Need help...I've been jacked!

**PureRockFury** · 2008-02-24, 02:46

First and foremost let me truly thank anyone willing to help me at this point! Please understand I have tried to figure this out on my own but I have been unsuccesful...terribly unsuccessful!! I followed the previous "sticky" (i.e. running SB in safe mode, etc.) so I will post the info as requested. Thanks again!!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:49 PM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Targus BT Mouse\MulMouse.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Targus BT Mouse\osd.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\SpyGuardPro\bm.exe" dm=http://spyguardpro.com ad=http://spyguardpro.com sd=http://ykeeper.spyguardpro.com
O4 - HKLM\..\Run: [ptask] C:\Program Files\SpyGuardPro\ptask.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Targus BT Mouse.lnk = C:\Program Files\Targus BT Mouse\MulMouse.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1165021569937
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10518 bytes

Saturday, February 23, 2008 5:34:45 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/02/2008
Kaspersky Anti-Virus database records: 577001

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 78498
Number of viruses found 5
Number of infected objects 9
Number of suspicious objects 0
Duration of the scan process 01:13:16

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped

C:\Documents and Settings\David\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\David\Local Settings\Application Data\BVRP Software\NetWaiting\MoHlog.txt Object is locked skipped

C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped

C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\David\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\David\Local Settings\History\History.IE5\MSHist012008022320080224\index.dat Object is locked skipped

C:\Documents and Settings\David\Local Settings\Temp\hpzasda213b Infected: Trojan-Clicker.Win32.VB.vx skipped

C:\Documents and Settings\David\Local Settings\Temp\~uavsetup.exe/file70 Infected: not-a-virus:Downloader.Win32.WinFixer.cv skipped

C:\Documents and Settings\David\Local Settings\Temp\~uavsetup.exe Inno: infected - 1 skipped

C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\FP5OB2VX\77576_255[1].flv Object is locked skipped

C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\David\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\David\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\master.mdf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\mastlog.ldf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\model.mdf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\modellog.ldf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\tempdb.mdf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\templog.ldf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\LOG\ERRORLOG Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP105\A0026327.exe Object is locked skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP105\A0026715.dll Object is locked skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP109\change.log Object is locked skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP91\A0024514.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP91\A0024514.exe NSIS: infected - 1 skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\geeba.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ixd skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\oppnopq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\WINDOWS\system32\qoppnlm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\WINDOWS\system32\vxgwybqs.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_69c.dat Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

**pskelley** · 2008-02-24, 15:17

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You do have problems, you are infected with Vundo and you have this rouge program running on your computer.
SpyGuardPro >>> http://www.emsisoft.com/en/malware/?...32.SpyGuardPro

SpyGuardPro is a rogue security program that shows false Warning messages. It also shows misleading scan Results. It also uses aggressive advertising and can also install through Trojan exploits.

If you still need help, do not expect fast or easy. You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.

See this: http://forums.spybot.info/showpost.p...80&postcount=2
C:\Program Files\Java\j2re1.4.2_03\ <<< Java is BADLY out of date and likely why you are infected. Download the newest version and uninstall all old versions in Add Remove programs.

C:\Program Files\Adobe\Reader 8.0\ <<< check this one also, hackers are now using it to infect computers and I believe you need an update.

1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) Thanks to Atribune and any others who helped with this fix.

http://vundofix.atribune.org/ <<< tutorial

"Download VundoFix" to your Desktop

http://www.atribune.org/ccount/click.php?id=4

3) Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt run on reboot, simply follow the above instructions starting from "Click
the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\

4) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

5) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

6) Start > Control Panel > Add Remove programs > uninstall SpyGuardPro if it is there.

7) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\SpyGuardPro\bm.exe" dm=http://spyguardpro.com ad=http://spyguardpro.com sd=http://ykeeper.spyguardpro.com
O4 - HKLM\..\Run: [ptask] C:\Program Files\SpyGuardPro\ptask.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

8) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\Program Files\Common Files\SpyGuardPro\ <<< delete that folder

C:\Program Files\SpyGuardPro\ <<< delete that folder

9) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the Vundofix.txt and a new HJT log. Add any comments you think will help.

