[Kathyf]

running Windows 2000

hijackthis log today after AVG was run: Other logs below

Logfile of HijackThis v1.99.1
Scan saved at 4:09:57 PM, on 11/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\DIRECWAY\BIN\dpcstart.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MSAC-FD1\MSstat.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\123 Free Solitaire\123FreeSolitaire.exe
C:\Documents and Settings\Administrator.KATHY-87KGFDBWY\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hughesnet.myway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {19615DDD-9DA2-B17E-7F76-09F134AFF1A8} - C:\WINNT\system32\ebvfvpc.dll
O2 - BHO: (no name) - {2BFF1EE6-0885-114B-F933-0195C3EC2C60} - C:\WINNT\system32\mryhppe.dll
O2 - BHO: (no name) - {2D86128A-F318-A748-A871-09AFA0430634} - C:\WINNT\system32\sciekad.dll
O2 - BHO: (no name) - {38A238E6-D148-00FC-0659-05E0D9E9C777} - C:\WINNT\system32\rtfwllj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5B430B52-E33B-71A6-E866-06A2CCCD6CF4} - C:\WINNT\system32\hnrakod.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [OSS] c:\winnt\system32\rk.exe -boot
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HP OfficeJet Series 500] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 500 NT\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 500\Install"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NetworkStartup] net share IPC$ /delete /yes
O4 - HKLM\..\Run: [Secure1] net share C$ /delete /yes
O4 - HKLM\..\Run: [Secure2] net share D$ /delete /yes
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [avoxlek.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\avoxlek.dll,zxgijgc
O4 - HKLM\..\Run: [Ultimate Cleaner] "C:\Program Files\Ultimate Cleaner\App.exe" hide
O4 - HKLM\..\Run: [yojicrj.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\yojicrj.dll,kefcjl
O4 - HKLM\..\Run: [vwplxah.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\vwplxah.dll,rmwtxcf
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [tvvxwpm.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\tvvxwpm.dll,zbjenmd
O4 - HKLM\..\Run: [pdvyeng.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\pdvyeng.dll,drjbxce
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [wnplayer] wnplayer.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Memory Stick Monitor.lnk = C:\Program Files\MSAC-FD1\MSstat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/...nx.1.0.0.67.cab
O16 - DPF: {2FB42B58-A74B-49B3-A6EA-53F0FB8483D2} (AdminimizerX.Editor) - http://www.adminimiz...dminimizerX.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safe...lscbase8460.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D866585-6FE2-4869-88C9-58421144DF25}: Domain = direcway.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D866585-6FE2-4869-88C9-58421144DF25}: NameServer = 66.82.4.8
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINNT\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Hughes Network Systems - C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
O23 - Service: fxSVC (fxScanner) - Unknown owner - C:\WINNT\fxsvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

