i need help when i scan with ca yahoo antispy it shows darksma but for norton it doesntLogfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:53:26 AM, on 7/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode with network support

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\Explorer.EXE
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Safari\Safari.exe
C:\windows\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [NotebookHardwareControl] "C:\Program Files\Notebook Hardware Control\nhc.exe" -quiet
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [c017c955] rundll32.exe "C:\windows\system32\qcwvgqye.dll",b
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - AppInit_DLLs: aviyvv.dll
O21 - SSODL: BootSDRAM - {c9d529f1-139e-4324-a4a1-b9c466b18e92} - C:\windows\Resources\BootSDRAM.dll
O21 - SSODL: PreBootCheck - {6cb3baaa-a62c-44a5-9911-780e202bfba4} - C:\windows\Resources\AlrtStd.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8784 bytes



This post has been edited by Keven01: Aug 4 2008, 10:42 PM

Hi there,

Download avz4.zip from here

• Unzip it to your desktop to a folder named avz4
• Double click on AVZ.exe to run it.
• Run an update by clicking the Auto Update button on the Right of the Log window:
• Click Start to begin the update

Note: If you recieve an error message, chose a different source, then click Start again

• After the update, from the "File" menu, choose "Standard Scripts"
• Put a check next to item 2: Advanced System Investigation
• Click Execute selected scripts
• At the next prompt, click the OK button
• Let the scan run and click "OK" when the completion prompt pops up
• Now Close out of the Standard Scripts window, and exit AVZ
• Navigate to the avz4 folder and locate the folder LOG
• Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
• Attach virusinfo_syscheck.htm to your next reply, along with virusinfo_syscheck.zip.

here is the attachments you wanted

and

Hi there

• Please go to VirSCAN.org FREE on-line scan service
• Copy and paste the following file path into the "Suspicious files to scan"box on the top of the page:
  
  
  • 
    C:\windows\System32\Drivers\spyb.sys
  
  
• Click on the Upload button
• Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
• Paste the contents of the Clipboard in your next reply.

Next,

Go to add or remove programs and uninstall Viewpoint and delete C:\program files\Viewpoint.

1. Double click on AVZ.exe
2. Click on File, then Custom Scripts
3. Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end )
   
   CODE
   begin
   SetAVZGuardStatus(True);
   DelBHO('{D6258CA6-2028-4CDD-B496-CACC18721A60}');
   DelBHO('{dda53789-cb35-4cb2-bb46-25e1d205dfe9}');
   DelBHO('{36C38422-602D-48A3-8110-4174CBDDA12C}');
   DeleteService('Viewpoint Manager Service');
   StopService('Viewpoint Manager Service');
   DeleteFile('C:\windows\system32\geBqQGXO.dll');
   DeleteFile('C:\windows\system32\iSecurity.cpl');
   DeleteFile('geBqQGXO.dll');
   DeleteFile('C:\windows\system32\960932\960932.dll');
   DeleteFile('C:\windows\system32\ejwwxu.dll');
   DeleteFile('D:\autorun.inf');
   DeleteFile('C:\Program Files\iSecurity\v20\iSecurity.cpl');
   SearchRootkit(true, true);
   BC_ImportDeletedList;
   BC_Activate;
   ExecuteSysClean;
   RebootWindows(true);
   end.
4. Note: When you run the script, your PC will be restarted
5. Click Run
6. Restart your PC if it doesn't do it automatically.

Then,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

And Finally,

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Note:These logs may be too large to post in one reply, if so, please post extra.txt in a separate reply.

This post has been edited by Mike: Aug 6 2008, 01:09 PM

for some reason my comp wont let me download both Malwarebytes' Anti-Malware and Deckards system scanner

Do you have access to another PC where you could possibly transfer the tools?

Are you getting an error when downloading it?

no it says that windows found this file is poteintally harmful so windows has blocked it

Can you get this to run?

Download and scan with SUPERAntiSpyware Free for Home Users

• Double-click SUPERAntiSpyware.exe and use the default settings for installation.
• An icon will be created on your desktop. Double-click that icon to launch the program.
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
• Under "Configuration and Preferences", click the Preferences button.
• Click the Scanning Control tab.
• Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen.
• Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan.
• Click "Next" to start the scan. Please be patient while it scans your computer.
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes".
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.

Run it and try downloading the tool again - does it work? If not do this please.

Please download OTScanIt.exe to your Desktop.
Double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

• Close all other programs.
• Open the OTScanIt folder and double-click on OTScanIt.exe to start the program
• (if you are running on Vista then right-click the program and choose Run as Administrator).
• In the Drivers section click on Non-Microsoft.
• Under Additional Scans click the checkboxes in front of the following items to select them:
  
  Reg - BotCheck
  File - Additional Folder Scans
  
• Do not change any other settings.
• Now click the Run Scan button on the toolbar.
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and attach the file in your next post, do not try to copy/paste it into the post.

To attach a file, do the following:

• Click Add Reply
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

for the SUPERAntiSpyware.exe when i run it a windows installer message pops up and says windows installer cannot be accesed

How is OTScanIt going? Also what about the results from VIRScan.org?

