Hello!

1. Got XP in January. Ran perfect for months. Had a friend who kept sending me hundreds of emails containing Internet attachments - one was some sort of greeting card that caused Outlook Express to suddenly crash and trashed my mail profiles. It seemed to be running stuff in the background. After this my system slowed to a crawl. I told my friend to take me off her group list, created new profiles, did a system restore and an AVG scan, and everything seemed back to normal for the past month.

2. Yesterday, AVG Shield displayed "Virus Detected" and now keeps popping up every 30 seconds reporting "Trojan horse Clicker.FR", with a different long file name each time. It put a file in the vault which I deleted. Clicking the Heal and Move to Vault buttons usually displayed a message that it was "impossible to complete the action" and "access to the file is denied", but after doing all the stuff in step 3 below, on subsequent occurrences the buttons started to work sometimes. Also, IE began to display a lurid toolbar and put adult-type bookmarks in my favorites which I deleted.

3. I have done many things that you suggested, most would not complete:
Ad-aware SE (computer hung)
CWShredder (inconclusive - computer hung)
Spybot S&D (computer hung - but I was able to immunize)
Ewido (computer hung - left it on for 7 hours but no results or report)
Trend Housecall (computer hung)
Tojanhunter (worked the best, found six keys in the Registry and 1 Adware file)
Deleted all my cookies in IE. Not sure if this was a good thing, but it got rid of the lurid toolbar.

4. I have rebooted and repeated all of the above with no avail. I am now posting my Hijack log and will wait for your advice. Thanks in advance for your help!

*****BEGIN HIJACK LOG*****

Logfile of HijackThis v1.99.1
Scan saved at 12:21:04 PM, on 7/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BellSouth\Connection Tool\IPClient.exe
C:\Program Files\BellSouth\Connection Tool\IPMon32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.iquicksearch.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iquicksearch.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.iquicksearch.net/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dogpile.com/info.dogpl.toolbar/...orms/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.iquicksearch.net/search.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: (no name) - {C4BF810A-2F7B-41D3-088E-B25B7C875BA9} - 10010.dll (file missing)
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.dogpile.com/index.gsp"); (C:\Documents and Settings\John Wolfe\Application Data\Mozilla\Profiles\default\fbafr2so.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\John Wolfe\Application Data\Mozilla\Profiles\default\fbafr2so.slt\prefs.js)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\BellSouth\Connection Tool\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\BellSouth\Connection Tool\IPMon32.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ssweeper] xsetup.exe
O4 - HKLM\..\Run: [new32] mozilla-text.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [dgefs.exe] C:\WINDOWS\system32\dgefs.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [media64] cnftips.exe
O4 - HKCU\..\Run: [Shaitan1678] porka_.exe
O4 - HKCU\..\Run: [progmen] SYSTRAV.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135316169155
O16 - DPF: {B495C654-5860-45D4-8EAA-5663B9393F33} (OVA Class) - http://go.microsoft.com/fwlink/?linkid=49480
O17 - HKLM\System\CCS\Services\Tcpip\..\{62B61D65-2DFA-4CB5-B338-D6B9D5FE19A8}: NameServer = 85.255.114.100,85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D7DFD4F-9FDE-4EF7-8EF6-4C2E294DC12B}: NameServer = 85.255.114.100,85.255.112.63
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.100 85.255.112.63
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.100 85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.100 85.255.112.63
O20 - AppInit_DLLs: C:\WINDOWS\system32\wmfhotfix.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

*****END HIJACK LOG*****

This post has been edited by johnfw: Jul 10 2006, 06:28 AM

Hi johnfw,

Please open HijackThis and click Scan. Put a check next to these:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.iquicksearch.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iquicksearch.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.iquicksearch.net/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dogpile.com/info.dogpl.toolbar/...orms/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.iquicksearch.net/search.htm
R3 - URLSearchHook: (no name) - {C4BF810A-2F7B-41D3-088E-B25B7C875BA9} - 10010.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [ssweeper] xsetup.exe
O4 - HKLM\..\Run: [new32] mozilla-text.exe
O4 - HKLM\..\Run: [dgefs.exe] C:\WINDOWS\system32\dgefs.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [media64] cnftips.exe
O4 - HKCU\..\Run: [Shaitan1678] porka_.exe
O4 - HKCU\..\Run: [progmen] SYSTRAV.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{62B61D65-2DFA-4CB5-B338-D6B9D5FE19A8}: NameServer = 85.255.114.100,85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D7DFD4F-9FDE-4EF7-8EF6-4C2E294DC12B}: NameServer = 85.255.114.100,85.255.112.63
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.100 85.255.112.63
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.100 85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.100 85.255.112.63