Thanks

**PureRockFury** · 2008-02-24, 21:05

Thank you so much for your assistance! I carefully followed your directions (with the exception of the link for Java through Spybot forum did not work, therefore I downloaded the update directly), however problem(s) continue to reside on my computer.

After several reboots (5-7) VonduFix was unable to remove:
C:\\WINDOWS\system32\oppnopq.dll

Now I must admit I am tempted to remove this file as it is included in HJT log, but I wanted to check with the professional (you)

first!!

Also in the interest of giving you all the info, I have recently been getting the following error on reboot:
RUNDLL Error loading C:\\WINDOWS\system32\ehxgufao.dll The specified module could not be found.
I see this entry included in HJT log, O4 - HKLM\..\Run: [BM7be80271] Rundll32.exe "C:\WINDOWS\system32\ehxgufao.dll",s and I denied the program, among many, BM7be80271 through Spybot because it was not user initiated. Should I have allowed this entry? I apologize if this is unrelated and off topic, however I want to give you all the info I have.

Thank you again for all your help!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:10:38 PM, on 2/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Targus BT Mouse\MulMouse.exe
C:\Program Files\Targus BT Mouse\osd.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {222BF118-46EE-4408-89AF-A3E95E4C21C6} - C:\WINDOWS\system32\ddayv.dll (file missing)
O2 - BHO: (no name) - {32558ABE-DA87-40AE-8F1C-E9390E83BE61} - C:\Program Files\Common Files\nipysC:\DOCUME~1\David\LOCALS~1\Temp\\hpzasda213a.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {D85530E8-D39D-49D0-9F36-300D594556D2} - C:\WINDOWS\system32\oppnopq.dll
O2 - BHO: (no name) - {DFDF1E25-1AC6-478A-89D1-CA57998D0701} - C:\WINDOWS\system32\geeba.dll (file missing)
O2 - BHO: (no name) - {E1F0ACE0-CAF7-45CB-BD40-23017FC88E59} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0\bin\jusched.exe
O4 - HKLM\..\Run: [BM7be80271] Rundll32.exe "C:\WINDOWS\system32\ehxgufao.dll",s
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Targus BT Mouse.lnk = C:\Program Files\Targus BT Mouse\MulMouse.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1165021569937
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11499 bytes

**pskelley** · 2008-02-24, 21:21

Please read the directions and follow them. I need that Vundofix report to proceed:

Restart and post the Vundofix.txt and a new HJT log. Add any comments you think will help.

**PureRockFury** · 2008-02-25, 03:46

I apologize, I will post the VundoFix.txt below. I continue to get the reboot error (RUNDLL) posted above it that helps.
I assure you I followed all your instructions (except for not posting the vundoFix.txt, again sorry), such as updating Java and removing old versions through Control Panel before running VundoFix, therefore I do not understand why Vundo is reporting the removed version 1.4.2.3. As you can see the updated Java version 1.6 is listed in HJT log (previous post) after the VundoFix was run.

Thank you again!

VundoFix V6.7.8

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 12:06:01 PM 2/24/2008

Listing files found while scanning....

C:\WINDOWS\system32\abeeg.ini
C:\WINDOWS\system32\abeeg.ini2
C:\WINDOWS\system32\ehxgufao.dll
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\oppnopq.dll
C:\WINDOWS\system32\qoppnlm.dll
C:\WINDOWS\system32\vxgwybqs.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\abeeg.ini
C:\WINDOWS\system32\abeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\abeeg.ini2
C:\WINDOWS\system32\abeeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ehxgufao.dll
C:\WINDOWS\system32\ehxgufao.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\geeba.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\oppnopq.dll
C:\WINDOWS\system32\oppnopq.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\qoppnlm.dll
C:\WINDOWS\system32\qoppnlm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vxgwybqs.dll
C:\WINDOWS\system32\vxgwybqs.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.8

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 12:29:00 PM 2/24/2008

Listing files found while scanning....