This post has been edited by Mike: Aug 7 2008, 12:40 PM

here is the superantispyware log
Memory items scanned : 358
Memory threats detected : 0
Registry items scanned : 9478
Registry threats detected : 3
File items scanned : 18115
File threats detected : 59

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\aoprndtws
HKLM\SOFTWARE\Microsoft\RemoveRP
HKU\S-1-5-21-1863405692-2512887711-682732193-1005\Software\Microsoft\rdfa

Adware.Rogue-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP0\A0000001.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP0\A0000002.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1\A0001004.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1\A0001005.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1\A0001006.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1\A0001007.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1\A0001012.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1\A0001013.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1\A0002018.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1\A0002017.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1\A0002019.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1\A0002020.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1\A0002872.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1\A0002873.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0033270.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0033271.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0033272.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0033282.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0033284.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0033287.LNK
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\DESKTOP\MALWARE PROTECTOR 2008.LNK
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\DESKTOP\SYSTEMDEFENDER.LNK

Adware.E404 Helper/Variant-C
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP3\A0002968.DLL
C:\WINDOWS\SYSTEM32\689371\689371.DLL

Trojan.SecurityCenter/Fake
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP3\A0004034.CPL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0032205.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0033286.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0033291.CPL

Adware.Vundo Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0022657.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0023664.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0024700.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0029951.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0032177.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0032168.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0032176.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0032195.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0032178.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0032179.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0032180.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0032181.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0032196.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0032197.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0032198.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0032199.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0032201.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0032202.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0032203.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0032204.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0033326.DLL
C:\WINDOWS\SYSTEM32\ADYNCBRF.DLL
C:\WINDOWS\SYSTEM32\AVIYVV.DLL
C:\WINDOWS\SYSTEM32\GQLLXKQV.DLL
C:\WINDOWS\SYSTEM32\MTBENAYQ.DLL

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0032200.DLL

Adware.E404 Helper/Variant-E
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP5\A0034363.DLL

Trojan.Vundo-Variant/Small
C:\WINDOWS\SYSTEM32\AAEOEA.DLL
C:\WINDOWS\SYSTEM32\AVMLIS.DLL
C:\WINDOWS\SYSTEM32\LKVRWL.DLL

Trojan.Vundo-Variant/Small-V2
C:\WINDOWS\SYSTEM32\BQIBJXVE.DLL


Here is the second one

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/05/2008 at 05:44 PM

Application Version : 4.15.1000

Core Rules Database Version : 3529
Trace Rules Database Version: 1519

Scan type : Complete Scan
Total Scan Time : 136:00:19

Memory items scanned : 332
Memory threats detected : 0
Registry items scanned : 9480
Registry threats detected : 0
File items scanned : 19210
File threats detected : 20

Adware.Vundo Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP7\A0034591.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP7\A0034584.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP7\A0034585.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP7\A0034586.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP7\A0034587.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP7\A0034588.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP7\A0034589.DLL
C:\WINDOWS\SYSTEM32\UXYXHQWR.DLL

Adware.Rogue-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP7\A0034581.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP7\A0034582.LNK

Adware.E404 Helper/Variant-C
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP7\A0034583.DLL

Trojan.Vundo-Variant/Small-V2
C:\WINDOWS\SYSTEM32\PJAMOHSB.DLL
C:\WINDOWS\SYSTEM32\PVLRILXY.DLL
C:\WINDOWS\SYSTEM32\SFTJQQCX.DLL
C:\WINDOWS\SYSTEM32\SMKOSXHF.DLL
C:\WINDOWS\SYSTEM32\TVMLEPON.DLL
C:\WINDOWS\SYSTEM32\WLICHJQE.DLL

Trojan.Vundo-Variant/Small
C:\WINDOWS\SYSTEM32\SSQNMDBB.DLL
C:\WINDOWS\SYSTEM32\VGGDOC.DLL
C:\WINDOWS\SYSTEM32\ZFEQJS.DLL



This post has been edited by Keven01: Aug 7 2008, 09:14 PM

Good,

• Please go to VirSCAN.org FREE on-line scan service
• Copy and paste the following file path into the "Suspicious files to scan"box on the top of the page:
  
  
  • C:\windows\System32\Drivers\spyb.sys
  
  
• Click on the Upload button
• Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
• Paste the contents of the Clipboard in your next reply.

Then,

Let's see if you can run DSS now.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Note:These logs may be too large to post in one reply, if so, please post extra.txt in a separate reply.

If you cannot run DSS, please run OTScanIt as instructed here http://www.geekstogo.com/forum/how-remove-...52#entry1302052
and post the results

This post has been edited by Mike: Aug 8 2008, 04:01 AM

for the virscan.org it says file not found or something so here is the dss log
Deckard's System Scanner v20071014.68
Run by Keven Nguyen on 2008-08-06 20:01:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Keven Nguyen.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:50 PM, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\windows\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\windows\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\windows\system32\nvsvc32.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\windows\system32\wuauclt.exe
C:\Documents and Settings\phuong nguyen\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\KEVENN~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =