Smitfraud Toolbar888



Cartwright
2006-11-08, 02:08
I see this is a pretty common issue from other postings. I've run S&D many times (safe mode and normal), and I've cleared out some trojans/other issues. This just seems to stay, and every time I jump on the internet it brings down a lot more :sad: . Any help would be great guys. Thank you so much in advance.

The Panda scan log:
Incident Status Location

Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\nyaistld.dll
Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\USYP_0002_N91M1708NetInstaller.exe
Spyware:spyware/virtumonde Not disinfected Windows Registry
Potentially unwanted tool:application/sysprotect Not disinfected hkey_local_machine\software\classes\appid\CheckProduct2_1.DLL
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Jasmine Ketchum\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-185536da-1a77bde2.zip[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Jasmine Ketchum\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-185536da-1a77bde2.zip[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jasmine Ketchum\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-185536da-1a77bde2.zip[NewSecurityClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jasmine Ketchum\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-185536da-1a77bde2.zip[NewURLClassLoader.class]
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Jasmine Ketchum\Cookies\jasmine ketchum@findwhat[1].txt
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Jasmine Ketchum\Cookies\jasmine ketchum@hotlog[1].txt
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Program Files\VSAdd-in\VSAdd-in.dll
Adware:Adware/SecurityError Not disinfected C:\VundoFix Backups\cryatfwg.exe.bad
Adware:Adware/SystemDoctor Not disinfected C:\VundoFix Backups\ebvheqse.exe.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\efdmrcrl.dll.bad
Adware:Adware/SecurityError Not disinfected C:\VundoFix Backups\epxotbat.exe.bad
Adware:Adware/SecurityError Not disinfected C:\VundoFix Backups\eqtgrsuj.exe.bad
Adware:Adware/SecurityError Not disinfected C:\VundoFix Backups\fbiegrpu.exe.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\gebyw.dll.bad
Adware:Adware/SecurityError Not disinfected C:\VundoFix Backups\juiekrrc.exe.bad
Adware:Adware/SecurityError Not disinfected C:\VundoFix Backups\jxfrterl.exe.bad
Possible Virus. Not disinfected C:\VundoFix Backups\mllmm.dll.bad
Adware:Adware/SecurityError Not disinfected C:\VundoFix Backups\nmtkfukm.exe.bad
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\VundoFix Backups\ohkfovil.exe.bad
Adware:Adware/SecurityError Not disinfected C:\VundoFix Backups\pgyisefj.exe.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\rvgskvfi.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\sdefugvk.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ssqpm.dll.bad
Adware:Adware/SecurityError Not disinfected C:\VundoFix Backups\tkfuobqj.exe.bad
Adware:Adware/SecurityError Not disinfected C:\VundoFix Backups\wnuamovk.exe.bad
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA6P_0001_N91M1807NetInstaller.exe
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWA6P_0001_N91M1807NetInstaller.exe
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWA6P_0001_N91M1807NetInstaller.exe
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N91M1807NetInstaller.exe
Adware:Adware/BuddyLinks Not disinfected C:\WINDOWS\sbhks.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\SYSTEM32\meqchqnd.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\SYSTEM32\wtsoybfv.exe

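As an added example (not part of the original post, and not Panda's own tooling): the scan report above has one line per incident in the form "Incident Status Location", and much of it is residue rather than live infection. The small Python parser below, written for this thread, splits each line on Panda's status word, then classifies the location so that copies already neutralised by another tool (the `C:\VundoFix Backups\` folder, a quarantine folder), tracking cookies, Java-cache archive members and ActiveX installers in `Downloaded Program Files` are separated from files that still sit live on disk. The sample lines are copied from the report above; the classification rules and the function names are this example's own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the Panda ActiveScan
# report posted above (the report's columns are Incident / Status / Location).
SAMPLE_REPORT = r"""
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\nyaistld.dll
Spyware:spyware/virtumonde Not disinfected Windows Registry
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Jasmine Ketchum\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-185536da-1a77bde2.zip[NewSecurityClassLoader.class]
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Jasmine Ketchum\Cookies\jasmine ketchum@findwhat[1].txt
Possible Virus. Not disinfected C:\VundoFix Backups\mllmm.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\gebyw.dll.bad
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA6P_0001_N91M1807NetInstaller.exe
Adware:Adware/BuddyLinks Not disinfected C:\WINDOWS\sbhks.dll
"""

# The status column is what separates the incident name from the location,
# so matching it (case-sensitively) is what makes a line parseable.
LINE_RE = re.compile(
    r"^(?P<incident>.+?)\s+(?P<status>Not disinfected|Disinfected|Deleted)\s+(?P<location>.+)$"
)

# Folders where other tools park neutralised copies: VundoFix's backup folder
# (seen in this thread) and a generic quarantine folder (assumed marker).
QUARANTINE_MARKERS = ("\\vundofix backups\\", "\\quarantine\\")


@dataclass(frozen=True)
class Incident:
    category: str   # e.g. "Spyware", "Adware", "Hacktool"
    name: str       # e.g. "Cookie/Findwhat"; empty when Panda gives no name
    status: str
    location: str
    kind: str       # this example's classification of where the item lives


def classify(location: str) -> str:
    """Classify a location so residue is not mistaken for live infection."""
    loc = location.lower()
    if loc == "windows registry":
        return "registry"
    if any(marker in loc for marker in QUARANTINE_MARKERS):
        return "quarantined"          # already neutralised by another tool
    if "\\cookies\\" in loc:
        return "cookie"
    if re.search(r"\.(zip|jar)\[", loc):
        return "archive-member"       # e.g. a class inside a cached Java jar
    if "\\downloaded program files\\" in loc:
        return "activex-installer"
    return "file"


def parse_report(text: str) -> list:
    incidents = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # header or blank line
        category, _, name = m.group("incident").partition(":")
        location = m.group("location")
        incidents.append(Incident(category, name, m.group("status"),
                                  location, classify(location)))
    return incidents


def count_by_kind(incidents) -> Counter:
    return Counter(i.kind for i in incidents)


def needs_action(incidents) -> list:
    """Items that still point at something live on the system."""
    return [i for i in incidents if i.kind not in ("quarantined", "cookie")]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for kind, n in sorted(count_by_kind(found).items()):
        print(f"{kind:18} {n}")
    print("\nstill needs attention:")
    for i in needs_action(found):
        print(f"  [{i.kind}] {i.category}: {i.name or '-'} -> {i.location}")
```

Run as a script it prints a count per kind and then only the items that still need attention; on the sample, the two `VundoFix Backups` hits and the cookie drop out, which is exactly why the helper later tells the poster to delete that backup folder once the machine is clean.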
Cartwright
2006-11-08, 02:09
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 4:54:36 PM, on 11/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\StompSoft\PC BackUp\NbkCtrl.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\StompSoft\PC BackUp\NMSAccess.exe
C:\Program Files\StompSoft\PC BackUp\NSENGINE.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Jasmine Ketchum\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\WINDOWS\system32\mllmm.dll (file missing)
O2 - BHO: (no name) - {aa920519-a3a1-4f1d-8545-ca0e7ee0eba1} - C:\WINDOWS\system32\EDITF16.dll (file missing)
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\gebyw.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\nyaistld.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\pmnnm.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [RegUpdate] RegUpdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\StompSoft\PC BackUp\NbkCtrl.exe"
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SysProtect] C:\Program Files\SysProtect Free\USYP.exe /scan
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O15 - Trusted IP range: http://62.4.84.53
O15 - Trusted IP range: http://82.98.235.58
O15 - Trusted IP range: http://85.12.25.90
O15 - Trusted IP range: http://85.12.25.95
O15 - Trusted IP range: http://202.67.220.227
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\StompSoft\PC BackUp\NMSAccess.exe
O23 - Service: NsEngine - Unknown owner - C:\Program Files\StompSoft\PC BackUp\NSENGINE.exe

pskelley
2006-11-13, 14:15
Hello and welcome to the forum. Sorry for the wait; logs are many and volunteers are few. If you still need help and are not receiving it at another forum, please do this.

1) This is a FALSE POSITIVE: Smitfraud-C.Toolbar888, so you can forget about that.

2) Move HJT from the Desktop for safety. I prefer C:\HJT\HijackThis.exe, if you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm

3) You are showing a lot of nasties related to the Vundo trojan and I can't tell if the infection is still active or not, but we have junk to remove. I would like a new HJT log and please describe any symptoms you are receiving as well as any error messages "word for word".

Thanks

Cartwright
2006-11-13, 19:53
PSKelly - Thank you for looking at that. It seems like you guys are very busy...

I have moved the HJT to the C: and just ran the program with the following log file:
Logfile of HijackThis v1.99.1
Scan saved at 10:46:52 AM, on 11/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\StompSoft\PC BackUp\NMSAccess.exe
C:\Program Files\StompSoft\PC BackUp\NSENGINE.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\WINDOWS\system32\mllmm.dll (file missing)
O2 - BHO: (no name) - {aa920519-a3a1-4f1d-8545-ca0e7ee0eba1} - C:\WINDOWS\system32\EDITF16.dll (file missing)
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\gebyw.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\nyaistld.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\pmnnm.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [RegUpdate] RegUpdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\StompSoft\PC BackUp\NbkCtrl.exe"
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SysProtect] C:\Program Files\SysProtect Free\USYP.exe /scan
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O15 - Trusted IP range: http://62.4.84.53
O15 - Trusted IP range: http://82.98.235.58
O15 - Trusted IP range: http://85.12.25.90
O15 - Trusted IP range: http://85.12.25.95
O15 - Trusted IP range: http://202.67.220.227
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\StompSoft\PC BackUp\NMSAccess.exe
O23 - Service: NsEngine - Unknown owner - C:\Program Files\StompSoft\PC BackUp\NSENGINE.exe


I am still receiving a fair amount of pop-ups (with a pop-up blocker on). I do run S&D after being on the internet and it does find spyware, which it clears off except Smitfraud (which we know is false). I'm assuming this could just be the websites visited and a normal thing now.

I was having problems with the Vundo virus and I ran some programs to delete it. I'm hoping it is gone now :). Thanks for looking at this again. Let me know if you need anything else.

pskelley
2006-11-13, 21:08
Thanks for returning your information. You have a pretty good mess here, I will need some help from you. This file: O4 - HKLM\..\Run: [RegUpdate] RegUpdate.exe I need you to locate it and scan it to see if it is bad. Use one or more of these scanners and I will remove it in the instructions. If you find it is not bad, then pass over it.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

I need to point out your Java program is badly outdated and probably the reason you are infected, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2_03\ <<< out of date. I would uninstall all old versions and get that up to date right away.

I will bet you did not put those IP numbers in your O15 Trusted zone, so unless you know something about them, do this:

1) Right click http://mvps.org/winhelp2002/DelDomains.inf
and select Save As to download WinHelp2002's DelDomains.inf.
Please save the file somewhere you can find it like on the Desktop.
To run the inf file, right click on it and select Install.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

2) This tool will locate and remove the Vundo trojan if present. It may take several runs as explained for it to locate, recognize and delete all Vundo files. You have been successful when all Vundo files located "have been deleted". At that point save the report, I must see it.

Thanks to Atribune and any others who helped with this fix.

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to Upload Malware: http://www.uploadmalware.com

(save those reports until you finish with the instructions)

3) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

4) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

5) Start > Control Panel > Add Remove programs and uninstall SysProtect Free. While there uninstall any program you know does not belong there. If you are unsure, let me know and I will look.

6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(some files may have been removed by the Vundofix, not to be concerned, just don't miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\WINDOWS\system32\mllmm.dll (file missing)
O2 - BHO: (no name) - {aa920519-a3a1-4f1d-8545-ca0e7ee0eba1} - C:\WINDOWS\system32\EDITF16.dll (file missing)
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\gebyw.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\nyaistld.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\pmnnm.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [RegUpdate] RegUpdate.exe
(if you found it to be bad)
O4 - HKCU\..\Run: [SysProtect] C:\Program Files\SysProtect Free\USYP.exe /scan
(rogue program)
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O15 - Trusted IP range: http://62.4.84.53
O15 - Trusted IP range: http://82.98.235.58
O15 - Trusted IP range: http://85.12.25.90
O15 - Trusted IP range: http://85.12.25.95
O15 - Trusted IP range: http://202.67.220.227
(the O15's may be gone)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

7) RIGHT Click on Start then click on Explore. Locate and delete these items:

RegUpdate.exe <<< delete that file (if you know it's bad)

C:\Program Files\SysProtect Free\ <<< delete that folder

8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the Vundofix results and a new HJT log. Let me know how the computer is running now.

Thanks

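As an added example (not part of the original thread, and not HijackThis's own logic): the instructions above pick out a handful of HJT line types that a helper inspects first, namely O15 Trusted Zone entries the user never added, O2/O3 registrations whose file is missing, unnamed BHOs sitting in system32, O4 Run entries with no path that cannot be verified, a known rogue "security" product, and a hijacked search setting. The Python triage below, written for this thread, encodes those checks as heuristics over HJT log lines and reports why each line was flagged; the sample lines are copied from the log above, and the rule set, the `ROGUE_NAMES` list and the function names are this example's own assumptions, not a complete or authoritative triage.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\WINDOWS\system32\mllmm.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\nyaistld.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RegUpdate] RegUpdate.exe
O4 - HKCU\..\Run: [SysProtect] C:\Program Files\SysProtect Free\USYP.exe /scan
O15 - Trusted IP range: http://202.67.220.225
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Rogue "security" products named in the scan logs of this thread (assumed list).
ROGUE_NAMES = ("sysprotect", "winantivirus", "winfixer", "systemdoctor")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\")

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    line: str
    reason: str


def reasons_for(section: str, body: str) -> list:
    """Return the triage reasons (possibly none) for one HJT line."""
    out = []
    if section == "O15":
        out.append("Trusted Zone entry: IE relaxes its security settings for this host; "
                   "remove unless you added it yourself")
    elif section in ("O2", "O3"):
        if "(file missing)" in body or "(no file)" in body:
            out.append("orphaned registration: the file is gone but the CLSID is still set to load")
        else:
            m = BHO_RE.match(body)
            if m and m.group("name") == "(no name)" and m.group("path").lower().startswith(SYSTEM_DIRS):
                out.append("unnamed BHO loading from a system directory: scan the file before trusting it")
    elif section == "O4":
        m = RUN_RE.match(body)
        if m:
            cmd = m.group("cmd")
            if "\\" not in cmd:
                out.append("Run entry without a path: locate the file on disk and scan it")
            if any(name in cmd.lower() for name in ROGUE_NAMES):
                out.append("known rogue security product: uninstall it and remove this entry")
    elif section in ("R0", "R1") and re.search(r",(Search Bar|SearchURL|Search Page) = \S", body):
        out.append("search setting points at a non-default URL: confirm the user chose it")
    return out


def triage(log_text: str) -> list:
    findings = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # header, process list or blank line
        for reason in reasons_for(m.group("section"), m.group("body")):
            findings.append(Finding(m.group("section"), line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}\n      -> {f.reason}")
```

The Spybot SDHelper.dll line is deliberately left unflagged even though it has "(no name)": the path check keeps an unnamed BHO under Program Files out of the report, which is the same judgement the helper made by leaving that line alone.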
Cartwright
2006-11-14, 01:43
I was afraid this might be a bit of a mess....:)

I could not find the RegUpdate.exe file. I ran a search through the hard drive (including system and hidden files) and found nothing. I ran it as regupdate and regupdate.exe. If there is another way let me know so I can try again.

I uninstalled Java.
I installed the DelDomains.
I've run VundoFix before, trying to get rid of it. I ran it twice and it came up with nothing.
I ran HJT again and deleted all the files selected.
I looked for the sysprotect free folder and it wasn't in the program files as it said. I also ran a search for that (including hidden and system files) and came back with nothing.
Ran the ATF cleaner.

Here is the HJT log after. So far things are running better!

Cartwright
2006-11-14, 01:44
This time with the log....:oops:

Logfile of HijackThis v1.99.1
Scan saved at 4:31:15 PM, on 11/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [RegUpdate] RegUpdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

pskelley
2006-11-14, 02:16
Good to hear the computer is running better. You removed a lot of junk. This item is still in the log:

O4 - HKLM\..\Run: [RegUpdate] RegUpdate.exe
Do you have a Visioneer/Xerox scanner? If so, it looks like this:
Visioneer/Xerox RegUpdate Utility: This tool is designed to remove ONLY Visioneer/Xerox scanner drivers and the various versions of PaperPort supported by Visioneer/Xerox. This has been tested to work on Windows 2000 Professional/XP/ME Computers.
http://72.14.209.104/search?q=cache:Y9xlt3Z_FKMJ:support.visioneer.com/utilities/RegUpdate%2520Read%2520Me.rtf+RegUpdate.exe&hl=en&gl=us&ct=clnk&cd=2
I have no idea why it is set to "run" at every bootup. I suggest you contact tech support for that answer.

Delete Vundofix from your computer, make sure you delete this backup folder: C:\VundoFix Backups\
You can edit out any cookies also, if AVG Anti-Spyware does not remove them, delete them manually.

Let's run another scan to make sure nothing is hiding, please follow the instructions in this link:
http://www.virusvault.co.uk/fusionbb/showtopic.php?tid/33/
Thanks to John McKenna for the tutorial. Make sure the instructions are followed exactly, that you delete or at least quarantine anything located. Make sure you:
Then click Save report > Save report as and save the Report-Scan.txt to your desktop.

Once that scan is complete, run a new Panda scan and post that log also. If both scans are clean, we will get you on the road with some great information to help you stay clean.

Thanks

Cartwright
2006-11-15, 01:29
Sorry about the slow response.
So far so good at least on how the computer is running...
I'll check into the regupdate.exe. I'm not aware of there ever being a scanner hooked up but I'll contact support for that.

I deleted VundoFix from the desktop and the backup files on C:.
I ran the AVG as instructed in safe mode. Here is the log from that:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:01:21 PM 11/14/2006

+ Scan result:



C:\Program Files\VSAdd-in\VSAdd-in.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\meqchqnd.exe -> Adware.Searchcolor : Cleaned with backup (quarantined).
HKU\S-1-5-21-118417547-3870262792-679155803-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} -> Adware.Virtumonde : Cleaned with backup (quarantined).
HKU\S-1-5-21-118417547-3870262792-679155803-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EA32FB3B-21C9-42CC-B8EF-01A9B28EDB0D} -> Adware.Virtumonde : Cleaned with backup (quarantined).
HKU\S-1-5-21-118417547-3870262792-679155803-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\SpOrder.dll -> Adware.WinAntiVirus : Cleaned with backup (quarantined).
HKU\S-1-5-21-118417547-3870262792-679155803-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4} -> Adware.WinAntiVirus : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\pmnll.exe -> Dropper.Agent.arj : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\USYP_0002_N91M1708NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\Documents and Settings\Jasmine Ketchum\DoctorWeb\Quarantine\svchost.exe -> Not-A-Virus.Monitor.Win32.007SpySoft.308 : Cleaned with backup (quarantined).
C:\WINDOWS\sbhks.dll -> Not-A-Virus.Monitor.Win32.SpyBuddy.36 : Cleaned with backup (quarantined).
C:\WINDOWS\sbmsncap.dll -> Not-A-Virus.Monitor.Win32.SpyBuddy.36 : Cleaned with backup (quarantined).
C:\WINDOWS\sbtril32.dll -> Not-A-Virus.Monitor.Win32.SpyBuddy.36 : Cleaned with backup (quarantined).
C:\WINDOWS\sysicept.dll -> Not-A-Virus.Monitor.Win32.SpyBuddy.36 : Cleaned with backup (quarantined).
C:\HJT\backups\backup-20061113-163045-958.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\nyaistld.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).


::Report end

Now here is the new Panda scan log:

Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Jasmine Ketchum\Cookies\jasmine ketchum@ad.yieldmanager[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jasmine Ketchum\Cookies\jasmine ketchum@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Jasmine Ketchum\Cookies\jasmine ketchum@fastclick[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Jasmine Ketchum\Cookies\jasmine ketchum@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Jasmine Ketchum\Cookies\jasmine ketchum@tribalfusion[1].txt
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\SYSTEM32\wtsoybfv.exe

Thanks!
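The two reports above mix four different things: files still sitting on disk, registry keys, tracking cookies, and copies that earlier removal tools (VundoFix, HijackThis, Dr.Web) had already parked in their own backup or quarantine folders. That last group is why a later scan keeps "finding" things that were already removed. This is an added example, not code from the thread or from either scanner; it parses the two log formats as they appear above (a subset of the lines is embedded) and sorts each hit into one of those four buckets so the reader can see what actually still needs manual action. The folder list is an assumption based on the paths that appear in this thread.

```python
import re
from dataclasses import dataclass

# Report lines copied from the AVG Anti-Spyware and Panda logs posted above
# (a subset is enough to show both formats).
AVG_REPORT = r"""
C:\Program Files\VSAdd-in\VSAdd-in.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\meqchqnd.exe -> Adware.Searchcolor : Cleaned with backup (quarantined).
HKU\S-1-5-21-118417547-3870262792-679155803-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Documents and Settings\Jasmine Ketchum\DoctorWeb\Quarantine\svchost.exe -> Not-A-Virus.Monitor.Win32.007SpySoft.308 : Cleaned with backup (quarantined).
C:\HJT\backups\backup-20061113-163045-958.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\nyaistld.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
"""

PANDA_REPORT = r"""
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jasmine Ketchum\Cookies\jasmine ketchum@doubleclick[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Jasmine Ketchum\Cookies\jasmine ketchum@trafficmp[1].txt
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\SYSTEM32\wtsoybfv.exe
"""

# AVG:   "<location> -> <detection name> : <action>"
AVG_LINE = re.compile(r"^(?P<loc>.+?) -> (?P<name>\S+) : (?P<action>.+)$")
# Panda: "<category>:<detection name> <status> <location>"  (the name may contain spaces)
PANDA_LINE = re.compile(
    r"^(?P<cat>[^:]+):(?P<name>.+?) (?P<status>Not disinfected|Disinfected|Deleted) (?P<loc>.+)$"
)

# Folders where *other* removal tools keep copies of what they removed (assumed
# from the paths seen in this thread). A hit inside one of these is residue from
# an earlier cleanup, not a live infection.
QUARANTINE_DIR_HINTS = (
    "\\vundofix backups\\",
    "\\hjt\\backups\\",
    "\\doctorweb\\quarantine\\",
    "\\avg anti-spyware 7.5\\quarantine\\",
)


@dataclass(frozen=True)
class Finding:
    scanner: str
    name: str
    location: str
    kind: str  # "live file", "registry", "tracking cookie" or "other tool's quarantine/backup"


def classify(location: str, name: str) -> str:
    """Decide what kind of cleanup a single scanner hit calls for."""
    loc = location.lower()
    if loc.startswith(("hku\\", "hklm\\", "hkcu\\", "hkey_")):
        return "registry"
    if name.lower().startswith("cookie/") or "\\cookies\\" in loc:
        return "tracking cookie"
    if any(hint in loc for hint in QUARANTINE_DIR_HINTS):
        return "other tool's quarantine/backup"
    return "live file"


def parse_avg(text: str) -> list:
    found = []
    for line in text.splitlines():
        m = AVG_LINE.match(line.strip())
        if m:
            found.append(Finding("AVG", m["name"], m["loc"], classify(m["loc"], m["name"])))
    return found


def parse_panda(text: str) -> list:
    found = []
    for line in text.splitlines():
        m = PANDA_LINE.match(line.strip())
        if m:
            found.append(Finding("Panda", m["name"], m["loc"], classify(m["loc"], m["name"])))
    return found


def triage(avg_text: str, panda_text: str) -> list:
    return parse_avg(avg_text) + parse_panda(panda_text)


def summary(findings) -> dict:
    """Count of hits per kind, e.g. {"live file": 4, ...}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def live_files(findings) -> list:
    """Paths that still need to be deleted (or quarantined) by hand."""
    return sorted({f.location for f in findings if f.kind == "live file"})


if __name__ == "__main__":
    findings = triage(AVG_REPORT, PANDA_REPORT)
    for kind, n in sorted(summary(findings).items()):
        print(f"{n:2d}  {kind}")
    print("live files:", *live_files(findings), sep="\n  ")
```

Run on the lines above it reports four live files (the three SYSTEM32 executables/DLLs and the VSAdd-in DLL), one registry key, two cookies and two hits that are only residue in other tools' backup folders, which matches the advice that follows: empty the quarantine and backup folders, delete the cookies, and remove the one remaining live file.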

pskelley
2006-11-15, 01:54
Clean out that quarantine folder >>> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine

Here is information to help you control cookies:
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx

Look where they are in the Panda scan and delete them.

Navigate to this file: C:\WINDOWS\SYSTEM32\wtsoybfv.exe and delete it. If you have any issues with it, use these instructions:
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\SYSTEM32\wtsoybfv.exe and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.

I am a little nervous about all of the junk AVG Anti-Spyware located; you may want to run the program again in Safe Mode to see if it will pick up anything else.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot, then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Complete the instructions I just posted. I would turn AVG Anti-Spyware off and keep that scanner if I were you. Review the links; they will help you stay safe. Post back in two days; if all is still running well, I'll ask tashi:) to close the topic.

I am very pleased with Internet Explorer 7. You may want to consider it; besides new features it will also add a measure of additional safety.
http://www.microsoft.com/windows/ie/default.mspx

Thanks...Phil
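The "Delete a file on reboot" steps above work because Windows lets a program queue a file move or delete that Session Manager carries out at the next boot, before any user-mode process can lock the file again. This added example (not the thread's or HijackThis's code; it assumes HijackThis uses the same MoveFileEx delay-until-reboot call) shows the call itself, the pair of strings it appends to the PendingFileRenameOperations value, and a decoder for that value so you can check what is queued before you reboot. The sample value is constructed: the delete for the file named in this thread plus a made-up replace pair.

```python
import ctypes
import sys

MOVEFILE_REPLACE_EXISTING = 0x1
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
NT_PREFIX = "\\??\\"
PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"


def schedule_delete_on_reboot(path: str) -> None:
    """Queue `path` for deletion during the next boot (Windows only).
    MoveFileExW with a NULL target and MOVEFILE_DELAY_UNTIL_REBOOT records the
    request in PendingFileRenameOperations; Session Manager performs it at boot."""
    if not sys.platform.startswith("win"):
        raise OSError("MoveFileEx is only available on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.MoveFileExW.argtypes = (ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32)
    k32.MoveFileExW.restype = ctypes.c_int
    if not k32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())


def pending_entries_for_delete(path: str) -> list:
    """The REG_MULTI_SZ pair a delayed delete adds: source in NT form, empty target."""
    return [NT_PREFIX + path, ""]


def _strip_nt(p: str) -> str:
    return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p


def pending_operations(entries) -> list:
    """Decode PendingFileRenameOperations into (source, target, action) tuples.
    Entries come in pairs; an empty target means delete, and a leading "!" on the
    target means the rename may overwrite an existing file (MOVEFILE_REPLACE_EXISTING)."""
    ops = []
    for i in range(0, len(entries), 2):
        src = entries[i]
        dst = entries[i + 1] if i + 1 < len(entries) else ""
        if not src:
            continue
        if dst == "":
            ops.append((_strip_nt(src), None, "delete"))
        elif dst.startswith("!"):
            ops.append((_strip_nt(src), _strip_nt(dst[1:]), "replace"))
        else:
            ops.append((_strip_nt(src), _strip_nt(dst), "rename"))
    return ops


def read_pending_operations() -> list:
    """Read the live value from the registry (Windows only); [] if nothing is queued."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
        try:
            value, _ = winreg.QueryValueEx(key, PENDING_VALUE)
        except FileNotFoundError:
            return []
    return pending_operations(value)


# Constructed sample: the delete queued for the file from this thread, followed
# by a made-up replace-on-reboot pair of the kind installers leave behind.
SAMPLE_PENDING = (
    pending_entries_for_delete(r"C:\WINDOWS\SYSTEM32\wtsoybfv.exe")
    + [NT_PREFIX + r"C:\WINDOWS\Temp\new.dll", "!" + NT_PREFIX + r"C:\WINDOWS\SYSTEM32\old.dll"]
)

if __name__ == "__main__":
    on_windows = sys.platform.startswith("win")
    ops = read_pending_operations() if on_windows else pending_operations(SAMPLE_PENDING)
    for src, dst, action in ops:
        print(f"{action:8s} {src}" + (f" -> {dst}" if dst else ""))
```

On the machine being cleaned, run the script once before rebooting: anything queued that you did not put there yourself (for example a rename dropping a file into System32) deserves a look, since this value is just as usable by unwanted software as it is by removal tools.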

Cartwright
2006-11-15, 03:14
OK, one more time hopefully :)

I deleted the quarantined items.
I deleted the cookies and the wtsoybfv.exe file.
I ran AVG one more time for good luck in safe mode and it came back with nothing. I made this currently inactive so I can use it later if needed.
Redid the system restore as you said.
I ran the panda scan also one more time and it came back with nothing.

Thank you for the links on the info. I was going to ask about IE 7 anyways. I will probably download that now. I will let you know in a couple of days. Thank you so so much for your help. Everything is way better now.

LonnyRJones
2006-11-21, 00:30
I'm glad we could help.
Since the problems are solved, I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here. They should start a new topic.

If you should need to post another log for the same PC let one of us know via a PM (personal message).