C:\WINDOWS\system32\oppnopq.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\oppnopq.dll
C:\WINDOWS\system32\oppnopq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\oppnopq.dll
C:\WINDOWS\system32\oppnopq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.7.8

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 12:53:03 PM 2/24/2008

Listing files found while scanning....

C:\WINDOWS\system32\oppnopq.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\oppnopq.dll
C:\WINDOWS\system32\oppnopq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\oppnopq.dll
C:\WINDOWS\system32\oppnopq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.7.8

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 1:40:23 PM 2/24/2008

Listing files found while scanning....

C:\WINDOWS\system32\oppnopq.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\oppnopq.dll
C:\WINDOWS\system32\oppnopq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\oppnopq.dll
C:\WINDOWS\system32\oppnopq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

**pskelley** · 2008-02-25, 11:44

Looks like you found a work a round for the Java update, if so ignore my instructions.

Try that link again, works perfectly for me:
http://forums.spybot.info/showpost.p...80&postcount=2
If clicking on it does not work, copy/paste the complete link to your browser

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Open Vundofix by Doubleclicking on it, then point your mouse to the white box above
the buttons and right click, then click on Add More Files. When the next window opens,
copy and paste the files into the boxes and click on Add File(s), then click on Close Window.
Then click Remove Vundo.

(files to add)

C:\WINDOWS\system32\ehxgufao.dll
C:\WINDOWS\system32\oppnopq.dll

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {222BF118-46EE-4408-89AF-A3E95E4C21C6} - C:\WINDOWS\system32\ddayv.dll (file missing)
O2 - BHO: (no name) - {32558ABE-DA87-40AE-8F1C-E9390E83BE61} - C:\Program Files\Common Files\nipysC:\DOCUME~1\David\LOCALS~1\Temp\\hpzasda213a.dll (file missing)
O2 - BHO: (no name) - {D85530E8-D39D-49D0-9F36-300D594556D2} - C:\WINDOWS\system32\oppnopq.dll
O2 - BHO: (no name) - {DFDF1E25-1AC6-478A-89D1-CA57998D0701} - C:\WINDOWS\system32\geeba.dll (file missing)
O2 - BHO: (no name) - {E1F0ACE0-CAF7-45CB-BD40-23017FC88E59} - (no file)
O4 - HKLM\..\Run: [BM7be80271] Rundll32.exe "C:\WINDOWS\system32\ehxgufao.dll",s

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Right click Start > Explore and navigate to these files/folders and delete them if there.

(make sure these files are gone)

C:\WINDOWS\system32\ehxgufao.dll
C:\WINDOWS\system32\oppnopq.dll

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart, post the Vundofix report, a new HJT log and some feedback.

Thanks

**PureRockFury** · 2008-02-26, 01:34

I cannot begin to tell you how much I appreciate you sticking this out with me!

I was able to update Java using the forum link...Thanks!

As I was doing this I believe I was bombarded further and may have picked up a few more visitors, therefore I have borrowed a computer from a friend so my infected computer will remain offline during this process to hopefully prevent reinfections while working through your steps (I know this was your recomendation previously except for downloading assistance programs but I had no choice). I plan on using a thumbdrive to transfer any needed programs and info to post[B]...unless you do not believe this is wise. I will only be transfering HJT log files, Vundofix.txt, and any other programs you recomend. Please let me know if my thinking is right here!

Good news!...I am no longer getting the RUNDLL error on reboot and no blank screens when things are loading!! But I notice new entrys in the HJT log that look similar to those that I removed. I look to you for guidance!

Thanks again!!

VundoFix V6.7.8

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 12:06:01 PM 2/24/2008

Listing files found while scanning....