Close all other windows except HijackThis and click Fix Checked.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads a text file will open (report.txt)

Finally, please post the contents of the text file that opened earlier (you can find it at C:\fixwareout\report.txt if you closed it), along with a new HijackThis log into this topic.

Hello Armodeluxe,

Thank you for helping me. I may have screwed it up because I ended up doing the process twice, but here are the reports: HijackThis first, then FixWareout.

Logfile of HijackThis v1.99.1
Scan saved at 7:03:00 PM, on 7/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BellSouth\Connection Tool\IPClient.exe
C:\Program Files\BellSouth\Connection Tool\IPMon32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.dogpile.com/index.gsp"); (C:\Documents and Settings\John Wolfe\Application Data\Mozilla\Profiles\default\fbafr2so.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\John Wolfe\Application Data\Mozilla\Profiles\default\fbafr2so.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\BellSouth\Connection Tool\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\BellSouth\Connection Tool\IPMon32.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [SDAutoScan] "C:\Program Files\SpywareDetector\SpywareDetector.exe" -AUTOSCAN
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135316169155
O16 - DPF: {B495C654-5860-45D4-8EAA-5663B9393F33} (OVA Class) - http://go.microsoft.com/fwlink/?linkid=49480
O20 - AppInit_DLLs: C:\WINDOWS\system32\wmfhotfix.dll
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

*********************************

Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\IPSEC6.EXE
* csr.exe C:\WINDOWS\System32\CSEFS.EXE
* csr.exe C:\WINDOWS\System32\CSMCS.EXE
* csr.exe C:\WINDOWS\System32\CSOLF.EXE
* csr.exe C:\WINDOWS\System32\CSYDH.EXE

»»»»» Misc files
* thequicklink C:\WINDOWS\System32\{022C4~1.DLL
* thequicklink C:\WINDOWS\System32\{4595E~1.DLL
* thequicklink C:\WINDOWS\System32\{4E871~1.DLL
* thequicklink C:\WINDOWS\System32\{AA07D~1.DLL
* thequicklink C:\WINDOWS\System32\{F13D0~1.DLL

