# HELP HJT log



## HELP_ME

This is my HJT log, any help would be great = D

Logfile of HijackThis v1.99.1
Scan saved at 10:05:52 AM, on 9/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Updater.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Matthew April\My Documents\My Received Files\anti-spy\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =  
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe 
O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hpB3EE.tmp (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINDOWS\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll (file missing)
O3 - Toolbar: Search - {215303D2-42B9-A7EC-7414-5630B3DD8F1A} - C:\WINDOWS\Cagxrcfg.dll (file missing)
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O4 - HKLM\..\Run: [Zfkj] C:\WINDOWS\xfqub.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [lfsqbiqafb] C:\WINDOWS\System32\wqupxsmg.exe
O4 - HKLM\..\Run: [kjefel] C:\WINDOWS\kjefel.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [inhttpw] C:\WINDOWS\System32\inhttpw.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [bO²ùð[×y-¯Œ] C:\WINDOWS\xfqub.exe
O4 - HKLM\..\Run: [bO²ùðZ×y-¯Œ] C:\WINDOWS\xfqub.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [wshatm] "C:\WINDOWS\system32\wshatm.exe"
O4 - HKCU\..\Run: [wmpencen] "C:\WINDOWS\system32\wmpencen.exe"
O4 - HKCU\..\Run: [wlnotify] "C:\WINDOWS\system32\wlnotify.exe"
O4 - HKCU\..\Run: [vxblock] "C:\WINDOWS\system32\vxblock.exe"
O4 - HKCU\..\Run: [version] C:\WINDOWS\System32\version.exe
O4 - HKCU\..\Run: [SpyTrooper]  
O4 - HKCU\..\Run: [shfolder] "C:\WINDOWS\system32\shfolder.exe"
O4 - HKCU\..\Run: [shell32] "C:\WINDOWS\system32\shell32.exe"
O4 - HKCU\..\Run: [shdocvw] "C:\WINDOWS\system32\shdocvw.exe"
O4 - HKCU\..\Run: [s3gnb] "C:\WINDOWS\system32\s3gnb.exe"
O4 - HKCU\..\Run: [raschap] "C:\Documents and Settings\Matthew April\raschap.exe"
O4 - HKCU\..\Run: [netcfgx] "C:\WINDOWS\system32\netcfgx.exe"
O4 - HKCU\..\Run: [netapi] "C:\WINDOWS\system32\netapi.exe"
O4 - HKCU\..\Run: [msxbde40] "C:\WINDOWS\system32\msxbde40.exe"
O4 - HKCU\..\Run: [kbduzb] "C:\WINDOWS\system32\kbduzb.exe"
O4 - HKCU\..\Run: [kbdus] "C:\WINDOWS\system32\kbdus.exe"
O4 - HKCU\..\Run: [kbdinbe1] "C:\WINDOWS\system32\kbdinbe1.exe"
O4 - HKCU\..\Run: [kbdhe] "C:\WINDOWS\system32\kbdhe.exe"
O4 - HKCU\..\Run: [jgmd400] "C:\WINDOWS\system32\jgmd400.exe"
O4 - HKCU\..\Run: [ir41_qcx] "C:\WINDOWS\system32\ir41_qcx.exe"
O4 - HKCU\..\Run: [infosoft] "C:\WINDOWS\system32\infosoft.exe"
O4 - HKCU\..\Run: [inetclnt] "C:\WINDOWS\system32\inetclnt.exe"
O4 - HKCU\..\Run: [hsfcisp2] "C:\WINDOWS\system32\hsfcisp2.exe"
O4 - HKCU\..\Run: [fkfw] C:\PROGRA~1\COMMON~1\fkfw\fkfwm.exe
O4 - HKCU\..\Run: [eventcls] "C:\WINDOWS\system32\eventcls.exe"
O4 - HKCU\..\Run: [dmband] "C:\WINDOWS\system32\dmband.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cscui] "C:\Documents and Settings\Matthew April\cscui.exe"
O4 - HKCU\..\Run: [iprtcnst] "C:\WINDOWS\system32\iprtcnst.exe"
O4 - HKCU\..\Run: [atiicdxx] "C:\WINDOWS\system32\atiicdxx.exe"
O4 - HKCU\..\Run: [rmoc3260] "C:\WINDOWS\system32\rmoc3260.exe"
O4 - HKCU\..\Run: [getuname] "C:\WINDOWS\system32\getuname.exe"
O4 - HKCU\..\Run: [vdmdbg] "C:\WINDOWS\system32\vdmdbg.exe"
O4 - HKCU\..\Run: [resutils] "C:\WINDOWS\system32\resutils.exe"
O4 - HKCU\..\Run: [lftif11n] "C:\WINDOWS\system32\lftif11n.exe"
O4 - HKCU\..\Run: [uniplat] "C:\WINDOWS\system32\uniplat.exe"
O4 - HKCU\..\Run: [msr2cenu] "C:\WINDOWS\system32\msr2cenu.exe"
O4 - HKCU\..\Run: [mmcbase] "C:\WINDOWS\system32\mmcbase.exe"
O4 - HKCU\..\Run: [msorc32r] "C:\WINDOWS\system32\msorc32r.exe"
O4 - HKCU\..\Run: [wmiprop] "C:\WINDOWS\system32\wmiprop.exe"
O4 - HKCU\..\Run: [dmscript] "C:\WINDOWS\system32\dmscript.exe"
O4 - HKCU\..\Run: [wmerror] "C:\WINDOWS\system32\wmerror.exe"
O4 - HKCU\..\Run: [qasf] "C:\WINDOWS\system32\qasf.exe"
O4 - HKCU\..\Run: [6to4svc] "C:\WINDOWS\system32\6to4svc.exe"
O4 - HKCU\..\Run: [dpwsock] "C:\WINDOWS\system32\dpwsock.exe"
O4 - HKCU\..\Run: [kbdir] "C:\WINDOWS\system32\kbdir.exe"
O4 - HKCU\..\Run: [mmutilse] "C:\WINDOWS\system32\mmutilse.exe"
O4 - HKCU\..\Run: [pjlmon] "C:\WINDOWS\system32\pjlmon.exe"
O4 - HKCU\..\Run: [crypt32] "C:\WINDOWS\system32\crypt32.exe"
O4 - HKCU\..\Run: [dispex] "C:\WINDOWS\system32\dispex.exe"
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {563EC66E-5A1B-51D2-1DB0-5080C83DA4EB} - ms-its:mhtml:file://C:ie.mht!http://69.50.164.12/exp/mht/sext02.chm::/MegaInstaller.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\pychdprf.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


----------



## edifier

This is one of the worst logs i've seen and will take many rounds of cleaning. Are you prepared for that?.


----------



## HELP_ME

i guess hahaha, i know its bad


----------



## HELP_ME

i will post a new log shortly i have changed somethings since then.