HiJackThis Uninstall log
Ad-Aware SE Personal
Adobe Acrobat 7.0.8 Professional
Adobe Creative Suite
Adobe PageMaker Plug-in Pack
Adobe SVG Viewer 3.0
American Greetings® Art & More Store
ArcSoft Panorama Maker 3
AVG Anti-Spyware 7.5
CK Creative Clips and Fonts for Home, Family & Pets
CK McCormick Creative Clips & fonts
DING!
DIRECWAY
Google Toolbar for Internet Explorer
Hardwood Solitaire III Lite
HijackThis 1.99.1
HP All-in-One 2000
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart Essential
HP Photosmart, Officejet and Deskjet 7.0.A
HP Software Update
HP Solution Center 7.0
ImageMixer VCD/DVD2 for OLYMPUS
Internet Explorer Q903235
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 6
Kaspersky Online Scanner
LeapFrog® LeapPrint
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Flash Player 8
Memory Stick / Floppy Disk Adaptor
MGI PhotoSuite 8.1 (Remove Only)
Microsoft Data Access Components KB870669
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Professional
Microsoft Web Publishing Wizard 1.52
Nero
NetObjects Fusion 5.0
Norton WMI Update
OCR Software by I.R.I.S 7.0
OLYMPUS Master
Panda ActiveScan
Perfect Scrapbook Maker Express
Preclick PhotoBack Plug-in
PrintMaster 7.00
ProSavageDDR and Utilities
QuickTime
RealPlayer Basic
RelevantKnowledge
S3Display
S3Gamma2
S3Info2
S3Overlay
Serif DrawPlus 3.0
Smart Link 56K Voice Modem
Spybot - Search & Destroy 1.3
SureThing CD Labeler
TaxACT 2005
Trijinx
TrojanHunter 4.6
USB 2.0 Setup program
Walgreens PhotoShow Express
Windows 2000 Hotfix - KB819696
Windows 2000 Hotfix - KB823182
Windows 2000 Hotfix - KB823559
Windows 2000 Hotfix - KB824105
Windows 2000 Hotfix - KB825119
Windows 2000 Hotfix - KB826232
Windows 2000 Hotfix - KB828035
Windows 2000 Hotfix - KB828741
Windows 2000 Hotfix - KB828749
Windows 2000 Hotfix - KB835732
Windows 2000 Hotfix - KB837001
Windows 2000 Hotfix - KB839643
Windows 2000 Hotfix - KB839645
Windows 2000 Hotfix - KB840315
Windows 2000 Hotfix - KB840987
Windows 2000 Hotfix - KB841356
Windows 2000 Hotfix - KB841533
Windows 2000 Hotfix - KB841872
Windows 2000 Hotfix - KB841873
Windows 2000 Hotfix - KB842526
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB871250
Windows 2000 Hotfix - KB873333
Windows 2000 Hotfix - KB873339
Windows 2000 Hotfix - KB883939
Windows 2000 Hotfix - KB885250
Windows 2000 Hotfix - KB885835
Windows 2000 Hotfix - KB885836
Windows 2000 Hotfix - KB888113
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB890047
Windows 2000 Hotfix - KB890175
Windows 2000 Hotfix - KB890859
Windows 2000 Hotfix - KB891711
Windows 2000 Hotfix - KB891781
Windows 2000 Hotfix - KB893066
Windows 2000 Hotfix - KB893086
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB894320
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896727
Windows 2000 Hotfix - KB897715
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899588
Windows 2000 Hotfix - KB901214
Windows 2000 Service Pack 4
Windows Installer 3.1 (KB893803)
Windows Live OneCare safety scanner
Windows Media Player 7.1
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player Hotfix [See Q828026 for more information]
WinZip

Panda Active Scan Log as of 11/26/06


Incident Status Location

Adware:adware/commad Not disinfected Windows Registry
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/sqwire Not disinfected Windows Registry
Spyware:spyware/marketscore Not disinfected Windows Registry
Adware:adware/ieplugin Not disinfected Windows Registry
Adware:adware/searchexe Not disinfected Windows Registry
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Administrator.KATHY-87KGFDBWY\Cookies\administrator@adtech[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Administrator.KATHY-87KGFDBWY\Cookies\administrator@maxserving[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Administrator.KATHY-87KGFDBWY\Cookies\administrator@questionmarket[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator.KATHY-87KGFDBWY\Cookies\administrator@statcounter[1].txt
Spyware:Cookie/Atwola Not disinfected C:\WINNT\Cookies\administrator@atwola[1].txt
Spyware:Cookie/360i Not disinfected C:\WINNT\Cookies\[email protected][2].txt
Virus:Trj/Jupillites.G Disinfected C:\WINNT\system32\dxvwpcym.exe



Please advise as to how to rid my registry of cmdservice entries

THANK YOU IN ADVANCE for your help and all you do here.
Kathy

Edited by Kathyf, 26 November 2006 - 04:30 PM.