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSEFS.EXE 51,202 2006-07-07
C:\WINDOWS\SYSTEM32\CSMCS.EXE 51,298 2006-07-10
C:\WINDOWS\SYSTEM32\CSOLF.EXE 51,202 2006-07-10
C:\WINDOWS\SYSTEM32\CSYDH.EXE 51,224 2006-07-11
C:\WINDOWS\SYSTEM32\DMNQO.EXE 44,047 2004-08-04
C:\WINDOWS\SYSTEM32\DMSLD.EXE 44,112 2004-08-04
C:\WINDOWS\SYSTEM32\DMWLI.EXE 44,047 2004-08-04
Other suspects
Directory of C:\WINDOWS\system32
{022C470D-FA39-48D5-B9FE-AD27ACA8F24E}.dll
{F13D0D4B-D8CD-4556-9693-89BCF937F0D5}.dll
{4595E91B-EEE4-45CE-B59D-CA523342DD7A}.dll
{AA07D764-3E09-4F9F-8CF8-73E9CD9620DE}.dll
{4E8716FA-0B7E-4856-B2E0-A0514228CC42}.dll
{9B21F135-04C1-4AE5-9D55-DE8AE1C2CF29}.exe
{C64F0BD1-B4AA-4BBD-9B20-DE6DB0D23A5D}.exe
{D60BFD51-B993-4BF2-97C6-4DF9CB0879EC}.exe
{0F7CEBE8-A357-4872-8621-BDE0F79AF4D9}.exe
{78725ADA-534F-4F51-9BE2-5780986ACB34}.exe
{5FE6DED4-AE58-480E-9E29-9B3A493F94CB}.exe
{7F5B092A-BFF7-4F16-A17A-704DC5DBAAE0}.exe
{B5CE8ED3-5CD0-4911-A051-187DDB8728AB}.exe
{8B3256F8-FA3F-4232-84DC-021A8A67C433}.exe
{60204492-604A-4CB3-8AB2-F785201B6A9C}.exe
{83F6A846-61DE-4521-832A-679F4C8C861A}.exe
{5EC65BC8-C32A-4175-B677-63E4B81CCC0D}.exe
{AA191EB3-9C8D-4879-A260-8BA03AF4D197}.exe
{18CE99AD-FEDC-4594-85FD-167C981DAE1B}.exe
{E063BF7A-1461-4746-8887-D36EFE2EF08F}.exe
{0427B4EB-8F02-45AB-9A39-573899C6943D}.exe
{A3D3785B-A091-4DBD-8CEE-BDBC205702D9}.exe
{FA7912A4-7C19-4FC0-9FB6-C7678A67EC6D}.exe
{9308B6D6-FE33-4299-BEAF-5E4117727833}.exe
{5C652950-630E-49D4-9FB4-6AED4A70F4C7}.exe
{15A4B8C1-C4CD-4AFA-9823-71697C57FF49}.exe
{8694ABF9-9439-4F3B-9FBF-EE674AFC597F}.exe
{A249270D-966B-4882-9ADE-27FF64ACF09B}.exe
{B7DD396B-AC07-4902-9A2F-B66B68B2D848}.exe
{88897968-8634-4726-8BB3-EAB4CF4BCE1A}.exe
{79F20D86-1FE7-4932-A7E1-950CFD714818}.exe
{27FFC9B5-AC46-4BA7-B1AB-AF3C5C8811E1}.exe
{074D1B40-D492-4BDE-8FD3-B9C9CF31EF3A}.exe
{6AD9AC74-CD67-4301-9F07-2941171DC34F}.exe
{EA9ABA6A-9BBE-4ACE-A202-734B846B7B25}.exe
{26BCBB93-DC81-49E1-99CA-792AA4319AE1}.exe
{F86267A3-E667-4BD7-BE98-28D55071EE1A}.exe
{68C07A49-73F0-44D1-9244-B50583050AA4}.exe
{234A2F68-71DA-44CF-A020-1AF063E13BFB}.exe
{9BDC7E4F-5999-4AEF-B1E3-B7A1C30D559D}.exe
{8DC93A65-A8D7-408C-9144-948887890297}.exe
{5F9614CE-356E-4BA0-8B8A-CB990CC6F062}.exe
{D554EC64-1F39-42F3-9CEA-CDA08F1674FE}.exe
{E53CD838-08F9-4636-B20C-9A169F2E984E}.exe
{617A409C-B3F7-46EA-8BC1-321F473A9D99}.exe
{6076CBC6-C69E-4A0F-84B4-1BAF04210338}.exe
{6D2A3A9A-722B-4081-BA2C-DA76CCA0DCF8}.exe
{AD9E3AA5-A176-4F79-8DE3-2228A70E8D05}.exe
{F89F5842-482F-4057-B13F-748E6410B072}.exe
{DAD56445-75CE-4825-874B-7A9CBB007B0F}.exe
{4D1CFB94-D075-4865-9FAA-B534949633C2}.exe
{27C20F18-0595-4B98-BF9F-A85C43A0F99F}.exe
{8C4E995C-5CDB-4023-A274-E2267C1CFC46}.exe
{8AB3354E-2AF6-4E9A-B3A6-5D15A490E2E1}.exe
{A663F243-79EA-4819-B679-6E72E767CA25}.exe
{CB391832-151C-49B0-9329-6BE08E891D79}.exe
{CF64CE3C-62D9-4351-BAF0-7727B0E434A5}.exe
{72A1663B-782D-4FE4-ACFF-0715A65252E6}.exe