----------



## HELP_ME

Logfile of HijackThis v1.99.1
Scan saved at 1:25:18 PM, on 9/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Updater.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Matthew April\My Documents\My Received Files\anti-spy\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.computerforum.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =  
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe 
O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hpB3EE.tmp (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINDOWS\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll (file missing)
O3 - Toolbar: Search - {215303D2-42B9-A7EC-7414-5630B3DD8F1A} - C:\WINDOWS\Cagxrcfg.dll (file missing)
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O4 - HKLM\..\Run: [Zfkj] C:\WINDOWS\xfqub.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [lfsqbiqafb] C:\WINDOWS\System32\wqupxsmg.exe
O4 - HKLM\..\Run: [kjefel] C:\WINDOWS\kjefel.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [inhttpw] C:\WINDOWS\System32\inhttpw.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [bO²ùð[×y-¯Œ] C:\WINDOWS\xfqub.exe
O4 - HKLM\..\Run: [bO²ùðZ×y-¯Œ] C:\WINDOWS\xfqub.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [wshatm] "C:\WINDOWS\system32\wshatm.exe"
O4 - HKCU\..\Run: [wmpencen] "C:\WINDOWS\system32\wmpencen.exe"
O4 - HKCU\..\Run: [wlnotify] "C:\WINDOWS\system32\wlnotify.exe"
O4 - HKCU\..\Run: [vxblock] "C:\WINDOWS\system32\vxblock.exe"
O4 - HKCU\..\Run: [version] C:\WINDOWS\System32\version.exe
O4 - HKCU\..\Run: [SpyTrooper]  
O4 - HKCU\..\Run: [shfolder] "C:\WINDOWS\system32\shfolder.exe"
O4 - HKCU\..\Run: [shell32] "C:\WINDOWS\system32\shell32.exe"
O4 - HKCU\..\Run: [shdocvw] "C:\WINDOWS\system32\shdocvw.exe"
O4 - HKCU\..\Run: [s3gnb] "C:\WINDOWS\system32\s3gnb.exe"
O4 - HKCU\..\Run: [raschap] "C:\Documents and Settings\Matthew April\raschap.exe"
O4 - HKCU\..\Run: [netcfgx] "C:\WINDOWS\system32\netcfgx.exe"
O4 - HKCU\..\Run: [netapi] "C:\WINDOWS\system32\netapi.exe"
O4 - HKCU\..\Run: [msxbde40] "C:\WINDOWS\system32\msxbde40.exe"
O4 - HKCU\..\Run: [kbduzb] "C:\WINDOWS\system32\kbduzb.exe"
O4 - HKCU\..\Run: [kbdus] "C:\WINDOWS\system32\kbdus.exe"
O4 - HKCU\..\Run: [kbdinbe1] "C:\WINDOWS\system32\kbdinbe1.exe"
O4 - HKCU\..\Run: [kbdhe] "C:\WINDOWS\system32\kbdhe.exe"
O4 - HKCU\..\Run: [jgmd400] "C:\WINDOWS\system32\jgmd400.exe"
O4 - HKCU\..\Run: [ir41_qcx] "C:\WINDOWS\system32\ir41_qcx.exe"
O4 - HKCU\..\Run: [infosoft] "C:\WINDOWS\system32\infosoft.exe"
O4 - HKCU\..\Run: [inetclnt] "C:\WINDOWS\system32\inetclnt.exe"
O4 - HKCU\..\Run: [hsfcisp2] "C:\WINDOWS\system32\hsfcisp2.exe"
O4 - HKCU\..\Run: [fkfw] C:\PROGRA~1\COMMON~1\fkfw\fkfwm.exe
O4 - HKCU\..\Run: [eventcls] "C:\WINDOWS\system32\eventcls.exe"
O4 - HKCU\..\Run: [dmband] "C:\WINDOWS\system32\dmband.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cscui] "C:\Documents and Settings\Matthew April\cscui.exe"
O4 - HKCU\..\Run: [iprtcnst] "C:\WINDOWS\system32\iprtcnst.exe"
O4 - HKCU\..\Run: [atiicdxx] "C:\WINDOWS\system32\atiicdxx.exe"
O4 - HKCU\..\Run: [rmoc3260] "C:\WINDOWS\system32\rmoc3260.exe"
O4 - HKCU\..\Run: [getuname] "C:\WINDOWS\system32\getuname.exe"
O4 - HKCU\..\Run: [vdmdbg] "C:\WINDOWS\system32\vdmdbg.exe"
O4 - HKCU\..\Run: [resutils] "C:\WINDOWS\system32\resutils.exe"
O4 - HKCU\..\Run: [lftif11n] "C:\WINDOWS\system32\lftif11n.exe"
O4 - HKCU\..\Run: [uniplat] "C:\WINDOWS\system32\uniplat.exe"
O4 - HKCU\..\Run: [msr2cenu] "C:\WINDOWS\system32\msr2cenu.exe"
O4 - HKCU\..\Run: [mmcbase] "C:\WINDOWS\system32\mmcbase.exe"
O4 - HKCU\..\Run: [msorc32r] "C:\WINDOWS\system32\msorc32r.exe"
O4 - HKCU\..\Run: [wmiprop] "C:\WINDOWS\system32\wmiprop.exe"
O4 - HKCU\..\Run: [dmscript] "C:\WINDOWS\system32\dmscript.exe"
O4 - HKCU\..\Run: [wmerror] "C:\WINDOWS\system32\wmerror.exe"
O4 - HKCU\..\Run: [qasf] "C:\WINDOWS\system32\qasf.exe"
O4 - HKCU\..\Run: [6to4svc] "C:\WINDOWS\system32\6to4svc.exe"
O4 - HKCU\..\Run: [dpwsock] "C:\WINDOWS\system32\dpwsock.exe"
O4 - HKCU\..\Run: [kbdir] "C:\WINDOWS\system32\kbdir.exe"
O4 - HKCU\..\Run: [mmutilse] "C:\WINDOWS\system32\mmutilse.exe"
O4 - HKCU\..\Run: [pjlmon] "C:\WINDOWS\system32\pjlmon.exe"
O4 - HKCU\..\Run: [crypt32] "C:\WINDOWS\system32\crypt32.exe"
O4 - HKCU\..\Run: [dispex] "C:\WINDOWS\system32\dispex.exe"
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {563EC66E-5A1B-51D2-1DB0-5080C83DA4EB} - ms-its:mhtml:file://C:ie.mht!http://69.50.164.12/exp/mht/sext02.chm::/MegaInstaller.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\pychdprf.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


----------



## edifier

First things first. You have 2 antiviruses running. Get rid of one of them. We'll go straight to cleaning and use HJT later.

  Download Ewido http://www.ewido.net/en/download/ then set it up this way http://rstones12.geekstogo.com/ewidosetup.htm You will need this later in safe mode
Make sure to update this program.

  Next, download, install and update 'A-squared' here http://www.emsisoft.com/en/software/free/

Download, install and update this excellent freebie- Superantispyware here http://www.superantispyware.com/download.html

Download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ You will need it later in safe mode.

  Reboot your computer in Safe Mode by doing the following.

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

  Very Important:
Make sure all security programs- Your antivirus, Spybot, etc are DISABLED until they are needed. They will interfere with the cleaning process.

Begin running your scans in this order.

Ewido
A-squared
Superantispyware

Run ATF-Cleaner from safe mode.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Reboot into normal windows, run ATF cleaner, empty the recycle bin and proceed here and run this free online scan from 'Panda' http://www.pandasoftware.com/products/activescan.htm Save the scan log and post it here along with a new HJT log after the Panda scan.


----------



## HELP_ME

Incident                                                                        Status                        Location                                                                                                                                                                                                                                                        