[Advertisements]

Hi

Please download ComboFix and save it to your desktop. We will use it later

Please download the Killbox by Option^Explicit. We will use it later



Please run a scan with HijackThis and check the following lines for removal:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {19615DDD-9DA2-B17E-7F76-09F134AFF1A8} - C:\WINNT\system32\ebvfvpc.dll
O2 - BHO: (no name) - {2BFF1EE6-0885-114B-F933-0195C3EC2C60} - C:\WINNT\system32\mryhppe.dll
O2 - BHO: (no name) - {2D86128A-F318-A748-A871-09AFA0430634} - C:\WINNT\system32\sciekad.dll
O2 - BHO: (no name) - {38A238E6-D148-00FC-0659-05E0D9E9C777} - C:\WINNT\system32\rtfwllj.dll
O2 - BHO: (no name) - {5B430B52-E33B-71A6-E866-06A2CCCD6CF4} - C:\WINNT\system32\hnrakod.dll
O4 - HKLM\..\Run: [avoxlek.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\avoxlek.dll,zxgijgc
O4 - HKLM\..\Run: [yojicrj.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\yojicrj.dll,kefcjl
O4 - HKLM\..\Run: [vwplxah.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\vwplxah.dll,rmwtxcf
O4 - HKLM\..\Run: [tvvxwpm.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\tvvxwpm.dll,zbjenmd
O4 - HKLM\..\Run: [pdvyeng.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\pdvyeng.dll,drjbxce
O4 - HKLM\..\RunServices: [wnplayer] wnplayer.exe
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINNT\Documents\Settings\winsys2f.dll (file missing)

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

Please download delcmdservice (by Marckie), and save it to your Desktop.
http://users.telenet...lcmdservice.zip

* Unzip the content to your Desktop (a folder named delcmdservice)
* Double-click on the delcmdservice folder
* Double-click on delreg.bat to launch the tool
* When the tool has finished, please reboot your computer.

After the Reboot

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply with a new Hijack log.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

[loophole]

Hi

Please download ComboFix and save it to your desktop. We will use it later

Please download the Killbox by Option^Explicit. We will use it later



Please run a scan with HijackThis and check the following lines for removal:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {19615DDD-9DA2-B17E-7F76-09F134AFF1A8} - C:\WINNT\system32\ebvfvpc.dll
O2 - BHO: (no name) - {2BFF1EE6-0885-114B-F933-0195C3EC2C60} - C:\WINNT\system32\mryhppe.dll
O2 - BHO: (no name) - {2D86128A-F318-A748-A871-09AFA0430634} - C:\WINNT\system32\sciekad.dll
O2 - BHO: (no name) - {38A238E6-D148-00FC-0659-05E0D9E9C777} - C:\WINNT\system32\rtfwllj.dll
O2 - BHO: (no name) - {5B430B52-E33B-71A6-E866-06A2CCCD6CF4} - C:\WINNT\system32\hnrakod.dll
O4 - HKLM\..\Run: [avoxlek.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\avoxlek.dll,zxgijgc
O4 - HKLM\..\Run: [yojicrj.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\yojicrj.dll,kefcjl
O4 - HKLM\..\Run: [vwplxah.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\vwplxah.dll,rmwtxcf
O4 - HKLM\..\Run: [tvvxwpm.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\tvvxwpm.dll,zbjenmd
O4 - HKLM\..\Run: [pdvyeng.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\pdvyeng.dll,drjbxce
O4 - HKLM\..\RunServices: [wnplayer] wnplayer.exe
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINNT\Documents\Settings\winsys2f.dll (file missing)

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

Please download delcmdservice (by Marckie), and save it to your Desktop.
http://users.telenet...lcmdservice.zip

* Unzip the content to your Desktop (a folder named delcmdservice)
* Double-click on the delcmdservice folder
* Double-click on delreg.bat to launch the tool
* When the tool has finished, please reboot your computer.

After the Reboot

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply with a new Hijack log.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

[Kathyf]

Loophole, when I ran combofix after about 4 minutes the screen went blue and my desktop was gone, clicking on my desktop icon in the task bar got me back to it BUT it continues to go blue if I click on anything else. All I did see while combofix ran was lots of entries of 'Cannot find' didn't file names. Did I do something incorrectly? below is the current hijackthis log
THANK YOU so much for your time and help.