C:\WINDOWS\system32\abeeg.ini
C:\WINDOWS\system32\abeeg.ini2
C:\WINDOWS\system32\ehxgufao.dll
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\oppnopq.dll
C:\WINDOWS\system32\qoppnlm.dll
C:\WINDOWS\system32\vxgwybqs.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\abeeg.ini
C:\WINDOWS\system32\abeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\abeeg.ini2
C:\WINDOWS\system32\abeeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ehxgufao.dll
C:\WINDOWS\system32\ehxgufao.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\geeba.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\oppnopq.dll
C:\WINDOWS\system32\oppnopq.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\qoppnlm.dll
C:\WINDOWS\system32\qoppnlm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vxgwybqs.dll
C:\WINDOWS\system32\vxgwybqs.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.8

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 12:29:00 PM 2/24/2008

Listing files found while scanning....

C:\WINDOWS\system32\oppnopq.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\oppnopq.dll
C:\WINDOWS\system32\oppnopq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\oppnopq.dll
C:\WINDOWS\system32\oppnopq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.7.8

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 12:53:03 PM 2/24/2008

Listing files found while scanning....

C:\WINDOWS\system32\oppnopq.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\oppnopq.dll
C:\WINDOWS\system32\oppnopq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\oppnopq.dll
C:\WINDOWS\system32\oppnopq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.7.8

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 1:40:23 PM 2/24/2008

Listing files found while scanning....

C:\WINDOWS\system32\oppnopq.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\oppnopq.dll
C:\WINDOWS\system32\oppnopq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\oppnopq.dll
C:\WINDOWS\system32\oppnopq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.7.8

Checking Java version...

Scan started at 9:09:57 PM 2/24/2008

Listing files found while scanning....

C:\WINDOWS\system32\oppnopq.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\oppnopq.dll
C:\WINDOWS\system32\oppnopq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\oppnopq.dll
C:\WINDOWS\system32\oppnopq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\oppnopq.dll
C:\WINDOWS\system32\oppnopq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\oppnopq.dll
C:\WINDOWS\system32\oppnopq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\oppnopq.dll
C:\WINDOWS\system32\oppnopq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.7.8

Checking Java version...

Scan started at 6:33:45 PM 2/25/2008

Listing files found while scanning....

VundoFix V6.7.8

Checking Java version...

Scan started at 6:35:45 PM 2/25/2008

Listing files found while scanning....

C:\WINDOWS\system32\abadd.ini
C:\WINDOWS\system32\abadd.ini2
C:\WINDOWS\system32\ddaba.dll
C:\WINDOWS\system32\oppnopq.dll
C:\WINDOWS\system32\sibwdoem.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\abadd.ini
C:\WINDOWS\system32\abadd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\abadd.ini2
C:\WINDOWS\system32\abadd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddaba.dll
C:\WINDOWS\system32\ddaba.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\oppnopq.dll
C:\WINDOWS\system32\oppnopq.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\sibwdoem.dll
C:\WINDOWS\system32\sibwdoem.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\oppnopq.dll
C:\WINDOWS\system32\oppnopq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:08:13 PM, on 2/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Targus BT Mouse\MulMouse.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Targus BT Mouse\osd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {00752023-B6A7-4EC9-ABD8-3AA97B37B8C8} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Targus BT Mouse.lnk = C:\Program Files\Targus BT Mouse\MulMouse.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1165021569937
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10868 bytes

**pskelley** · 2008-02-26, 01:47

Thanks for for returning your information and the feedback, this HJT log:
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:08:13 PM, on 2/25/2008
Is clean except for this one dead line:
O2 - BHO: (no name) - {00752023-B6A7-4EC9-ABD8-3AA97B37B8C8} - (no file)
use HJT to remove it if you wish.

Please run a new Kaspersky scan to make sure nothing hides, using these settings:

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Post any comments you think will help.