{1D0C6AA1-B9BF-4F37-874E-34B4EC6D455E}.exe
{645C76FE-AEAA-4CB2-8493-5305C6EC38A0}.exe
{C57767F3-FC8C-416D-8203-843645422A04}.exe
{912B9705-03DF-4B8C-96BE-BBA898B7AB7F}.exe
{6CCD21BB-2BD6-4F6A-9676-CB3A16BD244B}.exe
{D1213E6F-5BA1-4349-AC2D-E9E09A788C9D}.exe
{107BF431-19C9-45B1-B8FF-E89B8C3E40E3}.exe
{017DFD27-C45D-4B6B-ADE8-FCCD266F2D04}.exe
{1E020CE7-C654-4B5C-83A2-FAA75FAA5AD3}.exe
{58E8D297-B899-457E-A9EA-E9A19F5721E0}.exe
{0CC83555-0A52-4EAA-B0D9-4F70D2903444}.exe
{C0E98081-BEAF-4EA9-8D8A-8042A4BF05A8}.exe
{A16E253B-0BD0-4023-8AB3-E422553588DB}.exe
{07D0F146-99F5-4C31-9E2F-04F103CA3C14}.exe
{5358500A-FD3A-4BA2-8BD5-97EECAA35946}.exe
{27AD3C7D-EE56-4F96-B029-064E04D3BFC1}.exe
{52DDD5EA-23EA-450D-AC8C-FDCD1446CE63}.exe
{519F1F8A-DC68-4DB7-A8C1-3B6BD38CE940}.exe
{19BE2FF9-D3F0-4A6E-9B40-5F6E4C7A5F5E}.exe
{AC4E95D9-AFBA-4523-BC7B-D1671DFF806F}.exe
{98B9B556-78EF-46D5-A4C4-555E0B297A8D}.exe
{339179B6-57DB-4C51-AE7C-4D05C0DB6818}.exe
{B1E5E47E-C1B1-4E73-818A-17CD0FA66E8C}.exe
{8CE14610-BB7F-460F-93BF-C010177207C6}.exe
{44F8683B-D49B-4D37-949D-6CDA4297CD58}.exe
{C9F371CB-401D-46C2-800C-BD812EFEC871}.exe
{04A0F998-D545-4695-9DE2-4BA139DACF69}.exe
{BAB345F3-4BA7-47B5-AEC8-CB0AC5C79FB5}.exe
{2A7621A9-57E1-43E2-83A8-694F706EB782}.exe
{580FA8A5-F3A1-4F21-9A96-57FC5D6A4CEF}.exe
{AF48C7E3-B691-4688-BD75-7FF4B255465C}.exe
{844F8F71-3E65-4A9B-9E1D-033D282F9522}.exe
{FE502D4C-7D3A-463F-ACB5-CCA96266D046}.exe
{5BD368DE-92AD-490E-A792-E20E7B39C0FE}.exe
{FD56D6DD-EB43-4AE7-8648-A98927BD4E1D}.exe
{2B6DE47C-4043-4216-9D9E-1C005148B7BB}.exe
{975AB1AD-8D09-4927-893A-807D21F97040}.exe
{FC5A6245-3988-4DA0-A47F-2883060E119D}.exe
{FAE1FCEC-EE29-4FC5-B9B8-301B43F99782}.exe
{24069E0C-2D77-45FB-BD44-4D74567C34A7}.exe
{EC96A6B9-AC2F-4E1A-9DCC-7A8E7C2C57A2}.exe
{6CA2325A-B915-4BD0-8214-ACD41F7F9638}.exe
{D57DE7AF-CB6F-419B-8CE3-4F72097BEB0E}.exe
{2CC695F1-FC76-4997-A98B-5B4DE496EE6B}.exe
{1AEA727F-ED76-4DB8-BB5F-C2DCFC9B782D}.exe
{F76BB1B5-413F-4954-B7EF-FA1F8AE75A43}.exe
{60750A80-F853-4366-B6AF-0F2CF9719B9C}.exe
{A8BEC790-5115-4AE8-A8C4-2EDBB36278EA}.exe
{9ACA86DB-335D-470F-8149-DF1F8E957E1D}.exe
{4D96CD4D-BFD0-48C1-871B-A742894A1C9F}.exe
{030F119D-6D19-4C4E-88F2-C010FF4DF926}.exe
{8E8F27FD-8F8C-4954-B9EA-A68F05315E74}.exe
{EC9A66B5-1601-44B1-8412-8702E614E766}.exe
{6D8EA27D-DD64-433E-B12E-F0D790CF4C98}.exe
{EF153BB3-C000-41B9-AB23-E9DED8BE234F}.exe
{AECAC598-0FDE-4D4A-A8A0-F1F3BF1A5241}.exe
{DE5A24E7-4F52-4B13-A1AE-0C5E670F0139}.exe
{14D668C4-BF45-4613-8BF7-54377FBFE348}.exe
{BB9B2EF2-912C-453A-8077-0061BA44DA85}.exe
{A0253C11-D8A4-4C01-8869-443D5D3DBD99}.exe
{EAB69EDE-7DDB-485B-A588-BAFA66B21E8C}.exe
{AE79E544-5C72-4B28-B6E2-9F1A7F495AF5}.exe
{170AB2DF-AD0E-448B-98B8-CF1DA62198F6}.exe
{8A377347-5702-47A4-82BC-CEA45686BE32}.exe
{FA96742B-3060-469C-8130-175DD9856C6F}.exe
{7EF3448C-C34D-4820-922A-598BC92F5D22}.exe
{30D6F925-F7CA-4838-BA76-EA10D697A21A}.exe
{EF331ACF-8EBC-4F1D-B9F6-AC4D113B4EF6}.exe