Logfile of HijackThis v1.99.1
Scan saved at 08:40, on 06-11-26
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\DIRECWAY\BIN\dpcstart.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MSAC-FD1\MSstat.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\findstr.exe
C:\Documents and Settings\Administrator.KATHY-87KGFDBWY\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hughesnet.myway.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [OSS] c:\winnt\system32\rk.exe -boot
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HP OfficeJet Series 500] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 500 NT\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 500\Install"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NetworkStartup] net share IPC$ /delete /yes
O4 - HKLM\..\Run: [Secure1] net share C$ /delete /yes
O4 - HKLM\..\Run: [Secure2] net share D$ /delete /yes
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Ultimate Cleaner] "C:\Program Files\Ultimate Cleaner\App.exe" hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [pdvyeng.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\pdvyeng.dll,drjbxce
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Memory Stick Monitor.lnk = C:\Program Files\MSAC-FD1\MSstat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/...nx.1.0.0.67.cab
O16 - DPF: {2FB42B58-A74B-49B3-A6EA-53F0FB8483D2} (AdminimizerX.Editor) - http://www.adminimiz...dminimizerX.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safe...lscbase8460.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D866585-6FE2-4869-88C9-58421144DF25}: Domain = direcway.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D866585-6FE2-4869-88C9-58421144DF25}: NameServer = 66.82.4.8
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Hughes Network Systems - C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
O23 - Service: fxSVC (fxScanner) - Unknown owner - C:\WINNT\fxsvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[loophole]

Hi Kathy

Please run a scan with HijackThis and check the following lines for removal:

O4 - HKLM\..\Run: [pdvyeng.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\pdvyeng.dll,drjbxce

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

. Lets try a different version of combofix Click here to download, save to the desktop.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply with a new hijack log :.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

[Kathyf]

Loophole, I'm back to work this week. I will do as you suggest when I get home this afternoon.

Again, THANKS a bunch
Kathy

[Kathyf]

Combofix log

Administrator - Mon 2006-11-27 4:31:25.56 Service Pack 4
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Administrator.KATHY-87KGFDBWY\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Default User.WINNT\Application Data\NetMon
C:\Documents and Settings\All Users.WINNT\Documents\Settings


((((((((((((((((((((((((((((((( Files Created from 2006-10-26 to 2006-11-26 ))))))))))))))))))))))))))))))))))


