Need help in removing Remote Command Service



Tbroskey7632
2006-05-02, 04:25
Please see hijack This log and advise.

Thanks in advance!!!!



Logfile of HijackThis v1.99.1
Scan saved at 10:15:27 PM, on 5/1/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SmVubmE\command.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1136099349\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\winampcss.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\ms0544835-9305.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe
C:\PROGRA~1\COMMON~1\rquw\rquwm.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\PROGRA~1\COMMON~1\rquw\rquwa.exe
c:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Documents and Settings\JENNA\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\ayoqg.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,luvuqbd.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136099349\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Winamp Sound System] winampcss.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ms0544835-9305] C:\WINDOWS\ms0544835-9305.exe
O4 - HKLM\..\Run: [wf698208.dll] RUNDLL32.EXE wf698208.dll,I2 000aae590f698208
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\RunServices: [Winamp Sound System] winampcss.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [rquw] C:\PROGRA~1\COMMON~1\rquw\rquwm.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - AppInit_DLLs: repairs303169578.dll
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\r0p8la7u1d.dll
O23 - Service: Command Service ( ) - Unknown owner - C:\WINDOWS\SmVubmE\command.exe
O23 - Service: Command Service (abc) - Unknown owner - C:\WINDOWS\SmVubmE\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

LonnyRJones
2006-05-05, 16:09
Welcome
In Windows Control Panel > Add/Remove Programs, uninstall SurfSideKick,
NewNet (NewDotNet) and WebNexus if they are listed; restart the PC if prompted.

Download and run Look2Me-Destroyer: http://www.atribune.org/content/view/28/
Post its log after following the next set of instructions.

Start HijackThis and place a check next to these items, if they are there.
R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\ayoqg.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,luvuqbd.exe
O4 - HKLM\..\Run: [Winamp Sound System] winampcss.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ms0544835-9305] C:\WINDOWS\ms0544835-9305.exe
O4 - HKLM\..\Run: [wf698208.dll] RUNDLL32.EXE wf698208.dll,I2 000aae590f698208
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\RunServices: [Winamp Sound System] winampcss.exe
O4 - HKCU\..\Run: [rquw] C:\PROGRA~1\COMMON~1\rquw\rquwm.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
====================================
Hit Fix checked and close HijackThis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post a new HijackThis log and the Look2Me-Destroyer log.
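A small Python triage script, added here as an example (it is not part of the original posts and not a HijackThis feature), that encodes the rules the helper is applying by eye to the log above: a second program chained onto Shell= or UserInit=, autostarts given as bare filenames or dropped in the Windows root, DLLs loaded through AppInit_DLLs or Winlogon Notify, and services with no publisher. It also checks whether a service's folder name is base64, because C:\WINDOWS\SmVubmE decodes to "Jenna", the user name visible elsewhere in the log; that observation is the editor's, not the thread's. The sample lines are copied from the first posted log; the rule set is a heuristic, not a verdict.

```python
"""Triage heuristics for HijackThis v1.99 log entries.

Added example for the thread above; it is not part of the original posts
and not a feature of HijackThis. SAMPLE_LOG is copied from the first log
posted in the thread; the rules below are the editor's own rules of thumb
for the entry types the helper asked to have fixed.
"""
import base64
import ntpath
import re
import string

ENTRY = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
EXE = re.compile(r'"?(.+?\.(?:exe|dll|com|bat))\b', re.I)


def looks_base64_word(name):
    """Decoded word if `name` is base64 for a short ASCII word, else None.

    A folder name under C:\\WINDOWS that decodes cleanly was generated, not
    typed: the thread's SmVubmE decodes to "Jenna", the logged-on user.
    """
    if not re.fullmatch(r"[A-Za-z0-9+/]{4,}", name):
        return None
    padded = name + "=" * (-len(name) % 4)
    try:
        decoded = base64.b64decode(padded, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None
    if len(decoded) >= 3 and all(c in string.ascii_letters for c in decoded):
        return decoded
    return None


def _autostart_target(body):
    """Executable named by an O4 entry body, or the DLL handed to rundll32."""
    cmd = body.split("] ", 1)[1] if "] " in body else body.split(" = ", 1)[-1]
    first, _, rest = cmd.partition(" ")
    if first.lower() in ("rundll32", "rundll32.exe"):
        cmd = rest
    m = EXE.match(cmd)
    return m.group(1) if m else ""


def flag_entry(line):
    """Reasons this log line deserves a look (empty list: nothing seen)."""
    m = ENTRY.match(line.strip())
    if not m:
        return []
    section, body = m["section"], m["body"]
    reasons = []
    if section == "F2" and body.startswith("REG:system.ini: Shell="):
        shells = [p.strip().lower() for p in body.split("=", 1)[1].split(",")]
        if shells != ["explorer.exe"]:
            reasons.append("Shell= chains a second program after Explorer.exe")
    elif section == "F2" and body.startswith("REG:system.ini: UserInit="):
        inits = [ntpath.basename(p.strip()).lower()
                 for p in body.split("=", 1)[1].split(",") if p.strip()]
        if inits != ["userinit.exe"]:
            reasons.append("UserInit= runs an extra program at every logon")
    elif section == "O4":
        target = _autostart_target(body)
        folder = ntpath.dirname(target).lower()
        if target and not folder:
            reasons.append("bare filename, found by PATH search rather than a fixed path")
        elif folder in ("c:\\windows", "c:\\winnt"):
            reasons.append("executable dropped directly in the Windows root")
        if "RunServices" in body:
            reasons.append("RunServices autostart, a key legitimate software rarely uses")
    elif section == "O20":
        if body.startswith("AppInit_DLLs:"):
            reasons.append("AppInit_DLLs loads this DLL into every process that links user32.dll")
        else:
            stem = ntpath.basename(body.rsplit(" - ", 1)[-1]).split(".")[0]
            if re.search(r"\d", stem) and re.search(r"[A-Za-z]", stem):
                reasons.append("Winlogon Notify DLL with a machine-generated name runs inside winlogon.exe")
    elif section == "O23":
        if "Unknown owner" in body:
            reasons.append("service binary carries no publisher information")
        folder = ntpath.basename(ntpath.dirname(body.rsplit(" - ", 1)[-1]))
        word = looks_base64_word(folder)
        if word:
            reasons.append("service folder name is base64 for %r" % word)
    return reasons


def triage(log_text):
    """Map each flagged log line to its reasons; quiet lines are omitted."""
    findings = {}
    for line in log_text.splitlines():
        reasons = flag_entry(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


# Lines copied from the first log in the thread (constructed sample input).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\ayoqg.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,luvuqbd.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Winamp Sound System] winampcss.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [wf698208.dll] RUNDLL32.EXE wf698208.dll,I2 000aae590f698208
O4 - HKLM\..\RunServices: [Winamp Sound System] winampcss.exe
O20 - AppInit_DLLs: repairs303169578.dll
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\r0p8la7u1d.dll
O23 - Service: Command Service (abc) - Unknown owner - C:\WINDOWS\SmVubmE\command.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    -", reason)
```

Run it as a script to print the flagged lines with reasons, or call triage() on the text of a full saved log. Anything it reports still needs the human check the helper is doing in this thread: a bare filename or an executable in the Windows root is unusual, not proof of malware.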

Tbroskey7632
2006-05-07, 03:43
I have followed your instructions as directed.

1. uninstalled surfsidekick (newnet and WebNexus were not present)

2. Downloaded Look2me-Destroyer, followed instructions as per the site's directions.

3. Ran Hijackthis and removed all.

4. Restarted the PC.

I have attached a new Hijackthis log and the Look2me-Destroyer log. Please advise if there is anything else I need to do.



Logfile of HijackThis v1.99.1
Scan saved at 9:22:10 PM, on 5/6/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1136099349\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\SmVubmE\command.exe
C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\SmVubmE\command.exe
C:\WINDOWS\System32\svchost.exe




Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 5/6/2006 9:02:03 PM

Infected! C:\WINDOWS\system32\g4220efoeh2c0.dll
Infected! C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0015255.dll
Infected! C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0015259.dll
Infected! C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0016261.dll
Infected! C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0016274.dll
Infected! C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0016278.dll
Infected! C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0016289.dll
Infected! C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0016293.dll
Infected! C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0016304.dll
Infected! C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0016310.dll
Infected! C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP42\A0016331.dll
Infected! C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP42\A0016335.dll
Infected! C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP42\A0016387.dll
Infected! C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP42\A0016394.dll
Infected! C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP42\A0016403.dll
Infected! C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP42\A0016421.dll
Infected! C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP42\A0016422.dll
Infected! C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP43\A0017421.dll
Infected! C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP44\A0018421.dll
Infected! C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP44\A0018438.dll
Infected! C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP44\A0018439.dll
Infected! C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP44\A0018453.dll
Infected! C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP44\A0018454.dll
Infected! C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP44\A0018466.dll
Infected! C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP44\A0018467.dll
Infected! C:\WINDOWS\system32\cbc.dll
Infected! C:\WINDOWS\system32\g4220efoeh2c0.dll
Infected! C:\WINDOWS\system32\irp2l57o1.dll
Infected! C:\WINDOWS\system32\jtpq0775e.dll
Infected! C:\WINDOWS\system32\k4pm0e71eh.dll
Infected! C:\WINDOWS\system32\l46o0ej3eho.dll
Infected! C:\WINDOWS\system32\twkwks.dll
Infected! C:\WINDOWS\System32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\g4220efoeh2c0.dll
C:\WINDOWS\system32\g4220efoeh2c0.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0015255.dll
C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0015255.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0015259.dll
C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0015259.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0016261.dll
C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0016261.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0016274.dll
C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0016274.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0016278.dll
C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0016278.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0016289.dll
C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0016289.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0016293.dll
C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0016293.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0016304.dll
C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0016304.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0016310.dll
C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP41\A0016310.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP42\A0016331.dll
C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP42\A0016331.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP42\A0016335.dll
C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP42\A0016335.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP42\A0016387.dll
C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP42\A0016387.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP42\A0016394.dll
C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP42\A0016394.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP42\A0016403.dll
C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP42\A0016403.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP42\A0016421.dll
C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP42\A0016421.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP42\A0016422.dll
C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP42\A0016422.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP43\A0017421.dll
C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP43\A0017421.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP44\A0018421.dll
C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP44\A0018421.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP44\A0018438.dll
C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP44\A0018438.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP44\A0018439.dll
C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP44\A0018439.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP44\A0018453.dll
C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP44\A0018453.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP44\A0018454.dll
C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP44\A0018454.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP44\A0018466.dll
C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP44\A0018466.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP44\A0018467.dll
C:\System Volume Information\_restore{CC1B5A98-4654-484F-B30B-50F0817928AE}\RP44\A0018467.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\cbc.dll
C:\WINDOWS\system32\cbc.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\g4220efoeh2c0.dll
C:\WINDOWS\system32\g4220efoeh2c0.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\irp2l57o1.dll
C:\WINDOWS\system32\irp2l57o1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\jtpq0775e.dll
C:\WINDOWS\system32\jtpq0775e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\k4pm0e71eh.dll
C:\WINDOWS\system32\k4pm0e71eh.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\l46o0ej3eho.dll
C:\WINDOWS\system32\l46o0ej3eho.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\twkwks.dll
C:\WINDOWS\system32\twkwks.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\guard.tmp Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Themes

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D2E1987C-137C-47EE-B26C-4A150A31A6E2}"
HKCR\Clsid\{D2E1987C-137C-47EE-B26C-4A150A31A6E2}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

LonnyRJones
2006-05-07, 09:35
Good so far. That's only a partial log; I need to see an entire HijackThis log.

Tbroskey7632
2006-05-08, 19:12
Sorry about sending the partial log. My system appears to be running much better, no more pop-ups. Here is the complete log.

Thanks.


Logfile of HijackThis v1.99.1
Scan saved at 1:03:34 PM, on 5/8/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SmVubmE\command.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SmVubmE\command.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1136099349\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
c:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\aol\1136099349\ee\aim6.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Documents and Settings\JENNA\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\ayoqg.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,luvuqbd.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136099349\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe -a
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Command Service ( ) - Unknown owner - C:\WINDOWS\SmVubmE\command.exe
O23 - Service: Command Service (abc) - Unknown owner - C:\WINDOWS\SmVubmE\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

LonnyRJones
2006-05-08, 23:26
Scan with HijackThis and fix this item:
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
=================
Exit HijackThis.


Download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your C:\
Unzip it to a folder of its own (C:\BFU). So BFU should be on your root. In most cases this is C:\
Download qoofix.bat (http://downloads.subratam.org/Lon/qooFix.bat) (right-click on this link and choose Save As).
Place qoofix.bat in your C:\BFU folder. (Important!)
Double-click qooFix.bat, close all browsers and Explorer folders.
Choose option 1 (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.
After the PC has restarted, please post another HijackThis log.
Download "Registry Search Tool" (RegSrch.vbs) from here:
http://www.billsway.com/vbspage/
Start it and paste in

SmVubmE

Hit OK, wait, and when WordPad opens, copy that back here please.
Note: Your antivirus script protection might interfere; it's safe, please allow it to run.

Tbroskey7632
2006-05-09, 20:10
I ran HijackThis and made multiple attempts to fix:

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

It would not fix the item!


I downloaded Brute Force Uninstaller, loaded qoofix.bat, ran qoofix and have attached the HijackThis log that was run after qoofix autofix. See below.

Logfile of HijackThis v1.99.1
Scan saved at 1:32:00 PM, on 5/9/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SmVubmE\command.exe
C:\WINDOWS\SmVubmE\command.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1136099349\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
c:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Documents and Settings\JENNA\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136099349\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe -a
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Command Service ( ) - Unknown owner - C:\WINDOWS\SmVubmE\command.exe
O23 - Service: Command Service (abc) - Unknown owner - C:\WINDOWS\SmVubmE\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe






Registry Search Tool was downloaded, SmVubmE was pasted and run. Upon completion WordPad never opened. The following message is posted:

Search completed in 39 seconds.
No instances of "SmVubmE" found.

My antivirus script protection never interfered.

Thanks

T

LonnyRJones
2006-05-10, 00:48
Let's try this for NewNet.
Run HijackThis, click "Config", then "Misc Tools", then "Delete file on reboot"
(exact spelling counts!!! so don't browse).
Copy/paste the bolded line below into the File name box, then click Open.
C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL
Answer No to the reboot prompt.
Do the same for this file:
C:\WINDOWS\SmVubmE\command.exe

This time answer Yes to the prompt to reboot.
After the PC has restarted, run HijackThis and fix this item:
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
Click Scan again, then Save Log, and post another one please.


Start RegSrch.vbs and paste in

command.exe

Hit OK, wait, and when WordPad opens, copy that back here please.
Note: Your antivirus script protection might interfere; it's safe, please allow it to run.
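The "delete file on reboot" step above works by queueing the path in a registry value that smss.exe processes at the next boot, which is how a file held open by a running service can still be removed. As an added example (not from the thread and not HijackThis code), here is a Python encoder/decoder for that value, PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; the sample paths are the two files the post schedules. That HijackThis reaches this value through MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT is an assumption; the value layout is the documented one.

```python
"""Encode and decode PendingFileRenameOperations, the registry value behind
"delete this file on reboot".

Added example, not from the thread and not HijackThis code. When a file is
in use (a running service's own binary, say) a program asks for it to be
removed at the next boot; the usual API is MoveFileEx with
MOVEFILE_DELAY_UNTIL_REBOOT, which appends to the REG_MULTI_SZ value
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations.
smss.exe works through the list early in boot, before the service that held
the file open has started. Whether HijackThis uses exactly that API is an
assumption; the value layout is the documented one. The sample paths in
__main__ are the two files the thread schedules for deletion.

Layout: UTF-16LE strings, each NUL-terminated, the list closed by one more
NUL. Entries come in (source, destination) pairs; an empty destination means
delete, a destination starting with "!" means replace an existing file.
"""
NT_PREFIX = "\\??\\"


def _nt_path(win_path):
    """Win32 path -> the \\??\\C:\\... form smss.exe expects."""
    return win_path if win_path.startswith(NT_PREFIX) else NT_PREFIX + win_path


def encode_multi_sz(strings):
    """Raw REG_MULTI_SZ bytes for a list of strings (empty strings allowed)."""
    body = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    return body + b"\x00\x00"


def decode_multi_sz(blob):
    """Inverse of encode_multi_sz; keeps embedded empty strings."""
    text = blob.decode("utf-16-le")
    if not text:
        return []
    parts = text.split("\x00")
    if len(parts) < 2 or parts[-1] != "" or parts[-2] != "":
        raise ValueError("not a terminated REG_MULTI_SZ")
    return parts[:-2]


def schedule_delete(blob, win_path):
    """Append a delete request (source, empty destination) to an existing value."""
    return encode_multi_sz(decode_multi_sz(blob) + [_nt_path(win_path), ""])


def schedule_replace(blob, src, dst):
    """Append 'move src over dst at boot' (the '!' prefix allows overwriting)."""
    return encode_multi_sz(decode_multi_sz(blob) + [_nt_path(src), "!" + _nt_path(dst)])


def pending_operations(blob):
    """List of (action, source, destination); action is delete, rename or replace."""
    ops = decode_multi_sz(blob)
    if len(ops) % 2:
        raise ValueError("value must hold source/destination pairs")
    result = []
    for src, dst in zip(ops[::2], ops[1::2]):
        if dst == "":
            result.append(("delete", src, ""))
        elif dst.startswith("!"):
            result.append(("replace", src, dst[1:]))
        else:
            result.append(("rename", src, dst))
    return result


if __name__ == "__main__":
    value = b""  # value absent: nothing pending yet
    value = schedule_delete(value, r"C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL")
    value = schedule_delete(value, r"C:\WINDOWS\SmVubmE\command.exe")
    for action, src, dst in pending_operations(value):
        print(f"{action:8} {src} {dst}".rstrip())
```

The decoder is the half worth keeping for incident response: a REG_MULTI_SZ pulled from an offline SYSTEM hive can be handed to pending_operations() to see what a machine was about to delete or overwrite at its next boot, a mechanism malware uses for the same reason cleanup tools do. On a live Windows host winreg.QueryValueEx already returns the list of strings, so only the pairing logic is needed there.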

Tbroskey7632
2006-05-10, 19:16
I have run HijackThis, this time going into the config file. I have copied and pasted both commands. Once again I have attempted this multiple times. HijackThis still does not fix the identified entry. I have posted the most recent HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 1:11:04 PM, on 5/10/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SmVubmE\command.exe
C:\WINDOWS\SmVubmE\command.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1136099349\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Iomega HotBurn\Autolaunch.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
c:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\JENNA\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136099349\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe -a
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Command Service ( ) - Unknown owner - C:\WINDOWS\SmVubmE\command.exe
O23 - Service: Command Service (abc) - Unknown owner - C:\WINDOWS\SmVubmE\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
I have posted the RegSrch.vbs wordpad log.

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "command.exe" 5/10/2006 12:47:19 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-725345543-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"c"="C:\\WINDOWS\\SmVubmE\\command.exe"

[HKEY_USERS\S-1-5-21-725345543-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]
"b"="C:\\WINDOWS\\SmVubmE\\command.exe"


Thanks for your efforts.

T
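
Triage of the O23 (service) entries in a log like the one above, as an added example that is not part of the original thread and not code from HijackThis. It parses the O23 line format the log uses, flags the signs visible in this log (a service whose short name is a single space, two services sharing one ImagePath, "Unknown owner", a binary in its own folder directly under C:\WINDOWS) and checks whether such a folder name is base64: SmVubmE decodes to "Jenna", the account name in the log's Documents and Settings path. The sample lines are constructed to match the posted log; the function names, the EXPECTED_DIRS list and the base64 heuristic are this example's own assumptions.

```python
import base64
import re
from collections import defaultdict

O23_PREFIX = "O23 - Service: "

# Folders where a Windows XP service binary is normally expected to live
# (an assumption of this example, not a HijackThis rule).
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\progra~1\\")

# Constructed sample: the O23 lines from the posted log, in the same format.
SAMPLE_LOG = """\
O23 - Service: Command Service ( ) - Unknown owner - C:\\WINDOWS\\SmVubmE\\command.exe
O23 - Service: Command Service (abc) - Unknown owner - C:\\WINDOWS\\SmVubmE\\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\\Program Files\\Common Files\\InstallShield\\Driver\\11\\Intel 32\\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\\Program Files\\iPod\\bin\\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\\WINDOWS\\System32\\HPZipm12.exe
"""


def parse_o23(line):
    """Split one O23 line into display name, short service name, owner and path.

    HijackThis prints 'Display (ShortName)' and omits the parentheses when the
    two names are equal, so a missing short name falls back to the display name.
    Returns None for lines that are not O23 entries.
    """
    if not line.startswith(O23_PREFIX):
        return None
    parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    display, owner, path = parts
    m = re.match(r"^(.*?)(?: \((.*)\))?$", display)
    short = m.group(2) if m.group(2) is not None else m.group(1)
    return {"display": m.group(1), "name": short, "owner": owner.strip(), "path": path.strip()}


def decode_base64_name(name):
    """Return the alphabetic ASCII text a folder name base64-decodes to, else None.

    Heuristic (this example's assumption): the thread's folder SmVubmE decodes
    to 'Jenna', the account name in the log's Documents and Settings path.
    """
    padded = name + "=" * (-len(name) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isalpha() else None


def triage_services(log_text):
    """Group O23 entries by image path and return {path: [reasons]} for suspicious ones."""
    by_path = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry:
            by_path[entry["path"].lower()].append(entry)

    findings = {}
    for lowered, group in by_path.items():
        path = group[0]["path"]  # original case is needed for the base64 check
        reasons = []
        if any(e["owner"] == "Unknown owner" for e in group):
            reasons.append("no company name in the file's version info (Unknown owner)")
        if any(not e["name"].strip() for e in group):
            reasons.append("service short name is blank")
        if len(group) > 1:
            reasons.append("%d services share one ImagePath" % len(group))
        if lowered.startswith("c:\\windows\\") and not lowered.startswith(EXPECTED_DIRS):
            reasons.append("binary in a non-standard folder under C:\\WINDOWS")
            folder = path.split("\\")[2]
            decoded = decode_base64_name(folder)
            if decoded:
                reasons.append("folder name %s is base64 for %r" % (folder, decoded))
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage_services(SAMPLE_LOG).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Two of the checks matter most on this log: a service registered under a name that is only a space is not something an installer does by accident, and a second service name for the same binary is the fallback that keeps the thing running when one of them is removed, which is why fixing a single entry in HijackThis did not help.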

LonnyRJones
2006-05-11, 03:32
What's this about a config file?

Let's use a different regsearch tool.
Download and unzip Registry Search, http://www.xs4all.nl/~fstaal01/downloads/regsearch.zip
Save it to your Desktop, and double-click to start it. You will see two boxes, each with three lines. In the top box, enter the below info in the first line, leave all the boxes checked and hit Enter.
command.exe
Notepad will be opened with some text in it (a file, RegSearch.txt, will also be saved on your Desktop). Post this text in your next reply.

tashi
2006-05-15, 09:04
How is it going Tbroskey7632

Tbroskey7632
2006-05-15, 18:02
Here is a log from the most recent request.

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 5/15/2006 12:00:18 PM for strings:
; 'command.exe'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ ]
; Contents of value:
; c:\windows\smvubme\command.exe
"ImagePath"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,53,6d,56,75,62,6d,45,5c,63,\
6f,6d,6d,61,6e,64,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\abc]
; Contents of value:
; c:\windows\smvubme\command.exe
"ImagePath"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,53,6d,56,75,62,6d,45,5c,63,\
6f,6d,6d,61,6e,64,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ ]
; Contents of value:
; c:\windows\smvubme\command.exe
"ImagePath"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,53,6d,56,75,62,6d,45,5c,63,\
6f,6d,6d,61,6e,64,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\abc]
; Contents of value:
; c:\windows\smvubme\command.exe
"ImagePath"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,53,6d,56,75,62,6d,45,5c,63,\
6f,6d,6d,61,6e,64,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ ]
; Contents of value:
; c:\windows\smvubme\command.exe
"ImagePath"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,53,6d,56,75,62,6d,45,5c,63,\
6f,6d,6d,61,6e,64,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abc]
; Contents of value:
; c:\windows\smvubme\command.exe
"ImagePath"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,53,6d,56,75,62,6d,45,5c,63,\
6f,6d,6d,61,6e,64,2e,65,78,65,00

[HKEY_USERS\S-1-5-21-725345543-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"c"="C:\\WINDOWS\\SmVubmE\\command.exe"

[HKEY_USERS\S-1-5-21-725345543-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]
"b"="C:\\WINDOWS\\SmVubmE\\command.exe"

; End Of The Log...

LonnyRJones
2006-05-15, 19:40
Thanks. Before we continue:

Go to Start > Run and paste in
c:\windows\smvubme

Is the file command.exe still there?

Tbroskey7632
2006-05-15, 20:02
No, it is not there.

T

LonnyRJones
2006-05-15, 20:06
Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\abc]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ ]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ ]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\abc]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ ]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abc]

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.

Restart your PC.

Set Windows to show hidden files, folders and extensions.
Click Start.
Open any folder.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Uncheck Hide extensions for known file types.
Click Apply to confirm.
Click OK.
c:\windows\smvubme < delete that folder

Run that same regsearch we did last and post its log again please.
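
The two steps above (search the registry for the binary, then delete the service keys with a REGEDIT4 file) as one added example that is not part of the original thread and not code from the Registry Search tool or HijackThis. It reads a log in the format the Registry Search 2.0 tool produced earlier in the thread, decodes the hex(2) ImagePath bytes to confirm they really point at the binary instead of trusting the lowercased comment line, skips the OpenSaveMRU hits (those are only file-dialog history, not a service) and generates the [-Key] deletion lines. The sample log is constructed from the posted output; the function names are this example's own.

```python
# Constructed sample in the shape of the Registry Search 2.0 log posted above:
# two service keys (one whose name is a single space) and one OpenSaveMRU entry
# that is only file-dialog history and must not be treated as a service.
SAMPLE_REGSEARCH = r"""REGEDIT4

; Results for strings:
; 'command.exe'

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ ]
; Contents of value:
; c:\windows\smvubme\command.exe
"ImagePath"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,53,6d,56,75,62,6d,45,5c,63,\
  6f,6d,6d,61,6e,64,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abc]
; Contents of value:
; c:\windows\smvubme\command.exe
"ImagePath"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,53,6d,56,75,62,6d,45,5c,63,\
  6f,6d,6d,61,6e,64,2e,65,78,65,00

[HKEY_USERS\S-1-5-21-725345543-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]
"b"="C:\\WINDOWS\\SmVubmE\\command.exe"
"""


def unwrap_continuations(text):
    """Join .reg lines that end in a backslash with the following (indented) line."""
    lines, pending = [], ""
    for line in text.splitlines():
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        lines.append(pending + line.lstrip() if pending else line)
        pending = ""
    return lines


def decode_hex_value(spec):
    """Decode the byte list of a 'hex(2):' (REG_EXPAND_SZ) value to text.

    regedit exports these as UTF-16LE; the Registry Search tool used in the
    thread writes one byte per character, so both layouts are handled here.
    """
    data = bytes(int(h, 16) for h in spec.split(",") if h.strip())
    if data and len(data) % 2 == 0 and not any(data[1::2]):
        return data.decode("utf-16-le").rstrip("\x00")
    return data.decode("cp1252").rstrip("\x00")


def find_service_keys(reg_text, image_name):
    """Return every ...\\Services\\* key whose ImagePath ends with image_name."""
    keys, current = [], None
    for line in unwrap_continuations(reg_text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]  # keep trailing spaces: 'Services\ ' is a real key name
        elif current and "\\Services\\" in current and line.startswith('"ImagePath"='):
            value = line.split("=", 1)[1]
            if value.lower().startswith("hex(2):"):
                path = decode_hex_value(value[len("hex(2):"):])
            else:  # plain REG_SZ: quoted, with backslashes doubled
                path = value.strip('"').replace("\\\\", "\\")
            if path.lower().endswith(image_name.lower()):
                keys.append(current)
    return keys


def build_removal_reg(keys):
    """Emit REGEDIT4 text whose [-Key] lines delete each listed key when merged."""
    return "\n".join(["REGEDIT4", ""] + ["[-%s]" % k for k in keys]) + "\n"


if __name__ == "__main__":
    hits = find_service_keys(SAMPLE_REGSEARCH, "command.exe")
    print(build_removal_reg(hits))
```

On a real log the same service shows up under CurrentControlSet and one or two ControlSet00N keys, as it did above; CurrentControlSet is a link to whichever numbered set HKLM\SYSTEM\Select marks as current, so deleting through both names is redundant but harmless, and the other numbered set has to be cleaned as well or the service returns on a Last Known Good boot. Merge the file only after confirming the binary is gone and nothing is running from it, as the thread did, since a service that is still running can put its keys back.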

Tbroskey7632
2006-05-15, 21:12
REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 5/15/2006 3:08:56 PM for strings:
; 'command.exe'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_USERS\S-1-5-21-725345543-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"c"="C:\\WINDOWS\\SmVubmE\\command.exe"

[HKEY_USERS\S-1-5-21-725345543-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]
"b"="C:\\WINDOWS\\SmVubmE\\command.exe"

; End Of The Log...

LonnyRJones
2006-05-16, 05:17
Looks good

Are there any current problems ?

Tbroskey7632
2006-05-16, 16:00
I have just run a "search & destroy" and it came up clean. I haven't had a clean run for some time on this machine.

The issue we were working on occurred on my 13-year-old daughter's laptop, so it has been difficult to get it away from her to do your suggested repairs in a timely manner. Thanks again for your patience. I was a keystroke away from formatting the drive when I sent in my request. You have saved me a ton of time and aggravation (and the wrath of a 13-year-old) by providing the support to correct this issue.

Outstanding job! A donation to the cause is on the way.

Thanks for the support.

T

LonnyRJones
2006-05-16, 16:14
Almost finished

Go get all available Windows updates.

Think Prevention:
Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly to keep it updated

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

tashi
2006-05-22, 09:19
As the problem appears to be resolved this topic will be archived.


If you need it re-opened please send me a pm and provide a link to the thread.

Glad we could help.