, my suggestion if you still need help, is to keep it offline except when working on your problems until we get it clean.

Just a little information before we start (if we start) this item:
xlibgfl254.dll >>> http://fileinfo.prevx.com/fileinfo.asp?PXC=600d70643048

This item: O4 - HKLM\..\Run: [Services] C:\DOCUME~1\LAWREN~1\LOCALS~1\Temp\342x43.exe
may be a backdoor trojan, so you should take this information into consideration:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

This one: 85.255.115.229 in the O16 DPF >>> see this http://whois.domaintools.com/85.255.115.229 indicates at least the presence of Ukrainian hackers.

You also have this item: O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\Lawrence Family\Local Settings\Temporary Internet Files\Content.IE5\4DI7OD2N\WinAntiVirusPro2006FreeInstall[1].exe" -nag
which as an install for Winfixer is almost a sure sign of a Vundo infection which can be difficult to remove.
Here is a little information about that junk: Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks/search.aspx?q=winfixer+msn
http://www.revenews.com/wayneporter/archives/adware-spyware-greynets/getting_the_fix_on_winfixer_aol_network_now/

That is not all, I am wondering why this junk is running on your computer:
C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
http://www.castlecops.com/startuplist-12455.html
Why do you want Nielsen to have any information from your computer???

Your AV scan shows a load of infections that need to be removed.

There is more, but those are the major issues, I would appreciate it if you would review the information and then post to let me know if you wish to proceed, this will be a difficult cleanup. If you decide to proceed, I will need three things:

1) Uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

2) C:\hijackthis\HijackThis.exe <<< rename HJT.exe to Emily.exe or whatever you wish.

3) A new HJT log created after HJT has been renamed and you have done a reboot so the change can go into effect.

Thanks
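
The triage in the reply above, sketched as an added example that is not part of the original thread or of HijackThis itself: it scans HijackThis log lines and flags the two patterns called out there, autostart (O4) entries launching from a temp or browser-cache directory and O16 DPF entries whose download URL uses a bare IP address. The function names and the two heuristics are assumptions chosen for illustration; the sample lines are copied from the log posted in this thread.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Services] C:\DOCUME~1\LAWREN~1\LOCALS~1\Temp\342x43.exe
O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\Lawrence Family\Local Settings\Temporary Internet Files\Content.IE5\4DI7OD2N\WinAntiVirusPro2006FreeInstall[1].exe" -nag
O16 - DPF: {1311F62A-DE80-1EC8-3000-58DE5F04B6D7} - http://85.255.115.229/1/gdnUS1388.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")

# Assumed heuristic: software that installs itself for autostart rarely lives
# in a temp or browser-cache folder (long and 8.3 short names are both listed).
TEMP_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\tempor~1\\")


def host_is_ip(url):
    """True when the URL's host is an IP literal rather than a DNS name."""
    host = urlparse(url).hostname or ""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return (section, reason, line) tuples for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = LINE_RE.match(line)
        if not match:
            continue  # headers, process list, blank lines
        section, body = match.groups()
        if section == "O4" and any(d in body.lower() for d in TEMP_DIRS):
            findings.append((section, "autostart from temp/cache directory", line))
        elif section == "O16":
            # The download URL is the last " - "-separated field of a DPF entry.
            url = body.rsplit(" - ", 1)[-1]
            if host_is_ip(url):
                findings.append((section, "ActiveX codebase on a bare IP", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```

A hit from either rule is a prompt for manual review, not a verdict; the remaining O16 entries in the log would still need to be checked by hand.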

tashi
2007-05-18, 06:39
Due to lack of feedback this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.

Thank you pskelley.