Help with Smitfraud-C Toolbar 888

MuleMan

New member
I am infected with the Smitfraud-C Toolbar 888. Here is the online log file. The HijackThis log is in a following post. Too many lines.
Incident | Status | Location
Potentially unwanted tool:Application/Restart | Not disinfected | C:\WINDOWS\SYSTEM\Tools\Restart.exe
Potentially unwanted tool:Application/VSToolbar | Not disinfected | C:\WINDOWS\SYSTEM32\NIBRFOPF.DLL
Potentially unwanted tool:Application/Winantivirus2006 | Not disinfected | C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe
Potentially unwanted tool:Application/Winantivirus2006 | Not disinfected | C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA7P_0001_N91M0809NetInstaller.exe
Potentially unwanted tool:Application/SystemDoctor2006 | Not disinfected | C:\WINDOWS\Downloaded Program Files\USDR6_7777_BHLP0611NetInstaller.exe
Potentially unwanted tool:application/winfixer2005 | Not disinfected | C:\WINDOWS\Downloaded Program Files\UERT_0001_D19M2109NetInstaller.exe
Potentially unwanted tool:Application/Winantivirus2006 | Not disinfected | C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWA7P_0001_N91M0809NetInstaller.exe
Potentially unwanted tool:Application/VSToolbar | Not disinfected | C:\Documents and Settings\William Williamson\Local Settings\Temp\VOLQFMCH.EXE
Potentially unwanted tool:Application/VSToolbar | Not disinfected | C:\Documents and Settings\William Williamson\Local Settings\Temp\TEHGFIFO.EXE
Potentially unwanted tool:Application/SystemDoctor2006 | Not disinfected | C:\Documents and Settings\William Williamson\Local Settings\Temp\ICD3.TMP\USDR6_7777_BHLP0611NetInstaller.exe
Potentially unwanted tool:Application/Winantivirus2006 | Not disinfected | C:\Documents and Settings\William Williamson\Local Settings\Temp\ICD2.TMP\UWA7P_0001_N91M0809NetInstaller.exe
Potentially unwanted tool:Application/Winantivirus2006 | Not disinfected | C:\Documents and Settings\William Williamson\Local Settings\Temporary Internet Files\Content.IE5\VRLD5DLM\ErrorSafeFreeInstall[1].cab[UERS_0001_N91M2007NetInstaller.exe]
Potentially unwanted tool:Application/DriveCleaner | Not disinfected | C:\Documents and Settings\William Williamson\Local Settings\Temporary Internet Files\Content.IE5\P44UOJZO\installdrivecleanerstart[1].cab[UDC6_0001_D19M1908NetInstaller.exe]
Potentially unwanted tool:Application/Winantivirus2006 | Not disinfected | C:\Documents and Settings\William Williamson\Local Settings\Temporary Internet Files\Content.IE5\AF4RXUBI\WinAntiVirusPro2006FreeInstall[1].cab
Potentially unwanted tool:Application/Winantivirus2006 | Not disinfected | C:\Documents and Settings\William Williamson\Local Settings\Temporary Internet Files\Content.IE5\AF4RXUBI\WinAntiVirusPro2007FreeInstall[1].cab[UWA7P_0001_N91M0809NetInstaller.exe]
Spyware:Cookie/DriveCleaner | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@drivecleaner[1].txt
Spyware:Cookie/DomainSponsor | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@landing.domainsponsor[1].txt
Spyware:Cookie/Peel | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@peel[1].txt
Spyware:Cookie/DriveCleaner | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@stats.drivecleaner[2].txt
Spyware:Cookie/DriveCleaner | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@drivecleaner[3].txt
Spyware:Cookie/DomainSponsor | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@domainsponsor[1].txt
Spyware:Cookie/Xiti | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@xiti[1].txt
Spyware:Cookie/ErrorSafe | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@www.errorsafe[1].txt
Spyware:Cookie/ErrorSafe | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@errorsafe[2].txt
Spyware:Cookie/DriveCleaner | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@www.drivecleaner[2].txt
Spyware:Cookie/Belnk | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@dist.belnk[2].txt
Spyware:Cookie/Tickle | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@tickle[2].txt
Spyware:Cookie/Adrevolver | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@adrevolver[1].txt
Spyware:Cookie/Winantivirus | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@winantivirus[1].txt
Spyware:Cookie/DomainSponsor | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@domainsponsor[2].txt
Spyware:Cookie/Toplist | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@toplist[2].txt
Spyware:Cookie/DomainSponsor | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@landing.domainsponsor[2].txt
Spyware:Cookie/Atwola | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@atwola[1].txt
Spyware:Cookie/Belnk | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@belnk[1].txt
Spyware:Cookie/Belnk | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@dist.belnk[3].txt
Spyware:Cookie/Cgi-bin | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@cgi-bin[1].txt
Spyware:Cookie/Versiontracker | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@versiontracker[1].txt
Spyware:Cookie/Xiti | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@xiti[2].txt
Spyware:Cookie/FortuneCity | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@fortunecity[1].txt
Spyware:Cookie/Adrevolver | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@adrevolver[3].txt
Spyware:Cookie/Apmebf | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@apmebf[1].txt
Spyware:Cookie/Maxserving | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@maxserving[2].txt
Spyware:Cookie/Seeq | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@seeq[1].txt
Spyware:Cookie/Seeq | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@www48.seeq[1].txt
Spyware:Cookie/Tucows | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@tucows[1].txt
Spyware:Cookie/Go | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@go[2].txt
Spyware:Cookie/Belnk | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@belnk[2].txt
Spyware:Cookie/Belnk | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@dist.belnk[4].txt
Spyware:Cookie/Humanclick | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@hc2.humanclick[2].txt
Spyware:Cookie/Clicktracks | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@stats1.clicktracks[2].txt
Spyware:Cookie/Apmebf | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@apmebf[2].txt
Spyware:Cookie/Atwola | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@atwola[2].txt
Spyware:Cookie/bravenetA | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@bravenet[2].txt
Spyware:Cookie/Toplist | Not disinfected | C:\Documents and Settings\William Williamson\Cookies\william williamson@toplist[3].txt
Potentially unwanted tool:Application/Restart | Not disinfected | D:\WINDOWS\SYSTEM\Tools\Restart.exe
Virus:Bck/Wingate | Disinfected | D:\WINDOWS\SYSTEM\res32.reg
Spyware:Cookie/WebPower | Not disinfected | D:\WINDOWS\Profiles\bill Williamson\Cookies\bill williamson@webpower[1].txt
Spyware:Cookie/LinkExchange | Not disinfected | D:\WINDOWS\Profiles\bill Williamson\Cookies\bill williamson@linkexchange[1].txt
Spyware:Cookie/Com.com | Not disinfected | D:\WINDOWS\Profiles\bill Williamson\Cookies\bill williamson@uol.com[1].txt
 
Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 9:58:38 PM, on 2/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\Twain_32\ScanWiz5\SDetect.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\AOL\1134416943\ee\AOLSoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\X10\COMMON\x10nets.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\HijackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.att.net/ie4/search/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O3 - Toolbar: (no name) - {53E0B6E8-A51D-448B-B692-40B67B285543} - (no file)
O3 - Toolbar: Natural Voice Reader - {BCBF738C-4891-4B9A-959A-C6BF7F608C3A} - C:\Program Files\NaturalReader\FreeVersion\NVRIEBar.dll (file missing)
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ScanWizard 5 Assistant] C:\WINDOWS\Twain_32\ScanWiz5\Button.exe
O4 - HKLM\..\Run: [SDetect.exe] C:\WINDOWS\Twain_32\ScanWiz5\SDetect.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134416943\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [My App] C:\WINDOWS\system32\ngen.exe
O4 - HKCU\..\Run: [LoadWatcher] Test
O4 - Global Startup: Free NaturalReader.lnk = C:\Program Files\NaturalReader\FreeVersion\FreeReader.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Netnews - {54F04B80-4155-11D9-A2B6-000AE6FC53ED} - news:worldnet.help.new-users (file missing) (HKCU)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://winantivirus.com/download/20...862_A8B6B652BC3A11DBA12D0015C55D3487_00000eee 05AF954BF1E84E3F973E970E71199110&lng=en&cnt=us
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://213.196.182.244/activex/AMC.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.199.212.163/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.errorsafe.com/files/installers/cab/ErrorSafeFreeInstall.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://webcam.dubuque.k12.ia.us/activex/AMC.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://cdn.downloadcontrol.com/files/installers/cab/Install-Errorprotector-Free.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\COMMON\x10nets.exe
 
Hi MuleMan, and sorry for the delay.

Rename HijackThis.exe to HJT.exe and post a fresh HijackThis log, please :)
 
New HijackThis log

Some things have changed since my last post. I took your advice and purchased and installed Panda software. Now I'm not sure if I'm still infected or Panda is taking care of problems in the background. Here is the new HijackThis log. I appreciate you being there for us. :) :)

Logfile of HijackThis v1.99.1
Scan saved at 9:43:26 AM, on 2/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\X10\COMMON\x10nets.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\apvxdwin.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\Twain_32\ScanWiz5\SDetect.exe
C:\Program Files\Common Files\AOL\1134416943\ee\AOLSoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
c:\program files\panda software\panda internet security 2007\WebProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\HijackThis\hijackthis\HjT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.att.net/ie4/search/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {42187C2A-06B6-4A95-BC57-0D1AC140E65D} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {563AF8EA-5807-4FBC-A58E-ED7D9838F9C7} - C:\WINDOWS\system32\pmnmnml.dll (file missing)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBarBHO.dll
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\nibrfopf.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O3 - Toolbar: (no name) - {53E0B6E8-A51D-448B-B692-40B67B285543} - (no file)
O3 - Toolbar: Natural Voice Reader - {BCBF738C-4891-4B9A-959A-C6BF7F608C3A} - C:\Program Files\NaturalReader\FreeVersion\NVRIEBar.dll (file missing)
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ScanWizard 5 Assistant] C:\WINDOWS\Twain_32\ScanWiz5\Button.exe
O4 - HKLM\..\Run: [SDetect.exe] C:\WINDOWS\Twain_32\ScanWiz5\SDetect.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134416943\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [My App] C:\WINDOWS\system32\ngen.exe
O4 - HKCU\..\Run: [LoadWatcher] Test
O4 - Global Startup: Free NaturalReader.lnk = C:\Program Files\NaturalReader\FreeVersion\FreeReader.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Netnews - {54F04B80-4155-11D9-A2B6-000AE6FC53ED} - news:worldnet.help.new-users (file missing) (HKCU)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://winantivirus.com/download/20...862_a8b6b652bc3a11dba12d0015c55d3487_00000eee 05af954bf1e84e3f973e970e71199110&lng=en&cnt=us
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://213.196.182.244/activex/AMC.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.199.212.163/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantivirus.com/downloa...862_a8b6b652bc3a11dba12d0015c55d3487_00000eee 05af954bf1e84e3f973e970e71199110
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://webcam.dubuque.k12.ia.us/activex/AMC.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://cdn.downloadcontrol.com/files/installers/cab/Install-Errorprotector-Free.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: pmnmnml - pmnmnml.dll (file missing)
O20 - Winlogon Notify: winfbo32 - winfbo32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\COMMON\x10nets.exe
 
Hi

Let's check if Vundo is still there:

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
 
Vundofix

When VundoFix prompted me to shut down my computer and I clicked OK, my computer locked. Two files show in the VundoFix box: C:\windows\system32\nibrfopf.dll and c:\windows\system32\vbpokxyj.dll. I left the computer locked. Should I reset my computer and try again?
 
Hi

Yes, please try again.

If no success, we can try other ways to remove those :)
 
Vundofix

Tried twice more, same thing. Also VundoFix.exe is still on my desktop. VundoFix did make a txt file. Don't know if it means anything, but here it is.
VundoFix V6.3.9

Checking Java version...

Sun Java not detected
Scan started at 11:46:04 AM 2/26/2007

Listing files found while scanning....

C:\WINDOWS\system32\nibrfopf.dll
C:\WINDOWS\system32\vbpokxyj.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.3.9

Checking Java version...

Sun Java not detected
Scan started at 1:04:08 PM 2/26/2007

Listing files found while scanning....

C:\WINDOWS\system32\nibrfopf.dll
C:\WINDOWS\system32\vbpokxyj.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.3.9

Checking Java version...

Sun Java not detected
Scan started at 1:37:46 PM 2/26/2007

Listing files found while scanning....

C:\WINDOWS\system32\nibrfopf.dll
C:\WINDOWS\system32\vbpokxyj.dll

Beginning removal...

Performing Repairs to the registry.
Done!
 
HijackThis Log

Even though VundoFix didn't do right, I ran another HijackThis anyway.

Logfile of HijackThis v1.99.1
Scan saved at 7:21:58 PM, on 2/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\X10\COMMON\x10nets.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\Twain_32\ScanWiz5\SDetect.exe
C:\Program Files\Common Files\AOL\1134416943\ee\AOLSoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\apvxdwin.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
c:\program files\panda software\panda internet security 2007\WebProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\psimreal.exe
C:\WINDOWS\explorer.exe
C:\HijackThis\hijackthis\HjT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.att.net/ie4/search/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {42187C2A-06B6-4A95-BC57-0D1AC140E65D} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {563AF8EA-5807-4FBC-A58E-ED7D9838F9C7} - C:\WINDOWS\system32\pmnmnml.dll (file missing)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBarBHO.dll
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\nibrfopf.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O3 - Toolbar: (no name) - {53E0B6E8-A51D-448B-B692-40B67B285543} - (no file)
O3 - Toolbar: Natural Voice Reader - {BCBF738C-4891-4B9A-959A-C6BF7F608C3A} - C:\Program Files\NaturalReader\FreeVersion\NVRIEBar.dll (file missing)
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ScanWizard 5 Assistant] C:\WINDOWS\Twain_32\ScanWiz5\Button.exe
O4 - HKLM\..\Run: [SDetect.exe] C:\WINDOWS\Twain_32\ScanWiz5\SDetect.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134416943\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [My App] C:\WINDOWS\system32\ngen.exe
O4 - HKCU\..\Run: [LoadWatcher] Test
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe
O4 - Global Startup: Free NaturalReader.lnk = C:\Program Files\NaturalReader\FreeVersion\FreeReader.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Netnews - {54F04B80-4155-11D9-A2B6-000AE6FC53ED} - news:worldnet.help.new-users (file missing) (HKCU)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://winantivirus.com/download/20...862_a8b6b652bc3a11dba12d0015c55d3487_00000eee 05af954bf1e84e3f973e970e71199110&lng=en&cnt=us
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://213.196.182.244/activex/AMC.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.199.212.163/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantivirus.com/downloa...862_a8b6b652bc3a11dba12d0015c55d3487_00000eee 05af954bf1e84e3f973e970e71199110
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://webcam.dubuque.k12.ia.us/activex/AMC.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://cdn.downloadcontrol.com/files/installers/cab/Install-Errorprotector-Free.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: pmnmnml - pmnmnml.dll (file missing)
O20 - Winlogon Notify: winfbo32 - winfbo32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\COMMON\x10nets.exe
 
Hi

I recommend uninstalling Viewpoint.

Open HijackThis, click "Do a system scan only" and checkmark these:

O2 - BHO: (no name) - {563AF8EA-5807-4FBC-A58E-ED7D9838F9C7} - C:\WINDOWS\system32\pmnmnml.dll (file missing)
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\nibrfopf.dll (file missing)
O3 - Toolbar: (no name) - {53E0B6E8-A51D-448B-B692-40B67B285543} - (no file)
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKCU\..\Run: [My App] C:\WINDOWS\system32\ngen.exe
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://winantivirus.com/download/200...d3487_00000eee 05af954bf1e84e3f973e970e71199110&lng=en&cnt=us
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantivirus.com/download...d3487_00000eee 05af954bf1e84e3f973e970e71199110
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://cdn.downloadcontrol.com/files...ector-Free.cab
O20 - Winlogon Notify: pmnmnml - pmnmnml.dll (file missing)
O20 - Winlogon Notify: winfbo32 - winfbo32.dll (file missing)


Close all windows, including the browser, and press "Fix checked".

Please download the Killbox.
Unzip it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\nibrfopf.dll
C:\WINDOWS\system32\vbpokxyj.dll
C:\WINDOWS\system32\v6.exe
C:\WINDOWS\system32\ngen.exe

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Re-run vundofix

Post:

- a fresh hijackthis log
- vundofix report
 
Question

Should I make any backup copies of any of the files that HijackThis is about to delete or any other files that are to be deleted? Thanks.
 
Hi

KillBox does them by default (to C:\!KillBox folder) so no need to do them manually :)
 
OK. I got as far as "Paste from Clipboard" but no files show up in the "Full Path and File To Delete" box. Are paths and files supposed to show up in this box? I can use Notepad to copy and paste manually in the box. Should I do this?
 
Hi

Yes, if they don't show up in box, copy&paste manually then. If no success, those files can be removed also in other ways so no worries :)
 
After I click Yes at the Delete on Reboot prompt, the PendingFileRenameOperations box comes up. In the center of the box it says "PendingFileRenameOperations Registry Data has been Removed by External Process". Then there is a box with an OK option. No other option. I don't like to keep bothering you but I just want to do it right.
 
Sorry I didn't get a chance to post earlier but had a busy day. Here are the two logs.

Pocket Killbox version 2.0.0.648
Running on Windows XP as William Williamson(Administrator)
was started @ Tuesday, February 27, 2007, 11:32 AM

Killbox Closed(Exit) @ 11:32:39 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as William Williamson(Administrator)
was started @ Tuesday, February 27, 2007, 11:33 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\nibrfopf.dllC:\WINDOWS\system32\vbpokxyj.dllC:\WINDOWS\system32\v6.exeC:\WINDOWS\system32\ngen.exe


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 2:09:12 PM
# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\nibrfopf.dllC:\WINDOWS\system32\vbpokxyj.dllC:\WINDOWS\system32\v6.exeC:\WINDOWS\system32\ngen.exe


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 2:10:58 PM
# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\nibrfopf.dllC:\WINDOWS\system32\vbpokxyj.dllC:\WINDOWS\system32\v6.exeC:\WINDOWS\system32\ngen.exe


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 5:53:22 PM
Killbox Closed(Exit) @ 5:53:26 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as William Williamson(Administrator)
was started @ Wednesday, February 28, 2007, 1:52 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\nibrfopf.dllC:\WINDOWS\system32\vbpokxyj.dllC:\WINDOWS\system32\v6.exeC:\WINDOWS\system32\ngen.exe


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 1:56:24 PM
Killbox Closed(Exit) @ 1:58:24 PM
__________________________________________________
VundoFix V6.3.9

Checking Java version...

Sun Java not detected
Scan started at 11:46:04 AM 2/26/2007

Listing files found while scanning....

C:\WINDOWS\system32\nibrfopf.dll
C:\WINDOWS\system32\vbpokxyj.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.3.9

Checking Java version...

Sun Java not detected
Scan started at 1:04:08 PM 2/26/2007

Listing files found while scanning....

C:\WINDOWS\system32\nibrfopf.dll
C:\WINDOWS\system32\vbpokxyj.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.3.9

Checking Java version...

Sun Java not detected
Scan started at 1:37:46 PM 2/26/2007

Listing files found while scanning....

C:\WINDOWS\system32\nibrfopf.dll
C:\WINDOWS\system32\vbpokxyj.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.3.9

Checking Java version...

Sun Java not detected
Scan started at 3:14:38 PM 2/28/2007

Listing files found while scanning....

C:\WINDOWS\system32\vbpokxyj.dll
 
New log. I am using WinXP. Can I delete any of the corrupted files from DOS?

Logfile of HijackThis v1.99.1
Scan saved at 10:07:12 AM, on 3/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\Twain_32\ScanWiz5\SDetect.exe
C:\Program Files\Common Files\AOL\1134416943\ee\AOLSoftware.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\X10\COMMON\x10nets.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
c:\program files\panda software\panda internet security 2007\WebProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\psimreal.exe
C:\WINDOWS\explorer.exe
C:\HijackThis\hijackthis\HjT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.att.net/ie4/search/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {42187C2A-06B6-4A95-BC57-0D1AC140E65D} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Natural Voice Reader - {BCBF738C-4891-4B9A-959A-C6BF7F608C3A} - C:\Program Files\NaturalReader\FreeVersion\NVRIEBar.dll (file missing)
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ScanWizard 5 Assistant] C:\WINDOWS\Twain_32\ScanWiz5\Button.exe
O4 - HKLM\..\Run: [SDetect.exe] C:\WINDOWS\Twain_32\ScanWiz5\SDetect.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134416943\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LoadWatcher] Test
O4 - Global Startup: Free NaturalReader.lnk = C:\Program Files\NaturalReader\FreeVersion\FreeReader.exe
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Netnews - {54F04B80-4155-11D9-A2B6-000AE6FC53ED} - news:worldnet.help.new-users (file missing) (HKCU)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://213.196.182.244/activex/AMC.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.199.212.163/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://webcam.dubuque.k12.ia.us/activex/AMC.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\COMMON\x10nets.exe
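
Each fix round in this thread ends with a fresh HijackThis log that has to be compared against the entries selected for fixing. The sketch below is an added example, not part of the original posts: the function names are hypothetical, and the sample lines are copied from the logs in this thread.

```python
import re

# A HijackThis entry is "<section code> - <body>", e.g. "O20 - Winlogon Notify: ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
STATUS_RE = re.compile(r"\s*\((?:file missing|no file)\)\s*$", re.IGNORECASE)


def entry_key(line):
    """Return (code, identity) for a log entry, or None for any other line.

    Entries with a CLSID are keyed on it, because forum software shortens
    long URLs with "..." and the raw text no longer matches the log.
    Other entries are keyed on the body minus a trailing status note.
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    clsid = CLSID_RE.search(body)
    if clsid:
        return (code, clsid.group(0).upper())
    return (code, STATUS_RE.sub("", body).lower())


def still_present(fix_list, log_text):
    """Return the fix-list entries that also appear in log_text, in order."""
    in_log = {entry_key(l) for l in log_text.splitlines()} - {None}
    return [l.strip() for l in fix_list.splitlines() if entry_key(l) in in_log]


# Lines copied from this thread: three of the entries selected for fixing,
# an excerpt of the log posted before the fix, and one of the 3/1/2007 log.
FIX_LIST = r"""
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://cdn.downloadcontrol.com/files...ector-Free.cab
O20 - Winlogon Notify: pmnmnml - pmnmnml.dll (file missing)
O20 - Winlogon Notify: winfbo32 - winfbo32.dll (file missing)
"""
LOG_BEFORE = r"""
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://cdn.downloadcontrol.com/files/installers/cab/Install-Errorprotector-Free.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: pmnmnml - pmnmnml.dll (file missing)
O20 - Winlogon Notify: winfbo32 - winfbo32.dll (file missing)
"""
LOG_AFTER = r"""
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://webcam.dubuque.k12.ia.us/activex/AMC.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
"""

if __name__ == "__main__":
    print("before fix:", still_present(FIX_LIST, LOG_BEFORE))
    print("after fix: ", still_present(FIX_LIST, LOG_AFTER))
```

An empty result for the fresh log only shows that the registry entries are gone; the files themselves still have to be confirmed removed by a scanner report such as VundoFix's.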
 
Hi

Copy the text below to Notepad and save it as rem.bat (save it as all files, *.*)

@ECHO OFF
attrib -r -h C:\WINDOWS\system32\vbpokxyj.dll
del /a /f /q C:\WINDOWS\system32\vbpokxyj.dll

It should look like this ->
bat.JPG


Double-click rem.bat; a black DOS window will flash, that's normal.

(In case you are unsure how to create a bat file, take a look here with screenshots.)

Re-run vundofix

Post:

- a fresh HijackThis log
- vundofix report
 