Ok, there are a bunch of files Fixwareout found, Ewido should get those CLSID files, and since you already have it installed, let's try it first and then we can delete any leftovers manually. From the instructions below skip the first two steps and start with the third

First download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program

1. Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
2. Once the setup is complete you will need run ewido and update the definition files.
3. On the main screen select the icon "Update" then select the "Update now" link.
   • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
6. Under "Reports"
   • Select "Automatically generate report after every scan"
   • Un-Select "Only if threats were found"

Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.

1. Reboot your computer into SafeMode. You can do this by restarting your computer and just before Windows starts to load tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
   IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:
2. Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
4. ewido will now begin the scanning process, be patient this may take a little time.
   Once the scan is complete do the following:
5. If you have any infections you will prompted, then select "Apply all actions"
6. Next select the "Reports" icon at the top.
7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
8. Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.

The Support.com software is making backups of all the cookies, that's why the Ewido log was so long and even after 3 divisions it was still cut off, but I saw what I needed to see at the beginning, Ewido got the files with the CLSIDs. So the files to delete manually is a much shorter list now.

Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Then delete these files in your System32 folder if still present, since I couldn't see the whole Ewido log they might have been listed later, but check if they exist and if so, delete:

C:\WINDOWS\System32\{022C4~1.DLL
C:\WINDOWS\System32\{4595E~1.DLL
C:\WINDOWS\System32\{4E871~1.DLL
C:\WINDOWS\System32\{AA07D~1.DLL
C:\WINDOWS\System32\{F13D0~1.DLL
C:\WINDOWS\SYSTEM32\CSEFS.EXE
C:\WINDOWS\SYSTEM32\CSYDH.EXE
C:\WINDOWS\SYSTEM32\DMNQO.EXE
C:\WINDOWS\SYSTEM32\DMSLD.EXE
C:\WINDOWS\SYSTEM32\DMWLI.EXE

Also delete everything in this folder in bold but not the folder itself. In the future also before scanning with Ewido empty that folder first, that will reduce the scan time considerably.

C:\Program Files\Support.com\backup\co

Then let's run an online scan and see if we catch anything else.

Please do an online scan with Kaspersky WebScanner. If you have any quarantined items in your antivirus, please delete those archives before the scan.

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  Extended (if available otherwise Standard)
  • Scan Options:
  Scan Archives
  Scan Mail Bases
• Click OK
• Now under select a target to scan:
  Select My Computer
• This program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post.