Adware:adware/kingporn                                                          Not disinfected               c:\windows\system32\COMMCOSS.DLL                                                                                                                                                                                                                                
Adware:adware/ilookup                                                           Not disinfected               c:\windows\system32\mac02.ico                                                                                                                                                                                                                                   
Adware:adware/keenvalue                                                         Not disinfected               c:\windows\system32\setup_incred_4.exe                                                                                                                                                                                                                          
Adware:adware/clickalchemy                                                      Not disinfected               c:\windows\inf\alchem.inf                                                                                                                                                                                                                                       
Adware:adware/twain-tech                                                        Not disinfected               c:\windows\inf\twaintec.inf                                                                                                                                                                                                                                     
Spyware:spyware/surfsidekick                                                    Not disinfected               C:\Documents and Settings\Matthew April\Local Settings\Temporary Internet Files\Ssk.log                                                                                                                                                                         
Adware:adware/ieplugin                                                          Not disinfected               c:\windows\kwv2.dat                                                                                                                                                                                                                                             
Dialer:dialer.bny                                                               Not disinfected               c:\windows\pcconfig.dat                                                                                                                                                                                                                                         
Adware:adware/bookedspace                                                       Not disinfected               c:\windows\cfgmgr52.ini                                                                                                                                                                                                                                         
Adware:adware/isearch                                                           Not disinfected               c:\windows\deskbar.ini                                                                                                                                                                                                                                          
Adware:adware/beginto                                                           Not disinfected               c:\windows\system32\cache32_dsktptr                                                                                                                                                                                                                             
Adware:adware/transponder                                                       Not disinfected               c:\windows\inst                                                                                                                                                                                                                                                 
Adware:adware/navipromo                                                         Not disinfected               Windows Registry                                                                                                                                                                                                                                                
Adware:adware/megasearch                                                        Not disinfected               Windows Registry                                                                                                                                                                                                                                                
Spyware:spyware/clipgenie                                                       Not disinfected               Windows Registry                                                                                                                                                                                                                                                
Adware:adware/ist.istbar                                                        Not disinfected               Windows Registry                                                                                                                                                                                                                                                
Adware:adware/savenow                                                           Not disinfected               Windows Registry                                                                                                                                                                                                                                                
Adware:adware/sqwire                                                            Not disinfected               Windows Registry                                                                                                                                                                                                                                                
Adware:adware/toolbarshopper                                                    Not disinfected               Windows Registry                                                                                                                                                                                                                                                
Adware:adware/favoriteman                                                       Not disinfected               Windows Registry                                                                                                                                                                                                                                                
Adware:adware/spytrooper                                                        Not disinfected               Windows Registry                                                                                                                                                                                                                                                
Adware:adware/searchexe                                                         Not disinfected               Windows Registry                                                                                                                                                                                                                                                
Adware:adware/topmoxie                                                          Not disinfected               Windows Registry                                                                                                                                                                                                                                                
Adware:Adware/Alexa-Toolbar                                                     Not disinfected               C:\WINDOWS\system32\SSS1.exe                                                                                                                                                                                                                                    
Adware:Adware/Beginto                                                           Not disinfected               C:\WINDOWS\system32\desktrf.exe[winbbb.dat]                                                                                                                                                                                                                     
Spyware:Spyware/SafeSurf                                                        Not disinfected               C:\WINDOWS\system32\InstallerV23.exe[ExtractDLL.dll]                                                                                                                                                                                                            
Adware:Adware/Beginto                                                           Not disinfected               C:\WINDOWS\system32\desktrf-cat_b2s.exe[winbbb.dat]                                                                                                                                                                                                             
Spyware:Spyware/7r7t                                                            Not disinfected               C:\Documents and Settings\Tim April\Local Settings\Temporary Internet Files\Content.IE5\41IHIFKN\cmmanupd[1].exe                                                                                                                                                
Spyware:Spyware/7r7t                                                            Not disinfected               C:\Documents and Settings\Tim April\Local Settings\Temporary Internet Files\Content.IE5\S16FWXMN\minisetup2[1].exe                                                                                                                                              
Spyware:Spyware/7r7t                                                            Not disinfected               C:\Documents and Settings\Tim April\Local Settings\Temporary Internet Files\Content.IE5\S16FWXMN\Tspd[1].exe                                                                                                                                                    
Spyware:Spyware/7r7t                                                            Not disinfected               C:\Documents and Settings\Tim April\Local Settings\Temporary Internet Files\Content.IE5\S16FWXMN\Tspd[2].exe                                                                                                                                                    
Spyware:Cookie/Tickle                                                           Not disinfected               C:\Documents and Settings\Tim April\Cookies\tim april@tickle[2].txt 
Spyware:Cookie/Kazaa Networks                                                   Not disinfected               C:\Documents and Settings\Tim April\Cookies\tim april@desktop.kazaa[1].txt 
Spyware:Cookie/TopRebates.com                                                   Not disinfected               C:\Documents and Settings\Tim April\Cookies\tim april@www.toprebates[2].txt 
Spyware:Cookie/888                                                              Not disinfected               C:\Documents and Settings\Tim April\Cookies\tim april@888[4].txt 
Spyware:Cookie/SpywareStormer                                                   Not disinfected               C:\Documents and Settings\Tim April\Cookies\tim april@spywarestormer[1].txt 
Spyware:Cookie/Abcsearch                                                        Not disinfected               C:\Documents and Settings\Tim April\Cookies\tim april@abcsearch[1].txt 
Spyware:Cookie/888                                                              Not disinfected               C:\Documents and Settings\Tim April\Cookies\tim april@888[2].txt 
Spyware:Cookie/Centralmedia                                                     Not disinfected               C:\Documents and Settings\Tim April\Cookies\tim april@centralmedia[2].txt 
Spyware:Cookie/Advnt                                                            Not disinfected               C:\Documents and Settings\Tim April\Cookies\tim april@www.advnt01[1].txt 
Spyware:Cookie/Mysearch                                                         Not disinfected               C:\Documents and Settings\Tim April\Cookies\tim april@mysearch[2].txt 
Spyware:Cookie/888                                                              Not disinfected               C:\Documents and Settings\Tim April\Cookies\tim april@888[1].txt 
Spyware:Cookie/Kazaa Networks                                                   Not disinfected               C:\Documents and Settings\Tim April\Cookies\tim april@desktop.kazaa[3].txt 
Spyware:Cookie/888                                                              Not disinfected               C:\Documents and Settings\Tim April\Cookies\tim april@888[3].txt 
Spyware:Cookie/Com.com                                                          Not disinfected               C:\Documents and Settings\Tim April\Cookies\tim april@com[1].txt 
Potentially unwanted tool:Application/BrilliantDigital                          Not disinfected               C:\Documents and Settings\Matthew April\My Documents\My Music\my music\unknown + random\bdcore.dll.updpnd                                                                                                                                                       
Potentially unwanted tool:Application/BrilliantDigital                          Not disinfected               C:\Documents and Settings\Matthew April\My Documents\My Music\my music\unknown + random\bdcore.dll                                                                                                                                                              
Adware:Adware/TVMedia                                                           Not disinfected               C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\U20D.tmp                                                                                                                                                                                           
Adware:Adware/Beginto                                                           Not disinfected               C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\WIN218.tmp                                                                                                                                                                                         
Adware:Adware/Twain-Tech                                                        Not disinfected               C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\twaintec.inf                                                                                                                                                                                       
Spyware:Spyware/Apropos                                                         Not disinfected               C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV176.tmp[cxtpls_loader.exe]                                                                                                                                                                      
Spyware:Spyware/Apropos                                                         Not disinfected               C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV177.tmp[cxtpls_loader.exe]                                                                                                                                                                      
Spyware:Spyware/Apropos                                                         Not disinfected               C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV178.tmp[cxtpls_loader.exe]                                                                                                                                                                      
Spyware:Spyware/7r7t                                                            Not disinfected               C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV5.tmp                                                                                                                                                                                           
Spyware:Spyware/7r7t                                                            Not disinfected               C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV6.tmp                                                                                                                                                                                           
Spyware:Spyware/7r7t                                                            Not disinfected               C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV7.tmp                                                                                                                                                                                           
Spyware:Spyware/7r7t                                                            Not disinfected               C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV8.tmp                                                                                                                                                                                           
Spyware:Spyware/7r7t                                                            Not disinfected               C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV9.tmp                                                                                                                                                                                           
Spyware:Spyware/7r7t                                                            Not disinfected               C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV45.tmp


----------



## HELP_ME

Logfile of HijackThis v1.99.1
Scan saved at 7:47:22 PM, on 9/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Updater.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Matthew April\My Documents\My Received Files\anti-spy\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.computerforum.com/58191-help-hjt-log.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =  
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe 
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll (file missing)
O3 - Toolbar: Search - {215303D2-42B9-A7EC-7414-5630B3DD8F1A} - C:\WINDOWS\Cagxrcfg.dll (file missing)
O4 - HKLM\..\Run: [Zfkj] C:\WINDOWS\xfqub.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [lfsqbiqafb] C:\WINDOWS\System32\wqupxsmg.exe
O4 - HKLM\..\Run: [kjefel] C:\WINDOWS\kjefel.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [inhttpw] C:\WINDOWS\System32\inhttpw.exe
O4 - HKLM\..\Run: [bO²ùð[×y-¯Œ] C:\WINDOWS\xfqub.exe
O4 - HKLM\..\Run: [bO²ùðZ×y-¯Œ] C:\WINDOWS\xfqub.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [wshatm] "C:\WINDOWS\system32\wshatm.exe"
O4 - HKCU\..\Run: [wlnotify] "C:\WINDOWS\system32\wlnotify.exe"
O4 - HKCU\..\Run: [vxblock] "C:\WINDOWS\system32\vxblock.exe"
O4 - HKCU\..\Run: [version] C:\WINDOWS\System32\version.exe
O4 - HKCU\..\Run: [SpyTrooper]  
O4 - HKCU\..\Run: [shfolder] "C:\WINDOWS\system32\shfolder.exe"
O4 - HKCU\..\Run: [s3gnb] "C:\WINDOWS\system32\s3gnb.exe"
O4 - HKCU\..\Run: [raschap] "C:\Documents and Settings\Matthew April\raschap.exe"
O4 - HKCU\..\Run: [netcfgx] "C:\WINDOWS\system32\netcfgx.exe"
O4 - HKCU\..\Run: [netapi] "C:\WINDOWS\system32\netapi.exe"
O4 - HKCU\..\Run: [kbduzb] "C:\WINDOWS\system32\kbduzb.exe"
O4 - HKCU\..\Run: [kbdus] "C:\WINDOWS\system32\kbdus.exe"
O4 - HKCU\..\Run: [kbdinbe1] "C:\WINDOWS\system32\kbdinbe1.exe"
O4 - HKCU\..\Run: [kbdhe] "C:\WINDOWS\system32\kbdhe.exe"
O4 - HKCU\..\Run: [jgmd400] "C:\WINDOWS\system32\jgmd400.exe"
O4 - HKCU\..\Run: [ir41_qcx] "C:\WINDOWS\system32\ir41_qcx.exe"
O4 - HKCU\..\Run: [infosoft] "C:\WINDOWS\system32\infosoft.exe"
O4 - HKCU\..\Run: [inetclnt] "C:\WINDOWS\system32\inetclnt.exe"
O4 - HKCU\..\Run: [hsfcisp2] "C:\WINDOWS\system32\hsfcisp2.exe"
O4 - HKCU\..\Run: [fkfw] C:\PROGRA~1\COMMON~1\fkfw\fkfwm.exe
O4 - HKCU\..\Run: [eventcls] "C:\WINDOWS\system32\eventcls.exe"
O4 - HKCU\..\Run: [dmband] "C:\WINDOWS\system32\dmband.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cscui] "C:\Documents and Settings\Matthew April\cscui.exe"
O4 - HKCU\..\Run: [iprtcnst] "C:\WINDOWS\system32\iprtcnst.exe"
O4 - HKCU\..\Run: [atiicdxx] "C:\WINDOWS\system32\atiicdxx.exe"
O4 - HKCU\..\Run: [rmoc3260] "C:\WINDOWS\system32\rmoc3260.exe"
O4 - HKCU\..\Run: [getuname] "C:\WINDOWS\system32\getuname.exe"
O4 - HKCU\..\Run: [vdmdbg] "C:\WINDOWS\system32\vdmdbg.exe"
O4 - HKCU\..\Run: [resutils] "C:\WINDOWS\system32\resutils.exe"
O4 - HKCU\..\Run: [lftif11n] "C:\WINDOWS\system32\lftif11n.exe"
O4 - HKCU\..\Run: [uniplat] "C:\WINDOWS\system32\uniplat.exe"
O4 - HKCU\..\Run: [msr2cenu] "C:\WINDOWS\system32\msr2cenu.exe"
O4 - HKCU\..\Run: [mmcbase] "C:\WINDOWS\system32\mmcbase.exe"
O4 - HKCU\..\Run: [msorc32r] "C:\WINDOWS\system32\msorc32r.exe"
O4 - HKCU\..\Run: [wmiprop] "C:\WINDOWS\system32\wmiprop.exe"
O4 - HKCU\..\Run: [dmscript] "C:\WINDOWS\system32\dmscript.exe"
O4 - HKCU\..\Run: [wmerror] "C:\WINDOWS\system32\wmerror.exe"
O4 - HKCU\..\Run: [qasf] "C:\WINDOWS\system32\qasf.exe"
O4 - HKCU\..\Run: [6to4svc] "C:\WINDOWS\system32\6to4svc.exe"
O4 - HKCU\..\Run: [dpwsock] "C:\WINDOWS\system32\dpwsock.exe"
O4 - HKCU\..\Run: [kbdir] "C:\WINDOWS\system32\kbdir.exe"
O4 - HKCU\..\Run: [pjlmon] "C:\WINDOWS\system32\pjlmon.exe"
O4 - HKCU\..\Run: [dispex] "C:\WINDOWS\system32\dispex.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {563EC66E-5A1B-51D2-1DB0-5080C83DA4EB} - ms-its:mhtml:file://C:ie.mht!http://69.50.164.12/exp/mht/sext02.chm::/MegaInstaller.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\pychdprf.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe


----------



## edifier

Run hijack this, click the "open misc. tool section" button, click "open uninstall manager>click save list,yes to the prompts, notepad will open with your add/remove programs list.Post that list here.


----------



## HELP_ME

Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
ArcSoft PhotoImpression 3.0
a-squared Free 2.0
ATI Display Driver
Audacity 1.2.4
AVG Free Edition
Canon Digital Camera USB WIA Driver
Canon PhotoRecord
Canon Utilities PhotoStitch 3.1
Canon Utilities RAW Image Converter
Canon Utilities RemoteCapture 2.1
Canon Utilities ZoomBrowser EX
Digidesign Pro Tools® FREE
Digimax 202
Digimax Viewer 2.0
Easy CD Creator 5 Basic
ewido anti-spyware 4.0
Guitar Pro 4.0
Guitar Pro 5.0
Guitar-Online Tools - Metronome, version 2.0
HijackThis 1.99.1
HP OfficeJet G Series
HydraVision
Intel Application Accelerator
iriver Music Manager
iRiver Updater
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Kazaa Lite K++ v2.4.3
Koolbar.net - Toolbar
Microsoft Encarta Encyclopedia Standard 2003
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft Picture It! Photo 7.0
Microsoft PowerPoint Viewer 97
Microsoft Streets and Trips 2002
Microsoft Word 2002
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
Microsoft XML Parser and SDK
MSN Messenger 7.5
My DSC
MyDSC_CIF
OpenMG Secure Module 4.1.00
Panda ActiveScan
PartyPoker
PowerDVD
Quicken XG
QuickTax 2002 Standard
QuickTime
RealPlayer Basic
Rogers Self Healing (remove only)
Rogers Self Healing (remove only)
Rogers Update Manager (remove only)
Rogers Yahoo! Applications
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Shockwave
Skype 2.5
SoundMAX
Spybot - Search & Destroy 1.4
SUPERAntiSpyware Free Edition
Sysnet
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Viewpoint Manager (Remove Only)
Viewpoint Media Player (Remove Only)
WG121 Smart Wizard
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows VisFx Components
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2


----------



## edifier

Go to ADD/REMOVE Programs and get rid of the following.

Koolbar.net - Toolbar
PartyPoker (if you don't use)
Sysnet
Viewpoint Manager (Remove Only)
Viewpoint Media Player (Remove Only)
Windows VisFx Components

  Reboot and navigate to C/Program Files and remove any of these folders if still present.

  Run ATF cleaner (select all)

Next go here http://forums.majorgeeks.com/showthread.php?t=74265 and follow these removal instructions. It must be run from safemode.Once completed, return to (safemode with networking) and run this online scan here http://www.trendmicro.com/spyware-scan/ .Once finished, reboot into normal windows and post a fresh 'HJT' log.


----------



## HELP_ME

alright i got rid of all except for koolbar.net - toolbar because it doesnt let me remove, nothing happens when i try and remove.  that is why i still have it there.


----------



## edifier

Just follow the rest of the instructions and if still present, we'll get rid of it manually.


----------



## HELP_ME

Logfile of HijackThis v1.99.1
Scan saved at 11:24:07 AM, on 9/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Updater.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\Documents and Settings\Matthew April\My Documents\My Received Files\anti-spy\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =  
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe 
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll (file missing)
O3 - Toolbar: Search - {215303D2-42B9-A7EC-7414-5630B3DD8F1A} - C:\WINDOWS\Cagxrcfg.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [lfsqbiqafb] C:\WINDOWS\System32\wqupxsmg.exe
O4 - HKLM\..\Run: [kjefel] C:\WINDOWS\kjefel.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [inhttpw] C:\WINDOWS\System32\inhttpw.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [wshatm] "C:\WINDOWS\system32\wshatm.exe"
O4 - HKCU\..\Run: [wlnotify] "C:\WINDOWS\system32\wlnotify.exe"
O4 - HKCU\..\Run: [vxblock] "C:\WINDOWS\system32\vxblock.exe"
O4 - HKCU\..\Run: [version] C:\WINDOWS\System32\version.exe
O4 - HKCU\..\Run: [shfolder] "C:\WINDOWS\system32\shfolder.exe"
O4 - HKCU\..\Run: [s3gnb] "C:\WINDOWS\system32\s3gnb.exe"
O4 - HKCU\..\Run: [raschap] "C:\Documents and Settings\Matthew April\raschap.exe"
O4 - HKCU\..\Run: [netcfgx] "C:\WINDOWS\system32\netcfgx.exe"
O4 - HKCU\..\Run: [netapi] "C:\WINDOWS\system32\netapi.exe"
O4 - HKCU\..\Run: [kbduzb] "C:\WINDOWS\system32\kbduzb.exe"
O4 - HKCU\..\Run: [kbdus] "C:\WINDOWS\system32\kbdus.exe"
O4 - HKCU\..\Run: [kbdinbe1] "C:\WINDOWS\system32\kbdinbe1.exe"
O4 - HKCU\..\Run: [kbdhe] "C:\WINDOWS\system32\kbdhe.exe"
O4 - HKCU\..\Run: [jgmd400] "C:\WINDOWS\system32\jgmd400.exe"
O4 - HKCU\..\Run: [ir41_qcx] "C:\WINDOWS\system32\ir41_qcx.exe"
O4 - HKCU\..\Run: [infosoft] "C:\WINDOWS\system32\infosoft.exe"
O4 - HKCU\..\Run: [inetclnt] "C:\WINDOWS\system32\inetclnt.exe"
O4 - HKCU\..\Run: [hsfcisp2] "C:\WINDOWS\system32\hsfcisp2.exe"
O4 - HKCU\..\Run: [fkfw] C:\PROGRA~1\COMMON~1\fkfw\fkfwm.exe
O4 - HKCU\..\Run: [eventcls] "C:\WINDOWS\system32\eventcls.exe"
O4 - HKCU\..\Run: [dmband] "C:\WINDOWS\system32\dmband.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cscui] "C:\Documents and Settings\Matthew April\cscui.exe"
O4 - HKCU\..\Run: [iprtcnst] "C:\WINDOWS\system32\iprtcnst.exe"
O4 - HKCU\..\Run: [atiicdxx] "C:\WINDOWS\system32\atiicdxx.exe"
O4 - HKCU\..\Run: [rmoc3260] "C:\WINDOWS\system32\rmoc3260.exe"
O4 - HKCU\..\Run: [getuname] "C:\WINDOWS\system32\getuname.exe"
O4 - HKCU\..\Run: [vdmdbg] "C:\WINDOWS\system32\vdmdbg.exe"
O4 - HKCU\..\Run: [resutils] "C:\WINDOWS\system32\resutils.exe"
O4 - HKCU\..\Run: [lftif11n] "C:\WINDOWS\system32\lftif11n.exe"
O4 - HKCU\..\Run: [uniplat] "C:\WINDOWS\system32\uniplat.exe"
O4 - HKCU\..\Run: [msr2cenu] "C:\WINDOWS\system32\msr2cenu.exe"
O4 - HKCU\..\Run: [mmcbase] "C:\WINDOWS\system32\mmcbase.exe"
O4 - HKCU\..\Run: [msorc32r] "C:\WINDOWS\system32\msorc32r.exe"
O4 - HKCU\..\Run: [wmiprop] "C:\WINDOWS\system32\wmiprop.exe"
O4 - HKCU\..\Run: [dmscript] "C:\WINDOWS\system32\dmscript.exe"
O4 - HKCU\..\Run: [wmerror] "C:\WINDOWS\system32\wmerror.exe"
O4 - HKCU\..\Run: [qasf] "C:\WINDOWS\system32\qasf.exe"
O4 - HKCU\..\Run: [6to4svc] "C:\WINDOWS\system32\6to4svc.exe"
O4 - HKCU\..\Run: [dpwsock] "C:\WINDOWS\system32\dpwsock.exe"
O4 - HKCU\..\Run: [kbdir] "C:\WINDOWS\system32\kbdir.exe"
O4 - HKCU\..\Run: [pjlmon] "C:\WINDOWS\system32\pjlmon.exe"
O4 - HKCU\..\Run: [dispex] "C:\WINDOWS\system32\dispex.exe"
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {563EC66E-5A1B-51D2-1DB0-5080C83DA4EB} - ms-its:mhtml:file://C:ie.mht!http://69.50.164.12/exp/mht/sext02.chm::/MegaInstaller.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\pychdprf.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe


----------



## edifier

Okay. Still a mess. Lets try a few specialty tools.

Download VundoFix.exe- http://www.atribune.org/ccount/click.php?id=4 to your desktop.

Double-click VundoFix.exe to run it.
* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the
Scan for Vundo button." when VundoFix appears at reboot.

A log called vundofix.txt will be created in your C:\ directory. Please post that log.


----------



## HELP_ME

VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.4

Java version is 1.5.0.6

Scan started at 12:34:49 PM 9/23/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...


----------



## edifier

Next One.

  Download SmitFraudFix from this link http://siri.urz.free.fr/Fix/SmitfraudFix.zip Then extract the contents to your desktop.

Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Post that log.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Do not run any other options as they will damage your desktop if run on an uninfected computer.


----------



## HELP_ME

you already had me fix this... it was one of the fixes under SmitRem and nothing was detected so.... do you still want me to do it?


----------



## edifier

Sorry for that. Very busy this morning and this thread has spanned quite a few days. I want you to do the following dianogstic scan from Kaspersky http://kaspersky.com/kos/english/kavwebscan.html
Click Accept
When the updates are finished downloading, click Next, Scan Settings
Under Scan using the following antivirus database:, select extended
Make sure the Scan Archives and Scan Mail Bases options are selected as well. Click OK
Click My Computer and wait for the scan to finish
Click Save Report As. Under Save as type:, select Text file. Save this log to your Desktop. Post a copy of it here.


----------



## HELP_ME

-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Saturday, September 23, 2006 4:27:48 PM
 Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.83.0
 Kaspersky Anti-Virus database last update: 23/09/2006
 Kaspersky Anti-Virus database records: 225954
-------------------------------------------------------------------------------

Scan Settings:
	Scan using the following antivirus database: extended
	Scan Archives: true
	Scan Mail Bases: true

Scan Target - My Computer:
	A:\
	C:\
	D:\
	E:\
	F:\

Scan Statistics:
	Total number of scanned objects: 123778
	Number of viruses found: 43
	Number of infected objects: 137 / 0
	Number of suspicious objects: 2
	Duration of the scan process: 01:09:31