2006-11-25 00:24 3,968 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2006-11-24 19:17 <DIR> d-------- C:\WINNT\system32\ActiveScan
2006-11-24 19:06 94,720 --a------ C:\WINNT\system32\pdvyeng.dll
2006-11-24 19:06 71,168 --a------ C:\WINNT\system32\sciekad.dll
2006-11-24 10:56 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2006-11-24 10:32 <DIR> d-------- C:\Documents and Settings\Administrator.KATHY-87KGFDBWY\Application Data\TrojanHunter
2006-11-24 09:57 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2006-11-18 21:13 <DIR> d-------- C:\Program Files\MSN Games
2006-11-18 19:29 526 --a------ C:\WINNT\system32\dxvwgbbf.exe
2006-11-16 18:16 95,232 --a------ C:\WINNT\system32\tvvxwpm.dll
2006-11-16 18:16 71,680 --a------ C:\WINNT\system32\hnrakod.dll
2006-11-11 17:23 526 --a------ C:\WINNT\system32\dxvwlpsn.exe
2006-11-10 21:38 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\PlayFirst
2006-11-10 21:38 <DIR> d-------- C:\Documents and Settings\Administrator.KATHY-87KGFDBWY\Application Data\PlayFirst
2006-11-10 17:16 <DIR> d-------- C:\Documents and Settings\Administrator.KATHY-87KGFDBWY\Application Data\Image Zone Express
2006-11-10 17:02 <DIR> d-------- C:\Documents and Settings\Administrator.KATHY-87KGFDBWY\Application Data\HP
2006-11-10 17:01 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\HP
2006-11-10 16:56 <DIR> d-------- C:\Program Files\Common Files\HP
2006-11-10 16:53 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2006-11-10 16:52 16,496 -ra------ C:\WINNT\system32\drivers\HPZipr12.sys
2006-11-10 16:51 77,824 -ra------ C:\WINNT\system32\HPZIDS01.dll
2006-11-10 16:51 598,016 -ra------ C:\WINNT\system32\hpotscl2.dll
2006-11-10 16:51 49,664 -ra------ C:\WINNT\system32\drivers\HPZid412.sys
2006-11-10 16:51 48,128 --a------ C:\WINNT\system32\hpzll054.dll
2006-11-10 16:51 282,624 -ra------ C:\WINNT\system32\HPZc3212.dll
2006-11-10 16:51 254,026 -ra------ C:\WINNT\system32\hpovst09.dll
2006-11-10 16:51 229,376 -ra------ C:\WINNT\system32\hpotpusd.dll
2006-11-10 16:51 12,592 --a------ C:\WINNT\system32\drivers\usbscan.sys
2006-11-10 16:06 94,208 --a------ C:\WINNT\system32\HPZipt12.dll
2006-11-10 16:06 69,632 --a------ C:\WINNT\system32\HPZipm12.exe
2006-11-10 16:06 65,536 --a------ C:\WINNT\system32\HPZinw12.exe
2006-11-10 16:06 57,344 --a------ C:\WINNT\system32\HPZisn12.dll
2006-11-10 16:06 282,680 --a------ C:\WINNT\system32\HPZidr12.dll
2006-11-10 16:06 204,800 --a------ C:\WINNT\system32\HPZipr12.dll
2006-11-10 16:04 <DIR> d-------- C:\Program Files\HP
2006-11-10 16:03 21,872 --a------ C:\WINNT\system32\drivers\usbprint.sys
2006-11-10 16:02 <DIR> d-ah----- C:\Config.Msi
2006-11-07 21:56 95,744 --a------ C:\WINNT\system32\vwplxah.dll
2006-11-07 21:56 72,192 --a------ C:\WINNT\system32\ebvfvpc.dll
2006-10-29 23:03 <DIR> d-------- C:\Program Files\Southwest Airlines
2006-10-29 23:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-10-29 23:03 <DIR> d-------- C:\Documents and Settings\Administrator.KATHY-87KGFDBWY\Application Data\Southwest Airlines
2006-10-28 18:38 94,720 --a------ C:\WINNT\system32\yojicrj.dll
2006-10-28 18:38 72,704 --a------ C:\WINNT\system32\rtfwllj.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-26 17:32 -------- d-a------ C:\Program Files\WinZip
2006-11-26 17:25 -------- d-a------ C:\Program Files\Spybot - Search & Destroy
2006-11-26 17:21 -------- d-a------ C:\Program Files\MSAC-FD1
2006-11-26 16:53 -------- d-a------ C:\Program Files\Internet Explorer
2006-11-26 16:51 -------- d-------- C:\Program Files\Google
2006-11-25 23:06 -------- d-a------ C:\Program Files\123 Free Solitaire
2006-11-25 00:24 -------- d-a------ C:\Program Files\Grisoft
2006-11-18 15:48 -------- d-------- C:\Documents and Settings\Administrator.KATHY-87KGFDBWY\Application Data\Adobe
2006-11-10 16:55 -------- d-------- C:\Program Files\Hewlett-Packard
2006-10-29 23:03 -------- d-a------ C:\Program Files\Common Files
2006-10-26 18:27 -------- d-------- C:\Program Files\Windows Live Safety Center
2006-10-22 17:38 -------- d-------- C:\Program Files\Windows Defender
2006-10-22 16:33 -------- d---s---- C:\Documents and Settings\Administrator.KATHY-87KGFDBWY\Application Data\Microsoft
2006-10-15 14:36 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-15 14:36 -------- d-------- C:\Program Files\ArcSoft
2006-10-15 14:36 -------- d-------- C:\Documents and Settings\Administrator.KATHY-87KGFDBWY\Application Data\ArcSoft
2006-10-14 23:15 -------- d-------- C:\Documents and Settings\Administrator.KATHY-87KGFDBWY\Application Data\Google
2006-10-13 22:01 -------- d-------- C:\Documents and Settings\Administrator.KATHY-87KGFDBWY\Application Data\Ultimate Cleaner
2006-10-10 18:27 76560 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2006-10-10 08:13 94720 --a------ C:\WINNT\system32\avoxlek.dll
2006-10-10 08:13 73216 --a------ C:\WINNT\system32\mryhppe.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\WALGRE~1\\WALGRE~1\\data\\Xtras\\mssysmgr.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"NeroCheck"="C:\\WINNT\\System32\\NeroCheck.exe"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"OSS"="c:\\winnt\\system32\\rk.exe -boot"
"AdobeVersionCue"="C:\\Program Files\\Adobe\\Adobe Version Cue\\ControlPanel\\VersionCueTray.exe"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
@=""
"HP OfficeJet Series 500"="\"C:\\Program Files\\Hewlett-Packard\\HP OfficeJet Series 500 NT\\bin\\ktchnsnk.exe\" -reg \"Software\\Hewlett-Packard\\OfficeJet Series 500\\Install\""
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"NetworkStartup"="net share IPC$ /delete /yes"
"Secure1"="net share C$ /delete /yes"
"Secure2"="net share D$ /delete /yes"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"IntelliType"="\"C:\\Program Files\\Microsoft Hardware\\Keyboard\\type32.exe\""
"Ultimate Cleaner"="\"C:\\Program Files\\Ultimate Cleaner\\App.exe\" hide"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft Synchronization Manager"="mircup.exe"
"wnplayer"="wnplayer.exe"
"Micrsoft Driver"="windriver32.exe"
"NT-Virtual Device Manager"="ntvdmn.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0


Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\Symantec NetDetect.job

Completion time: Mon 2006-11-27 4:33:42.74
C:\ComboFix.txt ... 06-11-27 04:33
C:\ComboFix2.txt ... 06-11-26 08:35
C:\ComboFix3.txt ... 06-11-26 22:16


hijackthis log 11/27/06 after fix of suggested file

Logfile of HijackThis v1.99.1
Scan saved at 04:29, on 06-11-27
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\DIRECWAY\BIN\dpcstart.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MSAC-FD1\MSstat.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Administrator.KATHY-87KGFDBWY\Desktop\HijackThis.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprbUpdate.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hughesnet.myway.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [OSS] c:\winnt\system32\rk.exe -boot
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HP OfficeJet Series 500] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 500 NT\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 500\Install"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NetworkStartup] net share IPC$ /delete /yes
O4 - HKLM\..\Run: [Secure1] net share C$ /delete /yes
O4 - HKLM\..\Run: [Secure2] net share D$ /delete /yes
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Ultimate Cleaner] "C:\Program Files\Ultimate Cleaner\App.exe" hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [pdvyeng.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\pdvyeng.dll,drjbxce
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Memory Stick Monitor.lnk = C:\Program Files\MSAC-FD1\MSstat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/...nx.1.0.0.67.cab
O16 - DPF: {2FB42B58-A74B-49B3-A6EA-53F0FB8483D2} (AdminimizerX.Editor) - http://www.adminimiz...dminimizerX.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safe...lscbase8460.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D866585-6FE2-4869-88C9-58421144DF25}: Domain = direcway.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D866585-6FE2-4869-88C9-58421144DF25}: NameServer = 66.82.4.8
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Hughes Network Systems - C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
O23 - Service: fxSVC (fxScanner) - Unknown owner - C:\WINNT\fxsvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


I think we may be getting close... still slow running but I haven't seen a 'you are infected' popup

Whoopeee... THANKS

[loophole]

Hi

We are getting close

Please run a scan with HijackThis and check the following lines for removal:

O4 - HKLM\..\Run: [pdvyeng.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\pdvyeng.dll,drjbxce

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.



Run Killbox

• Please double-click Killbox.exe to run it.
• Select:
  • Delete on Reboot
  • then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
  
  C:\WINNT\system32\dxvwgbbf.exe
  C:\WINNT\system32\tvvxwpm.dll
  C:\WINNT\system32\hnrakod.dll
  C:\WINNT\system32\dxvwlpsn.exe
  C:\WINNT\system32\vwplxah.dll
  C:\WINNT\system32\ebvfvpc.dll
  C:\WINNT\system32\yojicrj.dll
  C:\WINNT\system32\rtfwllj.dll
  C:\WINNT\system32\avoxlek.dll
  C:\WINNT\system32\mryhppe.dll
  
  
  
• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

Post a new Hijack log and let me know how the computer is running

[Kathyf]

latest hijackthis log;

Logfile of HijackThis v1.99.1
Scan saved at 6:53:37 AM, on 11/27/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\DIRECWAY\BIN\dpcstart.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MSAC-FD1\MSstat.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator.KATHY-87KGFDBWY\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hughesnet.myway.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [OSS] c:\winnt\system32\rk.exe -boot
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HP OfficeJet Series 500] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 500 NT\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 500\Install"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NetworkStartup] net share IPC$ /delete /yes
O4 - HKLM\..\Run: [Secure1] net share C$ /delete /yes
O4 - HKLM\..\Run: [Secure2] net share D$ /delete /yes
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Ultimate Cleaner] "C:\Program Files\Ultimate Cleaner\App.exe" hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Memory Stick Monitor.lnk = C:\Program Files\MSAC-FD1\MSstat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/...nx.1.0.0.67.cab
O16 - DPF: {2FB42B58-A74B-49B3-A6EA-53F0FB8483D2} (AdminimizerX.Editor) - http://www.adminimiz...dminimizerX.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safe...lscbase8460.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D866585-6FE2-4869-88C9-58421144DF25}: Domain = direcway.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D866585-6FE2-4869-88C9-58421144DF25}: NameServer = 66.82.4.8
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Hughes Network Systems - C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
O23 - Service: fxSVC (fxScanner) - Unknown owner - C:\WINNT\fxsvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

the file you wanted me to check for fix was not there... did I miss something?

Ran killbox with selection you said... received no msg after prompt for 'delete on reboot'

think we have got it? the restart was slow but getting online and windows coming up went well at least doesn't seem as slow and still no popups...

you are a genius and a lifesaver....

Kathy

[Kathyf]

O4 - HKLM\..\Run: [Ultimate Cleaner] "C:\Program Files\Ultimate Cleaner\App.exe" hide


this was one of the popups and I uninstall what my son had downloaded.... I don't want this on my computer... can I get rid of it?

THANKS

[loophole]

I wish I was a genius I completely missed that entry

You can fix that entry with Hijack

Now click >>start>>control panel >>add/remove programs and uninstall the following if present:
Ultimate Cleaner

Delete this folder:
C:\Program Files\Ultimate Cleaner

I'm not going to have you run an antivirus scan because you ran one earlier. But everything is back to normal?

[Kathyf]

The program doesn't show up in 'Add/Remove' nor is there a folder in 'Program files' ... where is that entry coming from and why does it say 'hide' at the end?

Other than that I seem to be running fine.... You are a genius... and the service of 'geekstogo' is a godsend for alot of folks.... THANK YOU, THANK YOU, THANK YOU!!!!!!!

I've run Ad Aware and Spybot again.. NOTHING in Spybot and only 1 tracking in Ad Aware

QUESTION! - Are there any of the programs or things I've downloaded as directed that need to be uninstalled and next what can I do to keep these items from getting back in my system???


Kathy

Edited by Kathyf, 27 November 2006 - 11:00 PM.