
smitfraud zlob and smitfraud toolbar NEED HELP please



#1
kooldudeman

tried removing it with smitrem
tried ewido
tried spybot
tried trend micro
tried adaware plus


Logfile of HijackThis v1.99.1
Scan saved at 7:45:30 PM, on 11/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis.exe

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winload32] C:\WINDOWS\SYSTEM32\Winload32.exe
O4 - HKLM\..\Run: [WinLoad] C:\WINDOWS\system32\Winload.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133741024\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE" /autocheck
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.11.1.5\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptoda...pdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1073001353796
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} -
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
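The log above is what the helpers read by hand, line by line. As an added example (not part of this thread, of HijackThis, or of any tool the helpers name), the Python below parses the `Onn - ...` entries and the running-process paths, extracts the executable each one points at, and flags entries for manual review with the same kinds of checks a helper applies: target file missing, bare filenames resolved via PATH, anything running from a temp folder, and unrecognised binaries in or under system32. The sample lines are copied from the logs in this thread; the two allowlists are constructed for this example and deliberately tiny.

```python
"""Triage helper for HijackThis-style log lines: a flag means "look closer", never "malware"."""
import re
from typing import List, NamedTuple, Optional

# Constructed sample: a handful of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\SYSTEM32\explorer32\WinsysMngr32.exe
C:\DOCUME~1\TYLER\LOCALS~1\TEMP\RAR$EX00.328\PROCEXP.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winload32] C:\WINDOWS\SYSTEM32\Winload32.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\DOCUME~1\Tyler\LOCALS~1\Temp\MiniBug.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

# Hypothetical, deliberately tiny allowlists that belong to this example only.
KNOWN_SYSTEM32 = {"ctfmon.exe", "userinit.exe", "rundll32.exe"}  # expected directly in system32
KNOWN_SYSTEM32_SUBDIRS = {"wbem", "drivers", "spool"}             # normal system32 subfolders

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")    # "O4 - HKLM\..\Run: [name] command"
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.+$")  # a line from the "Running processes" block
NAME_RE = re.compile(r"\[([^\]]*)\]")        # O4 value name in brackets
# An executable path (drive or %var% prefix, may contain spaces) or a bare filename.
# The extension must be followed by a quote, whitespace or the end of the line, so
# "mcafee.com\agent\mcagent.exe" is not cut off at ".com".
_EXT = r'\.(?:exe|dll|ocx|cmd|bat|scr|com)(?=["\s]|$)'
EXE_RE = re.compile(r'((?:[A-Za-z]:\\|%\w+%\\)[^"]*?' + _EXT + r'|\b[\w.~$-]+' + _EXT + r')', re.IGNORECASE)

class Entry(NamedTuple):
    section: str   # "O4", "O9", "O23", ... or "process" for a running-process line
    name: str
    path: str
    missing: bool  # HijackThis appends "(file missing)" when the target is absent

class Finding(NamedTuple):
    section: str
    name: str
    path: str
    reasons: List[str]

def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; headers, blank lines and unknown formats give None."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if m:
        section, rest = m.groups()
        nm = NAME_RE.search(rest)
        # O4 lines carry the Run value name in brackets; other sections get the
        # text before the first " - " separator (e.g. the O23 service description).
        name = nm.group(1) if nm else rest.split(" - ")[0]
        target = rest[nm.end():] if nm else rest
        pm = EXE_RE.search(target)
        return Entry(section, name, pm.group(1) if pm else "", "(file missing)" in rest)
    if PROCESS_RE.match(line):
        return Entry("process", line.rsplit("\\", 1)[-1], line, False)
    return None

def review(entry: Entry) -> List[str]:
    """Apply the heuristics a log helper checks by eye; each hit is one reason to look."""
    reasons = []
    low = entry.path.lower()
    if entry.missing:
        reasons.append("target file missing: stale entry or a component already removed")
    if entry.path and "\\" not in entry.path:
        reasons.append("bare filename resolved via PATH: confirm which copy actually runs")
    if "\\temp\\" in low or "temporary internet files" in low:
        reasons.append("runs from a temporary directory: unusual for a legitimate autostart")
    direct = re.search(r"\\system32\\([^\\]+)$", low)
    if direct and direct.group(1) not in KNOWN_SYSTEM32:
        reasons.append("unlisted binary directly in system32: verify publisher and signature")
    sub = re.search(r"\\system32\\([^\\]+)\\", low)
    if sub and sub.group(1) not in KNOWN_SYSTEM32_SUBDIRS:
        reasons.append(f"executable under a non-standard system32 subfolder ({sub.group(1)})")
    return reasons

def triage(log_text: str) -> List[Finding]:
    """Parse a whole log and return only the entries that tripped a heuristic."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            reasons = review(entry)
            if reasons:
                findings.append(Finding(entry.section, entry.name, entry.path, reasons))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<8}{f.name}\n        {f.path}")
        for r in f.reasons:
            print(f"        - {r}")
```

Legitimate tools unpacked to a temp folder (the Process Explorer line in the sample) trip the temp-directory check too, which is why the output is a review list and not a verdict.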


#2
Flrman1

Hi kooldudeman

Welcome to GTG!

* Click here to download SmitfraudFix.zip and save it to your desktop.
  • Unzip (extract) the contents of SmitfraudFix.zip to a new SmitfraudFix folder on your desktop.
  • Don't do anything with it yet. You'll run it later in safe mode.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs and may therefore alert the user.
http://www.beyondlog...processutil.htm


* Download the free version of AVG Anti-Spyware 7.5 here.
  • Click on the "Download Now" button and save the setup file to your desktop.
  • Double-click on the avgas-setup file to begin the installation.
  • When the installation is complete, open AVG Anti-Spyware and update the definition files.
  • On the main screen click on the "Update now" link and the update should begin immediately.
    • If the update does not begin, select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • When the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
  • If you cannot download the updates, update manually according to the directions here.
  • If you do the manual update, look under "Full database" and click the "Download now" button.
  • DO NOT run a scan yet. You will do that later in safe mode.

* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.


* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Run AVG Anti-Spyware:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • It will then begin the scanning process, be patient it may take a while for the scan to complete.
  • When the scan is complete, you must select an action.
  • Select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen
  • Save the report as a text file and save it to your desktop.
  • Close AVG Anti-Spyware.

* Run the SmitfraudFix:
  • Open the SmitfraudFix folder again and double-click the smitfraudfix.cmd file.
  • Select option #2 - Clean by typing 2 and press "Enter" to delete the infected files.
  • You will receive this prompt:
    • "Registry cleaning - Do you want to clean the registry ?"
  • Answer "Yes" by typing Y and press "Enter" and it will begin cleaning the infection.
  • Next the tool will check to see if wininet.dll is infected.
  • You may be prompted to replace the infected wininet.dll file if it is found.
  • Answer "Yes" by typing Y and press "Enter".
  • The tool may need to restart your computer to finish the cleaning process.
  • If it doesn't restart your computer automatically when it is finished, restart it back to Windows normally yourself.
  • A text file will appear onscreen, with results from the cleaning process.
  • Copy and paste the contents of that report into your next reply to this thread along with a new Hijack This log.
  • If the report doesn't open after you restart back to Windows normally, the report can be found at the root of the system drive, usually C:\rapport.txt.


#3
Flrman1

* Also open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad. Copy and paste that list here.

#4
kooldudeman

this is the avg log
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:35:44 PM 11/28/2006

+ Scan result:

C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP194\A0055898.dll -> Adware.Aws : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP213\A0059233.dll -> Adware.Aws : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP184\A0054912.exe -> Adware.ClickSpring : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP179\A0054328.dll -> Adware.EZula : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP183\A0054740.dll -> Adware.EZula : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP184\A0054874.dll -> Adware.EZula : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP184\A0054982.dll -> Adware.EZula : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP186\A0055124.dll -> Adware.EZula : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP186\A0055145.dll -> Adware.EZula : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP187\A0055274.dll -> Adware.EZula : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP189\A0055403.dll -> Adware.EZula : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP191\A0055463.dll -> Adware.EZula : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP191\A0055464.dll -> Adware.EZula : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP191\A0055465.dll -> Adware.EZula : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP195\A0056169.dll -> Adware.EZula : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP198\A0056270.dll -> Adware.EZula : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP234\A0067147.dll -> Adware.EZula : No action taken.
C:\Documents and Settings\Tyler\Local Settings\Temporary Internet Files\Content.IE5\PELA8UAA\122[1].net -> Adware.Maxifiles : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP189\A0055327.exe -> Adware.Maxifiles : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP238\A0069763.ocx -> Adware.MediaMotor : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP209\A0057802.dll -> Adware.PrintView : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP238\A0069730.dll -> Adware.PurityScan : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP213\A0059235.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP232\A0066084.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP232\A0066085.exe -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP232\A0066086.exe -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP234\A0067158.exe -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP234\A0067529.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP234\A0067530.exe -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP238\A0068668.exe -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP238\A0068703.exe -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP239\A0069786.exe -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP239\A0069787.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP247\A0070375.exe -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP213\A0059234.exe -> Adware.SurfSide : No action taken.
C:\!KillBox\justin_new.exe -> Adware.TrafficSol : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP171\A0052355.dll -> Adware.TrafficSol : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP234\A0067145.dll -> Adware.TrafficSol : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP238\A0068690.exe -> Adware.TrafficSol : No action taken.
C:\WINDOWS\system32\adrotate.dll -> Adware.TrafficSol : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP221\A0059580.exe -> Adware.Trymedia : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP238\A0069728.dll -> Adware.Virtumonde : No action taken.
C:\WINDOWS\system32\cbxywtt.dll -> Adware.Virtumonde : No action taken.
C:\WINDOWS\system32\gebbxyv.dll -> Adware.Virtumonde : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP173\A0052763.exe -> Adware.ZenoSearch : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP173\A0052765.exe -> Adware.ZenoSearch : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP173\A0052766.exe -> Adware.ZenoSearch : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP178\A0054134.exe -> Adware.ZenoSearch : No action taken.
C:\Documents and Settings\Tyler\Local Settings\Temporary Internet Files\Content.IE5\PELA8UAA\wlzip32[1].exe -> Downloader.Agent.bca : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP213\A0059229.exe -> Downloader.Agent.c : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP130\A0032923.dll -> Downloader.Zlob.aix : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP133\A0033529.dll -> Downloader.Zlob.ajg : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP232\A0066088.exe -> Downloader.Zlob.axt : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP234\A0066177.exe -> Downloader.Zlob.aya : No action taken.
C:\WINDOWS\system32\CompControls.ocx -> Not-A-Virus.Monitor.Win32.PCTattletale.a : No action taken.
C:\WINDOWS\system32\MSN32.dll -> Not-A-Virus.Monitor.Win32.PCTattletale.a : No action taken.
C:\WINDOWS\system32\explorer32\chattext.dll -> Not-A-Virus.Monitor.Win32.PCTattletale.a : No action taken.
C:\Program Files\Cain\Abel.dll -> Not-A-Virus.PSWTool.Win32.Cain.284 : No action taken.
C:\Program Files\Cain\Abel.exe -> Not-A-Virus.PSWTool.Win32.Cain.284 : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP131\A0032936.dll -> Not-A-Virus.PSWTool.Win32.Cain.284 : No action taken.
C:\System Volume Information\_restore{A4A08791-9E85-41CF-B774-D096D3F6C4B9}\RP131\A0032946.exe -> Not-A-Virus.PSWTool.Win32.Cain.284 : No action taken.
:mozilla.85:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.86:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.19:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.56:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.57:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.58:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.59:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.60:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.61:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.21:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.54:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.55:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.73:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.94:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
C:\Documents and Settings\Tom\Cookies\tom@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.76:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.77:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.31:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.33:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.35:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.36:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
C:\Documents and Settings\Tom\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.20:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.22:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.23:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.24:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.65:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.Webtrendslive : No action taken.
:mozilla.66:C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\5vcz6odh.default\cookies.txt -> TrackingCookie.Webtrendslive : No action taken.


::Report end

and this is the smitfraud fix log
\SmitFraudFix v2.125

Scan done at 21:38:37.37, Tue 11/28/2006
Run from C:\Documents and Settings\Tom\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

and this is the new HJT log. It wouldn't let me save the uninstall list.... the program just shut down

Logfile of HijackThis v1.99.1
Scan saved at 9:59:20 PM, on 11/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\SYSTEM32\explorer32\WinsysMngr32.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRAM FILES\BITTORRENT\BITTORRENT.EXE
C:\DOCUME~1\TYLER\LOCALS~1\TEMP\RAR$EX00.328\PROCEXP.EXE
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SYSTEM32\explorer32\WinsysMngr32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plaxo\2.11.1.5\PlaxoHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\PROGRAM FILES\YAHOO!\WIDGETENGINE\YAHOOWIDGETENGINE.EXE
C:\PROGRAM FILES\YAHOO!\WIDGETENGINE\YAHOOWIDGETENGINE.EXE
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\EXPLORER.EXE
C:\DOCUME~1\TYLER\LOCALS~1\TEMP\RAR$EX00.328\PROCEXP.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCMAIN.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis.exe

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winload32] C:\WINDOWS\SYSTEM32\Winload32.exe
O4 - HKLM\..\Run: [WinLoad] C:\WINDOWS\system32\Winload.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133741024\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [Tray Temperature] C:\DOCUME~1\Tyler\LOCALS~1\Temp\MiniBug.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.11.1.5\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptoda...pdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1073001353796
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} -
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

#5
Flrman1 (Malware Assassin, Retired Staff)

Please post the uninstall list as I requested:

* Also open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad. Copy and paste that list here.



#6
kooldudeman (Member, Topic Starter)

Whenever I click Save List, HJT closes.

#7
Flrman1 (Malware Assassin, Retired Staff)

* Download WinPFind
  • Right Click the Zip Folder and Select "Extract All"
  • Extract it somewhere you will remember like the Desktop
  • Don't do anything with it yet!

* Click here for info on how to boot to safe mode if you don't already know how.


Reboot into Safe Mode


Double-click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient and let it complete.

Reboot back to Normal Mode!

  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Attach the WinPFind.txt to your next post here please.
  • Don't try to copy and paste it. It will be too long for one post.


#8
kooldudeman (Member, Topic Starter)

WinPFind thingy

Attached Files



#9
Flrman1 (Malware Assassin, Retired Staff)

Sorry for the late reply. Somehow I overlooked your last reply last night. I'm looking through the Winpfind log now. I'll post directions for you shortly.

#10
Flrman1 (Malware Assassin, Retired Staff)

1. Click here to download The Avenger by Swandog46 and save it to your desktop.
  • Unzip the Avenger.zip file to extract ALL files it contains.
  • Extract it to your desktop
2. Copy all the text contained in the quote box below to your Clipboard by highlighting it and pressing (Ctrl+C) or right clicking it and choosing "Copy":

Files to delete:
C:\WINDOWS\SYSTEM32\drvtad.dll
C:\WINDOWS\SYSTEM32\jpauxhcf.exe
C:\WINDOWS\SYSTEM32\kanhviia.dll
C:\WINDOWS\system32\dgjlm.bak1
C:\WINDOWS\system32\dgjlm.bak2
C:\WINDOWS\system32\dgjlm.ini
C:\WINDOWS\system32\dgjlm.ini2
C:\WINDOWS\system32\dgjlm.tmp
C:\WINDOWS\system32\gebbxvu.dll
C:\WINDOWS\system32\mljgd.dll
C:\WINDOWS\system32\xxywtsp.dll
C:\WINDOWS\system32\prahu.dll
C:\WINDOWS\system32\vorenbj.dll
C:\WINDOWS\system32\gebbxvu.dll
C:\WINDOWS\system32\fmrwyyf.dll
C:\WINDOWS\system32\ixt0.dll
C:\WINDOWS\SYSTEM32\Winload32.exe
C:\WINDOWS\system32\Winload.exe

Registry keys to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{099D0986-C204-F967-3343-00A64FA96FB9}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CAE0B22-FFB7-417E-8CFF-4465CF632F70}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4F44A60F-2842-AF62-27AC-07AC7B862A69}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{755bbd1a-aa59-456c-afeb-b4c42c4dcb6f}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AB985708-C77E-4E06-AA17-C1EBA99889FE}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CF0B24E7-942A-B3DE-79E7-B19EFB4054B2}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebbxvu
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\opnnnop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjks32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winosz32

Registry values to delete:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {3CAE0B22-FFB7-417E-8CFF-4465CF632F70}


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text that you copied to clipboard from the quote box above into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Come back here to this thread. Copy and paste the contents of c:\avenger.txt into your reply along with a fresh Hijack This log.
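An added example, not part of this thread and not The Avenger's or HijackThis's own code: a small linter for a script in the form the helper posted above. It parses the three section headers the script uses ("Files to delete:", "Registry keys to delete:", "Registry values to delete:"), reports entries listed twice (the script above lists gebbxvu.dll twice), and cross-checks the file list against the O4 Run lines from the first HijackThis log: a file that is deleted while its HKLM Run value is not also listed under "Registry values to delete" leaves an orphaned Run entry behind. The excerpts are trimmed copies of the two posts; the function names, the EXE_RE heuristic and the assumption that Avenger accepts a "Drivers to unload" header (mentioned in the helper's step 4) are mine.

```python
"""Lint an Avenger script and cross-check it against HijackThis O4 (Run)
lines.  Added example for this thread, not Avenger's or HijackThis's own
code; the section names, the "key | value" syntax and the two excerpts are
copied from the posts, the helper names are mine."""
import re
from collections import Counter

# Trimmed copy of the script posted above (the duplicated gebbxvu.dll line
# is in the original too).
AVENGER_SCRIPT = r"""
Files to delete:
C:\WINDOWS\SYSTEM32\drvtad.dll
C:\WINDOWS\system32\gebbxvu.dll
C:\WINDOWS\system32\mljgd.dll
C:\WINDOWS\system32\gebbxvu.dll
C:\WINDOWS\SYSTEM32\Winload32.exe
C:\WINDOWS\system32\Winload.exe

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebbxvu
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljgd

Registry values to delete:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {3CAE0B22-FFB7-417E-8CFF-4465CF632F70}
"""

# O4 lines copied from the first HijackThis log in this thread.
HJT_O4_LINES = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winload32] C:\WINDOWS\SYSTEM32\Winload32.exe
O4 - HKLM\..\Run: [WinLoad] C:\WINDOWS\system32\Winload.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\DOCUME~1\Tyler\LOCALS~1\Temp\MiniBug.exe 1
""".strip().splitlines()

# Section headers seen in this thread; "drivers to unload" is assumed from the
# helper's step 4.  Extend if your script uses other Avenger sections.
KNOWN_SECTIONS = {"files to delete", "registry keys to delete",
                  "registry values to delete", "drivers to unload"}
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
# Shortest prefix ending in an executable extension; copes with unquoted
# paths that contain spaces and with trailing arguments.
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat|cmd))\b", re.I)


def norm(path):
    """Windows names are case-insensitive and tolerate doubled backslashes."""
    return re.sub(r"\\+", r"\\", path).strip().lower()


def parse_script(text):
    """Return {section: [entries]} in file order.  Unknown headers raise so a
    typo does not silently turn a whole section into no-ops."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1].lower()
            if current not in KNOWN_SECTIONS:
                raise ValueError(f"unknown section header: {line}")
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line}")
        else:
            sections[current].append(line)
    return sections


def find_duplicates(entries):
    """Entries listed more than once.  Avenger works top to bottom, so the
    second copy fails with 'not found' (status 0xc0000034)."""
    counts = Counter(norm(e) for e in entries)
    return sorted(e for e, n in counts.items() if n > 1)


def run_targets(hjt_lines):
    """(hive, value name, executable path) for every O4 Run line."""
    out = []
    for line in hjt_lines:
        m = O4_RE.match(line)
        if not m:
            continue
        exe = EXE_RE.match(m.group(3).lstrip('"'))
        if exe:
            out.append((m.group(1), m.group(2), exe.group(1)))
    return out


def orphaned_run_values(sections, hjt_lines):
    """Run values that point at a file the script deletes but are not
    themselves listed under 'Registry values to delete'.  Deleting only the
    file leaves the Run entry behind."""
    deleted = {norm(p) for p in sections.get("files to delete", [])}
    listed = {norm(v) for v in sections.get("registry values to delete", [])}
    orphans = []
    for hive, name, path in run_targets(hjt_lines):
        if norm(path) in deleted:
            value = (f"{HIVES[hive]}\\Software\\Microsoft\\Windows"
                     f"\\CurrentVersion\\Run | {name}")
            if norm(value) not in listed:
                orphans.append(value)
    return orphans


if __name__ == "__main__":
    s = parse_script(AVENGER_SCRIPT)
    print("listed twice:", find_duplicates(s["files to delete"]))
    print("Run values to add:", *orphaned_run_values(s, HJT_O4_LINES), sep="\n  ")
```

Run against the excerpts it prints the duplicated gebbxvu.dll line and the two HKLM Run values (winload32 and WinLoad) that the script does not remove; adding those two lines under "Registry values to delete" would have cleared the O4 entries in the same pass.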


#11
kooldudeman (Member, Topic Starter)

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\nkkpxgrx

*******************

Script file located at: \??\C:\Documents and Settings\dottkmay.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\SYSTEM32\drvtad.dll deleted successfully.


File C:\WINDOWS\SYSTEM32\jpauxhcf.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\jpauxhcf.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\jpauxhcf.exe
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\kanhviia.dll deleted successfully.
File C:\WINDOWS\system32\dgjlm.bak1 deleted successfully.
File C:\WINDOWS\system32\dgjlm.bak2 deleted successfully.
File C:\WINDOWS\system32\dgjlm.ini deleted successfully.
File C:\WINDOWS\system32\dgjlm.ini2 deleted successfully.
File C:\WINDOWS\system32\dgjlm.tmp deleted successfully.
File C:\WINDOWS\system32\gebbxvu.dll deleted successfully.
File C:\WINDOWS\system32\mljgd.dll deleted successfully.
File C:\WINDOWS\system32\xxywtsp.dll deleted successfully.


File C:\WINDOWS\system32\prahu.dll not found!
Deletion of file C:\WINDOWS\system32\prahu.dll failed!

Could not process line:
C:\WINDOWS\system32\prahu.dll
Status: 0xc0000034

File C:\WINDOWS\system32\vorenbj.dll deleted successfully.


File C:\WINDOWS\system32\gebbxvu.dll not found!
Deletion of file C:\WINDOWS\system32\gebbxvu.dll failed!

Could not process line:
C:\WINDOWS\system32\gebbxvu.dll
Status: 0xc0000034

File C:\WINDOWS\system32\fmrwyyf.dll deleted successfully.


File C:\WINDOWS\system32\ixt0.dll not found!
Deletion of file C:\WINDOWS\system32\ixt0.dll failed!

Could not process line:
C:\WINDOWS\system32\ixt0.dll
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\Winload32.exe deleted successfully.
File C:\WINDOWS\system32\Winload.exe deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{099D0986-C204-F967-3343-00A64FA96FB9} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CAE0B22-FFB7-417E-8CFF-4465CF632F70} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4F44A60F-2842-AF62-27AC-07AC7B862A69} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} deleted successfully.


Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AB985708-C77E-4E06-AA17-C1EBA99889FE} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AB985708-C77E-4E06-AA17-C1EBA99889FE} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CF0B24E7-942A-B3DE-79E7-B19EFB4054B2} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebbxvu deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljgd deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\opnnnop deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjks32 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winosz32 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{3CAE0B22-FFB7-417E-8CFF-4465CF632F70} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 7:12:19 AM, on 12/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\EXPLORER.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\PROGRAM FILES\VALVE\STEAM\STEAM.EXE
C:\Program Files\Plaxo\2.5.10.17\PlaxoHelper.exe
C:\PROGRAM FILES\BITTORRENT\BITTORRENT.EXE
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - {CF0B24E7-942A-B3DE-79E7-B19EFB4054B2} - C:\WINDOWS\system32\prahu.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {37BC7EF2-E4AA-4E4B-9F10-CBF5AA342956} - C:\WINDOWS\system32\mljgd.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winload32] C:\WINDOWS\SYSTEM32\Winload32.exe
O4 - HKLM\..\Run: [WinLoad] C:\WINDOWS\system32\Winload.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133741024\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [Tray Temperature] C:\DOCUME~1\Tyler\LOCALS~1\Temp\MiniBug.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.17\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptoda...pdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1073001353796
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} -
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
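An added example, not part of this thread and not The Avenger's or HijackThis's own code: it reads an Avenger result log of the shape posted above, attaches each "Status: 0x..." line to the failure before it, decodes the NTSTATUS (0xc0000034 is STATUS_OBJECT_NAME_NOT_FOUND, i.e. the object was already gone), and separates real failures from entries that only failed because they were listed twice in the script (gebbxvu.dll above). It then scans lines from the follow-up HijackThis log for loose ends: entries HijackThis marks "(file missing)" and Run entries still naming a file Avenger removed, both of which the second log above shows for prahu.dll, mljgd.dll and Winload32.exe. The log excerpts are trimmed copies of the posts; the Result class, the helper names and the two extra NTSTATUS codes in the table are mine.

```python
"""Reconcile an Avenger result log with what it was asked to do, then scan a
follow-up HijackThis log for entries that still point at removed files.
Added example for this thread, not Avenger's or HijackThis's own code; the
excerpts are trimmed copies of the posts above, the helper names are mine."""
import re
from dataclasses import dataclass

# NTSTATUS values Avenger may report.  The thread shows only 0xc0000034;
# the other two are added here as common alternatives.
NTSTATUS = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
    0xC0000022: "STATUS_ACCESS_DENIED",
}
RESULT_RE = re.compile(
    r"^(File|Registry key|Registry value) (.+?) (deleted successfully\.|not found!)$")
STATUS_RE = re.compile(r"^Status: (0x[0-9a-fA-F]{8})$")

# Trimmed copy of the Avenger log posted above.
AVENGER_LOG = r"""
File C:\WINDOWS\SYSTEM32\drvtad.dll deleted successfully.


File C:\WINDOWS\SYSTEM32\jpauxhcf.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\jpauxhcf.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\jpauxhcf.exe
Status: 0xc0000034

File C:\WINDOWS\system32\gebbxvu.dll deleted successfully.


File C:\WINDOWS\system32\gebbxvu.dll not found!
Deletion of file C:\WINDOWS\system32\gebbxvu.dll failed!

Could not process line:
C:\WINDOWS\system32\gebbxvu.dll
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\Winload32.exe deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljgd deleted successfully.


Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AB985708-C77E-4E06-AA17-C1EBA99889FE} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AB985708-C77E-4E06-AA17-C1EBA99889FE} failed!
Status: 0xc0000034
"""

# Lines copied from the HijackThis log posted after the Avenger run.
HJT_AFTER = r"""
R3 - URLSearchHook: (no name) - {CF0B24E7-942A-B3DE-79E7-B19EFB4054B2} - C:\WINDOWS\system32\prahu.dll (file missing)
O2 - BHO: (no name) - {37BC7EF2-E4AA-4E4B-9F10-CBF5AA342956} - C:\WINDOWS\system32\mljgd.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [winload32] C:\WINDOWS\SYSTEM32\Winload32.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
""".strip().splitlines()


@dataclass
class Result:
    kind: str      # "File", "Registry key" or "Registry value"
    target: str
    ok: bool
    status: int = 0  # NTSTATUS of a failure; 0 (STATUS_SUCCESS) otherwise


def parse_avenger_log(text):
    """One Result per 'deleted successfully' / 'not found!' line.  The
    'Status: 0x...' line that follows a failure is attached to that failure."""
    results, pending = [], None
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            ok = m.group(3).startswith("deleted")
            pending = Result(m.group(1), m.group(2), ok)
            results.append(pending)
            if ok:
                pending = None
            continue
        s = STATUS_RE.match(line)
        if s and pending is not None:
            pending.status = int(s.group(1), 16)
            pending = None
    return results


def decode(status):
    return NTSTATUS.get(status, f"unknown NTSTATUS {status:#010x}")


def summarize(results):
    """(removed, failed, listed_twice).  A failure whose target was removed
    earlier in the same run means the script simply listed it twice."""
    removed = [r.target for r in results if r.ok]
    failed = [(r.target, decode(r.status)) for r in results if not r.ok]
    done = {t.lower() for t in removed}
    twice = [t for t, _ in failed if t.lower() in done]
    return removed, failed, twice


def stale_entries(hjt_lines, removed):
    """HijackThis lines that still name a removed file, or that HijackThis
    itself flags '(file missing)': the entries to fix in the next pass."""
    names = {r.rsplit("\\", 1)[-1].lower() for r in removed if ":\\" in r}
    return [line for line in hjt_lines
            if "(file missing)" in line.lower()
            or any(n in line.lower() for n in names)]


if __name__ == "__main__":
    removed, failed, twice = summarize(parse_avenger_log(AVENGER_LOG))
    for target, why in failed:
        print("FAILED", target, why, "(listed twice)" if target in twice else "")
    for line in stale_entries(HJT_AFTER, removed):
        print("STALE ", line)
```

On the excerpt, the only failures that are not explained by a duplicate script line are jpauxhcf.exe and the {AB985708-...} BHO key, which were already absent; the three stale HijackThis lines are the ones a helper would normally have the user fix with HijackThis itself.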

#12
Flrman1 (Malware Assassin, Retired Staff)

Try posting the uninstall list now please:

* Open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad. Copy and paste that list here.

#13
kooldudeman (Member, Topic Starter)

888Bar
Acoustica Effects Pack
Ad-Aware SE Plus
Adobe Download Manager 1.2 (Remove Only)
Adobe PhotoDeluxe 2.0
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0.7
AOL Instant Messenger
AOL Uninstaller (Choose which Products to Remove)
ArcSoft PhotoStudio 5.5
ArcSoft Software Suite
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI DVD Decoder 2.2.0.0
ATI HYDRAVISION
ATI Multimedia Center 8.8.0.0
AuthorScript Engine 1.0
AutoHotkey 1.0.44.06
AVG Anti-Spyware 7.5
BitTorrent 5.0.1
Cain & Abel v2.9
Calendar Creator
Canon PhotoRecord
Canon PIXMA iP4000
Canon Utilities Easy-PhotoPrint
Carmen Sandiego's Great Chase Through Time
DAO
DAO (Data Access Objects) 3.5
DeadAIM
DFX for Windows Media Player
DivX Player
DivX Pro Trial
DVD Shrink 3.2
Easy Chef's Million Recipes
Easy-WebPrint
Empire Earth II
Enable S3 for USB Device
G-Force
Google Earth
Google Video Uploader
Google Web Accelerator
GUIDE PLUS+™ for Windows® System - ATI
HashTab Shell Extension 1.11 for x64
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Image Transfer
ImageMixer for Sony
InterActual Player
iPod for Windows 2006-01-10
iPod Updater 2004-11-15
IrfanView (remove only)
ISO Recorder
ISO Recorder
iTunes
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
JD Secure 3.1
LEGO Chess
Lemmings for Windows 95
Macromedia Flash Player 8
Macromedia Shockwave Player
MapSource - US Topo v3.02
Marvell Miniport Driver
MatchWare Mediator 7 Std Installation
Mavis Beacon Teaches Typing 9.0.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Age of Empires II
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Visual C++ 2005 Express Edition - ENU
Microsoft Visual C++ 2005 Express Edition - ENU
Microsoft Web Publishing Wizard 1.52
MicroStaff WINASPI
Mighty Math Number Heroes
Mozilla Firefox (2.0)
MS Access 97 SP2
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
Nero Media Player
Nero OEM
NeroVision Express 2
Nikon Message Center
NVIDIA Drivers
OpenMG Limited Patch 4.2-05-07-27-01
OpenMG Secure Module 4.2.00
Palm Desktop
Palm Desktop
PictureProject
Plaxo Toolbar for Outlook (with AIM Enhancements)
Plugin Manager 2.1
Plustek Scanner Installation
Pocket Tunes 3.0.9
Pocket Video Maker - PALM Edition Uninstaller
PowerDVD
QuickBooks Pro 2006
QuickTime
Realtek AC'97 Audio
Registry Mechanic 6.0
Risk II
Schoolhouse Rock: Math Rock
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
SonicStage 3.2
Sony ACID Pro 5.0c
Sony Ericsson PC Suite 1.20.237
Sony Media Manager 2.0
Sony USB Driver
SpongeBob SquarePants Employee of the Month
Spybot - Search & Destroy 1.4
Steam
StepMania (remove only)
Super Solvers Reading Ages 9-12
The ClueFinders Reading Adventures Ages 9-12
The Print Shop Signature Greetings 1.0
TI Connect 1.6
Trend Micro PC-cillin Internet Security 2006
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Valve Hammer Editor
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Defender
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888240
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WINTREB
WinZip
Xfire (remove only)
XviD MPEG-4 Video Codec
Yahoo! Widget Engine

#14
Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Copy these instructions to notepad and save them to your desktop. You will need them to refer to.


* Go to Add/Remove programs and uninstall these:

888Bar
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
Viewpoint Manager (Remove Only)
Viewpoint Media Player


Note: If any of these will not uninstall, skip it and move on with the rest. Make note of any that don't uninstall and let me know about it so we can deal with it later.


* Now go here and install the latest version of Java.


* Click here to download ATF Cleaner by Atribune and save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use Firefox:
      • Click Firefox at the top and choose: Select All
      • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera:
      • Click Opera at the top and choose: Select All
      • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
** Before you proceed with the removal directions below you need to turn off Windows Defender's realtime protection as it will interfere with the changes we are trying to make.
  • Open Windows Defender and click on Tools > General Settings.
  • Scroll down and remove the check by "Turn on realtime protection (recommended)".
  • Click "Save"
  • Restart your computer.
  • Leave it disabled until we are finished here.

* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)

R3 - URLSearchHook: (no name) - {CF0B24E7-942A-B3DE-79E7-B19EFB4054B2} - C:\WINDOWS\system32\prahu.dll (file missing)

O2 - BHO: (no name) - {37BC7EF2-E4AA-4E4B-9F10-CBF5AA342956} - C:\WINDOWS\system32\mljgd.dll (file missing)

O4 - HKLM\..\Run: [winload32] C:\WINDOWS\SYSTEM32\Winload32.exe

O4 - HKLM\..\Run: [WinLoad] C:\WINDOWS\system32\Winload.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -

O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} -

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} -



* Restart your computer.


* Run ActiveScan online virus scan here

When the scan is finished, click on the "Save Report" button and save the results of the scan to your desktop.

Post a new HiJackThis log along with the results from ActiveScan.
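As an added illustration (not part of Flrman1's post and not code from HijackThis itself), the Python below parses log lines in the HijackThis format used throughout this thread and flags the structural red flags the tool itself records: "(file missing)", "(no file)", hooks and BHOs registered with "(no name)", and O16 DPF entries with nothing after the CLSID. The sample lines are constructed from the entries in this post; note that the two Winload autorun entries are deliberately not caught, because separating a malicious O4 entry from a legitimate one such as SoundMan takes the name-based knowledge the helper supplied, not line structure.

```python
import re

# Constructed sample log: the entries Flrman1 asked to have fixed, plus one
# legitimate O4 entry (SoundMan) from the poster's own log for contrast.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - {CF0B24E7-942A-B3DE-79E7-B19EFB4054B2} - C:\WINDOWS\system32\prahu.dll (file missing)
O2 - BHO: (no name) - {37BC7EF2-E4AA-4E4B-9F10-CBF5AA342956} - C:\WINDOWS\system32\mljgd.dll (file missing)
O4 - HKLM\..\Run: [winload32] C:\WINDOWS\SYSTEM32\Winload32.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -
"""

# A HijackThis entry is "<section tag> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_entry(line):
    """Split one log line into section tag, body and CLSID; None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    clsid = CLSID_RE.search(m.group("body"))
    return {"kind": m.group("kind"), "body": m.group("body"),
            "clsid": clsid.group(0) if clsid else None}


def suspicious_reasons(entry):
    """Structural red flags that HijackThis itself writes into the line text."""
    kind, body = entry["kind"], entry["body"].rstrip()
    reasons = []
    if "(file missing)" in body or body.endswith("(no file)"):
        reasons.append("points at a file that is no longer on disk")
    if kind in ("R3", "O2") and "(no name)" in body:
        reasons.append("hook/BHO registered without a display name")
    if kind == "O16" and body.endswith("-"):
        reasons.append("ActiveX (DPF) entry with no name or codebase")
    return reasons


def triage(log_text):
    """Map each flagged entry's body to its reasons; clean-looking entries are omitted."""
    # O4 autorun entries with an existing file (the Winload pair here) carry no
    # structural marker, so they are not flagged; that judgment needs a name lookup.
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and (reasons := suspicious_reasons(entry)):
            flagged[entry["body"]] = reasons
    return flagged
```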

#15
kooldudeman

    Member

  • Topic Starter
  • Member
  • 16 posts
my add/remove programs thing doesn't work.... it says that rundll32.dll is missing