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\software.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\default.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY	Object is locked	skipped
C:\WINDOWS\system32\config\SAM	Object is locked	skipped
C:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SYSTEM	Object is locked	skipped
C:\WINDOWS\system32\config\SOFTWARE	Object is locked	skipped
C:\WINDOWS\system32\config\DEFAULT	Object is locked	skipped
C:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP	Object is locked	skipped
C:\WINDOWS\system32\SSS1.exe/AlxRes.dll	Infected: not-a-virus:AdWare.Win32.AlexaBar.a	skipped
C:\WINDOWS\system32\SSS1.exe	InstallCreator: infected - 1	skipped
C:\WINDOWS\system32\SSS1.exe	UPX: infected - 1	skipped
C:\WINDOWS\system32\desktrf.exe/data0002	Infected: not-a-virus:AdWare.Win32.Beginto.b	skipped
C:\WINDOWS\system32\desktrf.exe	NSIS: infected - 1	skipped
C:\WINDOWS\system32\CatRoot2\edb.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb	Object is locked	skipped
C:\WINDOWS\system32\h323log.txt	Object is locked	skipped
C:\WINDOWS\system32\lvvkammr.ini	Infected: not-a-virus:AdWare.Win32.Sahat.ao	skipped
C:\WINDOWS\system32\8jqs4hc1.ini	Infected: not-a-virus:AdWare.Win32.Sahat.ao	skipped
C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINDOWS\Sti_Trace.log	Object is locked	skipped
C:\WINDOWS\wiaservc.log	Object is locked	skipped
C:\WINDOWS\wiadebug.log	Object is locked	skipped
C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped
C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{AD3F4645-B27F-42A8-A057-D1B9DBF561F4}.bin	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Megasearch.zip/MegasearchBarSetup.exe	Suspicious: Password-protected-EXE	skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Megasearch.zip	ZIP: suspicious - 1	skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Tim April\Local Settings\Temporary Internet Files\Content.IE5\S16FWXMN\minisetup2[1].exe/data0002	Infected: not-a-virus:AdWare.Win32.PurityScan.ep	skipped
C:\Documents and Settings\Tim April\Local Settings\Temporary Internet Files\Content.IE5\S16FWXMN\minisetup2[1].exe	NSIS: infected - 1	skipped
C:\Documents and Settings\Matthew April\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\Matthew April\NTUSER.DAT.LOG	Object is locked	skipped
C:\Documents and Settings\Matthew April\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Matthew April\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Matthew April\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\Matthew April\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Matthew April\Local Settings\Temp\~DF2BD5.tmp	Object is locked	skipped
C:\Documents and Settings\Matthew April\My Documents\Downloads\Half-LIfe_PLUS_CS1.5_PLus\Half-Life.zip/Half-Life/hltv.exe	Infected: not-a-virus:Server-Proxy.Win32.Hltv	skipped
C:\Documents and Settings\Matthew April\My Documents\Downloads\Half-LIfe_PLUS_CS1.5_PLus\Half-Life.zip	ZIP: infected - 1	skipped
C:\Documents and Settings\Matthew April\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\Tspd[1].exe.bac_a00168/data0002	Infected: not-a-virus:AdWare.Win32.Agent.e	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\Tspd[1].exe.bac_a00168	NSIS: infected - 1	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\Tspd[1].exe.bac_a00168	CryptFF.b: infected - 1	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\Tspd[2].exe.bac_a00168/data0002	Infected: not-a-virus:AdWare.Win32.Agent.e	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\Tspd[2].exe.bac_a00168	NSIS: infected - 1	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\Tspd[2].exe.bac_a00168	CryptFF.b: infected - 1	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0016135.exe.bac_a00168	Infected: Trojan-Dropper.Win32.Agent.tb	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017414.exe.bac_a00168/data0002/data0002	Infected: Trojan-Downloader.Win32.Keenval	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017414.exe.bac_a00168/data0002/data0004	Infected: Trojan-Downloader.Win32.Keenval	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017414.exe.bac_a00168/data0002/data0005	Infected: Trojan-Downloader.Win32.Keenval	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017414.exe.bac_a00168/data0002	Infected: Trojan-Downloader.Win32.Keenval	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017414.exe.bac_a00168/data0008	Infected: Trojan-Downloader.Win32.Keenval.e	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017414.exe.bac_a00168/data0009	Infected: Trojan-Downloader.Win32.Keenval.e	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017414.exe.bac_a00168	NSIS: infected - 6	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017414.exe.bac_a00168	CryptFF.b: infected - 6	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017448.dll.bac_a00168	Infected: not-a-virus:AdWare.Win32.Beginto.b	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0014018.exe.bac_a00168/InpB/SskBho.dll	Infected: not-a-virus:AdWare.Win32.SurfSide.ay	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0014018.exe.bac_a00168/InpB/SskCore.dll	Infected: not-a-virus:AdWare.Win32.SurfSide.ay	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0014018.exe.bac_a00168/InpB/Ssk.exe	Infected: not-a-virus:AdWare.Win32.SurfSide.av	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0014018.exe.bac_a00168/InpB/Ssk3RepairInstall.exe	Infected: not-a-virus:AdWare.Win32.SurfSide.az	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0014018.exe.bac_a00168/InpB	Infected: not-a-virus:AdWare.Win32.SurfSide.az	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0014018.exe.bac_a00168	CAB: infected - 5	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0014018.exe.bac_a00168	CryptFF.b: infected - 5	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017451.dll.bac_a00168	Infected: not-a-virus:AdWare.Win32.Sahat.g	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017415.exe.bac_a00168/data0003/data0001	Infected: not-a-virus:AdWare.Win32.WebRebates.g	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017415.exe.bac_a00168/data0003	Infected: not-a-virus:AdWare.Win32.WebRebates.g	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017415.exe.bac_a00168/data0003	Infected: not-a-virus:AdWare.Win32.WebRebates.b	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017415.exe.bac_a00168/data0004	Infected: not-a-virus:AdWare.Win32.HelpExpress	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017415.exe.bac_a00168/data0005	Infected: not-a-virus:AdWare.Win32.WebRebates.b	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017415.exe.bac_a00168	NSIS: infected - 5	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017415.exe.bac_a00168	CryptFF.b: infected - 5	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\cmmanupd[1].exe.bac_a00168/data0002	Infected: not-a-virus:AdWare.Win32.CASClient.m	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\cmmanupd[1].exe.bac_a00168	NSIS: infected - 1	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\cmmanupd[1].exe.bac_a00168	CryptFF.b: infected - 1	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017533.exe.bac_a00168/data0002	Infected: not-a-virus:AdWare.Win32.CASClient.m	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017533.exe.bac_a00168	NSIS: infected - 1	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017533.exe.bac_a00168	CryptFF.b: infected - 1	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017447.exe.bac_a00168/data0002	Infected: not-a-virus:AdWare.Win32.Beginto.a	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017447.exe.bac_a00168/data0003	Infected: not-a-virus:AdWare.Win32.Beginto.a	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017447.exe.bac_a00168	NSIS: infected - 2	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017447.exe.bac_a00168	CryptFF.b: infected - 2	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017455.exe.bac_a00168/data0002	Infected: not-a-virus:AdWare.Win32.BookedSpace.c	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017455.exe.bac_a00168	NSIS: infected - 1	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017455.exe.bac_a00168	CryptFF.b: infected - 1	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017450.dll.bac_a00168	Infected: not-a-virus:AdWare.Win32.180Solutions	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\setup[1].exe.bac_a00168/stream/data0002	Infected: not-a-virus:AdWare.Win32.CASClient.n	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\setup[1].exe.bac_a00168/stream/data0003	Infected: not-a-virus:AdWare.Win32.CASClient.f	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\setup[1].exe.bac_a00168/stream	Infected: not-a-virus:AdWare.Win32.CASClient.f	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\setup[1].exe.bac_a00168	NSIS: infected - 3	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\setup[1].exe.bac_a00168	CryptFF.b: infected - 3	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017468.exe.bac_a00168	Infected: not-a-virus:AdWare.Win32.CASClient.f	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017411.dll.bac_a00168	Infected: Trojan-Dropper.Win32.Small.abe	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017419.dll.bac_a00168	Infected: not-a-virus:AdWare.Win32.HotSearchBar.b	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017413.exe.bac_a00168/data0001	Infected: Trojan-Downloader.NSIS.Agent.a	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017413.exe.bac_a00168	NSIS: infected - 1	skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017413.exe.bac_a00168	CryptFF.b: infected - 1	skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\U20D.tmp/InpB/TvmBho.dll	Infected: not-a-virus:AdWare.Win32.SurfSide.c	skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\U20D.tmp/InpB/TvmCore.dll	Infected: not-a-virus:AdWare.Win32.TotalVelocity.aa	skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\U20D.tmp/InpB/Tvm.exe	Infected: not-a-virus:AdWare.Win32.TotalVelocity.aa	skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\U20D.tmp/InpB	Infected: not-a-virus:AdWare.Win32.TotalVelocity.aa	skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\U20D.tmp	CAB: infected - 4	skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\WIN218.tmp	Infected: not-a-virus:AdWare.Win32.HotSearchBar.b	skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV176.tmp/data0003	Infected: Trojan-Downloader.Win32.Apropo.r	skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV176.tmp	NSIS: infected - 1	skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV177.tmp/data0003	Infected: Trojan-Downloader.Win32.Apropo.r	skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV177.tmp	NSIS: infected - 1	skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV178.tmp/data0003	Infected: Trojan-Downloader.Win32.Apropo.r	skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV178.tmp	NSIS: infected - 1	skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV5.tmp/data0003	Infected: Trojan-Downloader.Win32.Agent.oa	skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV5.tmp	NSIS: infected - 1	skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV6.tmp/data0003	Infected: not-a-virus:AdWare.Win32.Sahat.al	skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV6.tmp	NSIS: infected - 1	skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV7.tmp/data0003	Infected: Trojan-Downloader.Win32.Agent.oa	skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV7.tmp	NSIS: infected - 1	skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV8.tmp/data0003	Infected: not-a-virus:AdWare.Win32.Sahat.al	skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV8.tmp	NSIS: infected - 1	skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV9.tmp/data0003	Infected: Trojan-Downloader.Win32.Agent.oa	skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV9.tmp	NSIS: infected - 1	skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV45.tmp/data0003	Infected: Trojan-Downloader.Win32.Agent.oa	skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV45.tmp	NSIS: infected - 1	skipped
C:\Documents and Settings\Deborah Revtak\cpdef2.exe/data0003	Infected: Trojan-Downloader.Win32.Apropo.r	skipped
C:\Documents and Settings\Deborah Revtak\cpdef2.exe	NSIS: infected - 1	skipped
C:\Documents and Settings\Deborah Revtak\ridemgInst.exe/data0003	Infected: Trojan-Downloader.Win32.Agent.oa	skipped
C:\Documents and Settings\Deborah Revtak\ridemgInst.exe	NSIS: infected - 1	skipped
C:\Documents and Settings\Deborah Revtak\sahInst.exe/data0003	Infected: not-a-virus:AdWare.Win32.Sahat.al	skipped
C:\Documents and Settings\Deborah Revtak\sahInst.exe	NSIS: infected - 1	skipped
C:\Documents and Settings\Tiffany April\Desktop\cpdef2.exe/data0003	Infected: Trojan-Downloader.Win32.Apropo.r	skipped
C:\Documents and Settings\Tiffany April\Desktop\cpdef2.exe	NSIS: infected - 1	skipped
C:\Documents and Settings\Tiffany April\cpdef3.exe/data0003	Infected: Trojan-Downloader.Win32.Apropo.ab	skipped
C:\Documents and Settings\Tiffany April\cpdef3.exe	NSIS: infected - 1	skipped
C:\Documents and Settings\Tiffany April\ridemgInst.exe/data0003	Infected: Trojan-Downloader.Win32.Agent.oa	skipped
C:\Documents and Settings\Tiffany April\ridemgInst.exe	NSIS: infected - 1	skipped
C:\Documents and Settings\Tiffany April\sahInst.exe/data0003	Infected: not-a-virus:AdWare.Win32.Sahat.al	skipped
C:\Documents and Settings\Tiffany April\sahInst.exe	NSIS: infected - 1	skipped
C:\Program Files\a-squared Free\Quarantine\4af56e3cce8a9dafdced624efd46a550.a2q/WINDOWS/inst/3p_2.exe/WISE0001.BIN	Infected: Trojan-Downloader.Win32.TSUpdate.f	skipped
C:\Program Files\a-squared Free\Quarantine\4af56e3cce8a9dafdced624efd46a550.a2q/WINDOWS/inst/3p_2.exe/WISE0007.BIN	Infected: Trojan-Downloader.Win32.TSUpdate.f	skipped
C:\Program Files\a-squared Free\Quarantine\4af56e3cce8a9dafdced624efd46a550.a2q/WINDOWS/inst/3p_2.exe	Infected: Trojan-Downloader.Win32.TSUpdate.f	skipped
C:\Program Files\a-squared Free\Quarantine\4af56e3cce8a9dafdced624efd46a550.a2q	ZIP: infected - 3	skipped
C:\Program Files\a-squared Free\Quarantine\f8fdc8b497924ff43800ef040335728b.a2q/WINDOWS/system32/MegasearchBarSetup.dll	Infected: not-a-virus:AdWare.Win32.F1Organizer.n	skipped
C:\Program Files\a-squared Free\Quarantine\f8fdc8b497924ff43800ef040335728b.a2q	ZIP: infected - 1	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP74\A0015903.dll	Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP74\A0015905.dll	Infected: not-a-virus:AdWare.Win32.Altnet.a	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP74\A0015918.dll	Infected: not-a-virus:AdWare.Win32.BrilliantDigital.35684	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP77\A0016124.exe	Object is locked	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP77\A0016128.exe	Object is locked	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP77\A0016133.dll	Object is locked	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP77\A0016139.exe	Infected: Trojan-Downloader.Win32.Agent.tf	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP78\A0017275.exe/PgSDK.DLL	Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.d	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP78\A0017275.exe	ViseMan: infected - 1	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP78\A0017275.exe	ViseMan: infected - 1	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP78\A0017302.exe/data0002	Infected: not-a-virus:AdWare.Win32.CASClient.h	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP78\A0017302.exe	NSIS: infected - 1	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP78\A0017309.exe/data0002	Infected: not-a-virus:AdWare.Win32.CASClient.a	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP78\A0017309.exe/data0003	Infected: not-a-virus:AdWare.Win32.CASClient.e	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP78\A0017309.exe	NSIS: infected - 2	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP79\A0017412.dll	Infected: Trojan-Dropper.Win32.Small.abe	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP79\A0017418.dll	Infected: not-a-virus:AdWare.Win32.Agent.e	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP79\A0017452.exe	Infected: not-a-virus:AdWare.Win32.BookedSpace.f	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP79\A0017474.dll	Infected: not-a-virus:AdWare.Win32.F1Organizer.n	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP79\A0017604.exe	Infected: not-a-virus:Server-Proxy.Win32.Hltv	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP81\A0018939.exe/data0002	Infected: not-a-virus:AdWare.Win32.HotSearchBar.b	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP81\A0018939.exe	NSIS: infected - 1	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP81\A0018940.exe/data0002/data0002	Infected: Trojan-Downloader.Win32.Keenval	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP81\A0018940.exe/data0002/data0004	Infected: Trojan-Downloader.Win32.Keenval	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP81\A0018940.exe/data0002/data0005	Infected: Trojan-Downloader.Win32.Keenval	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP81\A0018940.exe/data0002	Infected: Trojan-Downloader.Win32.Keenval	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP81\A0018940.exe/data0008	Infected: Trojan-Downloader.Win32.Keenval.e	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP81\A0018940.exe/data0009	Infected: Trojan-Downloader.Win32.Keenval.e	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP81\A0018940.exe	NSIS: infected - 6	skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP82\change.log	Object is locked	skipped

