[soh]

I have recently (within last week) reformatted my machine - a clean install of XP. It has taken me a couple of days to organise AV protection, and I also only finished downloading Service Pack 2. After scanning today I fuond over 70 infections with AdAware, over 50 with Spybot S &D, and over 180 with AVG.
Seem to have cleaned a lot of them but am still having problems. AVG Shield keeps pointing out things that seem to belong to something called Zlob. Also something callin iteslf AdComm. Many other nuisances, but am mostly worried about Trojans, awful popups and holdups.

[Advertisements]

Welcome to G2G's Malware Forum.

My name is Technical_1 and I will be analyzing your log.

As I am still in training, my posts must first be approved by one of the instructors before posting them here for you. This is to ensure accurate information for you. Thanks for your understanding. I'll be back with some help as quickly as possible.

[Technical_1]

Welcome to G2G's Malware Forum.

My name is Technical_1 and I will be analyzing your log.

As I am still in training, my posts must first be approved by one of the instructors before posting them here for you. This is to ensure accurate information for you. Thanks for your understanding. I'll be back with some help as quickly as possible.

[Technical_1]

• Please Download Hijack This.
• Save HJTsetup.exe to your desktop.
• Doubleclick on the HJTsetup.exe icon on your desktop.
• By default it will install to C:\Program Files\Hijack This.
• Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
• Put a check by Create a desktop icon then click Next again.
• Continue to follow the rest of the prompts from there.
• At the final dialogue box click Finish and it will launch Hijack This.
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
• Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
• Come back here to this thread and Paste the log in your next reply.
• DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

[soh]

Thanks. One added complication since my last post is that my IE browser has been hijacked by www.ieuptodate. Here is the HJT logfile:


Logfile of HijackThis v1.99.1
Scan saved at 12:23:22, on 05/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\AOL\1162221018\ee\AOLHostManager.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\AOL\1162221018\ee\AOLServiceHost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
c:\program files\common files\aol\1162221018\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\Photodex\ProShowProducer\proshow.exe
C:\Program Files\Photodex\ProShowProducer\dshow.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Photodex\ProShowProducer\pxplay.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Owner\Local Settings\Temp\wz6870\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ncic.org.uk/
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1162221018\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvdeg.dll,startup
O4 - HKLM\..\Run: [pkthwtn.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\pkthwtn.dll,trleccg
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ipxawgk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ipxawgk.dll,lwviykf
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A968AA4-C8BD-42BC-B88C-4662B70AF1DE}: NameServer = 205.188.146.145
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3RlcGhlbiBPJ0hhcmE\command.exe (file missing)
O23 - Service: MS Common Service - Unknown owner - C:\WINDOWS\System32\mscomserv.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

[Technical_1]

Hello again soh,

There are definitely a couple problems there. Also, the fact that there are no 02 or 020 entries leads me to believe we have something hiding as well. Let's rename Hijack This to something else and get another scan.

• Rename Hijack This.
  • Right Click on Hijack This and select rename.
  • Change the name to AnalyseThat.exe
  From now on, when I refer to running a scan or fixing any entries with Hijack This, you will use Analyze That.
  
• Please re-open HiJackThis and scan and save a new log file.
• Post Logs
  • New Hijack This Log

[soh]

What is the purpose of renaming?

Here it is, and thanks

Logfile of HijackThis v1.99.1
Scan saved at 18:39:11, on 05/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\1162221018\ee\AOLHostManager.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\AOL\1162221018\ee\AOLServiceHost.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
c:\program files\common files\aol\1162221018\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Canon\ZoomBrowser EX\Program\ZoomBrowser.exe
C:\Program Files\Common Files\AOL\1162221018\ee\AOLServiceHost.exe
C:\Documents and Settings\Owner\Desktop\Analyse That.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ncic.org.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt4.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {63832A44-CE12-48FC-C72A-07D2380FAA2A} - C:\WINDOWS\system32\rubcwlf.dll
O2 - BHO: (no name) - {69A91084-62E1-4781-13B2-04CE44E795D5} - C:\WINDOWS\System32\klyiwbh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C9276FDF-CCCC-4DF3-86A3-F3507717E1B1} - C:\WINDOWS\System32\ddaya.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\System32\nfiwvhfr.dll
O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\jkkkjii.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1162221018\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvdeg.dll,startup
O4 - HKLM\..\Run: [pkthwtn.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\pkthwtn.dll,trleccg
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ipxawgk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ipxawgk.dll,lwviykf
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A968AA4-C8BD-42BC-B88C-4662B70AF1DE}: NameServer = 205.188.146.145
O20 - Winlogon Notify: ddaya - C:\WINDOWS\System32\ddaya.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkkkjii - C:\WINDOWS\SYSTEM32\jkkkjii.dll
O20 - Winlogon Notify: winpdc32 - winpdc32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3RlcGhlbiBPJ0hhcmE\command.exe (file missing)
O23 - Service: MS Common Service - Unknown owner - C:\WINDOWS\System32\mscomserv.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

[Technical_1]

What is the purpose of renaming?

