Malware Keeps Lingering



jmayhew
2006-05-17, 04:03
Let me start by thanking you for any help that you can give me with this. :bigthumb: As the story begins I did something that I should not have :sick: and almost immediately I was getting TeaTimer popups and IE popups for a host of spy and malware. In addition my firewall was disabled. Here is what I have done so far:

1) updated NAV, scanned, and repaired
2) updated Spybot, scanned, and repaired
3) installed Ad-Aware, updated, scanned, and repaired
4) ran TrendMicro's Housecall online scan and repaired
5) disabled TeaTimer
6) downloaded and installed sharedaccess.reg
7) ran HijackThis and created log file
8) ran BlackLight and created log file

Most of this I got from reading the following post in your archives:

http://forums.spybot.info/archive/index.php/t-3469.html

There still seem to be some residual issues and I figure there is some additional cleaning that I need to do using the HijackThis and BlackLight log files. I believe that I can find some of the culprits but I want to be thorough and don't want to delete something that I shouldn't. I would appreciate any assistance that you can provide deciphering the following log files:

HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 9:30:18 PM, on 5/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\NavNT\defwatch.exe
E:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint 3.0\Bin\LPSVS03N.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\NavNT\vptray.exe
E:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\WINDOWS\system32\dlbxcoms.exe
E:\Program Files\Ahead\InCD\InCD.exe
E:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\LEADTE~1\LEADTO~1.0\bin\EPRINT3.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Webroot\Washer\wwDisp.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
E:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\SimpleCenter\SimpleCenter.exe
E:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
E:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\jmayhew\Desktop\Spyware Removal Tools\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.superpages.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\lyugw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vubkhtd.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [DpAgnt] E:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] E:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WatchDog] E:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [ePrint 3.0 Service] C:\PROGRA~1\LEADTE~1\LEADTO~1.0\bin\EPRINT3.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] E:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "E:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: AgentOffice.lnk = E:\Program Files\AgentOffice\OLAgnt32.exe
O4 - Startup: Launch Internet Explorer Browser.lnk = C:\Program Files\Internet Explorer\iexplore.exe
O4 - Startup: Launch Microsoft Office Outlook.lnk = E:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Startup: SimpleCenter.lnk = E:\Program Files\SimpleCenter\SimpleCenter.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = E:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - E:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_premium.pl?1&6&04.00.09.13&premium&unknown&http://www.toyota.com/fjcruiser/features.html?noreloadredir
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.sarasotamls.com/XMLSearch/XMLCache.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109479760357
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147781925265
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/1/sux.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - E:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: DpHost - DigitalPersona, Inc. - E:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: EPrint III Service - Unknown owner - C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint 3.0\Bin\LPSVS03N.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - E:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

BlackLight

05/16/06 21:32:40 [Info]: BlackLight Engine 1.0.36 initialized
05/16/06 21:32:40 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/16/06 21:32:43 [Note]: 7019 4
05/16/06 21:32:43 [Note]: 7005 0
05/16/06 21:32:47 [Note]: 7006 0
05/16/06 21:32:47 [Note]: 7022 0
05/16/06 21:32:47 [Note]: 7011 2804
05/16/06 21:32:48 [Note]: 7026 0
05/16/06 21:32:48 [Note]: 7026 0
05/16/06 21:32:48 [Note]: 7024 3
05/16/06 21:32:48 [Info]: Hidden process: C:\WINDOWS\system32\updcwn.exe
05/16/06 21:32:48 [Note]: 7024 3
05/16/06 21:32:48 [Info]: Hidden process: C:\WINDOWS\system32\lyugw.exe
05/16/06 21:32:48 [Note]: 7024 3
05/16/06 21:32:48 [Info]: Hidden process: C:\WINDOWS\system32\lyugw.exe
05/16/06 21:32:48 [Note]: 7024 3
05/16/06 21:32:48 [Info]: Hidden process: C:\WINDOWS\system32\lyugw.exe
05/16/06 21:32:48 [Note]: FSRAW library version 1.7.1015
05/16/06 21:33:11 [Info]: Hidden file: c:\Documents and Settings\All Users\Start Menu\Programs\Startup\mwpdd.exe
05/16/06 21:33:11 [Note]: 10002 1
05/16/06 21:37:49 [Note]: 4020 31097 8388608
05/16/06 21:37:49 [Note]: 4018 31097 8388608
05/16/06 21:37:49 [Note]: 4020 31097 8388608
05/16/06 21:37:49 [Note]: 4018 31097 8388608
05/16/06 21:37:49 [Note]: 4020 31097 8388608
05/16/06 21:37:49 [Note]: 4018 31097 8388608
05/16/06 21:37:49 [Note]: 4020 31097 8388608
05/16/06 21:37:49 [Note]: 4018 31097 8388608
05/16/06 21:46:44 [Info]: Hidden file: c:\WINDOWS\skkin.dll
05/16/06 21:46:44 [Note]: 10002 1
05/16/06 21:46:46 [Info]: Hidden file: C:\WINDOWS\system32\updcwn.exe
05/16/06 21:46:46 [Note]: 10002 1
05/16/06 21:46:50 [Info]: Hidden file: C:\WINDOWS\system32\lyugw.exe
05/16/06 21:46:50 [Note]: 10002 1
05/16/06 21:46:52 [Info]: Hidden file: c:\WINDOWS\system32\vubkhtd.exe
05/16/06 21:46:52 [Note]: 10002 1
05/16/06 21:46:54 [Info]: Hidden file: c:\WINDOWS\system32\bwdcnvo.dll
05/16/06 21:46:54 [Note]: 10002 1
05/16/06 21:56:45 [Note]: 7007 0

Thanks,

James

CalamityJane
2006-05-19, 02:27
James, Hi! Welcome to the forum :)

Are you still needing help? If so, please post a fresh HijackThis log and I'll be happy to see you through. :bigthumb:

jmayhew
2006-05-19, 04:41
Hello Jane,

Thanks for responding to my inquiry. I am still having problems with some hidden malware processes that are continuing to further infect my box. I have been scanning about 2 times a day to keep things in check. Here is my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:15:04 PM, on 5/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\NavNT\defwatch.exe
E:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint 3.0\Bin\LPSVS03N.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\NavNT\vptray.exe
E:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\WINDOWS\system32\dlbxcoms.exe
E:\Program Files\Ahead\InCD\InCD.exe
E:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\LEADTE~1\LEADTO~1.0\bin\EPRINT3.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
E:\Program Files\SimpleCenter\SimpleCenter.exe
E:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Documents and Settings\jmayhew\Desktop\Spyware Removal Tools\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.superpages.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\lyugw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vubkhtd.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [DpAgnt] E:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] E:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WatchDog] E:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [ePrint 3.0 Service] C:\PROGRA~1\LEADTE~1\LEADTO~1.0\bin\EPRINT3.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\RunOnce: [Index Washer] E:\Program Files\Webroot\Washer\WashIdx.exe "jmayhew"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] E:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "E:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\RunOnce: [Index Washer] E:\Program Files\Webroot\Washer\WashIdx.exe "jmayhew"
O4 - Startup: AgentOffice.lnk = E:\Program Files\AgentOffice\OLAgnt32.exe
O4 - Startup: Launch Internet Explorer Browser.lnk = C:\Program Files\Internet Explorer\iexplore.exe
O4 - Startup: Launch Microsoft Office Outlook.lnk = E:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Startup: SimpleCenter.lnk = E:\Program Files\SimpleCenter\SimpleCenter.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = E:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - E:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_premium.pl?1&6&04.00.09.13&premium&unknown&http://www.toyota.com/fjcruiser/features.html?noreloadredir
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.sarasotamls.com/XMLSearch/XMLCache.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109479760357
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147781925265
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/1/sux.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - E:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: DpHost - DigitalPersona, Inc. - E:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: EPrint III Service - Unknown owner - C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint 3.0\Bin\LPSVS03N.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - E:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Let me know if you need anything else.

Thanks,

James

CalamityJane
2006-05-19, 18:19
Hi James,

Your HijackThis log is all chopped up and hard to read. Open Notepad and choose *Format* at the top, then uncheck "word wrap". This will make your logs easier to read.

Open HijackThis and choose *scan only*
When it finishes, checkmark all of the below and then press the *fix checked* button.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\lyugw.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vubkhtd.exe

O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)

O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe

O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe

O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll

O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...02/Coupons.cab

O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/1/sux.cab

Please download the Killbox by Option^Explicit.
http://www.geekstogo.com/modules.php?modid=5&action=download&id=4

* Save it to your desktop.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\WINDOWS\system32\lyugw.exe
C:\WINDOWS\system32\runsrv32.exe
C:\WINDOWS\system32\susp.exe
C:\WINDOWS\system32\dmonwv.dll

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Answer yes to the prompt asking if you want to delete the files at reboot. Click "NO" at the Delete on Reboot prompt, and go to the next step which will reboot your PC when done with Blacklight.
..............................................

Please run Blacklight and choose to rename each of those files found.

Start > Run and type copy & paste into the box: c:\blbeta /expert

scan > next > select each file and choose rename for all of them, then let Blacklight restart your PC.

Please post the Blacklight log. The text file is named: fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
........................................
Scan with both Blacklight again to produce a new log after the reboot (hopefully those files will be gone from the list) and do a fresh HijackThis log for me to review.
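The checks CalamityJane applies by hand above can be written down as rules. What follows is an added Python example, not code from this thread, from HijackThis or from BlackLight: it parses a handful of lines copied from James's two logs (embedded as constructed sample input) and flags the entries that are mechanically suspicious, namely a Winlogon Shell or UserInit value that differs from the stock XP value, any entry naming a file BlackLight reported as hidden, a BHO with no backing file, and an unnamed downloaded ActiveX control. The stock values in EXPECTED_F2 and the rule set are this example's assumptions; entries she picked by name alone (Adware.Srv32, Transponder, dmonwv.dll) are not caught by these rules.

```python
import re

# Constructed sample input: a handful of lines copied from the two logs
# posted in this thread, trimmed to the entries the checks below act on.
HIJACKTHIS_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.superpages.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\lyugw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vubkhtd.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/1/sux.cab
"""

BLACKLIGHT_LOG = r"""
05/16/06 21:32:48 [Info]: Hidden process: C:\WINDOWS\system32\lyugw.exe
05/16/06 21:46:52 [Info]: Hidden file: c:\WINDOWS\system32\vubkhtd.exe
05/16/06 21:46:54 [Info]: Hidden file: c:\WINDOWS\system32\bwdcnvo.dll
"""

# Assumed stock values for the two system.ini entries HijackThis reports as
# F2 on Windows XP: Shell is exactly Explorer.exe and UserInit is the single
# userinit.exe path followed by a trailing comma. Anything appended after
# them is an extra program started at every logon.
EXPECTED_F2 = {
    "Shell": "Explorer.exe",
    "UserInit": r"C:\WINDOWS\system32\userinit.exe,",
}

def hidden_names(blacklight_text):
    """Return the lower-cased file names BlackLight reported as hidden."""
    names = set()
    for line in blacklight_text.splitlines():
        m = re.search(r"Hidden (?:process|file): (.+)$", line)
        if m:
            names.add(m.group(1).strip().lower().rsplit("\\", 1)[-1])
    return names

def triage(hijackthis_text, blacklight_text):
    """Return (entry, reason) pairs for HijackThis lines that deserve a look."""
    hidden = hidden_names(blacklight_text)
    findings = []
    for line in hijackthis_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        reasons = []
        # 1. Winlogon Shell / UserInit deviating from the stock value.
        m = re.match(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", line)
        if m and m.group(2).strip() != EXPECTED_F2[m.group(1)]:
            reasons.append(f"{m.group(1)} value is not the default")
        # 2. Entry loads a file BlackLight could not see through the normal API.
        for name in hidden:
            if name in line.lower():
                reasons.append(f"references hidden file {name}")
        # 3. Orphaned BHO registration (CLSID points at a missing file).
        if section == "O2" and line.endswith("(no file)"):
            reasons.append("BHO with no backing file")
        # 4. Downloaded ActiveX control (O16) with no class name; vendor
        #    controls normally register a readable name in parentheses.
        if section == "O16" and not re.search(r"\} \(.+\) - ", line):
            reasons.append("unnamed downloaded ActiveX control")
        if reasons:
            findings.append((line, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for entry, why in triage(HIJACKTHIS_LOG, BLACKLIGHT_LOG):
        print(f"{why}\n    {entry}")
```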

tashi
2006-05-26, 01:38
This topic is closed due to lack of a response to helper.
If you need it re-opened please send me a pm and provide a link to the thread.
Applies only to the original topic starter.