Scan process completed.


----------



## edifier

Make sure this is still done- ''Control Panel/folder options/view' and check 'show hidden files and folders'.While there, UNCHECK 'hide protected operating system files(recommended)'. Click Apply and Okay.'

Copy the below to Notepad so you can view it in safemode.

Download 'Killbox' here  http://download.bleepingcomputer.com/spyware/KillBox.zip to your desktop.Unzip it there. You will need it later in safe mode.

Download, install and update this trial from Webroot Spysweeper- http://www.webroot.com/shoppingcart/tryme.php?bjpc=64011&vcode=DT14

We are going to have to do this procedure a few times as you can see there are many infections.

Reboot your computer in Safe Mode

Again, make sure all security programs are disabled until needed.

Double-click on Killbox.exe to run it.
Put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines if still present one at a time.

C:\WINDOWS\system32\SSS1.exe
C:\WINDOWS\system32\desktrf.exe
C:\WINDOWS\system32\lvvkammr.ini 
C:\WINDOWS\system32\8jqs4hc1.ini 

Click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confimation to delete the file.
Click Yes.
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.

Please let me know if any of these didn't delete.

Navigate manually to the following below and delete.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ (Contents of this folder)
C:\Documents and Settings\Tim April\Local Settings\Temporary Internet Files\Content.IE5\S16FWXMN\ ( contents of this folder)
C:\Documents and Settings\Matthew April\My Documents\Downloads\Half-LIfe_PLUS_CS1.5_PLus\ (this folder)
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\(contents of this folder)
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\(contents of this folder)
C:\Documents and Settings\Deborah Revtak\- Files below
     cpdef2.exe
     ridemgInst.exe
     sahInst.exe
C:\Documents and Settings\Tiffany April\Desktop\cpdef2.exe - this file
C:\Documents and Settings\Tiffany April\ - Files below
     cpdef3.exe
     ridemgInst.exe
     sahInst.exe
C:\Program Files\a-squared Free\Quarantine\ (contents of this folder)

Now run Spysweeper- its supposed to be updated. Let it delete what it finds.


Run ATF-Cleaner from safe mode.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Tick Select All
Click the Empty Selected button.

Reboot into normal windows, run ATF cleaner and purge the restore folder by doing the following.

  Go to 'Control Panel/ System/System Restore' and check the box ' Turn off system restore on all drives' click 'apply' and 'okay'.Reboot your computer and then enable system restore again and create a 'New Restore Point' by going to 'Start/Programs/Accessories/System Tools/System Restore'.

  Post a fresh 'HJT' log and we'll go from there.


----------



## HELP_ME

Logfile of HijackThis v1.99.1
Scan saved at 10:45:28 AM, on 9/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Updater.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Matthew April\My Documents\My Received Files\anti-spy\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =  
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe 
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll (file missing)
O3 - Toolbar: Search - {215303D2-42B9-A7EC-7414-5630B3DD8F1A} - C:\WINDOWS\Cagxrcfg.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [lfsqbiqafb] C:\WINDOWS\System32\wqupxsmg.exe
O4 - HKLM\..\Run: [kjefel] C:\WINDOWS\kjefel.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [inhttpw] C:\WINDOWS\System32\inhttpw.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [wshatm] "C:\WINDOWS\system32\wshatm.exe"
O4 - HKCU\..\Run: [wlnotify] "C:\WINDOWS\system32\wlnotify.exe"
O4 - HKCU\..\Run: [vxblock] "C:\WINDOWS\system32\vxblock.exe"
O4 - HKCU\..\Run: [version] C:\WINDOWS\System32\version.exe
O4 - HKCU\..\Run: [shfolder] "C:\WINDOWS\system32\shfolder.exe"
O4 - HKCU\..\Run: [s3gnb] "C:\WINDOWS\system32\s3gnb.exe"
O4 - HKCU\..\Run: [raschap] "C:\Documents and Settings\Matthew April\raschap.exe"
O4 - HKCU\..\Run: [netcfgx] "C:\WINDOWS\system32\netcfgx.exe"
O4 - HKCU\..\Run: [netapi] "C:\WINDOWS\system32\netapi.exe"
O4 - HKCU\..\Run: [kbduzb] "C:\WINDOWS\system32\kbduzb.exe"
O4 - HKCU\..\Run: [kbdus] "C:\WINDOWS\system32\kbdus.exe"
O4 - HKCU\..\Run: [kbdinbe1] "C:\WINDOWS\system32\kbdinbe1.exe"
O4 - HKCU\..\Run: [kbdhe] "C:\WINDOWS\system32\kbdhe.exe"
O4 - HKCU\..\Run: [jgmd400] "C:\WINDOWS\system32\jgmd400.exe"
O4 - HKCU\..\Run: [ir41_qcx] "C:\WINDOWS\system32\ir41_qcx.exe"
O4 - HKCU\..\Run: [infosoft] "C:\WINDOWS\system32\infosoft.exe"
O4 - HKCU\..\Run: [inetclnt] "C:\WINDOWS\system32\inetclnt.exe"
O4 - HKCU\..\Run: [hsfcisp2] "C:\WINDOWS\system32\hsfcisp2.exe"
O4 - HKCU\..\Run: [fkfw] C:\PROGRA~1\COMMON~1\fkfw\fkfwm.exe
O4 - HKCU\..\Run: [eventcls] "C:\WINDOWS\system32\eventcls.exe"
O4 - HKCU\..\Run: [dmband] "C:\WINDOWS\system32\dmband.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cscui] "C:\Documents and Settings\Matthew April\cscui.exe"
O4 - HKCU\..\Run: [iprtcnst] "C:\WINDOWS\system32\iprtcnst.exe"
O4 - HKCU\..\Run: [atiicdxx] "C:\WINDOWS\system32\atiicdxx.exe"
O4 - HKCU\..\Run: [rmoc3260] "C:\WINDOWS\system32\rmoc3260.exe"
O4 - HKCU\..\Run: [getuname] "C:\WINDOWS\system32\getuname.exe"
O4 - HKCU\..\Run: [vdmdbg] "C:\WINDOWS\system32\vdmdbg.exe"
O4 - HKCU\..\Run: [resutils] "C:\WINDOWS\system32\resutils.exe"
O4 - HKCU\..\Run: [lftif11n] "C:\WINDOWS\system32\lftif11n.exe"
O4 - HKCU\..\Run: [uniplat] "C:\WINDOWS\system32\uniplat.exe"
O4 - HKCU\..\Run: [msr2cenu] "C:\WINDOWS\system32\msr2cenu.exe"
O4 - HKCU\..\Run: [mmcbase] "C:\WINDOWS\system32\mmcbase.exe"
O4 - HKCU\..\Run: [msorc32r] "C:\WINDOWS\system32\msorc32r.exe"
O4 - HKCU\..\Run: [wmiprop] "C:\WINDOWS\system32\wmiprop.exe"
O4 - HKCU\..\Run: [dmscript] "C:\WINDOWS\system32\dmscript.exe"
O4 - HKCU\..\Run: [wmerror] "C:\WINDOWS\system32\wmerror.exe"
O4 - HKCU\..\Run: [qasf] "C:\WINDOWS\system32\qasf.exe"
O4 - HKCU\..\Run: [6to4svc] "C:\WINDOWS\system32\6to4svc.exe"
O4 - HKCU\..\Run: [dpwsock] "C:\WINDOWS\system32\dpwsock.exe"
O4 - HKCU\..\Run: [kbdir] "C:\WINDOWS\system32\kbdir.exe"
O4 - HKCU\..\Run: [pjlmon] "C:\WINDOWS\system32\pjlmon.exe"
O4 - HKCU\..\Run: [dispex] "C:\WINDOWS\system32\dispex.exe"
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


----------



## edifier

Download Dr. Web Cureit here http://download.drweb.com/drweb+cureit/

  Download CWShredder here http://www.intermute.com/spysubtract/cwshredder_download.html
  These above will be run from safemode.

  From normal windows, follow these removal instructions and run this specialty tool here http://forums.majorgeeks.com/showthread.php?t=74338 Save this log.

  Once completed, reboot into safemode.

  Run ATF cleaner- Tick All

  From safemode, run HijackThis and put a check by the following entries if still present, close all open windows and browsers except HijackThis and click 'Fix Checked'

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: Search - {215303D2-42B9-A7EC-7414-5630B3DD8F1A} - C:\WINDOWS\Cagxrcfg.dll (file missing)
O4 - HKLM\..\Run: [lfsqbiqafb] C:\WINDOWS\System32\wqupxsmg.exe
O4 - HKLM\..\Run: [kjefel] C:\WINDOWS\kjefel.exe
O4 - HKLM\..\Run: [inhttpw] C:\WINDOWS\System32\inhttpw.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [wshatm] "C:\WINDOWS\system32\wshatm.exe"
O4 - HKCU\..\Run: [wlnotify] "C:\WINDOWS\system32\wlnotify.exe"
O4 - HKCU\..\Run: [vxblock] "C:\WINDOWS\system32\vxblock.exe"
O4 - HKCU\..\Run: [version] C:\WINDOWS\System32\version.exe
O4 - HKCU\..\Run: [shfolder] "C:\WINDOWS\system32\shfolder.exe"
O4 - HKCU\..\Run: [s3gnb] "C:\WINDOWS\system32\s3gnb.exe"
O4 - HKCU\..\Run: [raschap] "C:\Documents and Settings\Matthew April\raschap.exe"
O4 - HKCU\..\Run: [netcfgx] "C:\WINDOWS\system32\netcfgx.exe"
O4 - HKCU\..\Run: [netapi] "C:\WINDOWS\system32\netapi.exe"
O4 - HKCU\..\Run: [kbduzb] "C:\WINDOWS\system32\kbduzb.exe"
O4 - HKCU\..\Run: [kbdus] "C:\WINDOWS\system32\kbdus.exe"
O4 - HKCU\..\Run: [kbdinbe1] "C:\WINDOWS\system32\kbdinbe1.exe"
O4 - HKCU\..\Run: [kbdhe] "C:\WINDOWS\system32\kbdhe.exe"
O4 - HKCU\..\Run: [jgmd400] "C:\WINDOWS\system32\jgmd400.exe"
O4 - HKCU\..\Run: [ir41_qcx] "C:\WINDOWS\system32\ir41_qcx.exe"
O4 - HKCU\..\Run: [infosoft] "C:\WINDOWS\system32\infosoft.exe"
O4 - HKCU\..\Run: [inetclnt] "C:\WINDOWS\system32\inetclnt.exe"
O4 - HKCU\..\Run: [hsfcisp2] "C:\WINDOWS\system32\hsfcisp2.exe"
O4 - HKCU\..\Run: [fkfw] C:\PROGRA~1\COMMON~1\fkfw\fkfwm.exe
O4 - HKCU\..\Run: [eventcls] "C:\WINDOWS\system32\eventcls.exe"
O4 - HKCU\..\Run: [dmband] "C:\WINDOWS\system32\dmband.exe"
O4 - HKCU\..\Run: [cscui] "C:\Documents and Settings\Matthew April\cscui.exe"
O4 - HKCU\..\Run: [iprtcnst] "C:\WINDOWS\system32\iprtcnst.exe"
O4 - HKCU\..\Run: [atiicdxx] "C:\WINDOWS\system32\atiicdxx.exe"
O4 - HKCU\..\Run: [rmoc3260] "C:\WINDOWS\system32\rmoc3260.exe"
O4 - HKCU\..\Run: [getuname] "C:\WINDOWS\system32\getuname.exe"
O4 - HKCU\..\Run: [vdmdbg] "C:\WINDOWS\system32\vdmdbg.exe"
O4 - HKCU\..\Run: [resutils] "C:\WINDOWS\system32\resutils.exe"
O4 - HKCU\..\Run: [lftif11n] "C:\WINDOWS\system32\lftif11n.exe"
O4 - HKCU\..\Run: [uniplat] "C:\WINDOWS\system32\uniplat.exe"
O4 - HKCU\..\Run: [msr2cenu] "C:\WINDOWS\system32\msr2cenu.exe"
O4 - HKCU\..\Run: [mmcbase] "C:\WINDOWS\system32\mmcbase.exe"
O4 - HKCU\..\Run: [msorc32r] "C:\WINDOWS\system32\msorc32r.exe"
O4 - HKCU\..\Run: [wmiprop] "C:\WINDOWS\system32\wmiprop.exe"
O4 - HKCU\..\Run: [dmscript] "C:\WINDOWS\system32\dmscript.exe"
O4 - HKCU\..\Run: [wmerror] "C:\WINDOWS\system32\wmerror.exe"
O4 - HKCU\..\Run: [qasf] "C:\WINDOWS\system32\qasf.exe"
O4 - HKCU\..\Run: [6to4svc] "C:\WINDOWS\system32\6to4svc.exe"
O4 - HKCU\..\Run: [dpwsock] "C:\WINDOWS\system32\dpwsock.exe"
O4 - HKCU\..\Run: [kbdir] "C:\WINDOWS\system32\kbdir.exe"
O4 - HKCU\..\Run: [pjlmon] "C:\WINDOWS\system32\pjlmon.exe"
O4 - HKCU\..\Run: [dispex] "C:\WINDOWS\system32\dispex.exe"
O16 - DPF: {563EC66E-5A1B-51D2-1DB0-5080C83DA4EB} - ms-its:mhtml:file://C:ie.mht!http://69.50.164.12/exp/mht/sext02.c...aInstaller.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/instal...sinstaller.cab
O18 - Filter: text/html - (no CLSID) - (no file)

Exit HijackThis but remain in safe mode.

Run CWShredder.

Next, run Dr.Web Cureit. Save the scan log.

Run ATF cleaner once more.

Reboot into normal windows and post a fresh 'HJT' log along with the scan logs from DR. Web and Look2Me Detroyer.


----------



## HELP_ME

Logfile of HijackThis v1.99.1
Scan saved at 7:22:40 PM, on 9/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Updater.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Matthew April\My Documents\My Received Files\anti-spy\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe 
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


----------



## HELP_ME

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 9/24/2006 7:07:08 PM


Attempting to delete infected files...

Making registry repairs.


Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0CE5E388-C808-4521-B000-88C76774BCFB}"
HKCR\Clsid\{0CE5E388-C808-4521-B000-88C76774BCFB}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded










AND THERE WAS NOTHING FOR DR.WEB


----------



## edifier

While i'm reviewing your current log, could you update me on this latest round of cleaning. Did you mean that Dr.Web found nothing?. What about CWShredder?. How is your system running now?.


----------



## edifier

Looking alot better. 

 Proceed to ADD/REMOVE Programs and un-install all versions of 'Java'. Then go here http://java.sun.com/javase/downloads/index.jsp and install 'Java Runtime Environment (JRE) 5.0 Update 8'. 

 Then run HijackThis and put a check by the following entries if still present, close all open windows and browsers except HijackThis and click 'Fix Checked'

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0. dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

Run ATF cleaner- Select All. Do the same if you use Firefox also.

Reboot your computer. Once back in windows, post a fresh 'HJT' log.


----------



## HELP_ME

neither dr.web or CW shredder found anything


----------



## HELP_ME

i have been downloading several diffrent things for this whole clen up process and i was just wondering what things i wont need in the future and we wont be using again, and if i can remove them from my computer. 

things like:
smitrem
vundofix
a-squared
super anti-spy ware
cw shredder
dr.WEB cureit 
and, look2me destroyer

let me know what i can remove.


----------



## edifier

You can delete everything we have used but i would recommend keeping and running on a regular basis these.

Ewido
A-squared
Superantispyware

These are all free.

Also for Spyware Prevention, this freebie. Just manually update it twice a month.

http://www.javacoolsoftware.com/spywareblaster.html

You should also install a free software firewall.


----------



## HELP_ME

Logfile of HijackThis v1.99.1
Scan saved at 5:34:55 PM, on 9/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.exe
C:\Updater.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Matthew April\My Documents\My Received Files\anti-spy\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
F2 - REG:system.ini: Shell=Explorer.exe 
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


----------



## edifier

Looks okay. Webroot Spysweeper is only a 2 week trial so you can un-install that also.


----------



## HELP_ME

ALRIGHT!  well thanks alot for all the help, i appreciate it.  there was something else i wanted to ask but i forget now...o well


----------