Sometimes, as is the case here, the offender can hide from Hijack This as well as some of the scanners. We rename Hijack This to get it to show it's ugly head. If you look at your second log a little closer now, you will see that you have some entries under the 02 and 020 sections. Those were not there in the first log. This however, does not mean they are all bad. We will get the ones we need as we go along.

Let's get at cleaning you up.

• Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt, along with any other requested logs, in your next reply.
  Note: It is possible that VundoFix encountered a file it could not remove.
  In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
• Let's get an Uninstall List from HijackThis:
  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.
• Please re-open HiJackThis and scan and save a new log file.
• Post Logs
  • Vundofix.txt
  • Uninstall List
  • New Hijack This Log

[soh]

Here goes....


VundoFix V6.2.6

Checking Java version...

Java version is 1.5.0.8

Scan started at 01:30:29 06/11/2006

Listing files found while scanning....

C:\WINDOWS\system32\klyiwbh.dll
C:\WINDOWS\system32\rubcwlf.dll
C:\WINDOWS\System32\ddaya.dll
C:\WINDOWS\System32\ayadd.ini
C:\WINDOWS\System32\ayadd.bak1
C:\WINDOWS\System32\ayadd.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\klyiwbh.dll
C:\WINDOWS\system32\klyiwbh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rubcwlf.dll
C:\WINDOWS\system32\rubcwlf.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\ddaya.dll
C:\WINDOWS\System32\ddaya.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\ayadd.ini
C:\WINDOWS\System32\ayadd.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\ayadd.bak1
C:\WINDOWS\System32\ayadd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\ayadd.bak2
C:\WINDOWS\System32\ayadd.bak2 Has been deleted!

Performing Repairs to the registry.
Done!
__________________________________________________________________________

Absolute Sound Recorder version 3.4.3
Ad-Aware SE Personal
Adobe Acrobat 6.0 Professional
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Help Center 1.0
Adobe InDesign CS
Adobe Stock Photos 1.0
AOL Coach Version 1.0(Build:20040229.1 uk)
AOL Connectivity Services
AOL Toolbar
AOL UK (Choose which version to remove)
AOL Uninstaller
AOL You've Got Pictures Screensaver
Araneae 5.0.0
AV Music Morpher 2.0.97 Gold
AVG Anti-Spyware 7.5
BitTorrent 4.26.0
BT Voyager 105 ADSL Modem
BT Voyager Modem AOL Test
Canon Camera Support Core Library
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window DVC for ZoomBrowser EX
Canon Camera Window for ZoomBrowser EX
Canon EOS Kiss_N REBEL_XT 350D WIA Driver
Canon Internet Library for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 1.6.1
Canon Utilities EOS Capture 1.3
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
ConvertXtoDVD 2.0.13
Dell ResourceCD
DivX Codec
DivX Player
dlatray.exe
EPSON PhotoQuicker3.5
EPSON Print CD
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
ESPR200 Reference Guide
ESPR200 Software Guide
ffdshow (remove only)
HijackThis 1.99.1
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
Image Resizer Powertoy for Windows XP
Intel® Extreme Graphics Driver
J2SE Runtime Environment 5.0 Update 8
LimeWire 4.12.6
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks 8
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
MemoriesOnTV 3.0.3
Microsoft Office FrontPage 2003
Microsoft Office XP Professional with FrontPage
Mozilla Firefox (2.0)
PCHealth
PCI Audio Driver
Photodex Presenter
PIF DESIGNER2.1
Power MP3 Cutter Joiner 1.12
PowerDVD
Print Screen Deluxe
ProShow Gold
ProShow Producer
QuickTime
RealPlayer Basic
RecordNow.exe
ScanToWeb
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
SGTRAY.EXE
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SoundMAX
Spybot - Search & Destroy 1.4
Ulead DVD MovieFactory 4.0
Ulead iPhoto Express 1.1
Uninstall Plus! Trial v3.2
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885295
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
WinZip



