Spyware/Browser attack... can't seem to get rid of it! [R
poochru
post Mar 14 2006, 09:59 AM
Post #1
Member, Posts: 19, OS: Windows XP

I have been trying to remove all of the malware I stupidly wound up with on my laptop to no avail!!! Here is what I have done so far that hasn't worked:

I have run AVG antivirus, and removed about 25 files with that. I have also run Ad-Aware, Spybot, and the Trend Micro spyware versions, all removing a heck of a lot of files.

I thought I may have gotten it after I ran these in safe mode... It didn't look like anything was running in the background, but then I opened my browser and was smacked with all sorts of pop ups again. Here is the HijackThis log that I just prepared again before posting. Any advice that can be given to me would be very appreciated!!!!

Jenn


Logfile of HijackThis v1.99.1
Scan saved at 10:44:50 AM, on 3/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CheckS02.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\797E7E7A84828.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\EQAdvice\EQAdvice.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\DOCUME~1\JENNIF~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\JENNIF~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jennifer Collins\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msnmember.my.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\nwinmrag.exe CORN001
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CheckS02.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [NJv7jy] "C:\WINDOWS\system32\dgfgql.exe"
O4 - HKLM\..\Run: [mousepad] C:\\mousepad1.exe
O4 - HKLM\..\Run: [miatzywA] C:\WINDOWS\miatzywA.exe
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [kVdtBOn] "C:\WINDOWS\system32\spytiqwuy.exe"
O4 - HKLM\..\Run: [keyboard] C:\\keyboard1.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [1A1F1F1B2523262] 797E7E7A84828.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\nwinmrag.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0002.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://taxwebwlbs1.trendmls.com/Resources/...er/fileopen.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networksolutionsemailpopwizard....rueSwitchEC.exe
O18 - Protocol: bw+0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {8DB17231-FC0F-4974-A4C2-AA23956F443E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\jt2607fse.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

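As an added example (not part of the original post, and not code from HijackThis or this forum), here is a small Python triage script that applies, mechanically, the rules a HijackThis helper applies by eye to the O4 and O20 lines in the log above: random-looking value or file names, executables registered from the drive root or as a bare file name, .bat files as Run entries, and Winlogon Notify DLLs with generated names. The sample lines are copied from the two logs in this thread (the first run and the post-cleanup run), with a few legitimate vendor entries kept in for contrast. The scoring weights and the FLAG/REVIEW thresholds are my own assumptions, not a published standard.

```python
"""Triage heuristics for HijackThis O4 (autostart) and O20 (Winlogon Notify)
lines.  Added example: the rules and weights are my own, not HijackThis's."""
import re
from dataclasses import dataclass, field

VOWELS = set("aeiou")

# Constructed sample: O4/O20 lines taken verbatim from the two logs posted in
# this thread, including legitimate vendor entries for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\nwinmrag.exe CORN001
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CheckS02.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NJv7jy] "C:\WINDOWS\system32\dgfgql.exe"
O4 - HKLM\..\Run: [mousepad] C:\\mousepad1.exe
O4 - HKLM\..\Run: [miatzywA] C:\WINDOWS\miatzywA.exe
O4 - HKLM\..\Run: [kVdtBOn] "C:\WINDOWS\system32\spytiqwuy.exe"
O4 - HKLM\..\Run: [keyboard] C:\\keyboard1.exe
O4 - HKLM\..\Run: [1A1F1F1B2523262] 797E7E7A84828.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [tabdfifh] C:\lnxgshku.bat
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\nwinmrag.exe
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\jt2607fse.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

O4_RUN = re.compile(r'^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O4_STARTUP = re.compile(r'^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.+)$')
O20_NOTIFY = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<cmd>.+)$')
# First quoted string, else the shortest prefix ending in a runnable extension.
FIRST_PATH = re.compile(r'"([^"]+)"|(.*?\.(?:exe|bat|cmd|dll|com|scr|pif))(?=\s|$)', re.I)


@dataclass
class Finding:
    kind: str
    name: str
    path: str
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def level(self) -> str:
        return "FLAG" if self.score >= 3 else "REVIEW" if self.score == 2 else "ok"


def looks_random(token: str) -> bool:
    """Cheap 'was this name generated?' test.  Each rule is keyed to an entry in
    the logs above.  Abbreviations such as SynTPLpr also trip it, which is why a
    name hit on its own never reaches FLAG in assess()."""
    s = token.lower()
    letters = re.sub(r"[^a-z]", "", s)
    if re.fullmatch(r"[0-9a-f]{8,}", s) and re.search(r"\d", s):
        return True                                   # hex blob: 797E7E7A84828
    if re.search(r"[a-z]\d+[a-z]", s):
        return True                                   # digits wedged in: NJv7jy
    if len(letters) >= 6 and not set(letters) & VOWELS:
        return True                                   # no vowels: dgfgql
    if re.search(r"q(?!u)", letters):
        return True                                   # q without u: spytiqwuy
    if len(letters) >= 7 and sum(c in VOWELS for c in letters) / len(letters) <= 0.25:
        return True                                   # consonant-heavy: lnxgshku
    return False


def assess(kind: str, name: str, cmd: str) -> Finding:
    m = FIRST_PATH.match(cmd.strip())
    path = (m.group(1) or m.group(2)) if m else cmd.strip()
    f = Finding(kind, name, path)
    if "(file missing)" in cmd:                       # orphan: cleanup item, not a sample
        f.score, f.reasons = 1, ["orphaned entry (file missing)"]
        return f
    directory, _, filename = re.sub(r"\\+", r"\\", path).rpartition("\\")
    stem, dot, ext = filename.rpartition(".")
    stem = stem if dot else filename
    name_random, stem_random = looks_random(name), looks_random(stem)

    def hit(points: int, why: str) -> None:
        f.score += points
        f.reasons.append(why)

    if name_random or stem_random:
        hit(1, "random-looking name")
        if name_random and stem_random and name.lower() != stem.lower():
            hit(1, "value name and file name both random and unrelated")
    if not directory:
        hit(2, "bare file name, resolved through the search path")
    elif re.fullmatch(r"[a-z]:", directory, re.I):
        hit(3, "executable in drive root")
    elif re.fullmatch(r"[a-z]:\\windows", directory, re.I):
        hit(1, "dropped directly in %WINDIR%")
    elif directory.lower().endswith("\\system32") and stem_random:
        hit(1, "random-named file in system32")
    if dot and ext.lower() in ("bat", "cmd", "pif", "scr"):
        hit(2, f".{ext.lower()} registered as autostart")
    if kind == "O20" and stem_random:
        hit(2, "random-named Winlogon Notify DLL")
    return f


def triage(log_text: str) -> list:
    """Parse every O4/O20 line and return findings, highest score first."""
    findings = []
    for line in log_text.splitlines():
        for kind, pattern in (("O4", O4_RUN), ("O4", O4_STARTUP), ("O20", O20_NOTIFY)):
            m = pattern.match(line.strip())
            if m:
                findings.append(assess(kind, m["name"], m["cmd"]))
                break
    return sorted(findings, key=lambda x: -x.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.level:6} {f.score}  {f.kind} [{f.name}] {f.path}  -- "
              f"{'; '.join(f.reasons) or 'nothing notable'}")
```

Run it as a script to get the ranked list. Two caveats: pronounceable names slip through (miatzywA.exe and CheckS02.exe in C:\WINDOWS score only 1 here, although both are gone from the second log after the cleanup), and abbreviations like SynTPLpr or qttask trip the randomness test, so a name hit alone is never more than a "review" signal; location and file type are what push a line over the FLAG threshold.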
Replies (15 - 29)
poochru
post Mar 15 2006, 11:26 AM
Post #16
Member, Posts: 19, OS: Windows XP

Morphed! I think I can hear it laughing at me!!!!

Well, here are the next round of logs!!!

Avenger log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tcblextw

*******************

Script file located at: \??\C:\awikfwup.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\xxgxduyj.bat not found!
Deletion of file C:\xxgxduyj.bat failed!

Could not process line:
C:\xxgxduyj.bat
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

__________________________________________________________________________

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:24:58 PM, on 3/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\System32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msnmember.my.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [tabdfifh] C:\lnxgshku.bat
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Crustyoldbloke
post Mar 15 2006, 12:35 PM
Post #17


Malware Surgeon with a shaky scalpel
Posts: 15,101
From: Worcestershire, England
OS: Win98, Windows XP Professional SP2, Vista



Hello again Jenn

I have to agree with you, I can hear it too, and I am quite deaf with this illness. :D

Well the news is, it did it again - morphed that is. It's not on any database which means that it is a random generated file name. Now these are fun! It most likely changes its name with reboots. If you haven't rebooted since the last log, there is a chance we can kill it with Avenger. If that fails we go onto phase two. The file name may change but its location stays the same.

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [awmtvomq] C:\xxgxduyj.bat
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [tabdfifh] C:\lnxgshku.bat
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 entries are start-up files.

Since we can't use Killbox, delete on reboot, it will have to be a manual deletion.

Let's give it a go.

To be sure, rescan with HJT now and have a look at the area where the bad file is; note its name and path. If it has changed again, substitute the one I have in the instructions.

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

QUOTE
Files to delete:

C:\lnxgshku.bat


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Now, start The Avenger programme by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • Upon reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy & paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add Reply

Phase 2

Please set your system to show all files;
please see here if you're unsure how to do this.

Press the Control-Alt-Del keys together in order to enter the Task Manager.

Click on the Processes tab and end the following process:

lnxgshku or tabdfifh

Exit the Task Manager when finished.

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

O4 - HKLM\..\Run: [tabdfifh] C:\lnxgshku.bat

Click on Fix Checked when finished and exit HijackThis.

Using Windows Explorer, locate the following file, and delete it:

C:\lnxgshku.bat

Exit Explorer, and reboot as normal afterwards.

If it won't delete, try renaming it by adding 1 into the file name or changing the file type from bat to txt.

This post has been edited by Crustyoldbloke: Mar 15 2006, 12:36 PM
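The "same location, different name after each reboot" pattern the helper describes above can be spotted mechanically by comparing two HijackThis logs. The script below is an added example written for this thread, not part of HijackThis or The Avenger; the sample log lines are constructed from the O4 entries quoted in the thread, and the "random name" heuristic (a bare run of lowercase letters) is an assumption of this example.

```python
"""Flag a 'morphing' autorun entry across two HijackThis logs.

Added example (not from the thread or from HijackThis itself): parse the
O4 Run entries of two consecutive scans and report an entry whose value
name and file name changed while its location (drive root) and file type
stayed the same, which is the behaviour described in the post above.
"""
import re
from typing import List, NamedTuple, Tuple

# One O4 registry Run line, e.g.  O4 - HKLM\..\Run: [tabdfifh] C:\lnxgshku.bat
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# A file sitting directly in a drive root, e.g. C:\lnxgshku.bat
ROOT_FILE_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\(?P<stem>[^\\]+)\.(?P<ext>[A-Za-z0-9]+)$"
)
# Heuristic (assumption of this example) for a "random generated" name:
# nothing but 6 to 12 lowercase letters, no digits, dots or separators.
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,12}$")


class RunEntry(NamedTuple):
    hive: str
    name: str    # the [value name] shown in square brackets
    target: str  # program path with quotes and arguments stripped


def parse_o4(log_lines: List[str]) -> List[RunEntry]:
    """Extract HKLM/HKCU Run entries from HijackThis log lines; other lines are skipped."""
    entries = []
    for line in log_lines:
        m = O4_RUN_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd").strip()
        if cmd.startswith('"'):
            # Quoted path, possibly followed by arguments (e.g. "...\qttask.exe" -atboottime)
            close = cmd.find('"', 1)
            target = cmd[1:close] if close > 0 else cmd[1:]
        else:
            # Unquoted path: everything before the first space
            target = cmd.split(" ", 1)[0]
        entries.append(RunEntry(m.group("hive"), m.group("name"), target))
    return entries


def is_suspicious(entry: RunEntry) -> bool:
    """Random-looking value name that launches a random-looking file from a drive root."""
    m = ROOT_FILE_RE.match(entry.target)
    if not m:
        return False
    return bool(RANDOM_NAME_RE.match(entry.name) and RANDOM_NAME_RE.match(m.group("stem")))


def find_morphing(old_lines: List[str], new_lines: List[str]) -> List[Tuple[RunEntry, RunEntry]]:
    """Pair suspicious entries from two scans that share hive, drive and extension
    but differ in name or file: the signature of a file renamed at each reboot."""
    old_sus = [e for e in parse_o4(old_lines) if is_suspicious(e)]
    new_sus = [e for e in parse_o4(new_lines) if is_suspicious(e)]
    pairs = []
    for o in old_sus:
        om = ROOT_FILE_RE.match(o.target)
        for n in new_sus:
            nm = ROOT_FILE_RE.match(n.target)
            same_place = (
                o.hive == n.hive
                and om.group("drive").upper() == nm.group("drive").upper()
                and om.group("ext").lower() == nm.group("ext").lower()
            )
            if same_place and (o.name != n.name or o.target != n.target):
                pairs.append((o, n))
    return pairs


# Constructed sample logs, built from O4 lines quoted in this thread.
LOG_A = [
    r"O4 - HKLM\..\Run: [QuickTime Task] " + '"C:\\Program Files\\QuickTime\\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O4 - HKLM\..\Run: [awmtvomq] C:\xxgxduyj.bat",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]
LOG_B = [
    r"O4 - HKLM\..\Run: [QuickTime Task] " + '"C:\\Program Files\\QuickTime\\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O4 - HKLM\..\Run: [tabdfifh] C:\lnxgshku.bat",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]

if __name__ == "__main__":
    for old, new in find_morphing(LOG_A, LOG_B):
        print(f"morphing autorun in {old.hive}: [{old.name}] {old.target} -> [{new.name}] {new.target}")
```

Run against two real logs, the pairs it prints are the entries to re-check in a fresh scan before fixing, since the name in an older log may already be stale.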
poochru
post Mar 15 2006, 04:08 PM
Post #18


Member
Posts: 19
OS: Windows XP



Okay, so this run didn't go as smoothly... I ran the first HijackThis scan, and found the second highlighted "O4" script, referencing lnxgshku.bat, but not the first. I checked that one as directed. I then did all the fun stuff with The Avenger again.

I wanted to note that when I restarted the computer, the Trend antispyware program popped up that a change was being made to startup, with a filename of gwdennqd.bat...

When I checked the processes in the Task Manager, I didn't find any. I reran HijackThis, and checked the log for the same file as before, and the new one I referenced above.

Also, when I went to delete the files from Windows Explorer, I couldn't find any of them. I also did a full search to try to drag them up, to no avail. I did double check to make sure all files were visible, as per your instructions.

I will post the newest logs in one second!

poochru
post Mar 15 2006, 04:11 PM
Post #19


Member
Posts: 19
OS: Windows XP



HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:09:20 PM, on 3/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msnmember.my.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


____________________________________________________________________________

Avenger Log:


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\og^ixcrc

*******************

Script file located at: \??\C:\WINDOWS\iyrhawaj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\lnxgshku.bat not found!
Deletion of file C:\lnxgshku.bat failed!

Could not process line:
C:\lnxgshku.bat
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.
Crustyoldbloke
post Mar 15 2006, 04:17 PM
Post #20


Malware Surgeon with a shaky scalpel
Posts: 15,101
From: Worcestershire, England
OS: Win98, Windows XP Professional SP2, Vista



Hello again

I think we may have got our wires crossed there.

I think this might be the best solution at this stage.

Please download SpySweeper (It's a 14 day trial):
  • Install it. Once the programme is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.


This post has been edited by Crustyoldbloke: Mar 15 2006, 04:18 PM
poochru
post Mar 15 2006, 06:01 PM
Post #21


Member
Posts: 19
OS: Windows XP



Here is the log from the latest round, Spy Sweeper.

Thanks again for your patience in helping me through this. Hopefully we are getting there!



********
5:39 PM: | Start of Session, Wednesday, March 15, 2006 |
5:39 PM: Spy Sweeper started
5:39 PM: Sweep initiated using definitions version 634
5:39 PM: Starting Memory Sweep
5:45 PM: Memory Sweep Complete, Elapsed Time: 00:05:17
5:45 PM: Starting Registry Sweep
5:46 PM: Registry Sweep Complete, Elapsed Time:00:01:08
5:46 PM: Starting Cookie Sweep
5:46 PM: Found Spy Cookie: 2o7.net cookie
5:46 PM: jennifer collins@2o7[2].txt (ID = 1957)
5:46 PM: Found Spy Cookie: atlas dmt cookie
5:46 PM: jennifer collins@atdmt[2].txt (ID = 2253)
5:46 PM: Found Spy Cookie: mediaplex cookie
5:46 PM: jennifer collins@mediaplex[1].txt (ID = 6442)
5:46 PM: jennifer collins@msnportal.112.2o7[1].txt (ID = 1958)
5:46 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
5:46 PM: Starting File Sweep
5:47 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044156.exe". Access is denied
5:47 PM: Found Adware: surfsidekick
5:47 PM: a0041814.dll (ID = 257146)
5:48 PM: Found Adware: dollarrevenue
5:48 PM: a0044573.exe (ID = 260103)
5:48 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp353\a0041828.exe". Access is denied
5:48 PM: Found Adware: fullcontext
5:48 PM: a0044701.exe (ID = 209217)
5:49 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp353\a0041812.exe". Access is denied
5:50 PM: Found Adware: mirar webband
5:50 PM: a0044448.exe (ID = 158984)
5:50 PM: a0041920.exe (ID = 257229)
5:51 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp358\a0044278.exe". Access is denied
5:51 PM: Found Adware: bookedspace
5:51 PM: a0044576.exe (ID = 51662)
5:51 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp353\a0041829.exe". Access is denied
5:51 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp358\a0044284.exe". Access is denied
5:52 PM: Found Adware: command
5:52 PM: a0044714.vbs (ID = 231442)
5:52 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp358\a0044279.exe". Access is denied
5:52 PM: a0044706.exe (ID = 260102)
5:52 PM: a0041970.config (ID = 212361)
5:53 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp358\a0044280.exe". Access is denied
5:53 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp358\a0044286.exe". Access is denied
5:54 PM: a0044700.exe (ID = 258294)
5:55 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp353\a0041989.exe". Access is denied
5:55 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044154.exe". Access is denied
5:56 PM: a0044346.exe (ID = 212831)
5:57 PM: Found Adware: enbrowser
5:57 PM: a0044437.exe (ID = 254903)
5:57 PM: a0044713.exe (ID = 257804)
5:57 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044181.exe". Access is denied
5:58 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044218.exe". Access is denied
5:59 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044217.exe". Access is denied
6:00 PM: Found Adware: look2me
6:00 PM: a0044543.dll (ID = 159)
6:01 PM: a0041966.exe (ID = 212828)
6:01 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044229.exe". Access is denied
6:03 PM: a0044457.dll (ID = 208226)
6:04 PM: a0044439.exe (ID = 244277)
6:04 PM: a0044347.config (ID = 212361)
6:04 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044216.exe". Access is denied
6:05 PM: a0044541.dll (ID = 159)
6:05 PM: a0041968.exe (ID = 212830)
6:06 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044224.exe". Access is denied
6:06 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp353\a0041821.exe". Access is denied
6:06 PM: a0041969.exe (ID = 212831)
6:06 PM: a0044708.exe (ID = 244430)
6:07 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044175.exe". Access is denied
6:07 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044174.exe". Access is denied
6:07 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044197.exe". Access is denied
6:07 PM: a0041994.exe (ID = 257804)
6:07 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044190.exe". Access is denied
6:07 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044209.exe". Access is denied
6:07 PM: Found Adware: marketscore
6:07 PM: a0044710.dll (ID = 243051)
6:07 PM: a0044441.exe (ID = 245110)
6:07 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044192.exe". Access is denied
6:08 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044228.exe". Access is denied
6:08 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp353\a0041990.exe". Access is denied
6:08 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp353\a0041997.exe". Access is denied
6:08 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044182.exe". Access is denied
6:09 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044142.exe". Access is denied
6:09 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044151.exe". Access is denied
6:09 PM: a0044440.exe (ID = 245111)
6:09 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044230.exe". Access is denied
6:10 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044223.exe". Access is denied
6:10 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044148.exe". Access is denied
6:10 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044166.exe". Access is denied
6:10 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044213.exe". Access is denied
6:11 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044140.exe". Access is denied
6:11 PM: a0041988.exe (ID = 159564)
6:11 PM: a0044699.exe (ID = 257943)
6:12 PM: a0044707.exe (ID = 251279)
6:12 PM: Found Adware: maxifiles
6:12 PM: a0044703.exe (ID = 244762)
6:12 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044170.exe". Access is denied
6:12 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044205.exe". Access is denied
6:12 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044219.exe". Access is denied
6:12 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044158.exe". Access is denied
6:12 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044201.exe". Access is denied
6:12 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044186.exe". Access is denied
6:12 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044207.exe". Access is denied
6:12 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044210.exe". Access is denied
6:13 PM: a0044388.exe (ID = 260149)
6:13 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044180.exe". Access is denied
6:13 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044184.exe". Access is denied
6:13 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044152.exe". Access is denied
6:13 PM: a0044542.dll (ID = 159)
6:13 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp358\a0044285.exe". Access is denied
6:14 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044198.exe". Access is denied
6:14 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044202.exe". Access is denied
6:14 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044203.exe". Access is denied
6:14 PM: Found Trojan Horse: trojan-downloader-nextern
6:14 PM: a0044386.exe (ID = 254872)
6:14 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp358\a0044287.exe". Access is denied
6:14 PM: a0044584.dll (ID = 159)
6:15 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044162.exe". Access is denied
6:15 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044146.exe". Access is denied
6:15 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044188.exe". Access is denied
6:15 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044226.exe". Access is denied
6:15 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044143.exe". Access is denied
6:15 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044163.exe". Access is denied
6:16 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044195.exe". Access is denied
6:17 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044189.exe". Access is denied
6:17 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044214.exe". Access is denied
6:17 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044169.exe". Access is denied
6:17 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044160.exe". Access is denied
6:17 PM: a0042002.exe (ID = 244271)
6:17 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044227.exe". Access is denied
6:17 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044149.exe". Access is denied
6:17 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044193.exe". Access is denied
6:18 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044164.exe". Access is denied
6:18 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044178.exe". Access is denied
6:18 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044212.exe". Access is denied
6:18 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044187.exe". Access is denied
6:18 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044168.exe". Access is denied
6:18 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044157.exe". Access is denied
6:18 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044177.exe". Access is denied
6:18 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044179.exe". Access is denied
6:18 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044172.exe". Access is denied
6:18 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044220.exe". Access is denied
6:18 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044153.exe". Access is denied
6:18 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044206.exe". Access is denied
6:18 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044185.exe". Access is denied
6:18 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044225.exe". Access is denied
6:18 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044145.exe". Access is denied
6:18 PM: Warning: Failed to open file "c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp357\a0044196.exe". Access is denied
6:22 PM: Sweep Canceled
6:22 PM: File Sweep Complete, Elapsed Time: 00:35:37
6:22 PM: Traces Found: 39
6:58 PM: Removal process initiated
6:58 PM: Quarantining All Traces: fullcontext
6:58 PM: Quarantining All Traces: look2me
6:58 PM: Quarantining All Traces: dollarrevenue
6:58 PM: Quarantining All Traces: enbrowser
6:58 PM: Quarantining All Traces: marketscore
6:58 PM: Quarantining All Traces: maxifiles
6:58 PM: Quarantining All Traces: surfsidekick
6:58 PM: Quarantining All Traces: trojan-downloader-nextern
6:58 PM: Quarantining All Traces: bookedspace
6:58 PM: Quarantining All Traces: command
6:58 PM: Quarantining All Traces: mirar webband
6:58 PM: Quarantining All Traces: 2o7.net cookie
6:58 PM: Quarantining All Traces: atlas dmt cookie
6:58 PM: Quarantining All Traces: mediaplex cookie
6:59 PM: Removal process completed. Elapsed time 00:00:41
********
5:36 PM: | Start of Session, Wednesday, March 15, 2006 |
5:36 PM: Spy Sweeper started
5:37 PM: Your spyware definitions have been updated.
5:39 PM: | End of Session, Wednesday, March 15, 2006 |
Crustyoldbloke
post Mar 15 2006, 06:36 PM
Post #22


Malware Surgeon with a shaky scalpel
Posts: 15,101
From: Worcestershire, England
OS: Win98, Windows XP Professional SP2, Vista



That all looks very comforting, but did we get the bad guy?

If you can still see the bad file, continue with this:

Download:
RKFiles.zip

Create a new folder called C:\Antispyware\RKFiles

Extract the contents of RKFiles.zip into this new RKFiles folder.

Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Open the C:\Antispyware\RKFiles folder
    * Locate and double-click the RKFILES.BAT to run this tool.
    * Sit back and wait until it has finished.
    * When it is finally finished a text file will open.
    * Save the contents of that text file.


N.B.: It should save by default to C:\Log.txt . Please post that in your reply.

Reboot back to Normal Mode.

Please post a fresh HJT log from normal mode.

Thanks

This post has been edited by Crustyoldbloke: Mar 15 2006, 06:45 PM
poochru
post Mar 15 2006, 08:00 PM
Post #23


Member
Posts: 19
OS: Windows XP



Back again. Here are the latest logs.

C:\AntiSpyware

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\DivX.dll: PEC2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye


Logfile of HijackThis v1.99.1
Scan saved at 8:58:52 PM, on 3/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msnmember.my.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


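The HijackThis log above is reviewed by eye in this thread. As an added example (not HijackThis code, and not something either member posted), the Python below parses a few of those R0/R1, O4, O20 and O23 lines into named fields and returns, per entry, the points a reviewer checks first: a service whose image is missing or whose owner is unrecorded (both of which HijackThis itself annotates on the line) and any Winlogon Notify DLL. The sample lines are copied from the log above.

```python
"""Parse HijackThis v1.99 log entries into fields and note what a reviewer checks first."""
import re
from dataclasses import dataclass, field

# Constructed sample: eight lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msnmember.my.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Every HijackThis entry starts with a section code such as R1, O4 or O23.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Body layouts for the sections decoded here; other codes keep the raw body only.
REG_VALUE_RE = re.compile(r"^(?P<hive>HK\w+)\\(?P<key>[^,]*),(?P<value>[^=]*?) = (?P<data>.*)$")
BODY_RES = {
    "R0": REG_VALUE_RE,
    "R1": REG_VALUE_RE,
    # Run-key entry ([name] command) or a Global Startup shortcut (name = target).
    "O4": re.compile(r"^(?:(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)"
                     r"|Global Startup: (?P<lnk>.*?) = (?P<target>.*))$"),
    "O20": re.compile(r"^Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$"),
    # Service: display name (short name) - owner - image path; the short name is optional.
    "O23": re.compile(r"^Service: (?P<name>.*?)(?: \((?P<short_name>[^)]*)\))? - "
                      r"(?P<owner>.*?) - (?P<path>.*)$"),
}

@dataclass
class Entry:
    code: str
    raw: str
    fields: dict = field(default_factory=dict)

def parse_hjt_log(text):
    """Return one Entry per 'Oxx - ...' / 'Rx - ...' line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry = Entry(code=m.group("code"), raw=m.group("body"))
        body_re = BODY_RES.get(entry.code)
        bm = body_re.match(entry.raw) if body_re else None
        if bm:
            # Drop the groups of the alternative that did not match (O4 has two layouts).
            entry.fields = {k: v for k, v in bm.groupdict().items() if v is not None}
        entries.append(entry)
    return entries

def review_flags(entry):
    """Reasons a log reviewer would look twice at an entry; an empty list means nothing to note.
    The O23 checks mirror what HijackThis itself annotates on the service line."""
    flags = []
    if entry.code == "O23":
        if "(file missing)" in entry.fields.get("path", ""):
            flags.append("service image not found on disk")
        if entry.fields.get("owner") == "Unknown owner":
            flags.append("no publisher recorded for the service")
    elif entry.code == "O20":
        flags.append("Winlogon Notify DLL is loaded at every logon; confirm which product installed it")
    return flags

if __name__ == "__main__":
    for e in parse_hjt_log(SAMPLE_LOG):
        label = e.fields.get("name") or e.fields.get("value") or e.fields.get("lnk") or e.raw
        notes = review_flags(e)
        print(f"{e.code:<4} {label}" + (f"  <- {'; '.join(notes)}" if notes else ""))
```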
Crustyoldbloke
post Mar 16 2006, 02:34 AM
Post #24


Malware Surgeon with a shaky scalpel
Posts: 15,101
From: Worcestershire, England
OS: Win98, Windows XP Professional SP2, Vista



Congratulations! Your new log is clean. Just a little bit more to do to prevent further infection.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.

I recommend going to the following link and updating as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.
MICROSOFT ANTISPYWARE - With daily updates and scans, this programme offers good security against malware.
AD-AWARE PERSONAL – A fine free malware detector and removal programme
SPYBOT S&D – Excellent free spyware detector and removal programme
GOOGLE TOOLBAR - Blocks many unwanted pop-ups in Internet Explorer.
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS FREE EDITION - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one (Windows XP has a built-in firewall).

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one antispyware programme for “on demand” scanning, having two or more antivirus systems is not recommended as they may well cause conflicts and slowness.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep your Windows, antispyware and antivirus updated.

Do you still have a strange background?
poochru
post Mar 16 2006, 08:58 AM
Post #25


Member
Posts: 19
OS: Windows XP



Thank you again for all of your help! I do still have the black background peeking through under my current background, but I haven't seen any issues in a while regarding popups and such. I will keep an eye on it, and see if anything else comes up on the security scans. If you think the secondary desktop background may still be a concern, let me know!

Thank you!

Jenn
Crustyoldbloke
post Mar 16 2006, 09:16 AM
Post #26


Malware Surgeon with a shaky scalpel
Posts: 15,101
From: Worcestershire, England
OS: Win98, Windows XP Professional SP2, Vista



I wonder if that is something to do with your display settings?

Pay a visit to the Control Panel>Display. There are a few tabs that you can adjust there, that might help.

You may wish to try this also.

Please right click on this Wallpaper and choose Save Target As... Save it on your Desktop. Double click on it to run it and choose Yes to add it to the registry. Delete that .reg file when you are done.

Can you post a screenshot?
poochru
post Mar 16 2006, 09:26 AM
Post #27


Member
Posts: 19
OS: Windows XP



Everything seems to be running okay, so I am thinking maybe it is just me! The reason it concerned me is that it was the first thing I noticed when I got hit with all of the other stuff, and it led me to believe that something was running, hidden in the background. I will just see how it goes, and hope for the best! But if it changes, you may see me popping back up in this forum!!!! There seem to be no other symptoms of any sort of infection, so I will keep my fingers crossed!

I tried running that registry fix, but I got an error message when attempting it.
Crustyoldbloke
post Mar 16 2006, 09:33 AM
Post #28


Malware Surgeon with a shaky scalpel
Posts: 15,101
From: Worcestershire, England
OS: Win98, Windows XP Professional SP2, Vista



That is strange; I just ran the reg file and all was OK.

Post a screen shot.

Go to Desktop. Click PRINT SCRN button. Go to PROGRAMS>ACCESSORIES>PAINT>EDIT>PASTE>FILE>SAVE AS> call it desktop.jpg and save it to Desktop.

Post into this thread by using File Attachments>Browse>Add This Attachment.
poochru
post Mar 16 2006, 10:15 AM
Post #29


Member
Posts: 19
OS: Windows XP



For some reason my print screen function does not work. Any suggestions on an alternative method???
Crustyoldbloke
post Mar 16 2006, 10:17 AM
Post #30


Malware Surgeon with a shaky scalpel
Posts: 15,101
From: Worcestershire, England
OS: Win98, Windows XP Professional SP2, Vista



Yes, but it involves a digital camera or webcam.