Thanks

**PureRockFury** · 2008-02-26, 02:42

PSKelley,
Thank you for the quick response. I went to HJT and removed the dead line provided in your post. Before going online with my computer, to run the Kaspersky scan, I opened Spybot and reactivated Teatimer and I instantly received the a request to allow or deny BM7be80271, which I believe was the program that was giving me difficulties on Reboot and was found in the HJT logs that was supposedly removed. I ran a HJT scan and received the results below. As you will see the above listed program is present and SpyguardPro has returned, among probably others! Perhaps I should not have strayed from your directions and perhaps (hopefully) there is a logical, harmless explination for these most recent findings in HJT, but I wanted to check with you before I go online and download more junk. Of course, I will run the Kaspersky scan as requested or any other suggestions you may have. Please advise.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:46 PM, on 2/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Targus BT Mouse\MulMouse.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Targus BT Mouse\osd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {00752023-B6A7-4EC9-ABD8-3AA97B37B8C8} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {222BF118-46EE-4408-89AF-A3E95E4C21C6} - (no file)
O2 - BHO: (no name) - {32558ABE-DA87-40AE-8F1C-E9390E83BE61} - (no file)
O2 - BHO: (no name) - {3CC4C7F7-5A9B-4A56-8EF2-678D86BA3A66} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {D85530E8-D39D-49D0-9F36-300D594556D2} - (no file)
O2 - BHO: (no name) - {DFDF1E25-1AC6-478A-89D1-CA57998D0701} - (no file)
O2 - BHO: (no name) - {E1F0ACE0-CAF7-45CB-BD40-23017FC88E59} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [BM7be80271] Rundll32.exe "C:\WINDOWS\system32\ehxgufao.dll",s
O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\SpyGuardPro\bm.exe" dm=http://spyguardpro.com ad=http://spyguardpro.com sd=http://ykeeper.spyguardpro.com
O4 - HKLM\..\Run: [ptask] C:\Program Files\SpyGuardPro\ptask.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Targus BT Mouse.lnk = C:\Program Files\Targus BT Mouse\MulMouse.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1165021569937
O20 - Winlogon Notify: oppnopq - C:\WINDOWS\
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11862 bytes

**pskelley** · 2008-02-26, 11:40

Thanks for the feedback, TeaTimer is a very good program, but at time it keeps junk in memory and causing us problems like this. Sometimes we have to unintall Spybot S&D to remove the junk. Let's try this first.

1) Disable TeaTimer per the instruction I posted earlier, then do this:
In some cases it's sometimes quite usefull to reset TeaTimer, once you've had it disabled to remove HijackThis entries :
Download ResetTeaTimer.bat.

http://downloads.subratam.org/ResetTeaTimer.bat

Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {00752023-B6A7-4EC9-ABD8-3AA97B37B8C8} - (no file)
O2 - BHO: (no name) - {222BF118-46EE-4408-89AF-A3E95E4C21C6} - (no file)
O2 - BHO: (no name) - {32558ABE-DA87-40AE-8F1C-E9390E83BE61} - (no file)
O2 - BHO: (no name) - {3CC4C7F7-5A9B-4A56-8EF2-678D86BA3A66} - (no file)
O2 - BHO: (no name) - {D85530E8-D39D-49D0-9F36-300D594556D2} - (no file)
O2 - BHO: (no name) - {DFDF1E25-1AC6-478A-89D1-CA57998D0701} - (no file)
O2 - BHO: (no name) - {E1F0ACE0-CAF7-45CB-BD40-23017FC88E59} - (no file)
O4 - HKLM\..\Run: [BM7be80271] Rundll32.exe "C:\WINDOWS\system32\ehxgufao.dll",s
O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\SpyGuardPro\bm.exe" dm=http://spyguardpro.com ad=http://spyguardpro.com sd=http://ykeeper.spyguardpro.com
O4 - HKLM\..\Run: [ptask] C:\Program Files\SpyGuardPro\ptask.exe
O20 - Winlogon Notify: oppnopq - C:\WINDOWS\

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Right click Start > Explore and navigate to these files/folders and delete them if there.

(check to be very sure these files and folders have been removed)

C:\WINDOWS\system32\ehxgufao.dll <<< file
C:\Program Files\Common Files\SpyGuardPro\ <<< folder
C:\Program Files\SpyGuardPro\ <<< folder

Restart and post a new HJT log. If all is well, run the Kaspersky online scan and post the results unless they are clean.

Thanks...Phil

Thread: Need help...I've been jacked!

Thread Tools

Display

Need help...I've been jacked!

Posting Permissions