__________________________________________________________________________



Logfile of HijackThis v1.99.1
Scan saved at 01:47:41, on 06/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\AOL\1162221018\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1162221018\ee\AOLServiceHost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\rundll32.exe
c:\program files\common files\aol\1162221018\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\Analyse That.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ncic.org.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt0.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {63832A44-CE12-48FC-C72A-07D2380FAA2A} - C:\WINDOWS\system32\rubcwlf.dll (file missing)
O2 - BHO: (no name) - {69A91084-62E1-4781-13B2-04CE44E795D5} - C:\WINDOWS\System32\klyiwbh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C9276FDF-CCCC-4DF3-86A3-F3507717E1B1} - C:\WINDOWS\System32\ddaya.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\System32\nfiwvhfr.dll
O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\jkkkjii.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1162221018\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvdeg.dll,startup
O4 - HKLM\..\Run: [pkthwtn.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\pkthwtn.dll,trleccg
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ipxawgk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ipxawgk.dll,lwviykf
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A968AA4-C8BD-42BC-B88C-4662B70AF1DE}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkkkjii - C:\WINDOWS\SYSTEM32\jkkkjii.dll
O20 - Winlogon Notify: winpdc32 - winpdc32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: MS Common Service - Unknown owner - C:\WINDOWS\System32\mscomserv.exe (file missing)
O23 - Service: (Network Monitor) - Unknown owner - C:\WINDOWS\.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

[Technical_1]

Hello again soh,

Looks like you've got some new variants of Vundo there. Before we continue killing them off, I would like to ask a favor of you. Since this version is new, and the tool did not detect it, I need you to upload a copy of the offending file(s) so the creator of Vundofix can add them to the tool.

• Upload Files
  • Please go here to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\WINDOWS\system32\jkkkjii.dll in the second filename box
  • In the comments, please mention that I asked you to upload this file.
  • Click on Send File
• Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the entry below into the top box:
    
    • C:\WINDOWS\system32\jkkkjii.dll
  • Click Add Files and Click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
• Post Logs
  • vundofix.txt
  • New Hijack This Log

Edited by Technical_1, 06 November 2006 - 08:16 PM.

[soh]

Sorry, but I cannot find C:\WINDOWS\system32\jkkkjii.dll on my system.

I am enclosing the HJT and Vundo logs.

Something new: My AOL spyware scanner (which runs in the background all the time but rarely finds anything) has come up with these tonight:

ISearch
ImIServerIEPlugin
Puper DB
Puper

Finally, I have something on my computer which barks at me! Honestly, every now and then my computer makes noises like a dog barking at me. I know its malware of some sort, but I cannot track it down.

Logfile of HijackThis v1.99.1
Scan saved at 22:59:25, on 07/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\1162221018\ee\AOLHostManager.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\1162221018\ee\AOLServiceHost.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
c:\program files\common files\aol\1162221018\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1162221018\ee\AOLServiceHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Documents and Settings\Owner\Desktop\Analyse That.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ncic.org.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1274E11D-9701-4647-A7DB-100573A47130} - C:\WINDOWS\system32\geebc.dll (file missing)
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {63832A44-CE12-48FC-C72A-07D2380FAA2A} - C:\WINDOWS\system32\rubcwlf.dll (file missing)
O2 - BHO: (no name) - {69A91084-62E1-4781-13B2-04CE44E795D5} - C:\WINDOWS\System32\klyiwbh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C9276FDF-CCCC-4DF3-86A3-F3507717E1B1} - C:\WINDOWS\System32\ddaya.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\System32\nfiwvhfr.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1162221018\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvdeg.dll,startup
O4 - HKLM\..\Run: [pkthwtn.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\pkthwtn.dll,trleccg
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ipxawgk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ipxawgk.dll,lwviykf
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A968AA4-C8BD-42BC-B88C-4662B70AF1DE}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winpdc32 - winpdc32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: MS Common Service - Unknown owner - C:\WINDOWS\System32\mscomserv.exe (file missing)
O23 - Service: (Network Monitor) - Unknown owner - C:\WINDOWS\.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe




VundoFix V6.2.6

Checking Java version...

Java version is 1.5.0.8

Scan started at 01:30:29 06/11/2006

Listing files found while scanning....

