Full Version: Generic4.0aw virus attack
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
Generic4444
I've noticed that several people have had this issue recently. I tried using the Vundofix program, and ran it overnight, but I noticed in the morning that the computer rebooted. The virus is still there. I also tried to boot up in safe mode. I tap F8, then highlight safe mode and then hit enter when it highlights XP as my operating system. I click on administrator when it asks who to log on as, and then click Yes when it asks if I want to continue in safe mode (or something to that effect). Then, the computer freezes with "SafeMode" in each corner and black screen in the background. I did just notice a message about having more than 1 spyware removal program open so that may be an issue. Anyway, here's my HijackThis log. Help would be GREATLY appreciated...thanks!!

Logfile of HijackThis v1.99.1
Scan saved at 3:24:18 PM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\avp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ivy B\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Protection Bar - {31615D5C-5126-448A-818A-A7CDFEE85A9B} - C:\PROGRAM FILES\SECURITY TOOLS\IESBPL.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [swldpodc] C:\WINDOWS\System32\swldpodc.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\Run: [RunOnce2Upd] "C:\WINDOWS\System32\KB_963493.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\ljjprvuc.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swldpodc] C:\WINDOWS\System32\swldpodc.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Service Pack 1] C:\WINDOWS\System32\vexg6ame4.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://pbells.broadjump.com/wizlet/iw60/st...aller_4-0-0.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1180440798812
O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/Standar...aller_4-2-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{48390DF6-9B31-4364-ABA0-CD15CB84609D}: NameServer = 85.255.114.71,85.255.112.197
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.71 85.255.112.197
O17 - HKLM\System\CS1\Services\Tcpip\..\{48390DF6-9B31-4364-ABA0-CD15CB84609D}: NameServer = 85.255.114.71,85.255.112.197
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.71 85.255.112.197
O17 - HKLM\System\CS2\Services\Tcpip\..\{48390DF6-9B31-4364-ABA0-CD15CB84609D}: NameServer = 85.255.114.71,85.255.112.197
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.71 85.255.112.197
O17 - HKLM\System\CS3\Services\Tcpip\..\{48390DF6-9B31-4364-ABA0-CD15CB84609D}: NameServer = 85.255.114.71,85.255.112.197
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.71 85.255.112.197
O21 - SSODL: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINDOWS\SYSTEM32\ECMAMA.DLL (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\System32\dmpbx.exe (file missing)
LoPhatPhuud
First:
You are currently using hijackthis from a temporary directory, or from the Desktop.
This can cause problems and will leave backups scattered.

Please create a directory on your c: drive called c:\hijackthis and download and unzip hijackthis into that directory.
Run the program from that directory from now on.

It is essential that you follow these steps or certain important features of the program will not function correctly.


Second:
Open a Command Prompt Window (Start -> Run -> cmd)
Enter the following commands: (then press 'Enter')
sc stop "Windows Management Service" <-- include quotes
sc delete "Windows Management Service" <-- include quotes
exit

Note: It's ok if the 'Stop' command fails.


Third:
Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Press the 'Scan' button and when done check the following items in HijackThis:
O3 - Toolbar: Protection Bar - {31615D5C-5126-448A-818A-A7CDFEE85A9B} - C:\PROGRAM FILES\SECURITY TOOLS\IESBPL.DLL

O4 - HKLM\..\Run: [swldpodc] C:\WINDOWS\System32\swldpodc.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\Run: [RunOnce2Upd] "C:\WINDOWS\System32\KB_963493.exe"
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\ljjprvuc.dll",realset
O4 - HKCU\..\Run: [swldpodc] C:\WINDOWS\System32\swldpodc.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Service Pack 1] C:\WINDOWS\System32\vexg6ame4.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{48390DF6-9B31-4364-ABA0-CD15CB84609D}: NameServer = 85.255.114.71,85.255.112.197
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.71 85.255.112.197
O17 - HKLM\System\CS1\Services\Tcpip\..\{48390DF6-9B31-4364-ABA0-CD15CB84609D}: NameServer = 85.255.114.71,85.255.112.197
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.71 85.255.112.197
O17 - HKLM\System\CS2\Services\Tcpip\..\{48390DF6-9B31-4364-ABA0-CD15CB84609D}: NameServer = 85.255.114.71,85.255.112.197
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.71 85.255.112.197
O17 - HKLM\System\CS3\Services\Tcpip\..\{48390DF6-9B31-4364-ABA0-CD15CB84609D}: NameServer = 85.255.114.71,85.255.112.197
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.71 85.255.112.197

O21 - SSODL: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINDOWS\SYSTEM32\ECMAMA.DLL (file missing)

O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\System32\dmpbx.exe (file missing)

Close all windows except HijackThis and click Fix checked.


While still in Safe Mode*, delete the following: (you may need to show hidden files**)
(Files specified without a full path will be located in C:\Windows\ or C:\Windows\System32\)
C:\PROGRAM FILES\SECURITY TOOLS\ <--delete entire folder,
C:\WINDOWS\System32\swldpodc.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\System32\spoolsvv.exe
C:\WINDOWS\System32\KB_963493.exe
C:\WINDOWS\system32\ljjprvuc.dll
C:\Windows\xpupdate.exe
C:\WINDOWS\System32\vexg6ame4.exe
C:\winstall.exe
C:\WINDOWS\SYSTEM32\ECMAMA.DLL

O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\System32\dmpbx.exe (file missing)

*How to Boot into Safe mode:
http://www.computerhope.com/issues/chsafe.htm

**Show Hidden and System files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode

Run HiJackThis again and post a new log in this thread.
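As an added example (not code from this thread or from HijackThis itself), here is a small Python triage script for the log format the helper is reading above. It parses O4 Run entries, O17 NameServer entries and any load point marked "(file missing)", flags DNS servers outside a defender-supplied allowlist, and flags Run entries whose executable name is one character away from a Windows system binary, as spoolsvv.exe and kernels32.exe are in this log. The sample lines are constructed from the posted logs; the allowlist address is a placeholder standing in for the ISP's real resolvers.

```python
"""Triage helpers for HijackThis v1.99 log lines.

Added example; not the thread's, the helper's, or HijackThis's own code.
"""
import re

# Constructed sample: a few entries copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{48390DF6-9B31-4364-ABA0-CD15CB84609D}: NameServer = 85.255.114.71,85.255.112.197
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.71 85.255.112.197
O21 - SSODL: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINDOWS\SYSTEM32\ECMAMA.DLL (file missing)
O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\System32\dmpbx.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Stems of Windows binaries whose names the malware on this machine imitated
# (kernels32.exe, spoolsvv.exe). A one-character deviation is flagged.
SYSTEM_STEMS = {
    "smss", "csrss", "winlogon", "services", "lsass", "svchost", "spoolsv",
    "explorer", "rundll32", "wuauclt", "userinit", "ctfmon", "kernel32",
}

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O17_RE = re.compile(r"^O17 - (\S+): NameServer = (.*)$")
EXE_RE = re.compile(r'([^\\\s"]+)\.exe\b', re.IGNORECASE)
MISSING = " (file missing)"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch near-miss process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(stem: str):
    """Return the system binary a name imitates, or None if exact or unrelated."""
    s = stem.lower()
    if s in SYSTEM_STEMS:
        return None
    for legit in sorted(SYSTEM_STEMS):
        if edit_distance(s, legit) == 1:
            return legit
    return None


def parse_nameservers(value: str):
    # HijackThis prints the list comma- or space-separated, as the log shows.
    return [s for s in re.split(r"[,\s]+", value.strip()) if s]


def triage(log_text: str, dns_allowlist):
    """Return a list of findings, each {'kind', 'detail', 'line'}."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(MISSING):
            # A load point whose target is gone is still a persistence leftover.
            path = line[: -len(MISSING)].split(" - ")[-1]
            findings.append({"kind": "file_missing", "detail": path, "line": line})
            continue
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.search(m.group(3))
            legit = lookalike(exe.group(1)) if exe else None
            if legit:
                findings.append({"kind": "lookalike", "detail": f"{exe.group(0)} ~ {legit}", "line": line})
            continue
        m = O17_RE.match(line)
        if m:
            # Every control set (CS1, CS2, CS3, CCS) is checked, since the log lists each.
            bad = [s for s in parse_nameservers(m.group(2)) if s not in dns_allowlist]
            if bad:
                findings.append({"kind": "dns", "detail": f"{m.group(1)}: {', '.join(bad)}", "line": line})
    return findings


def dns_servers(log_text: str):
    """Set of every resolver address configured in the O17 entries."""
    found = set()
    for raw in log_text.splitlines():
        m = O17_RE.match(raw.strip())
        if m:
            found.update(parse_nameservers(m.group(2)))
    return found


if __name__ == "__main__":
    # Placeholder allowlist (TEST-NET address); substitute the ISP's real resolvers.
    for f in triage(SAMPLE_LOG, {"192.0.2.53"}):
        print(f"{f['kind']:13} {f['detail']}")
```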
Generic4444
I'm still having problems logging on in safe-mode. I was signing on as an admin before and saw the black screen with "Safe Mode" in the 4 corners. I decided to log on as one of the "guests." It finally looked like some icons were showing up, then it asked the question again about whether or not I wanted to stay in Safe Mode. When I said Yes, the same black background with Safe Mode in the corners appeared. What's going on?? Help.
LoPhatPhuud
When the corners show "Safe" mode, you should be there. If you cannot do anything, then do it this way, instead.


Run HiJackThis, and fix all the entries marked in my prior post. Then exit HiJackThis, reboot in Normal Mode and delete the files as requested.
Generic4444
Ok, I ran Hijackthis in normal mode. I then checked off what you told me and fixed them. I then closed, rebooted in normal mode and tried to delete the files you pointed out. I could only find about half of them (and yes, I set it to "show hidden files"). (BTW- You mentioned a spoolsvv file to delete, but only the spoolsv was there, was this the file you meant?) So I deleted what I could, but the problem still persists. Here's my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:47:45 AM, on 6/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\eafvimsa.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://pbells.broadjump.com/wizlet/iw60/st...aller_4-0-0.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1180440798812
O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/Standar...aller_4-2-0.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
LoPhatPhuud
Rename HiJackThis.exe to abc.exe and run again. When you have the log in Notepad, toggle word wrap so the lines do not wrap. It makes reading the log, difficult at best.

The Vundo infection is still there, but we'll take all the files out at once.
Generic4444
My apologies on the formatting. I had been cutting and pasting before, so the wrap feature has no control over that. I then tried to attach the notepad file... and now, 3 hours later, I am about to go crazy. Every process is ridiculously slow. 1000 apologies, but I have to do the cut/paste again because if the computer freezes again when I try to attach the notepad file, I will seriously throw this thing through the window. It's driving me nucking futs. Please help me fix this as fast as humanly possible. For my sanity, I beg of you.

Logfile of HijackThis v1.99.1
Scan saved at 6:42:31 PM, on 6/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\abc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1496FFAC-00DB-4393-A478-7B46EC659CDC} - C:\WINDOWS\SYSTEM32\KHFGHGG.DLL
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {5BF9005C-16BE-4038-BA27-7AAC846FE008} - c:\windows\system32\ibgkibg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Explorer Helper - {696A82AF-3AD8-5A16-A1CA-32A59A63A863} - C:\WINDOWS\system\bremct32.dll
O2 - BHO: (no name) - {736E81A0-0A3B-4431-A2DD-45A155265EBd} - C:\WINDOWS\System32\nvqxpxft.dll
O2 - BHO: (no name) - {B18A45BA-8227-4D1B-B283-16AD1CD7D373} - C:\WINDOWS\System32\awvvw.dll
O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - C:\PROGRAM FILES\SECURITY TOOLS\IESPLG.DLL (file missing)
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\SYSTEM32\CKJXXSNK.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\eafvimsa.dll",realset
O4 - HKLM\..\Run: [j5291932] rundll32 C:\WINDOWS\system32\j5291932.dll sook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://pbells.broadjump.com/wizlet/iw60/st...aller_4-0-0.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1180440798812
O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/Standar...aller_4-2-0.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxx.dll (file missing)
O20 - Winlogon Notify: awvvw - C:\WINDOWS\System32\awvvw.dll
O20 - Winlogon Notify: khfghgg - C:\WINDOWS\SYSTEM32\khfghgg.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O20 - Winlogon Notify: ztwxkyxu - C:\WINDOWS\SYSTEM32\ibgkibg.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Generic4444
Since this time, things seem to be moving a bit better, I will try to attach the log. One thing I did before this 1000th restart of the day was to disconnect my cable modem. I then opened my browser and reconnected. This seems to help a lot for those of you out there going through these same issues. Phuud, here's the same log as the previous one, but attached for your viewing ease:

LoPhatPhuud
OK, let's see if we can clean this out


First:
1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text (including the words 'Files to delete:') contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\SYSTEM32\KHFGHGG.DLL
c:\windows\system32\ibgkibg.dll
C:\WINDOWS\system\bremct32.dll
C:\WINDOWS\System32\nvqxpxft.dll
C:\WINDOWS\System32\awvvw.dll
C:\PROGRAM FILES\SECURITY TOOLS\IESPLG.DLL
C:\WINDOWS\SYSTEM32\CKJXXSNK.DLL
C:\WINDOWS\system32\eafvimsa.dll
C:\WINDOWS\system32\j5291932.dll
C:\WINDOWS\System32\a3dxx.dll
C:\WINDOWS\System32\awvvw.dll
C:\WINDOWS\SYSTEM32\khfghgg.dll
C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
C:\WINDOWS\SYSTEM32\ibgkibg.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply


Second:

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


Third:
Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Press the 'Scan' button and when done check the following items in HijackThis:
O2 - BHO: (no name) - {1496FFAC-00DB-4393-A478-7B46EC659CDC} - C:\WINDOWS\SYSTEM32\KHFGHGG.DLL
O2 - BHO: (no name) - {5BF9005C-16BE-4038-BA27-7AAC846FE008} - c:\windows\system32\ibgkibg.dll
O2 - BHO: Explorer Helper - {696A82AF-3AD8-5A16-A1CA-32A59A63A863} - C:\WINDOWS\system\bremct32.dll
O2 - BHO: (no name) - {736E81A0-0A3B-4431-A2DD-45A155265EBd} - C:\WINDOWS\System32\nvqxpxft.dll
O2 - BHO: (no name) - {B18A45BA-8227-4D1B-B283-16AD1CD7D373} - C:\WINDOWS\System32\awvvw.dll
O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - C:\PROGRAM FILES\SECURITY TOOLS\IESPLG.DLL (file missing)
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\SYSTEM32\CKJXXSNK.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\eafvimsa.dll",realset
O4 - HKLM\..\Run: [j5291932] rundll32 C:\WINDOWS\system32\j5291932.dll sook

O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxx.dll (file missing)
O20 - Winlogon Notify: awvvw - C:\WINDOWS\System32\awvvw.dll
O20 - Winlogon Notify: khfghgg - C:\WINDOWS\SYSTEM32\khfghgg.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O20 - Winlogon Notify: ztwxkyxu - C:\WINDOWS\SYSTEM32\ibgkibg.dll

Close all windows except HijackThis and click Fix checked.


While still in Safe Mode*, delete the following: (you may need to show hidden files**)
(Files specified without a full path will be located in C:\Windows\ or C:\Windows\System32\)
C:\PROGRAM FILES\SECURITY TOOLS\ <--delete entire folder,

*How to Boot into Safe mode:
http://www.computerhope.com/issues/chsafe.htm

**Show Hidden and System files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode

Run HiJackThis again and post a new log in this thread.
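As an added example (not code from this thread, from HijackThis, or from its authors), here is a small Python triage script over HijackThis 1.99 log lines. It surfaces the patterns behind the entries listed for fixing above: BHOs with no name, a DLL registered both as a BHO and as a Winlogon Notify handler, entries whose file is already missing (orphaned registry entries), and Run entries that load a DLL through rundll32. The sample lines are copied from the logs in this thread; the categories are a review aid, not a verdict (NvCpl.dll, for instance, is a legitimate rundll32 entry and is listed all the same).

```python
"""Triage of HijackThis (v1.99) log lines: an added example, not part of the
thread or of HijackThis itself. It surfaces the patterns behind the entries
the helper asked the user to fix."""
import re

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1496FFAC-00DB-4393-A478-7B46EC659CDC} - C:\WINDOWS\SYSTEM32\KHFGHGG.DLL
O2 - BHO: (no name) - {B18A45BA-8227-4D1B-B283-16AD1CD7D373} - C:\WINDOWS\System32\awvvw.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\eafvimsa.dll",realset
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: awvvw - C:\WINDOWS\System32\awvvw.dll
O20 - Winlogon Notify: khfghgg - C:\WINDOWS\SYSTEM32\khfghgg.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# First argument of a rundll32 command line, quoted or not (",entrypoint" is split off later).
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
MISSING_MARKERS = ("(file missing)", "(no file)")


def basename(path):
    """Lower-cased file name of a Windows path, with HJT's missing-file markers removed."""
    for marker in MISSING_MARKERS:
        path = path.replace(marker, "")
    return path.strip().rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return the categories of entries worth a second look in a HijackThis log."""
    bho_files, notify_files = set(), set()
    report = {"no_name_bhos": [], "missing_files": [], "rundll32_runs": [], "bho_and_notify": []}
    for line in log_text.splitlines():
        line = line.strip()
        if m := BHO_RE.match(line):
            if m["name"] == "(no name)":
                report["no_name_bhos"].append(m["path"])
            if name := basename(m["path"]):
                bho_files.add(name)
        elif m := NOTIFY_RE.match(line):
            if name := basename(m["path"]):
                notify_files.add(name)
        elif m := RUN_RE.match(line):
            if r := RUNDLL_RE.search(m["cmd"]):
                dll = (r.group(1) or r.group(2)).split(",")[0]
                report["rundll32_runs"].append((m["key"], dll))
        if any(marker in line for marker in MISSING_MARKERS):
            report["missing_files"].append(line)
    # The same DLL hooked as a BHO *and* as a Winlogon Notify handler is the
    # pattern behind most of the paired O2/O20 entries listed in this thread.
    report["bho_and_notify"] = sorted(bho_files & notify_files)
    return report


if __name__ == "__main__":
    for category, entries in triage(SAMPLE_LOG).items():
        print(f"{category}:")
        for entry in entries:
            print("   ", entry)
```

Feed it a full log (`triage(open("hijackthis.log").read())`) and read the `bho_and_notify` list first: a legitimate browser helper almost never needs a Winlogon Notify registration as well, so a DLL in both lists is the first thing to verify.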
Generic4444
Ok, here's the avenger log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\lhv^yiay

*******************

Script file located at: \??\C:\Program Files\ihwcdqgu.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\SYSTEM32\KHFGHGG.DLL deleted successfully.


Could not open file c:\windows\system32\ibgkibg.dll for deletion
Deletion of file c:\windows\system32\ibgkibg.dll failed!

Could not process line:
c:\windows\system32\ibgkibg.dll
Status: 0xc0000022

File C:\WINDOWS\system\bremct32.dll deleted successfully.
File C:\WINDOWS\System32\nvqxpxft.dll deleted successfully.
File C:\WINDOWS\System32\awvvw.dll deleted successfully.


Could not open file C:\PROGRAM FILES\SECURITY TOOLS\IESPLG.DLL for deletion
Deletion of file C:\PROGRAM FILES\SECURITY TOOLS\IESPLG.DLL failed!

Could not process line:
C:\PROGRAM FILES\SECURITY TOOLS\IESPLG.DLL
Status: 0xc000003a

File C:\WINDOWS\SYSTEM32\CKJXXSNK.DLL deleted successfully.
File C:\WINDOWS\system32\eafvimsa.dll deleted successfully.
File C:\WINDOWS\system32\j5291932.dll deleted successfully.


File C:\WINDOWS\System32\a3dxx.dll not found!
Deletion of file C:\WINDOWS\System32\a3dxx.dll failed!

Could not process line:
C:\WINDOWS\System32\a3dxx.dll
Status: 0xc0000034



File C:\WINDOWS\System32\awvvw.dll not found!
Deletion of file C:\WINDOWS\System32\awvvw.dll failed!

Could not process line:
C:\WINDOWS\System32\awvvw.dll
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\khfghgg.dll not found!
Deletion of file C:\WINDOWS\SYSTEM32\khfghgg.dll failed!

Could not process line:
C:\WINDOWS\SYSTEM32\khfghgg.dll
Status: 0xc0000034



File C:\Documents and Settings\All Users\Documents\Settings\partnership.dll not found!
Deletion of file C:\Documents and Settings\All Users\Documents\Settings\partnership.dll failed!

Could not process line:
C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
Status: 0xc0000034



File C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll not found!
Deletion of file C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll failed!

Could not process line:
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
Status: 0xc0000034



Could not open file C:\WINDOWS\SYSTEM32\ibgkibg.dll for deletion
Deletion of file C:\WINDOWS\SYSTEM32\ibgkibg.dll failed!

Could not process line:
C:\WINDOWS\SYSTEM32\ibgkibg.dll
Status: 0xc0000022


Completed script processing.

*******************

Finished! Terminate.


The Vundofix program ran all night and didn't finish, so I think something was wrong with it. I stopped it. Here's the log anyway:


VundoFix V6.4.1

Checking Java version...

Scan started at 6:14:41 PM 6/1/2007

Listing files found while scanning....


Beginning removal...

VundoFix V6.4.1

Checking Java version...

Scan started at 9:31:22 PM 6/6/2007

Listing files found while scanning....



Now, here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:39:51 AM, on 6/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\hijackthis\abc.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\xteqcexs.dll
O2 - BHO: (no name) - {5BF9005C-16BE-4038-BA27-7AAC846FE008} - c:\windows\system32\ibgkibg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {B3E960AC-8FA3-4184-8453-E9ECFB84B100} - C:\WINDOWS\System32\awvvw.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://pbells.broadjump.com/wizlet/iw60/st...aller_4-0-0.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1180440798812
O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/Standar...aller_4-2-0.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: ztwxkyxu - C:\WINDOWS\SYSTEM32\ibgkibg.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


So, it seems to me that the ibgkibg.dll file won't go away. The AVG still detects it as a Generic4.0aw threat. The system's running better, but I'd still like to get rid of this. Do you know if this is a program that grabs password info, etc.? Thanks!
LoPhatPhuud
There is a problem deleting one file. Apparently the Vundo folks have changed the way one file is installed to alter the security permissions to make removal more difficult. Let's see if we can fix that.


First:
Download the following file:
http://www.xs4all.nl/~fstaal01/downloads/swxcacls.exe

Copy it to C:\Windows\System32\swxcacls.exe

Open a Command Prompt window (Start -> Run -> cmd)

Copy and paste the following command line to the prompt
swxcacls c:\windows\system32\ibgkibg.dll /OA /GA:F


Second:
1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text (including the words 'Files to delete:') contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

QUOTE
Files to delete:
c:\windows\system32\ibgkibg.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
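The Avenger log posted earlier in this thread and the permissions explanation above can be read together: each "Could not process line" block carries a Windows NTSTATUS code, and the code says why the deletion failed. As an added example (not code from the thread or from The Avenger), the following Python script parses that log format, maps the four codes that occur in this thread to their standard Windows meanings, and lists the files that still exist but could not be deleted for lack of permission, which are exactly the ones that need their ACL reset before a retry. The sample is abridged from the log the user posted; the code-to-meaning table is the standard NTSTATUS set, not something taken from Avenger.

```python
"""Avenger log triage: an added example, not code from the thread or from The
Avenger itself. Maps the NTSTATUS code on each failed line to what it means
for clean-up."""
import re

# Standard Windows NTSTATUS values; the four that appear in this thread's logs.
NTSTATUS = {
    0xC0000022: ("STATUS_ACCESS_DENIED",
                 "file exists but its permissions block deletion: reset the ACL, then retry"),
    0xC0000034: ("STATUS_OBJECT_NAME_NOT_FOUND",
                 "file is already gone (an earlier line or another tool removed it)"),
    0xC000003A: ("STATUS_OBJECT_PATH_NOT_FOUND",
                 "a directory in the path no longer exists; nothing left to delete"),
    0xC000003B: ("STATUS_OBJECT_NAME_INVALID",
                 "the name itself is malformed, e.g. a script that was pasted incorrectly"),
}

# Constructed sample, abridged from the Avenger log posted in this thread.
SAMPLE_AVENGER_LOG = r"""
Beginning to process script file:

File C:\WINDOWS\SYSTEM32\KHFGHGG.DLL deleted successfully.

Could not open file c:\windows\system32\ibgkibg.dll for deletion
Deletion of file c:\windows\system32\ibgkibg.dll failed!

Could not process line:
c:\windows\system32\ibgkibg.dll
Status: 0xc0000022

File C:\WINDOWS\system\bremct32.dll deleted successfully.
File C:\WINDOWS\System32\nvqxpxft.dll deleted successfully.

Could not open file C:\PROGRAM FILES\SECURITY TOOLS\IESPLG.DLL for deletion
Deletion of file C:\PROGRAM FILES\SECURITY TOOLS\IESPLG.DLL failed!

Could not process line:
C:\PROGRAM FILES\SECURITY TOOLS\IESPLG.DLL
Status: 0xc000003a

File C:\WINDOWS\System32\a3dxx.dll not found!
Deletion of file C:\WINDOWS\System32\a3dxx.dll failed!

Could not process line:
C:\WINDOWS\System32\a3dxx.dll
Status: 0xc0000034

Could not open file C:\WINDOWS\SYSTEM32\ibgkibg.dll for deletion
Deletion of file C:\WINDOWS\SYSTEM32\ibgkibg.dll failed!

Could not process line:
C:\WINDOWS\SYSTEM32\ibgkibg.dll
Status: 0xc0000022

Completed script processing.
"""

DELETED_RE = re.compile(r"^File (?P<path>.+) deleted successfully\.$")
STATUS_RE = re.compile(r"^Status: 0x(?P<code>[0-9a-fA-F]{8})$")


def parse_avenger_log(text):
    """Return (deleted, failed).

    deleted: list of paths Avenger removed.
    failed:  list of (path, code, status_name, advice) for each
             'Could not process line' block, in log order.
    """
    deleted, failed = [], []
    pending = None  # "NEXT" while waiting for the path, then the path itself
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DELETED_RE.match(line):
            deleted.append(m["path"])
        elif line == "Could not process line:":
            pending = "NEXT"
        elif pending == "NEXT":
            pending = line  # the path Avenger could not process
        elif pending and (m := STATUS_RE.match(line)):
            code = int(m["code"], 16)
            name, advice = NTSTATUS.get(code, ("UNKNOWN", "look the code up before acting"))
            failed.append((pending, code, name, advice))
            pending = None
    return deleted, failed


def needs_acl_reset(failed):
    """Files that exist but could not be deleted for lack of permission, one entry per file.

    The same file can appear twice in a script (it did in this thread), so
    paths are de-duplicated case-insensitively, as NTFS treats them."""
    return sorted({path.lower() for path, code, _, _ in failed if code == 0xC0000022})


if __name__ == "__main__":
    deleted, failed = parse_avenger_log(SAMPLE_AVENGER_LOG)
    print(f"deleted: {len(deleted)} file(s)")
    for path, code, name, advice in failed:
        print(f"FAILED {path}\n    0x{code:08X} {name}: {advice}")
    print("still present, permission-locked:", needs_acl_reset(failed))
```

The distinction matters for triage: a 0xc0000034 failure is benign (the file was already deleted by an earlier line or another tool), while 0xc0000022 means the file is still on disk and its ACL, not the malware's activity, is what blocked the deletion.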
Generic4444
Apparently, this little bugger refuses to leave. I ran the command in the window and it said it made the file Administrator accessible or something like that. Anyway, here are the logs:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ffpixnxy

*******************

Script file located at: ijllligj

Could not open script file! Error

Could not open script file! Status: 0xc000003b Abort!



Logfile of HijackThis v1.99.1
Scan saved at 12:21:35 AM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\abc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\xteqcexs.dll
O2 - BHO: (no name) - {5BF9005C-16BE-4038-BA27-7AAC846FE008} - c:\windows\system32\ibgkibg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {B3E960AC-8FA3-4184-8453-E9ECFB84B100} - C:\WINDOWS\System32\awvvw.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://pbells.broadjump.com/wizlet/iw60/st...aller_4-0-0.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1180440798812
O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/Standar...aller_4-2-0.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: ztwxkyxu - C:\WINDOWS\SYSTEM32\ibgkibg.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
LoPhatPhuud
The error was not due to inability to delete. Unable to open script usually means it was not copied correctly. But, we can hold off on Avenger for the moment. There is a new version of VundoFix. It came out just after you downloaded the version you have. Delete the current version on your system and then do the following:


Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Generic4444
I've been running VundoFix V6.4.2 since Friday and it's STILL checking (it's not stuck, as it changed what it was looking for as I was typing this). Almost immediately, this pops up in the box:

C:\WINDOWS\system32\xteqcexs.dll

Should I just let it keep going? I am for now..
LoPhatPhuud
Let it go for now, but if it's not done by tonight, kill the process and reboot. Then post back here.
Generic4444
Well, the program ran until just a few minutes ago, and nothing else happened. You said to post back, but it doesn't seem to make any sense to post either log since nothing happened and I never got to a point to press "Remove Vundo".
LoPhatPhuud
Post a new HiJackThis log and a Startup log (instructions follow)


Would you please use HiJackThis to produce a startup list and post it here:
1. From HJT main screen, click 'Config' button
2. Click 'Misc Tools' button
3. Check both boxes to the right of 'Generate StartupList Log' button
4. Click 'Generate StartupList Log' button
5. Click 'Yes' in the next dialog
6. Save the log and post a copy in this thread.
Generic4444
OK, here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 6:11:04 PM, on 6/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\abc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\xteqcexs.dll
O2 - BHO: (no name) - {5BF9005C-16BE-4038-BA27-7AAC846FE008} - c:\windows\system32\ibgkibg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {B3E960AC-8FA3-4184-8453-E9ECFB84B100} - C:\WINDOWS\System32\awvvw.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://pbells.broadjump.com/wizlet/iw60/st...aller_4-0-0.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1180440798812
O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/Standar...aller_4-2-0.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: ztwxkyxu - C:\WINDOWS\SYSTEM32\ibgkibg.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

and then the Startup log:

StartupList report, 6/12/2007, 11:09:33 PM
StartupList version: 1.52.2
Started from : C:\hijackthis\abc.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\abc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Ivy B\Start Menu\Programs\Startup]
palmOne Registration.lnk = C:\Program Files\palmOne\register.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
Digital Line Detect.lnk = ?
HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
StorageGuard = "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
DVDSentry = C:\WINDOWS\System32\DSentry.exe
PCMService = "C:\Program Files\Dell\Media Experience\PCMService.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
VSOCheckTask = "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
MCAgentExe = c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe = C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
VirusScan Online = c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
Dell AIO Printer A920 = "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Sonic RecordNow! =
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
SUPERAntiSpyware = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll - {02478D38-C3F9-4EFB-9B51-7695ECA05670}
(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Microsoft Money\System\mnyside.dll - {243B17DE-77C7-46BF-B94B-0B5F309A0E64}
(no name) - C:\WINDOWS\system32\xteqcexs.dll - {4B646AFB-9341-4330-8FD1-C32485AEE619}
(no name) - c:\windows\system32\ibgkibg.dll - {5BF9005C-16BE-4038-BA27-7AAC846FE008}
(no name) - C:\WINDOWS\system32\dla\tfswshx.dll - {5CA3D70E-1895-11CF-8E15-001234567890}
(no name) - C:\WINDOWS\System32\awvvw.dll (file missing) - {B3E960AC-8FA3-4184-8453-E9ECFB84B100}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
McAfee.com Update Check (D3VMQS31-Owner).job
McAfee.com Update Check (IVY-Ivy B).job

--------------------------------------------------

Enumerating Download Program Files:

[{0000000A-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/8/B...42/wmsp9dmo.cab

[{321FB770-1FBE-4BFE-BDC1-6F622D4FA499}]
CODEBASE = https://pbells.broadjump.com/wizlet/iw60/st...aller_4-0-0.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/D/0...D0C/wmv9dmo.cab

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\muweb.dll
CODEBASE = http://www.update.microsoft.com/microsoftu...b?1180440798812

[{EA7F451B-94DD-4009-A8BF-8F977B0B2696}]
CODEBASE = http://pbells.broadjump.com/wizlet/Standar...aller_4-2-0.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

user32.dll = C:\Program Files\Security Tools\iesmn.exe
rare = C:\Program Files\Security Tools\imsmain.exe

--------------------------------------------------

End of report, 7,691 bytes
Report generated in 0.516 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
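As an added example (my own script, not part of this thread and not a HijackThis feature), here is how the Vundo pattern visible in the log above can be flagged automatically: nameless BHOs loaded straight from system32, entries whose file is missing, and a DLL registered both as an IE BHO (O2) and as a Winlogon Notify handler (O20). The sample lines are copied from the posted log.

```python
import re

# O2 (BHO) and O20 (Winlogon Notify) lines copied from the HijackThis log posted above.
HJT_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\xteqcexs.dll
O2 - BHO: (no name) - {5BF9005C-16BE-4038-BA27-7AAC846FE008} - c:\windows\system32\ibgkibg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {B3E960AC-8FA3-4184-8453-E9ECFB84B100} - C:\WINDOWS\System32\awvvw.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: ztwxkyxu - C:\WINDOWS\SYSTEM32\ibgkibg.dll
"""

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
PATTERNS = {"O2": O2_RE, "O20": O20_RE}


def parse_hjt(text):
    """Yield (section, display name, lower-cased DLL path, file_missing) for O2/O20 lines."""
    for line in text.strip().splitlines():
        section = line.split(" ", 1)[0]
        pattern = PATTERNS.get(section)
        m = pattern.match(line) if pattern else None
        if m:
            yield section, m["name"], m["path"].lower(), m["missing"] is not None


def loaded_from_system32_root(path):
    """True when the DLL sits directly in the system32 directory (not in a vendor subfolder)."""
    parts = path.split("\\")
    return len(parts) >= 2 and parts[-2] == "system32"


def triage(text):
    """Map each suspicious DLL path to the sorted list of reasons it was flagged."""
    entries = list(parse_hjt(text))
    findings = {}

    def flag(path, reason):
        findings.setdefault(path, []).append(reason)

    for section, name, path, missing in entries:
        # Vendor BHOs live under Program Files and carry a name; Vundo's DLLs are
        # nameless and dropped straight into system32 under a random file name.
        if section == "O2" and name == "(no name)" and loaded_from_system32_root(path):
            flag(path, "unnamed BHO loaded straight from system32")
        if missing:
            flag(path, "registered file is missing (removal leftover, or hidden/renamed on disk)")

    # The same DLL hooking both IE (O2) and winlogon (O20) is the Vundo persistence
    # pattern: a Winlogon Notify DLL is loaded inside winlogon.exe at boot, before
    # any user-mode cleaner gets a chance to run.
    bho = {p for s, _, p, _ in entries if s == "O2"}
    notify = {p for s, _, p, _ in entries if s == "O20"}
    for path in bho & notify:
        flag(path, "same DLL is both an IE BHO and a Winlogon Notify handler")

    return {p: sorted(r) for p, r in findings.items()}


if __name__ == "__main__":
    for path, reasons in triage(HJT_LOG).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```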
LoPhatPhuud
I wish we had done the startup list earlier!!


First:
Launch Notepad, and copy/paste the text in the box below into a new text file.
Save it on your Desktop as fixme.reg

CODE
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"user32.dll"=-
"rare"=-


Locate fixme.reg on your Desktop and double-click on it.

You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".

Reboot into Normal Mode

Delete the following:
C:\Program Files\Security Tools\ <-- delete the entire folder.



Second:
We are going to do Vundofix again, now that the above files are gone.


Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Generic4444
I was able to do the fixme.reg code; however, there is no C:\Program Files\Security Tools\ folder to delete.
Generic4444
Hello there...any other suggestions?
LoPhatPhuud
What happened to the VundoFix log that I requested in my last post????
Generic4444
The same thing happened. This pops up immediately:

C:\WINDOWS\system32\xteqcexs.dll

in the Vundofix window...then it runs forever and never finishes. I force it to quit, and it shows no files in the log.
LoPhatPhuud
Download the gmer rootkit detector from http://gmer.net/

Unzip it and double-click the gmer.exe file.

Select the Rootkit tab and press Scan.

When it has finished, press Save and post back the log it makes.

Also select the Autostarts tab and do the same there.
Generic4444
(sigh) Seems like the problems never stop. I ran gmer twice. Both times it starts scanning then a blue screen comes up:

A problem has been detected and Windows has shut down to prevent damage to your computer.

IRQL_NOT_LESS_OR_EQUAL

Technical Information:

*** STOP: 0x0000000A (0x00000054, 0x00000002, 0x00000001, 0x804DBC8E)
LoPhatPhuud
OK, then try RootkitRevealer...


Please download RootKitRevealer from here:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire contents of the log file here for me to see.
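As an added example (my own script, not from this thread or from Sysinternals), here is how RootkitRevealer output can be triaged once it comes back: registry keys hidden from the Windows API, and above all anything under SafeBoot or Services, are the real signal, while discrepancies in the browser cache and cookie folders are usually just files the browser wrote while the scan was running. The registry and cache lines in the sample are taken from the log posted in reply below; the last line is a constructed placeholder, not a file from the infected machine.

```python
import re

# Constructed sample in RootkitRevealer's output format. The registry lines and the
# two cache lines are taken from the log posted in this thread; the last line is a
# placeholder (EXAMPLE_hidden.sys), not a file from the infected machine.
RKR_LOG = r"""
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 6/16/2007 6:08 PM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\runtime2.sys 5/21/2007 11:19 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\runtime2 6/16/2007 11:20 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Cookies\ivy b@yahoo[3].txt 6/16/2007 7:49 PM 817 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\JY5SI7J2\a[1].gif 6/16/2007 7:53 PM 43 bytes Hidden from Windows API.
C:\WINDOWS\system32\drivers\EXAMPLE_hidden.sys 6/16/2007 11:20 AM 4.00 KB Hidden from Windows API.
"""

# Each line is: <path> <m/d/yyyy h:mm AM|PM> <size unit> <description>.
# The date anchors the parse so paths containing spaces work.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) (?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB)) (?P<desc>.+)$"
)

# Values Windows rewrites so often that an API/hive mismatch is expected.
VOLATILE_VALUES = ("\\cryptography\\rng\\seed", "\\schedulingagent\\lasttaskrun")
# Directories the browser writes to during a scan; discrepancies here are timing noise.
CHURN_DIRS = ("\\temporary internet files\\", "\\cookies\\", "\\local settings\\temp\\")


def parse_rkr(text):
    """Parse RootkitRevealer lines into dicts with path/when/size/desc."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def classify(entry):
    """Return (severity, reasons) for one entry."""
    path, desc = entry["path"].lower(), entry["desc"]
    hidden = desc.startswith("Hidden from Windows API")
    if path.startswith(("hklm\\", "hkcu\\", "hku\\")):
        if hidden:
            reasons = ["registry key hidden from the Windows API"]
            if "\\control\\safeboot\\" in path:
                # A driver listed here is loaded in Safe Mode too, so booting to
                # Safe Mode does not get the cleaner underneath it.
                reasons.append("listed under SafeBoot, so it loads in Safe Mode as well")
            if "\\services\\" in path:
                reasons.append("hidden service/driver registration")
            return "high", reasons
        if path.endswith(VOLATILE_VALUES):
            return "low", ["value changes constantly; mismatch is expected"]
        return "medium", [desc]
    if any(d in path for d in CHURN_DIRS):
        return "low", ["browser/temp cache changed while the scan was running"]
    if hidden:
        return "high", ["file hidden from the Windows API outside any cache directory"]
    return "medium", [desc]


def triage(text):
    """Group entries by severity: {severity: [(path, reasons), ...]}."""
    buckets = {"high": [], "medium": [], "low": []}
    for entry in parse_rkr(text):
        sev, reasons = classify(entry)
        buckets[sev].append((entry["path"], reasons))
    return buckets


if __name__ == "__main__":
    for sev, items in triage(RKR_LOG).items():
        print(sev.upper())
        for path, reasons in items:
            print("  ", path, "->", "; ".join(reasons))
```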
Generic4444
OK, here's the log:

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 6/16/2007 6:08 PM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\SchedulingAgent\LastTaskRun 6/16/2007 6:05 PM 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\runtime2.sys 5/21/2007 11:19 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\runtime2.sys 5/21/2007 11:19 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\runtime2 6/16/2007 11:20 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\runtime2.sys 5/21/2007 11:19 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Network\runtime2.sys 5/21/2007 11:19 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\runtime2 6/16/2007 11:20 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\runtime2.sys 5/21/2007 11:19 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Network\runtime2.sys 5/21/2007 11:19 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\runtime2 5/29/2007 11:35 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Cookies\ivy b@adinterax[1].txt 6/16/2007 5:54 PM 331 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ivy B\Cookies\ivy b@adinterax[2].txt 6/16/2007 7:49 PM 343 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Cookies\ivy b@areaconnect[1].txt 6/16/2007 7:54 PM 817 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Cookies\ivy b@pumpkinpages[1].txt 6/16/2007 7:52 PM 75 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Cookies\ivy b@www.pumpkinpages[1].txt 6/16/2007 7:52 PM 392 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Cookies\ivy b@yahoo[2].txt 6/16/2007 5:52 PM 817 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ivy B\Cookies\ivy b@yahoo[3].txt 6/16/2007 7:49 PM 817 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Cookies\ivy b@yellowbook[1].txt 6/16/2007 7:52 PM 485 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Cookies\ivy b@ylwbook.pumpkinpages[2].txt 6/16/2007 7:52 PM 96 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temp\WER1fc2.dir00 6/16/2007 6:08 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ivy B\Local Settings\Temp\WER1fc2.dir00\appcompat.txt 6/16/2007 6:08 PM 15.91 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ivy B\Local Settings\Temp\WER1fc2.dir00\explorer.exe.hdmp 6/16/2007 6:08 PM 14.29 MB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ivy B\Local Settings\Temp\WER1fc2.dir00\explorer.exe.mdmp 6/16/2007 6:08 PM 90.01 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ivy B\Local Settings\Temp\WER1fc2.dir00\manifest.txt 6/16/2007 6:08 PM 1.76 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\JY5SI7J2\1pixel[1].gif 6/16/2007 7:54 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\JY5SI7J2\a[1].gif 6/16/2007 7:53 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\JY5SI7J2\aclogo1a[1].gif 6/16/2007 7:54 PM 3.89 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\JY5SI7J2\app[1].css 6/16/2007 7:54 PM 10.84 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\JY5SI7J2\cobrand[1].css 6/16/2007 7:54 PM 14.97 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\JY5SI7J2\core[1].css 6/16/2007 7:54 PM 10.63 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\JY5SI7J2\favicon[5].ico 6/16/2007 7:52 PM 1.37 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\JY5SI7J2\FiberOne_WholeWheatBread_LREC[2].js 6/16/2007 7:49 PM 9.24 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\JY5SI7J2\loading[2].gif 6/16/2007 7:53 PM 565 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\JY5SI7J2\map-compassrose[1].png 6/16/2007 7:53 PM 7.65 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\JY5SI7J2\map-controls-box-bg[1].png 6/16/2007 7:53 PM 866 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\JY5SI7J2\map_icon-a[1].gif 6/16/2007 7:53 PM 220 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\JY5SI7J2\map_icon-i[1].gif 6/16/2007 7:53 PM 194 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\JY5SI7J2\ModifySearchOn[1].gif 6/16/2007 7:52 PM 75 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\JY5SI7J2\popup-top[1].png 6/16/2007 7:53 PM 563 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\JY5SI7J2\search[2].htm 6/16/2007 7:52 PM 47.74 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\JY5SI7J2\spec[1].css 6/16/2007 7:54 PM 438 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\JY5SI7J2\tbredir[1].htm 6/16/2007 7:54 PM 1.10 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\MR2JETIN\51[1].jpg 6/16/2007 7:52 PM 12.82 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\MR2JETIN\b[1].gif 6/16/2007 7:49 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\MR2JETIN\bluefade[1].gif 6/16/2007 7:54 PM 374 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\MR2JETIN\bluefadelong[1].gif 6/16/2007 7:54 PM 890 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\MR2JETIN\Button_SortIt[1].gif 6/16/2007 7:52 PM 1.10 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\MR2JETIN\CAIT3LEJ.HTM 6/16/2007 5:28 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\MR2JETIN\cr_gg_sw[1].gif 6/16/2007 7:48 PM 94 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\MR2JETIN\empty-square[1].gif 6/16/2007 7:53 PM 60 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\MR2JETIN\icon-btn-street-view[1].png 6/16/2007 7:53 PM 4.22 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\MR2JETIN\index[1].php 6/16/2007 5:32 PM 21.02 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\MR2JETIN\insp_yp_redir[1].htm 6/16/2007 7:54 PM 1.47 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\MR2JETIN\map_icon-g[1].gif 6/16/2007 7:53 PM 224 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\MR2JETIN\map_icon-larger[1].gif 6/16/2007 7:53 PM 1.58 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\MR2JETIN\mqlogo[1].gif 6/16/2007 7:53 PM 1.61 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\MR2JETIN\my_2[1].gif 6/16/2007 7:49 PM 809 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\MR2JETIN\MyYellowbookMenus[1].js 6/16/2007 7:52 PM 14.46 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\MR2JETIN\newbanner[1].swf 6/16/2007 7:54 PM 25.94 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\MR2JETIN\rollover-left[1].png 6/16/2007 7:53 PM 2.02 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\MR2JETIN\ShowFolder[2] 6/16/2007 7:49 PM 25.80 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\MR2JETIN\ShowFolder[5].htm 6/16/2007 7:49 PM 156.57 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\MR2JETIN\view-ad-blue[1].gif 6/16/2007 7:52 PM 510 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\MR2JETIN\yellow-pages[1].htm 6/16/2007 7:54 PM 11.39 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\O5MZK5EZ\292[1].gif 6/16/2007 7:53 PM 18.23 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\O5MZK5EZ\ad2[2].js 6/16/2007 7:49 PM 686 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\O5MZK5EZ\AlsoServingResultsBackground[1].gif 6/16/2007 7:52 PM 1012 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\O5MZK5EZ\caribsunbkry[1].gif 6/16/2007 7:53 PM 10.13 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\O5MZK5EZ\favicon[5].ico 6/16/2007 7:52 PM 3.55 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\O5MZK5EZ\header[1].htm 6/16/2007 7:52 PM 2.14 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\O5MZK5EZ\heading2[1].jpg 6/16/2007 7:53 PM 6.15 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\O5MZK5EZ\icon-btn-hybrid-view[1].png 6/16/2007 7:53 PM 3.62 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\O5MZK5EZ\popup-bottom-left[1].png 6/16/2007 7:53 PM 1.75 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\O5MZK5EZ\pp_logo_75[1].gif 6/16/2007 7:52 PM 5.98 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\O5MZK5EZ\search[1].htm 6/16/2007 7:53 PM 25.81 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\O5MZK5EZ\Shopbright_SPI[1].gif 6/16/2007 7:54 PM 1.18 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\O5MZK5EZ\toplinks2[1].gif 6/16/2007 7:54 PM 542 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\O5MZK5EZ\website[1].gif 6/16/2007 7:54 PM 140 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\O5MZK5EZ\ypbook[1].htm 6/16/2007 7:52 PM 944 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\O5MZK5EZ\z-out[1].png 6/16/2007 7:53 PM 2.02 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\OV1L0TMA\230[1].gif 6/16/2007 7:54 PM 2.44 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\OV1L0TMA\292[1].gif 6/16/2007 7:53 PM 12.35 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\OV1L0TMA\292[2].gif 6/16/2007 7:53 PM 5.33 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\OV1L0TMA\293[1].gif 6/16/2007 7:53 PM 20.06 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\OV1L0TMA\3coconut[1].gif 6/16/2007 7:54 PM 1.35 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\OV1L0TMA\5coconut[1].gif 6/16/2007 7:54 PM 1.30 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\OV1L0TMA\_;ord=1182041386334865[1].htm 6/16/2007 7:49 PM 4.13 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\OV1L0TMA\addresses[1].htm 6/16/2007 7:52 PM 43.40 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\OV1L0TMA\CAEBAZU9.htm 6/16/2007 7:54 PM 326.15 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\OV1L0TMA\icon_no_printer[1].gif 6/16/2007 7:52 PM 585 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\OV1L0TMA\icon_printer[1].gif 6/16/2007 7:52 PM 89 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\OV1L0TMA\logo_small[1].gif 6/16/2007 7:52 PM 2.79 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\OV1L0TMA\map_icon-d[1].gif 6/16/2007 7:53 PM 213 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\OV1L0TMA\map_icon-j[1].gif 6/16/2007 7:53 PM 206 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\OV1L0TMA\spacer[2].gif 6/16/2007 7:54 PM 49 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\OV1L0TMA\talk[1].gif 6/16/2007 7:54 PM 708 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\OV1L0TMA\warn16_1[1].gif 6/16/2007 7:53 PM 580 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\OV1L0TMA\zoom-bg-tilemap[1].png 6/16/2007 7:53 PM 910 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\Q58NA9M1\292[1].gif 6/16/2007 7:53 PM 3.15 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\Q58NA9M1\96264185[1].gif 6/16/2007 7:54 PM 1.61 KB Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\Q58NA9M1\_;ord=1182041361936279[1] 6/16/2007 7:49 PM 11 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\Q58NA9M1\_;ord=1182041386334865[1] 6/16/2007 7:49 PM 11 bytes Hidden from Windows API.
C:\Documents and Settings\Ivy B\Local Settings\Temporary Internet Files\Content.IE5\Q58NA9M1\arrow_open[1].gif 6/16/2007 7:54 PM 51 bytes Hidden from Windows API.
C:\WINDOWS\SYSTEM32\DRIVERS\runtime2.sys 5/21/2007 11:19 PM 38.38 KB Hidden from Windows API.
LoPhatPhuud
My first choice would have been GMER, but we have already tried that. Grisoft has a free rootkit remover, so let's try that. The link and info is here: http://www.grisoft.com/doc/download-free-a...ootkit/us/crp/0

If that fails, then all I can suggest is reformat and re-install. That may be a good idea anyway.
Generic4444
I ran the rootkit program and the computer had an error again and showed the blue screen I described before.

Therefore, I'm going to have to install XP again. Pardon my computer ignorance, but is it as simple as putting in the XP disk and going from there, or is there something I need to do beforehand to "format" the computer?

Thanks.
LoPhatPhuud
If you do a full install, it should reformat the hard disk first. It really is just as easy as putting the XP CD in the drive, rebooting from the CD and going from there.