Yet another infected computer.. Heeellpppp

PakmanRevd
2006-06-21, 02:54
Well, nothing new here.. I owned my computer and I'm usually pretty safe on it, just not this time..

My main problem keeps popping up in S&D, over and over again, and S&D keeps telling me it can't delete it and will try on startup, but of course nothing happens. S&D shows it as Command Service. I tried going into registry and deleting cmdService but it won't let me. Along with that comes a bunch of other spyware that S&D deletes with no problems, so I'm guessing all of the spyware is coming from this 'Command Service'.

All it does is occasionally give me a tiny IE pop-up, but every time I open a Firefox window it creates about 3-4 tabs of random websites and changes the size of my window, and also when I'm browsing it will create a tab or 2 and resize. It's getting pretty annoying and has happened about 3-4 times while typing this.. haha

Anyways here's my hijackthis log, I also tried the online Panda anti virus thing but it froze on me, so this is what I got..


Logfile of HijackThis v1.99.1
Scan saved at 5:46:59 PM, on 6/20/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\outlook\outlook.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Steam\Steam.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Movie Maker\sample.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [w39aabc6.dll] RUNDLL32.EXE w39aabc6.dll,I2 00162a8a039aabc6
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\hr2805fue.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

It's weird to me because I don't notice much wrong in there, but I'm no expert so please let me know if you need any other info.

http://i30.photobucket.com/albums/c309/PakmanDirka/cmdService.jpg

Any help you can give me is GREATLY appreciated.

Thanks for your time..

PakmanRevd
2006-06-21, 08:38
Also my system32 folder doesn't show in WINDOWS.. I have to type it in URL.. and when I restart it just seems to get worse.

Pretty lame.. Once again any help is appreciated..

PakmanRevd
2006-06-22, 06:06
Bump? It's getting worse everyday..

pskelley
2006-06-25, 18:49
Hello and welcome to the forum, sorry for the wait, logs are many and volunteers are few. If you still need help, let's talk a moment.
You need to know the "command service" issue is by far the least of your problems. You are very infected and it will take a lot of work to clean up this mess. You are showing a Look2Me infection, an Alcan worm infection and a Qoologic trojan. There may be more, I looked quickly. These infections will attract others so you will need to keep this computer offline as much as possible until you are clean.

You must have missed this information: http://forums.spybot.info/showthread.php?t=1137

If you wish to proceed with the cleanup, start like this:

Winlogon Notify MS-DOS Emulation, Nls, OemStartMenuData, OfficeUpdate,
OptimalLayout, policies, Reinstall, Reliability X random named dll in the System32 folder Variant of Adware.Look2Me

Written by Atribune, thanks much!

Follow the instructions at this link:
http://www.atribune.org/content/view/28/

This information may or may not be needed:
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

If for some reason Look2Me-Destroyer doesn't reopen, check that Task Scheduler is running.
If it isn't, you can use sc.exe to start it:
Start > Run, type sc start schedule and press Enter.

Please post the contents of Look2Me-Destroyer.txt and a new HiJackThis log.

I will respond as soon as possible after you post, add any comments you think will help, communication is going to be important.

Thanks...pskelley
Safer Networking Forums
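
A small triage script, added here as an example and not part of this thread, of HijackThis or of the tools pskelley recommends: it parses lines in HJT's log format and flags the kinds of entries the reply above reacts to (a Winlogon Notify DLL with a random name, an autostart living in Temp, the RunServices key, an SSODL entry that loads an .exe). The Look2Me notify names come from the Atribune list quoted above; the randomness test and the folder list are my own heuristics, so hits are leads to check, not verdicts.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99.1 log format: eight lines copied from
# the logs posted in this thread (five that deserve a look, three benign).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [w39aabc6.dll] RUNDLL32.EXE w39aabc6.dll,I2 00162a8a039aabc6
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\marieb\LOCALS~1\Temp\10E.tmp3072.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\hr2805fue.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dxvwxpdq.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Winlogon Notify subkey names the Atribune write-up quoted above ties to Look2Me.
LOOK2ME_NOTIFY_NAMES = {
    "ms-dos emulation", "nls", "oemstartmenudata", "officeupdate",
    "optimallayout", "policies", "reinstall", "reliability",
}
# Folders that are odd homes for an autostart binary (heuristic, my assumption).
SUSPICIOUS_PATH_FRAGMENTS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")

ENTRY_RE = re.compile(r"^([FNOR]\d+) - (.*)$")
# A quoted path, or an unquoted one up to its extension (spaces allowed).
FILE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|ocm|scr|com|cpl))(?=[\s,]|$)', re.I)


@dataclass
class Finding:
    line: str
    reason: str


def basename(path: str) -> str:
    """File name without directory or extension."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated names such as hr2805fue or dxvwxpdq:
    letters and digits interleaved at least twice, or 8+ chars with no vowel."""
    runs = re.findall(r"[a-z]+|\d+", name.lower())
    has_digits = any(r.isdigit() for r in runs)
    letters = "".join(r for r in runs if not r.isdigit())
    if has_digits and len(letters) >= 3 and len(runs) >= 3:
        return True
    return len(name) >= 8 and not re.search(r"[aeiouy]", name.lower())


def first_file(s: str):
    """Split a command into the first file it names and the remainder."""
    s = s.strip()
    m = FILE_RE.match(s)
    if not m:
        return None, s
    return (m.group(1) or m.group(2)), s[m.end():]


def command_target(cmd: str) -> str:
    """The file an O4 command really loads: for RUNDLL32 that is the DLL."""
    path, rest = first_file(cmd)
    if path and basename(path).lower() == "rundll32":
        dll, _ = first_file(rest)
        return dll or path
    return path or cmd.strip()


def analyze(log: str) -> list:
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O4":
            key, _, rhs = body.partition(": ")
            name_m = re.match(r"\[[^\]]*\]\s*(.*)", rhs)          # [name] command
            cmd = name_m.group(1) if name_m else rhs.partition(" = ")[2] or rhs
            target = command_target(cmd)
            low = target.lower()
            if any(f in low for f in SUSPICIOUS_PATH_FRAGMENTS):
                findings.append(Finding(line, "autostart from a temp or profile data folder"))
            elif key.lower().endswith("runservices"):
                findings.append(Finding(line, "RunServices is a Win9x-era key; XP software rarely uses it"))
            elif looks_random(basename(target)):
                findings.append(Finding(line, "random-looking file name"))
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            name, _, dll = body[len("Winlogon Notify:"):].strip().partition(" - ")
            if name.lower() in LOOK2ME_NOTIFY_NAMES or looks_random(basename(dll)):
                findings.append(Finding(line, "Winlogon Notify entry fits the Look2Me pattern"))
        elif section == "O21" and body.lower().endswith(".exe"):
            findings.append(Finding(line, "SSODL should load a COM DLL, not an .exe"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.reason:60} {f.line}")
```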

PakmanRevd
2006-06-26, 10:35
Thanks for the reply :] I read it over and I'm EXTREMELY tired right now so I will have to do this all tomorrow, but I will let you know how it goes.

Thanks a lot and sorry for the bumps :p

pskelley
2006-06-26, 12:10
That's fine, you don't want to be trying to follow the instructions when you are tired, that's when mistakes are made. I will ask that you not "Quote" my instructions, that is just a waste of space and makes the topic harder to work with. The instructions can be scrolled back to.

Thanks...Phil

PakmanRevd
2006-06-27, 00:51
Sorry about that. Did everything above and it went like it said it would. So here's my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:49:39 PM, on 6/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\dxvwxpdq.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Symantec\S32EVNT1.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\xpupdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [w39aabc6.dll] RUNDLL32.EXE w39aabc6.dll,I2 00162a8a039aabc6
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM\..\Run: [DCOM Server] C:\WINDOWS\System32\dxvwxpdq.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\kwinoqez.exe GID003
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [ff67506a.exe] C:\Documents and Settings\marieb\Local Settings\Application Data\ff67506a.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\marieb\LOCALS~1\Temp\10E.tmp3072.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\kwinoqez.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\System32\javaw.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dxvwxpdq.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

PakmanRevd
2006-06-27, 00:52
Wouldn't fit in first post.

And the L2M Destroyer text:


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 6/26/2006 3:06:02 PM

Infected! C:\WINDOWS\system32\j06m0aj1edo.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0018680.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0018681.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0018682.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0018694.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0018711.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0018712.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0019715.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0019719.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0019726.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0019727.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0019733.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0019737.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP177\A0019745.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP177\A0019746.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP177\A0019856.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP177\A0019969.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP177\A0020016.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP177\A0021048.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP177\A0021088.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP177\A0021089.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP178\A0022088.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP178\A0022092.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP179\A0022209.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP180\A0022437.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP180\A0022444.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP181\A0022540.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP181\A0022542.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP181\A0022551.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP181\A0022555.dll
Infected! C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP184\A0022660.dll
Infected! C:\WINDOWS\system32\clbjmon.dll
Infected! C:\WINDOWS\system32\gpn2l35o1.dll
Infected! C:\WINDOWS\system32\h42o0ef3eh2.dll
Infected! C:\WINDOWS\system32\j06m0aj1edo.dll
Infected! C:\WINDOWS\system32\j4l40e3qeh.dll
Infected! C:\WINDOWS\system32\ktr0l79m1.dll
Infected! C:\WINDOWS\system32\lv0009dme.dll
Infected! C:\WINDOWS\system32\mq4ql9h51.dll
Infected! C:\WINDOWS\system32\rUsadhlp.dll
Infected! C:\WINDOWS\System32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\j06m0aj1edo.dll
C:\WINDOWS\system32\j06m0aj1edo.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0018680.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0018680.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0018681.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0018681.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0018682.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0018682.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0018694.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0018694.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0018711.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0018711.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0018712.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0018712.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0019715.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0019715.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0019719.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0019719.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0019726.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0019726.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0019727.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0019727.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0019733.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0019733.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0019737.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP176\A0019737.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP177\A0019745.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP177\A0019745.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP177\A0019746.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP177\A0019746.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP177\A0019856.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP177\A0019856.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP177\A0019969.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP177\A0019969.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP177\A0020016.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP177\A0020016.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP177\A0021048.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP177\A0021048.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP177\A0021088.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP177\A0021088.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP177\A0021089.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP177\A0021089.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP178\A0022088.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP178\A0022088.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP178\A0022092.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP178\A0022092.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP179\A0022209.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP179\A0022209.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP180\A0022437.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP180\A0022437.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP180\A0022444.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP180\A0022444.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP181\A0022540.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP181\A0022540.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP181\A0022542.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP181\A0022542.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP181\A0022551.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP181\A0022551.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP181\A0022555.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP181\A0022555.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP184\A0022660.dll
C:\System Volume Information\_restore{4E28393C-02C1-4329-AA30-89CA2B5E2579}\RP184\A0022660.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\clbjmon.dll
C:\WINDOWS\system32\clbjmon.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\gpn2l35o1.dll
C:\WINDOWS\system32\gpn2l35o1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\h42o0ef3eh2.dll
C:\WINDOWS\system32\h42o0ef3eh2.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\j06m0aj1edo.dll
C:\WINDOWS\system32\j06m0aj1edo.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\j4l40e3qeh.dll
C:\WINDOWS\system32\j4l40e3qeh.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ktr0l79m1.dll
C:\WINDOWS\system32\ktr0l79m1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lv0009dme.dll
C:\WINDOWS\system32\lv0009dme.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mq4ql9h51.dll
C:\WINDOWS\system32\mq4ql9h51.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\rUsadhlp.dll
C:\WINDOWS\system32\rUsadhlp.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\guard.tmp Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{10303BB6-3D9D-4086-98FE-A35C0236416B}"
HKCR\Clsid\{10303BB6-3D9D-4086-98FE-A35C0236416B}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9356C90C-B279-45C5-BFB0-8AA06A836D5F}"
HKCR\Clsid\{9356C90C-B279-45C5-BFB0-8AA06A836D5F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{67A7E04E-E250-4A77-8DB7-D9A6BFE0CAAA}"
HKCR\Clsid\{67A7E04E-E250-4A77-8DB7-D9A6BFE0CAAA}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{76E327EB-451E-4673-B388-3C21E28DA41C}"
HKCR\Clsid\{76E327EB-451E-4673-B388-3C21E28DA41C}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{AC9252A6-4AB8-4627-9BB2-41C240526CD7}"
HKCR\Clsid\{AC9252A6-4AB8-4627-9BB2-41C240526CD7}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4DAD7795-9355-4328-9ED4-93DF85107BB9}"
HKCR\Clsid\{4DAD7795-9355-4328-9ED4-93DF85107BB9}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{72DB39C2-0148-4334-A21A-D8720EDFD1CC}"
HKCR\Clsid\{72DB39C2-0148-4334-A21A-D8720EDFD1CC}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

pskelley
2006-06-27, 01:26
TeaTimer will stop changes we must make, please make sure it is turned off when you run any of the fixes, thanks:
http://russelltexas.com/malware/teatimer.htm

Please remember to stay offline except when absolutely necessary, you will get additional infections!

Read the instructions carefully, they must be executed exactly in order to be successful.

Thanks to Metallica and any others who help with this fix.

1. Please download Ewido Anti-Malware (http://www.ewido.net/en/download/)
Install ewido anti-malware
Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates (http://download.ewido.net/ewido-signatures-full-current.exe)

2. Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)" or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

4. Once in Safe Mode, Open Ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking BFU.exe
Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select alcanshorty.bfu
Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log.

Thanks...Phil

PakmanRevd
2006-06-27, 04:37
Alright I did all that, I'm gunna post up the HJT log, the Ewido is too long, not sure how I would post it..


Logfile of HijackThis v1.99.1
Scan saved at 7:28:48 PM, on 6/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [w39aabc6.dll] RUNDLL32.EXE w39aabc6.dll,I2 00162a8a039aabc6
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [ff67506a.exe] C:\Documents and Settings\marieb\Local Settings\Application Data\ff67506a.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\System32\javaw.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe





Everything seems to be running smoother but I still got a pop-up when I started up. Not a HUGE deal, I mean it seems like nearly all of it is gone.

BTW Thanks for the help. No way I could have done all of this without your help..

Let me know if you need any other info if there's anything major wrong :]

pskelley
2006-06-27, 04:53
Everything seems to be running smoother but I still got a pop-up when I started up. Not a HUGE deal, I mean it seems like nearly all of it is gone.

We have a long way to go.

You have MSConfig running in Selective Startup mode, I need to see all logs in Normal mode.
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

Post another HJT log.

ewido...edit out all of the cookies it deleted and you should be able to get it posted. If there are a lot of System Restore items, you can edit them out also, we will be cleaning System Restore before we are done.

Thanks:)

PakmanRevd
2006-06-27, 05:54
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:15:05 PM 6/26/2006

+ Scan result:



C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc96.exe -> Adware.AdURL : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\bw2.com -> Adware.AdURL : Cleaned with backup (quarantined).
C:\Program Files\MSN Gaming Zone\hocyzosoq..exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\Program Files\Movie Maker\sample.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\Program Files\Movie Maker\wsample.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\Program Files\Xfire\xfire_lang_nl.exe -> Adware.Agent : Cleaned with backup (quarantined).
D:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc66.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\biefgscr.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\Documents and Settings\Nici\Local Settings\Temp\!update.exe -> Adware.ClickSpring : Cleaned with backup (quarantined).
C:\Documents and Settings\Roz\Local Settings\Temp\!update.exe -> Adware.ClickSpring : Cleaned with backup (quarantined).
C:\Documents and Settings\marieb\Local Settings\Temp\!update.exe -> Adware.ClickSpring : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Αdobe\cmd.exe -> Adware.ClickSpring : Cleaned with backup (quarantined).
C:\Program Files\Common Files\ѕуstem32\сhkntfs.exe -> Adware.ClickSpring : Cleaned with backup (quarantined).
C:\WINDOWS\system32\Fοnts\wuaclt.exe -> Adware.ClickSpring : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc85.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\guard.tmp_tobedeleted -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\876056.exe -> Adware.Mirar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\WinNB57.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc43.EXE -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc90\Themexp.org File\NNWDAB638.EXE -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
D:\Documents and Settings\Linda\Local Settings\Temp\New21.tmp\upgrade.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
D:\Program Files\NewDotNet\newdotnet7_14.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
D:\Program Files\NewDotNet\newdotnet7_22.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
D:\Program Files\NewDotNet\uninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
D:\Program Files\NewDotNet\uninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
D:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
D:\WINDOWS\NDNuninstall6_90.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
D:\WINDOWS\NDNuninstall6_98.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
D:\WINDOWS\NDNuninstall7_14.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
D:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Documents and Settings\Nici\Application Data\Tаsks\dеxplore.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\bpodfz.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cgi.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\iexplore.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\javaw.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mmc.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
[220] C:\WINDOWS\System32\javaw.dll -> Adware.PurityScan : Error during cleaning.
[268] C:\WINDOWS\System32\javaw.dll -> Adware.PurityScan : Error during cleaning.
[280] C:\WINDOWS\System32\javaw.dll -> Adware.PurityScan : Error during cleaning.
[448] C:\WINDOWS\System32\javaw.dll -> Adware.PurityScan : Error during cleaning.
[476] C:\WINDOWS\System32\javaw.dll -> Adware.PurityScan : Error during cleaning.
[960] C:\WINDOWS\System32\javaw.dll -> Adware.PurityScan : Error during cleaning.
C:\Documents and Settings\Nici\Start Menu\Programs\WhenU -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Nici\Start Menu\Programs\WhenU\Learn More About WhenU Save.url -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Nici\Start Menu\Programs\WhenU\Learn More About WhenU SaveNow.url -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Nici\Start Menu\Programs\WhenU\Uninstall.lnk -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Nici\Start Menu\Programs\WhenU\WhenU Help Desk.lnk -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Nici\Start Menu\Programs\WhenU\WhenU.com Website.url -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc90\Themexp.org File\Ezthemes_WhenUSaveNowCrunch_InstallerInst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc90\Themexp.org File\Ezthemes_WhenUSaveNow_InstallerInst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\WINDOWS\System32tfthot.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\Documents and Settings\marieb\Local Settings\Temp\F8FB31.tmp/ssn6tuu.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\gbe90qs.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\Documents and Settings\marieb\Local Settings\Temp\i8.tmp -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Documents and Settings\marieb\Local Settings\Temp\iB3B.tmp -> Adware.SurfSide : Cleaned with backup (quarantined).
D:\WINDOWS\SYSTEM\SBUtils\SBWebCtl.dll -> Adware.WindowEnhancer : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc68.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kwinoqez.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINDOWS\system32\pndsregm.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc69.exe -> Downloader.Adload.bo : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc70.exe -> Downloader.Adload.bo : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc72.exe -> Downloader.Adload.bo : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc77.exe -> Downloader.Adload.bo : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc78.exe -> Downloader.Adload.bo : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc79.exe -> Downloader.Adload.bo : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc71.exe -> Downloader.Adload.bv : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc76.exe -> Downloader.Adload.bv : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc93.exe -> Downloader.Adload.ce : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc39.exe -> Downloader.Adload.cf : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc80.exe -> Downloader.Adload.cf : Cleaned with backup (quarantined).
C:\Program Files\Common Files\svchostsys\svchostrun.exe -> Downloader.Agent.a : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc67.exe -> Downloader.Agent.ala : Cleaned with backup (quarantined).
C:\Documents and Settings\Roz\Local Settings\Temp\f97296.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\Program Files\Internet Explorer\VSL.dl_.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc82.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\Documents and Settings\marieb\Local Settings\Temp\10E.tmp -> Downloader.Small.dal : Cleaned with backup (quarantined).
C:\Documents and Settings\marieb\Local Settings\Temp\112.tmp -> Downloader.Small.dal : Cleaned with backup (quarantined).
C:\Documents and Settings\marieb\Local Settings\Temp\10F.tmp -> Downloader.Small.daq : Cleaned with backup (quarantined).
C:\Documents and Settings\marieb\Local Settings\Temp\113.tmp -> Downloader.Small.daq : Cleaned with backup (quarantined).
C:\Documents and Settings\marieb\Local Settings\Temp\10E.tmp3072.exe -> Downloader.Small.dcj : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc35.exe -> Dropper.Mudrop.bq : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc88\SnowballWars.exe -> Dropper.VB.mz : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc99.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\marieb\Local Settings\Temp\2.dlb -> Hijacker.Spywad.o : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dlh9jkdq2.exe -> Hijacker.Spywad.o : Cleaned with backup (quarantined).
C:\WINDOWS\xpupdate.exe -> Hijacker.Spywad.o : Cleaned with backup (quarantined).
C:\Documents and Settings\marieb\Local Settings\Temp\F8FB31.tmp/mptft.exe -> Hijacker.StartPage.ajj : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc45.exe -> Hijacker.VB.fb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1659004503-152049171-725345543-1004\Dc83.exe -> Hijacker.VB.fb : Cleaned with backup (quarantined).
C:\Documents and Settings\Roz\Local Settings\Temporary Internet Files\Content.IE5\7ZBN3052\2238[1].exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwbaic.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwblta.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwbrhr.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwciaa.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwdahr.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwdiua.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvweuqq.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwewxd.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwfvto.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwfziz.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwgsww.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwgwpa.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwhfcu.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwhmbg.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwlkyj.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwlwba.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwlyjd.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwnfnc.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwntvb.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwnxrq.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwomda.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwomjp.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwphyd.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwpjfg.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwpwfb.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwqhsm.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwqmnp.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwqofa.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwqypy.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwrotw.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwscve.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwslhe.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwtkfr.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwucef.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwuxas.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwuxqz.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwvbtl.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwviig.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwvskh.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwwrhw.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwyaue.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwzfjl.exe -> Logger.Agent.mw : Cleaned with backup (quarantined).
C:\WINDOWS\desktop.html -> Not-A-Virus.Hoax.Win32.Renos.cy : Ignored.
C:\Documents and Settings\marieb\Local Settings\Temp\10E.tmp7680.exe -> Proxy.Agent.eu : Cleaned with backup (quarantined).
C:\Documents and Settings\marieb\Local Settings\Temp\art7E57.tmp -> Proxy.Xorpix.z : Cleaned with backup (quarantined).
C:\Documents and Settings\marieb\Local Settings\Temp\art9049.tmp -> Proxy.Xorpix.z : Cleaned with backup (quarantined).
C:\Documents and Settings\marieb\Cookies\marieb@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Roz\Local Settings\Temp\31444\explorer.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\Documents and Settings\marieb\Local Settings\Temp\16251\explorer.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\Documents and Settings\marieb\Local Settings\Temp\25523\explorer.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\Documents and Settings\marieb\Local Settings\Temp\28492\explorer.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwauwf.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwbacs.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwbijt.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwcdlz.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwdeni.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwdzvp.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvweeba.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwigaq.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwiybv.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwjncb.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwkjtc.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwkrvh.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwlhqf.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwmcis.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwmvst.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwneva.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwnexo.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwnppy.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwnqat.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwturp.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwtwya.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwuyuy.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwwkag.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwwmlk.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwwpvy.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwwuji.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwxpdq.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwydup.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwyytk.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwzdaa.exe -> Trojan.Agent.nl : Cleaned with backup (quarantined).
[744] C:\WINDOWS\System32\dxvwxpdq.exe -> Trojan.Agent.nl : Error during cleaning.
C:\Documents and Settings\marieb\Local Settings\Temp\maxdd1.game -> Trojan.Dialer.pw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\maxd641.exe -> Trojan.Dialer.pw : Cleaned with backup (quarantined).
C:\WINDOWS\unwn.exe -> Trojan.Qoologic : Cleaned with backup (quarantined).
C:\WINDOWS\wnu_135.exe -> Trojan.Qoologic : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll -> Trojan.Sinowal.x : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB8C34} -> Trojan.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\marieb\Local Settings\Temp\temp.frC61A -> Trojan.VB.tg : Cleaned with backup (quarantined).


::Report end

PakmanRevd
2006-06-27, 05:55
[QUOTE=pskelley]We have a long way to go.

You have MSConfig running in Selective Startup mode, I need to see all logs in Normal mode.
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
[/QUOTE]

I don't understand what you need me to do there, all the logs [besides ewido] were done in Normal Mode.

I'm probably totally misunderstanding what you're saying so let me know..

pskelley
2006-06-27, 12:02
Start > Run > type "msconfig" without the quotes and OK. On the General tab under Startup Selection make sure the bullet is in the "Normal Mode" selection. Now Apply and OK your way out. If bad programs are unchecked, I can't see them and have no way of knowing they are there. Once you are clean you can return to Selective Startup to save resources if you wish.

Once this is done I need to see a new HJT log, I will post the next set of instructions without seeing that log and adjust later.

Thanks.

pskelley
2006-06-27, 12:24
1) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

2) Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [w39aabc6.dll] RUNDLL32.EXE w39aabc6.dll,I2 00162a8a039aabc6
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [ff67506a.exe] C:\Documents and Settings\marieb\Local Settings\Application Data\ff67506a.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\javaw.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\System32\javaw.dll <<< file

C:\WINDOWS\System32\0mcamcap.exe <<< file

C:\Documents and Settings\marieb\Local Settings\Application Data\ff67506a.exe <<< file

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) Download CCleaner from this link: http://www.ccleaner.com/ and review the instructions: http://www.ccleaner.com/help/tour1.asp
Run CCleaner (Windows & Applications). When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do.

Restart the computer and post a fresh HJT log, add any comments you think will help. We are making progress, Qoologic is hiding there somewhere and we may have to deal with PurityScan adware but you have killed a lot of this junk:bigthumb:

Thanks...Phil:)
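The six lines Phil singles out above can be recognised mechanically. As an added example, not code from this thread or from HijackThis itself, here is a Python triage script that applies those heuristics to lines copied from the HJT log posted earlier; the regexes, the reason strings and the Finding class are my own, and the benign neighbours in the sample are there as negatives.

```python
"""Triage of HijackThis 1.99 log lines (added example, not part of the thread).

It re-applies the heuristics used to pick the six "Fix Checked" lines above:
  * O4 RunServices entries (legacy key, rarely used by legitimate XP software)
  * O4 targets living under a per-user Local Settings (Temp / Application Data) path
  * O4 rundll32 commands that load a DLL named without a path
  * O4 value names that look machine-generated (three or more digits, no vendor name)
  * O20 AppInit_DLLs set at all (the DLL is loaded into every process that maps user32)
  * O20 Winlogon Notify entries that point at a directory instead of a DLL
  * O21 SSODL CLSIDs with no backing file
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HJT log posted above, plus four
# benign neighbours (NvCplDaemon, SoundMan, NavLogon, NVSvc) as negatives.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [w39aabc6.dll] RUNDLL32.EXE w39aabc6.dll,I2 00162a8a039aabc6
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [ff67506a.exe] C:\Documents and Settings\marieb\Local Settings\Application Data\ff67506a.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\javaw.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>\S.*)$")
O20_NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")


@dataclass
class Finding:
    line: str    # the HJT line exactly as logged
    reason: str  # why it deserves a closer look


def _check_o4(m) -> Optional[str]:
    """Return a reason string if an O4 autorun entry looks suspicious, else None."""
    key, name, cmd = m.group("key", "name", "cmd")
    if key.lower() == "runservices":
        return "legacy RunServices key; rarely used by legitimate software on XP"
    if "\\local settings\\" in cmd.lower():
        return "autorun target lives in a per-user Local Settings (Temp/Application Data) folder"
    tokens = cmd.split()
    if tokens and tokens[0].lower() in ("rundll32.exe", "rundll32") and len(tokens) > 1:
        dll = tokens[1].split(",", 1)[0].strip('"')
        if "\\" not in dll:
            return "rundll32 loads a DLL named without a path, resolved via the DLL search order"
    stem = name.rsplit(".", 1)[0]
    if " " not in stem and sum(ch.isdigit() for ch in stem) >= 3:
        return "value name looks machine-generated (three or more digits, no vendor name)"
    return None


def triage(log_text: str) -> List[Finding]:
    """Scan HJT log text and return the lines worth a closer look, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            reason = _check_o4(m)
            if reason:
                findings.append(Finding(line, reason))
            continue
        if O20_APPINIT_RE.match(line):
            findings.append(Finding(line, "AppInit_DLLs is set: the DLL is injected into every "
                                          "process that maps user32.dll, so many PIDs hold it open"))
            continue
        m = O20_NOTIFY_RE.match(line)
        if m and m.group("path").endswith("\\"):
            findings.append(Finding(line, "Winlogon Notify package points at a directory, not a DLL"))
            continue
        m = O21_RE.match(line)
        if m and "(no file)" in m.group("path"):
            findings.append(Finding(line, "ShellServiceObjectDelayLoad CLSID has no backing file "
                                          "(orphan left after the scanner removed it)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"FLAG  {f.line}\n      -> {f.reason}")
```

The heuristics are deliberately narrow: a legitimate rundll32 entry with a full path (NvCplDaemon) or a Winlogon Notify package backed by a real DLL (NavLogon) passes, and anything flagged is a candidate for review, not an automatic removal.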

PakmanRevd
2006-06-27, 15:37
Ad-Aware SE Personal
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 6.0.1
Adobe Stock Photos 1.0
AOL Instant Messenger
AviSynth 2.5
BitTornado 0.3.7
DeadAIM
DivX
DivX Converter
DivX Player
DivX Web Player
ewido anti-spyware 4.0
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
HijackThis 1.99.1
HP Software Update
Internet Explorer Q831167
iPod for Windows 2006-03-23
iTunes
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
LiveUpdate 1.80 (Symantec Corporation)
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft Office XP Professional with FrontPage
Mozilla Firefox (1.5)
MSN Music Assistant
NVIDIA Display Driver
Outlook Express Q837009
Photosmart 140,240,7200,7600,7700,7900 Series
PowerDVD
QuickTime
Realtek AC'97 Audio
Spy Sweeper
Spybot - Search & Destroy 1.4
Steam
Symantec AntiVirus Client
Update for Windows XP (KB898461)
Videora iPod Converter 0.91
Windows Driver Package - MSN (usbccgp) USB (04/19/2006 1.1.0.2)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP2) Q819696
Windows XP Service Pack 1a
WinRAR archiver
Xfire (remove only)

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:36:41 AM, on 6/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\sys0157470780-.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [w39aabc6.dll] RUNDLL32.EXE w39aabc6.dll,I2 00162a8a039aabc6
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [win3206780-57470] C:\WINDOWS\win3206780-57470.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [newname] C:\\nwnm.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [keyboard] C:\\kybrd.exe
O4 - HKLM\..\Run: [grvrwg] C:\WINDOWS\System32\garaxi.exe reg_run
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\System32\mptft.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\kwinoqez.exe GID003
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM\..\Run: [sys0157470780-] C:\WINDOWS\sys0157470780-.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [ff67506a.exe] C:\Documents and Settings\marieb\Local Settings\Application Data\ff67506a.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\kwinoqez.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\System32\javaw.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

PakmanRevd
2006-06-27, 15:51
Wow sorry, ignore that HJT log.

I am extremely tired again and accidentally posted the wrong log..

Logfile of HijackThis v1.99.1
Scan saved at 6:45:23 AM, on 6/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\sys0157470780-.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [win3206780-57470] C:\WINDOWS\win3206780-57470.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [newname] C:\\nwnm.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [keyboard] C:\\kybrd.exe
O4 - HKLM\..\Run: [grvrwg] C:\WINDOWS\System32\garaxi.exe reg_run
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\System32\mptft.exe
O4 - HKLM\..\Run: C:\WINDOWS\system32\kwinoqez.exe GID003
O4 - HKLM\..\Run: [sys0157470780-] C:\WINDOWS\sys0157470780-.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\kwinoqez.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
From what I see I've had a lot of problems with a program called Zeno, associated with this?
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\kwinoqez.exe

Also wondering if this is a normal process: C:\WINDOWS\sys0157470780-.exe

Bed time at 7AM for me, let me know any info you need. I did everything I was instructed to do :p

pskelley
2006-07-03, 23:11
I have to apologize, I DID NOT get notified when you posted last. If your issues are not resolved, post a new HJT log and we will continue from that point. Once again, sorry the notifications failed.

Thanks...pskelley

PakmanRevd
2006-07-04, 00:54
No problem :] It's not too bad, I've kept it offline as much as possible. Here's a new HJT log.

Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 3:50:56 PM, on 7/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Steam\Steam.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrd.exe
O4 - HKLM\..\Run: [grvrwg] C:\WINDOWS\System32\garaxi.exe reg_run
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\System32\mptft.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\kwinoqez.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: yvbb01 - C:\WINDOWS\SYSTEM32\yvbb01.dll
O20 - Winlogon Notify: yvpp01 - C:\WINDOWS\SYSTEM32\yvpp01.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

I bolded things that don't seem right.. Let me know.

Thanks again :]

pskelley
2006-07-05, 17:40
I still did not get a notification. I checked and I am subscribed also??

Actually I am surprised some of this junk is still in the log, the Alcan Plus remover should have taken it out. Did you have any problems running that fix? I suppose we will do it manually:

While it is on my mind, Java just updated to jre1.5.0_07; see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2


Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrd.exe
O4 - HKLM\..\Run: [grvrwg] C:\WINDOWS\System32\garaxi.exe reg_run
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\System32\mptft.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\kwinoqez.exe
O20 - Winlogon Notify: yvbb01 - C:\WINDOWS\SYSTEM32\yvbb01.dll
O20 - Winlogon Notify: yvpp01 -

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files & folders; reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\\kybrd.exe <<< file

C:\WINDOWS\SYSC00.exe <<< file

C:\WINDOWS\System32\garaxi.exe reg_run <<< file

C:\WINDOWS\System32\0mcamcap.exe <<< file

C:\Program Files\TClock\ <<< folder

C:\WINDOWS\SYSTEM32\yvbb01.dll <<< file

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications. When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do.

If this item resists: C:\WINDOWS\SYSTEM32\yvpp01.dll
use the information at this link:
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
How to use the Delete on Reboot tool. That should kill the file; then you can remove the item with HJT.

Restart the computer and post a new HJT log so I can see where we are. Let me have any comments you think I should have.

Send a PM when you post, looks like I will not get the notification?
http://forums.spybot.info/member.php?find=lastposter&t=5588

Thanks...Phil
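The helper works by comparing each new HijackThis log against the previous one and by recognising which autostart location (HKLM/HKCU Run key, RunServices, Startup folder, Winlogon Notify, AppInit_DLLs, SSODL) an O4/O20/O21 entry reports. The Python below is an added example, not code from this thread or from HijackThis: it parses HJT entry lines, labels the persistence mechanism of each autostart entry, and diffs two constructed excerpts taken from the 6/27 and 7/3 logs posted above, so you can see what the fix removed, what persisted, and what appeared.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# HJT 1.99.1 entry lines look like "O4 - HKLM\..\Run: [name] command"
# or "O20 - Winlogon Notify: name - path". Process lists and headers are skipped.
ENTRY_RE = re.compile(r"^(?P<section>[FOR]\d+) - (?P<body>.+?)\s*$")
AUTOSTART_SECTIONS = {"O4", "O20", "O21", "O23"}


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    def mechanism(self) -> str:
        """Name the persistence mechanism an autostart entry relies on."""
        if self.section == "O4":
            if self.body.startswith("HKLM\\..\\RunServices"):
                return "HKLM RunServices key"
            if self.body.startswith("HKLM\\..\\Run"):
                return "HKLM Run key"
            if self.body.startswith("HKCU\\..\\Run"):
                return "HKCU Run key"
            if self.body.startswith("Global Startup"):
                return "all-users Startup folder"
            if self.body.startswith("Startup"):
                return "user Startup folder"
        if self.section == "O20":
            if self.body.startswith("AppInit_DLLs"):
                return "AppInit_DLLs (loaded into every user32 process)"
            return "Winlogon Notify DLL"
        if self.section == "O21":
            return "ShellServiceObjectDelayLoad (SSODL)"
        if self.section == "O23":
            return "Windows service"
        return "not an autostart entry"


def parse_hjt(text: str) -> list[Entry]:
    """Return the entry lines of a HijackThis log, in order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def autostarts(text: str) -> set[Entry]:
    return {e for e in parse_hjt(text) if e.section in AUTOSTART_SECTIONS}


def diff_logs(old: str, new: str) -> dict[str, set[Entry]]:
    """Autostart entries removed since the old log, newly added, and still present."""
    before, after = autostarts(old), autostarts(new)
    return {"removed": before - after, "added": after - before, "persisting": before & after}


# Constructed excerpts of the 6/27 and 7/3 logs posted in this thread.
LOG_JUN27 = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\sys0157470780-.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [sys0157470780-] C:\WINDOWS\sys0157470780-.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\kwinoqez.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""
LOG_JUL03 = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\kwinoqez.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: yvbb01 - C:\WINDOWS\SYSTEM32\yvbb01.dll
O20 - Winlogon Notify: yvpp01 - C:\WINDOWS\SYSTEM32\yvpp01.dll
"""

if __name__ == "__main__":
    d = diff_logs(LOG_JUN27, LOG_JUL03)
    for label in ("removed", "added", "persisting"):
        print(f"== {label} ==")
        for e in sorted(d[label], key=lambda e: (e.section, e.body)):
            print(f"  [{e.mechanism()}] {e.section} - {e.body}")
```

Entries listed under "persisting" across several logs are the ones a fix has not reached; here the RunServices and Winlogon Notify entries are exactly the lines the helper lists for "Fix Checked".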

tashi
2006-07-12, 04:19
Still with us PakmanRevd?

tashi
2006-07-14, 14:53
This topic is closed.

If you need it re-opened please send me a pm and provide a link to the thread.

Applies only to the original topic starter.