C:\WINDOWS\system32\klyiwbh.dll
C:\WINDOWS\system32\rubcwlf.dll
C:\WINDOWS\System32\ddaya.dll
C:\WINDOWS\System32\ayadd.ini
C:\WINDOWS\System32\ayadd.bak1
C:\WINDOWS\System32\ayadd.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\klyiwbh.dll
C:\WINDOWS\system32\klyiwbh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rubcwlf.dll
C:\WINDOWS\system32\rubcwlf.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\ddaya.dll
C:\WINDOWS\System32\ddaya.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\ayadd.ini
C:\WINDOWS\System32\ayadd.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\ayadd.bak1
C:\WINDOWS\System32\ayadd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\ayadd.bak2
C:\WINDOWS\System32\ayadd.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.6

Checking Java version...

Java version is 1.5.0.8

Scan started at 20:07:05 07/11/2006

Listing files found while scanning....

C:\WINDOWS\system32\geebc.dll
C:\WINDOWS\system32\cbeeg.ini
C:\WINDOWS\system32\cbeeg.bak1
C:\WINDOWS\system32\cbeeg.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\geebc.dll
C:\WINDOWS\system32\geebc.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\cbeeg.ini
C:\WINDOWS\system32\cbeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbeeg.bak1
C:\WINDOWS\system32\cbeeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbeeg.bak2
C:\WINDOWS\system32\cbeeg.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\geebc.dll
C:\WINDOWS\system32\geebc.dll Has been deleted!

Performing Repairs to the registry.
Done!

[Technical_1]

Finally, I have something on my computer which barks at me! Honestly, every now and then my computer makes noises like a dog barking at me.

I can honestly say, that's a new one on me. Let's keep getting them and see if it clears up.

• Remove Questionable Programs. Go to Start > Control Panel > Add/Remove Programs. Scroll down to and highlight each of the following programs and select uninstall/remove:
  • Viewpoint Media Player<-----Related Link
    
• Remove Bad Services
  • Go to Start->Run and type in notepad and hit OK.
  • Then copy and paste the contents of the following Quote box into Notepad:
    
    

    sc stop MS Common Service
    sc delete MS Common Service
    del delete.bat

  • Save the file as "delete.bat". <== Make sure to save it with the quotes.
  • Double click delete.bat.
• Please download the Killbox by Option^Explicit.
  
  Note:In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
• Please RUN HijackThis.
  • . Click the SCAN button to produce a log.
  • Place a check mark beside the following items:
    
    O2 - BHO: (no name) - {1274E11D-9701-4647-A7DB-100573A47130} - C:\WINDOWS\system32\geebc.dll (file missing)
    O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt0.dll (file missing)
    O2 - BHO: (no name) - {63832A44-CE12-48FC-C72A-07D2380FAA2A} - C:\WINDOWS\system32\rubcwlf.dll (file missing)
    O2 - BHO: (no name) - {69A91084-62E1-4781-13B2-04CE44E795D5} - C:\WINDOWS\System32\klyiwbh.dll (file missing)
    O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\System32\nfiwvhfr.dll
    O4 - HKLM\..\Run: [ipxawgk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ipxawgk.dll,lwviykf
  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
• Please double-click Killbox.exe to run it.
  • Select
    • "Delete on Reboot
    • Then click on the "All Files" button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C
    
    C:\WINDOWS\System32\nfiwvhfr.dll
    C:\WINDOWS\system32\ipxawgk.dll
    
  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
  If your computer does not restart automatically, please restart it manually.
• Please download ATF Cleaner by Atribune.
  This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
  Under Main choose: Select All
  Click the Empty Selected button.
  If you use Firefox browserClick Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  If you use Opera browserClick Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  Click Exit on the Main menu to close the program.
  For Technical Support, double-click the e-mail address located at the bottom of each menu.
• Scan with AVG Anti-Spyware 7.5
  • Please update and scan your system with the free version of AVG Anti-Spyware Scanner: AVG Anti-Spyware 7.5
  • From the main ewido screen, click on UPDATE in the top menu, then click the Start Update link.
  • After the update finishes (the status bar near the top will inform you of progress), click on the Scanner button in the top menu, then click on the Settings tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
  • Click on the Scan tab. Then click on Complete System Scan. This scan will take a while, please be patient.
  • Once the scan is complete, you will be prompted if any items are found that need attention. Select Apply all actions. This will take a moment or two.
  • When AVG Anti-Spyware Scanner reports All Actions Have been Applied you can close AVG Anti-Spyware Scanner. The report was automatically saved if the settings were set as instructed. The report will be located at C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
• Please re-open HiJackThis and scan and save a new log file.
• Post Logs
  • AVG Anti-Spyware Results
  • New Hijack This Log