It's starting to look clean! Here is my Kaspersky log.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, July 13, 2006 7:53:52 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 14/07/2006
Kaspersky Anti-Virus database records: 207161
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 69892
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:59:38

Infected Object Name / Virus Name / Last Action
C:\bf77562d5833c5e1607e8746ec7ab736\sp1\update\spcustom.dll Object is locked skipped
C:\bf77562d5833c5e1607e8746ec7ab736\sp1\update\update.exe Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Creative\CADI\Preset\PCI_BUS1102-5-211102-E400.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Support.com\Profiles\John Wolfe\triggers.log Object is locked skipped
C:\Documents and Settings\John Wolfe\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\John Wolfe\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\John Wolfe\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\John Wolfe\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\John Wolfe\Local Settings\Temp\Perflib_Perfdata_ba8.dat Object is locked skipped
C:\Documents and Settings\John Wolfe\Local Settings\Temp\~DF7A1A.tmp Object is locked skipped
C:\Documents and Settings\John Wolfe\Local Settings\Temp\~DFFC9A.tmp Object is locked skipped
C:\Documents and Settings\John Wolfe\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\John Wolfe\ntuser.dat Object is locked skipped
C:\Documents and Settings\John Wolfe\NTUSER.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Creative\ShareDLL\CADI\CTPLang.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\sam Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

Very well.

This entry in your log:

O20 - AppInit_DLLs: C:\WINDOWS\system32\wmfhotfix.dll

Indicates that you applied the hotfix when that WMF exploit was discovered, but Microsoft issued a patch after that.

Take the following steps to remove unofficial patches and install Microsoft's official patch to protect against the WMF hole:

Step 1. Reboot your system to clear any infected image files from memory.

Step 2. If you installed an early version of MS06-001 that was leaked via some Web sites, run the Add/Remove Programs applet from the Control Panel. Uninstall patch number 912919, which interferes with installation of the official patch.

Step 3. Use Microsoft Update or Windows Update to download and apply MS06-001 and any other patches you may need.

Step 4. Reboot.

Step 5. Uninstall the unofficial Guilfanov patch, by using one of the following methods:

1. On individual PCs, run the Add/Remove Programs applet from the Control Panel. Uninstall the patch entitled "Windows WMF Metafile Vulnerability HotFix";

2. Or, at a command prompt, run the following command:

"C:\Program Files\WindowsMetafileFix\unins000.exe" /SILENT

3. Or, if you used a Microsoft Installer (.msi) file to install the patch on multiple machines, you can uninstall the unofficial patch using this command:

msiexec.exe /X{E1CDC5B0-7AFB-11DA-8CD6-0800200C9A66} /qn

Step 6. Re-register the Shell Image View Control DLL if you previously deregistered it. (You might have deregistered the DLL using the same command as shown below, but with -u surrounded by spaces after regsvr32). The following command re-registers the DLL. From the Start menu, select Run and then type:

regsvr32 %windir%\system32\shimgvw.dll


Step 7. Optionally, reboot one more time just for good measure. (The Internet Storm Center says this is not required, but doesn't hurt.)

Then let me see a final HijackThis log to make sure nothing is coming back.

I'm having a little trouble with the last steps, with Windows Update. The Windows Installer v3.1 will not install and the Genuine Advantage validation tool won't either, even though I have had no problem with it in the past. Because of this I can't continue on to the critical updates. My Windows version is licensed, so I don't know what the deal is but I will call Microsoft tomorrow for help, and then I can finish your instructions.

I wonder if any of the malware tampered with Windows Update settings. Let's try a regfix to restore the default settings and see if that resolves the issue.

Now please copy the following text in the code box to Notepad. Make sure there is no empty line above
Windows Registry Editor Version 5.00. In Notepad go to File > Save As. Name it Fixit.reg, in the drop down box at the bottom choose "All Files", and save it on your desktop. Then double click on Fixit.reg and let it merge with the registry..Reboot when done and see if you're still having trouble..

The fixit.reg didn't help, so I called the MS help desk and they had me run "secedit" with a bunch of parameters to reset my security settings, and that allowed their Update tool to work on my computer again. Installed 47 updates! No sign of malware activity since I followed your procedure . Here's my current HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:59:54 PM, on 7/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Crea