
Possible Smitfraud or Virtumonde infection



#1
metalchick666

Hi,

I was hit by a drive-by download that bypassed my Zone Alarm firewall and AVG antivirus. When using Firefox I get popups in IE. Also, I am no longer able to access my IMAP email using Outlook Express and I cannot get to a few antivirus programs suggested on this site such as the PandaScan and ATF Cleaner. I've tried to fix using AdAware, Spybot and AVG but they have not worked.

Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 3:09:31 PM, on 4/25/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi6.ebay.com...I...t=8&rows=25
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://cgi6.ebay.com...I...t=8&rows=25
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [POINTER] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [NVIEW] "rundll32.exe" nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bits...om/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineco...loadcontrol.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildt...nce/install.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/gf.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://talisma.webe...bex/ieatgpc.cab
O21 - SSODL: ZoneAlarm - {85F60C7C-6FB9-A35C-C1D5-66DEF483E0A5} - C:\Program Files\Zone Labs\ZoneAlarm\images.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe




Thanks in advance for your help!


#2
Anthony10

Hi metalchick666,

I am currently working on your log under expert supervision and will be back ASAP. Thanks.

Anthony.

#3
Anthony10

Hi metalchick666,

Go Here and download ATF cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).

If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.

-------------------

Launch AVG Anti-Spyware 7.5.

On the top of the main screen click Shield. Then click the word active to change it to inactive.

You will need to also update AVG Anti-Spyware 7.5 to the latest definition files. On the top of the main screen click Update. Then click on Start Update. The update will start and a progress bar will show the updates being installed.

Now close AVG Anti-Spyware 7.5 (don't scan just yet).

--------------------

Open HijackThis, run a scan, place a check next to the following entries and then click Fix checked:

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildt...nce/install.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://talisma.webe...bex/ieatgpc.cab


------------------

Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).

---------------------

Make sure all windows are closed and run AVG Anti-Spyware 7.5. Click Scanner, then click on the Scan tab. Click Complete System Scan to begin scanning. When the scan is complete click Recommended Action and change it to Quarantine. Then click Apply all actions.

Once the scan has finished, click the Save report button, then click Save Report As. This will create a text file. Make sure you know where to find this file again.

---------------------

Then reboot back to Normal Mode.

---------------------

Go here and download Blacklight (fsbl.exe) and save it to your C folder.

XP Instructions

Right-click on fsbl.exe and choose "Create Shortcut". Right-click on the shortcut and choose "Send To > Desktop". When you have done this, go to your Desktop, right-click on the new shortcut and choose Properties. Where it says "Target", after fsbl.exe hit your spacebar and then type /expert. Next click Apply and OK.

This is what the target information looks like on my computer.

C:\fsbl.exe /expert


To start Blacklight this time, doubleclick on the new Shortcut, accept the agreement and then click on Scan and wait for it to finish (you should see that it is running in Expert Mode now).

If it displays any hidden processes, don't do anything with them yet. Just click on "Close". It will create a log in Your C folder (fsbl-<date-and-time>.log).

Please copy and paste the Blacklight log file in your next post and your AVG log please, along with a new HijackThis scan. You can use separate posts if needed.

Anthony.

#4
metalchick666

Hi Anthony,

I cannot download the ATF Cleaner. When I click on that link I get a box that says "You Have Chosen to open ATF-Cleaner.exe, Would you like to save this file?"

When I click on Save File it just disappears and never downloads. I even did a search through my files and folders and it did not save. I have tried numerous times.

#5
metalchick666

OK, I was able to download ATF Cleaner.
Blacklight said no hidden items were found.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:06:07 PM 4/25/2007

+ Scan result:



C:\WINDOWS\icont.exe -> Adware.AdURL : Cleaned with backup (quarantined).
C:\Program Files\iWin Games\__delete_on_reboot__I_W_I_N_G_A_~_1_._D_L_L_ -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP852\A0118735.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\WINDOWS\furlxbeh.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1015.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1018.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1101.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\Program Files\hbinst\Hbinst.exe -> Adware.HotBar : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/BnzRMCore.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/BuzRMASFP.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/IYSENG.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/IgetClnt.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/MGDAERR.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/TFAPI.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/THPUI16.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/VOT32161.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/WRDMPS.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/alledit.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/amifil32.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/bac42d.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/dfmv2clt.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/dhmrtp.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/di7vb.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/doser.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/fgsrch.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/fpdrclnr.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/guard.tmp -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/hfd.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/hgtplug.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/jIvaprxy.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/jcsd400.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/kadsl1.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/mcl_qic.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/mhltus40.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/msg208.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/myorcl32.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/ojhlp30e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/rVsapi32.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/unbmon.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/wcps.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/wfnotify.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/wisdmod.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/wpps.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/wxadmod.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/wyigest.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/xJctsrv.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/zvib.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Program Files\backup-20050630-221847-870.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Program Files\backups\backup-20051018-232815-654.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system\UpdInst.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Program Files\backups\backup-20070421-134417-241.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Program Files\backups\backup-20070421-134552-610.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Program Files\backups\backup-20070421-151653-762.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\vturrrq.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\install007.exe -> Trojan.SecondThought.ao : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\install007.exe -> Trojan.SecondThought.ao : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\install007.exe -> Trojan.SecondThought.ao : Cleaned with backup (quarantined).


::Report end

HIJACK THIS LOG:
Logfile of HijackThis v1.99.1
Scan saved at 11:14:43 PM, on 4/25/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi6.ebay.com...I...t=8&rows=25
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://cgi6.ebay.com...I...t=8&rows=25
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [POINTER] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [NVIEW] "rundll32.exe" nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bits...om/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineco...loadcontrol.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/gf.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/...aploader_v6.cab
O21 - SSODL: ZoneAlarm - {85F60C7C-6FB9-A35C-C1D5-66DEF483E0A5} - C:\Program Files\Zone Labs\ZoneAlarm\images.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks!
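
One way to triage an AVG Anti-Spyware report like the one in the post above by script (an added example, not part of the thread or of any tool it mentions): it parses the `path -> name : action` lines and separates stored copies (System Restore points, archive members) from files sitting in loadable locations. The location categories and function names are assumptions made for this illustration; the sample lines are copied from the report above.

```python
import re
from collections import Counter, namedtuple

# A subset of lines copied from the AVG Anti-Spyware report posted above.
SAMPLE_REPORT = r"""
+ Scan result:

C:\WINDOWS\icont.exe -> Adware.AdURL : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP852\A0118735.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/BnzRMCore.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/IYSENG.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Program Files\backups\backup-20070421-134417-241.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\vturrrq.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\install007.exe -> Trojan.SecondThought.ao : Cleaned with backup (quarantined).

::Report end
"""

Detection = namedtuple("Detection", "path threat action location")

# Report line layout as seen in the post: <path> -> <detection name> : <action>
LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<threat>\S+) : (?P<action>.+)$")

# Categories (assumed for this example) whose files are stored copies:
# they are not started from that location by the system.
STORED = {"system_restore", "archive_member"}


def classify_location(path):
    """Map a reported path to a coarse location category."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system_restore"   # copy kept inside a System Restore point
    if ".zip/" in p:
        return "archive_member"   # the report writes archive.zip/member
    if "\\downloaded program files\\" in p:
        return "activex_cache"    # IE's store for downloaded ActiveX controls
    if re.match(r"^[a-z]:\\windows\\", p):
        return "windows_dir"
    return "other"


def parse_report(text):
    """Return a Detection for every result line; header lines are skipped."""
    detections = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            detections.append(Detection(m["path"], m["threat"], m["action"],
                                        classify_location(m["path"])))
    return detections


def summarize(detections):
    """Count detections per name, broken down by location category."""
    summary = {}
    for d in detections:
        summary.setdefault(d.threat, Counter())[d.location] += 1
    return summary


def live_candidates(detections):
    """Detections outside restore points and archives: review these first."""
    return [d for d in detections if d.location not in STORED]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for threat, places in sorted(summarize(found).items()):
        print(f"{threat:28} {dict(places)}")
    print("Review first:")
    for d in live_candidates(found):
        print("  ", d.path, "->", d.threat)
```
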

#6
Anthony10

Hi,

We will use a different method to empty the Temporary files.

Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click Yes.

------------

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

------------

Disable your antivirus program and go here and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee.

When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All. Then copy/paste that log back here.

Anthony.

#7
metalchick666

Hi. Thanks for the reply. I downloaded and ran Cleanup!

Here is the HijackThis uninstall_list.txt

Absolute HTML Compressor 1.14
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0.9
Adobe Shockwave Player
ALi USB2.0 Driver
Alohabob PC Relocator Ultra Control
AOL Instant Messenger
Apple Software Update
ArcSoft PhotoImpression
AVG 7.5
AVG Anti-Spyware 7.5
Azureus
Blasterball 2 from Compaq (remove only)
Blaze Audio RipEditBurn 2 Trial
Bounce from Compaq (remove only)
Cannonballs from Compaq (remove only)
CD/Spectrum Pro
CleanUp!
Compaq Connections
Compaq Organize
DFX for MUSICMATCH
DirectX 9 Hotfix - KB839643
DivX Codec 3.1alpha release
Excavation from Compaq (remove only)
Five Card Frenzy from Compaq (remove only)
GemMaster 3 from Compaq (remove only)
HijackThis 2.0.0
Honeycombs from Compaq (remove only)
HP Deskjet Preloaded Printer Drivers
HP Printer Scanner Copier Enhancer
Intel® Extreme Graphics Driver
Intel® 810 Chipset Graphic Driver End User Diagnostics Software
IntelliMover Data Transfer Demo
Internet Explorer Q903235
Internet Lottery 1.2.0
iPod for Windows 2005-09-06
Ipswitch WS_FTP LE
iTunes
iWin Games (remove only)
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
Jewel Quest II (remove only)
KBD
Lexmark X6100 Series
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Macromedia Flash Player 8
MGI PhotoSuite 8.06 (Remove Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Data Access Components KB870669
Microsoft IntelliPoint 4.0
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft Office XP Professional
Microsoft Plus! Digital Media Edition
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Works 7.0
Mozilla Firefox (2.0.0.2)
Mozilla Firefox (2.0.0.3)
MP3 Splitter & Joiner
MUSICMATCH® Jukebox
MySpaceIM
NVIDIA Gart Driver
NVIDIA Windows 2000/XP Display Drivers
OLYMPUS CAMEDIA Master 4.2
One-touch Multimedia Keyboard
Orbital from Compaq (remove only)
Otto from Compaq (remove only)
Outerinfo
Print to Fax
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2003 New User Edition
QuickTime
RealOne Player
RecordNow!
Registrar Lite 2.00
S3Display
S3Gamma2
S3Info2
S3Overlay
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896426)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Shockwave
Slyder from Compaq (remove only)
SonicWALL Global VPN Client
SoulSeek Client 156b
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
VX2 Cleaner plug-in for Ad-Aware SE
WebEx
Winamp3 (remove only)
Windows Driver Package - Realtek Semiconductor Corp. MEDIA 12/12/2003 5.10.00.5410
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Hotfix - KB820291
Windows XP Hotfix - KB821253
Windows XP Hotfix - KB822603
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB883357
Windows XP Hotfix - KB883939
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Hotfix - KB897715
Windows XP Hotfix - KB905915
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB916281
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486
Windows XP Hotfix (SP2) [See q329256 for more information]
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q329112
Windows XP Hotfix (SP2) Q329909
Windows XP Hotfix (SP2) Q331958
Windows XP Hotfix (SP2) Q811789
Windows XP Hotfix (SP2) Q814995
WinRAR archiver
Yahoo! Messenger
ZoneAlarm

Here is the BitDefender report:

BitDefender Online Scanner

Scan report generated at: Sat, Apr 28, 2007 - 16:23:34

Scan path: A:\;C:\;D:\;E:\;

Statistics
Time: 02:26:31
Files: 495241
Folders: 8257
Boot Sectors: 3
Archives: 28634
Packed Files: 42478

Results
Identified Viruses: 7
Infected Files: 20
Suspect Files: 2
Warnings: 0
Disinfected: 0
Deleted Files: 21

Engines Info
Virus Definitions: 503004
Engine build: AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File - Status

C:\hp\bin\Terminator.exe - Infected with: Trojan.Killapp.30208.A; Disinfection failed; Deleted
C:\Program Files\AdwareAway.exe=>(Inno Installer o)=>(Inno Module 9) - Infected with: Generic.Malware.sp!.FC7A718F; Disinfection failed; Deleted
C:\Program Files\AdwareAway.exe=>(Inno Installer o) - Update failed
C:\Program Files\backups\backup-20070421-134552-201.dll - Infected with: MemScan:Trojan.Vundo.AP; Disinfection failed; Deleted
C:\Program Files\backups\backup-20070421-151653-115.dll - Infected with: MemScan:Trojan.Vundo.AP; Disinfection failed; Deleted
C:\Program Files\Network Associates\McAfee VirusScan\OldEngine\BOOTSCAN.sav - Suspected of: One_Half.3591; Disinfection failed; Deleted
C:\Program Files\Network Associates\McAfee VirusScan\OldEngine\SCAN86.sav - Suspected of: One_Half.3591; Disinfection failed; Deleted
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP852\A0118756.exe - Infected with: Backdoor.Agent.WR; Disinfection failed; Deleted
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP852\A0118757.dll - Infected with: MemScan:Trojan.Vundo.DLM; Disinfection failed; Deleted
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP852\A0118758.dll - Infected with: MemScan:Trojan.Vundo.DLM; Disinfection failed; Deleted
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP852\A0118759.dll - Infected with: MemScan:Trojan.Vundo.DLM; Disinfection failed; Deleted
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP852\A0118764.dll - Infected with: MemScan:Trojan.Vundo.DLM; Disinfection failed; Deleted
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP853\A0119240.exe - Infected with: Trojan.Killapp.30208.A; Disinfection failed; Deleted
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP853\A0119241.dll - Infected with: MemScan:Trojan.Vundo.AP; Disinfection failed; Deleted
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP853\A0119242.dll - Infected with: MemScan:Trojan.Vundo.AP; Disinfection failed; Deleted
C:\WINDOWS\cfgmgr52\TMPC.bsx - Infected with: Generic.Qhost.F850957B; Disinfection failed; Deleted
C:\WINDOWS\system32\ecaqixco.dll - Infected with: Trojan.Vundo.AN; Disinfection failed; Deleted
C:\WINDOWS\system32\ftjyjyli.dll - Infected with: Trojan.Vundo.AN; Disinfection failed; Deleted
C:\WINDOWS\system32\gebyx.dll - Infected with: MemScan:Trojan.Vundo.AP; Disinfection failed; Delete failed
C:\WINDOWS\system32\nmijhtnm.dll - Infected with: Trojan.Vundo.AN; Disinfection failed; Deleted
C:\WINDOWS\system32\rrfejguv.dll - Infected with: Trojan.Vundo.AN; Disinfection failed; Deleted
C:\WINDOWS\system32\taddrwcc.dll - Infected with: Trojan.Vundo.AN; Disinfection failed; Deleted
C:\WINDOWS\system32\wtydwpqh.dll - Infected with: Trojan.Vundo.AN; Disinfection failed; Deleted


Also, I have never seen this before and thought it was interesting (and awful!). When I went to the Bitdefender site, a WinAntiSpyware banner was inserted into the html of the Bitdefender code. This was not a popup and it tried to mask itself as part of the site itself. I am uploading the screenshot in case you are interested in seeing it and I have the html code saved as well.

Attached Thumbnails

  • winantispyware_overlay.JPG


#8
Anthony10

Hi,

Please go to Start – Settings – Control Panel. Click on Add/Remove Programs. Click on the following program and click on Remove. Then close the Control Panel.

Outerinfo

-----------

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

------------

Download Deckard's System Scanner (DSS) to your Desktop.
Note: You must be logged onto an account with administrator privileges.


1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, it will create two text files: main.txt (this one will be maximized) and extra.txt (this one will be minimized on your Taskbar).
4. Copy/paste both logs back here please (they will also be located at C:\Deckard\System Scanner) and post the contents of C:\vundofix.txt.

#9
metalchick666

Hi there! Done and here are the files you requested.

Deckard's System Scanner v20070426.43
Run by Owner on 2007-05-01 at 22:57:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
63: 2007-05-02 02:58:00 UTC - RP855 - Deckard's System Scanner Restore Point
62: 2007-04-29 07:40:49 UTC - RP854 - System Checkpoint
61: 2007-04-28 06:38:06 UTC - RP853 - System Checkpoint
60: 2007-04-25 18:33:52 UTC - RP852 - before cleaning adware
59: 2007-04-25 18:27:41 UTC - RP851 - Restore Operation


-- First Restore Point --
1: 2007-02-01 02:02:35 UTC - RP793 - System Checkpoint


Performed disk cleanup.


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:58:25 PM, on 5/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\HIJACK~2\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi6.ebay.com...I...t=8&rows=25
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://cgi6.ebay.com...I...t=8&rows=25
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {05FC8C8B-E628-4E78-8D9B-42A687977FB3} - C:\WINDOWS\System32\prlprlgx.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {613CC5E1-207F-47E1-BC79-3C122A0232B8} - C:\WINDOWS\System32\gebyx.dll (file missing)
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [POINTER] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\System32\pmprcunx.dll",realset
O4 - HKCU\..\Run: [NVIEW] "rundll32.exe" nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bits...om/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineco...loadcontrol.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/gf.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/...aploader_v6.cab
O20 - Winlogon Notify: vturrrq - vturrrq.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: ZoneAlarm - {85F60C7C-6FB9-A35C-C1D5-66DEF483E0A5} - C:\Program Files\Zone Labs\ZoneAlarm\images.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~2\backups\) --------------------

backup-20070425-192459-393 O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildt...nce/install.cab
backup-20070425-192500-693 O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://talisma.webe...bex/ieatgpc.cab

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL %1,%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser %1,%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 RCFOX (SonicWALL IPsec Driver) - c:\windows\system32\drivers\rcfox.sys <Not Verified; SonicWALL, Inc.; RCFOX IPSec Driver>
R3 WinDriver (WinDriver kernel module) - c:\windows\system32\drivers\windrvr.sys <Not Verified; Jungo; WinDriver Device Driver>

S3 Wdm1 (USB Bridge Cable Driver) - c:\windows\system32\drivers\usbbc.sys <Not Verified; ; PC-Linq Bridge Cable>
S4 AloPar - c:\windows\system32\drivers\alopar.sys <Not Verified; Eisenworld, Inc.; AloPar Port Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 PackethSvc (Virtual NIC Service) - c:\windows\system32\packethsvc.exe <Not Verified; America Online, Inc.; America Online>

S3 RampartSvc (SonicWall VPN Client Service) - c:\program files\sonicwall\sonicwall global vpn client\rampartsvc.exe <Not Verified; SonicWALL, Inc.; RampartSvc Module>


-- Scheduled Tasks -------------------------------------------------------------

2007-03-15 13:26:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2005-01-06 18:28:51 364 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2007-04-01 and 2007-05-01 -----------------------------

2007-05-01 22:31:46 0 d-------- C:\VundoFix Backups
2007-04-28 13:42:29 0 d-------- C:\WINDOWS\BDOSCAN8
2007-04-25 14:53:41 0 d-------- C:\Program Files\Hijack This
2007-04-21 15:21:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-04-21 14:36:55 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-04-18 23:33:30 0 d-------- C:\Program Files\xloadnet


-- Find3M Report ---------------------------------------------------------------

2007-04-30 21:27:52 0 d-------- C:\Program Files\SpywareBlaster
2007-04-28 14:47:29 0 d-------- C:\Program Files\backups
2007-04-25 23:06:52 2142 --a------ C:\Program Files\fsbl-20070426023705.log
2007-04-25 22:32:59 515 --a------ C:\Program Files\Shortcut to fsbl.lnk <SHORTC~1.LNK>
2007-04-25 22:05:35 0 d-------- C:\Program Files\hbinst
2007-04-25 14:52:36 0 d-------- C:\Program Files\iWin Games
2007-04-25 14:23:14 0 d-------- C:\Program Files\Online Services
2007-04-25 10:04:43 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2007-04-23 23:03:26 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-04-21 15:16:04 5629 --a------ C:\Program Files\hijackthis.log
2007-04-06 23:55:47 0 d-------- C:\Program Files\Soulseek
2007-03-29 23:14:30 4212 ---h----- C:\WINDOWS\System32\zllictbl.dat
2007-03-23 17:09:07 0 d-------- C:\Documents and Settings\Owner\Application Data\webex
2007-03-23 17:08:42 199751 --a------ C:\WINDOWS\System32\atasnt40.dll <Not Verified; WebEx Communications, Inc; WebEx Application Sharing>
2007-03-23 13:05:56 0 d-------- C:\Documents and Settings\Owner\Application Data\SonicWALL
2007-03-23 13:00:03 0 d-------- C:\Program Files\Common Files\Deterministic Networks
2007-03-23 12:59:53 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-03-23 12:59:44 0 d-------- C:\Program Files\SonicWALL
2007-03-23 12:58:54 0 d-------- C:\Program Files\Common Files\InstallShield
2007-02-14 23:21:24 1682333 --a------ C:\Program Files\jewel-quest-2-setup.exe


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{05FC8C8B-E628-4E78-8D9B-42A687977FB3} C:\WINDOWS\System32\prlprlgx.dll [x]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{613CC5E1-207F-47E1-BC79-3C122A0232B8} C:\WINDOWS\System32\gebyx.dll [x]
{8CA5ED52-F3FB-4414-A105-2E3491156990} C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"POINTER"="\"C:\\Program Files\\Microsoft Hardware\\Mouse\\point32.exe\""
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"Lexmark X6100 Series"="\"C:\\Program Files\\Lexmark X6100 Series\\lxbfbmgr.exe\""
"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe\" /STARTUP"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"InfoData"="rundll32.exe \"C:\\WINDOWS\\System32\\pmprcunx.dll\",realset"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"NVIEW"="\"rundll32.exe\" nview.dll,nViewLoadHook"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9 -reboot 1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=dword:00000000
"Btn_Search"=dword:00000000
"NoBandCustomize"=dword:00000000
"NoToolbarCustomize"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{3F9D0C61-737D-44D1-BD80-91AF857061CC}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"ZoneAlarm"="{85F60C7C-6FB9-A35C-C1D5-66DEF483E0A5}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vturrrq

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AloPar.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\Parallel Arbitrator

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"="C:\\PROGRAM FILES\\AIM95\\aim.exe -cnetwait.odl"
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinampAgent"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"ALiUSBfix"="C:\\WINDOWS\\System32\\GREENMARK.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~3.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^naai.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\naai.exe"
"backup"="C:\\WINDOWS\\pss\\naai.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\naai.exe"
"item"="naai"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Quicken Scheduled Updates.lnk"
"backup"="C:\\WINDOWS\\pss\\Quicken Scheduled Updates.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Quicken\\bagent.exe "
"item"="Quicken Scheduled Updates"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 1.1.0.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\OpenOffice.org 1.1.0.lnk"
"backup"="C:\\WINDOWS\\pss\\OpenOffice.org 1.1.0.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\OPENOF~1.0\\program\\QUICKS~1.EXE "
"item"="OpenOffice.org 1.1.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdTools Service]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdTools"
"hkey"="HKLM"
"command"="C:\\Program Files\\AdTools Service\\AdTools.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCXMNTR"
"hkey"="HKLM"
"command"="ALCXMNTR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CasStub]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="casstub"
"hkey"="HKCU"
"command"="C:\\Program Files\\CasStub\\casstub.exe -run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccRegVfy"
"hkey"="HKLM"
"command"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KavSvc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="raapku"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\raapku.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Keyboard Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MMKeybd"
"hkey"="HKLM"
"command"="C:\\Program Files\\Netropa\\One-touch Multimedia Keyboard\\MMKeybd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MediaAccK"
"hkey"="HKLM"
"command"="C:\\Program Files\\Media Access\\MediaAccK.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notn]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="eber"
"hkey"="HKCU"
"command"="C:\\Documents and Settings\\Owner\\Application Data\\eber.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OmniPass]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="scureapp"
"hkey"="HKLM"
"command"="C:\\Program Files\\Softex\\OmniPass\\scureapp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qgxsre]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qgxsre"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\qgxsre.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Remind_XP"
"hkey"="HKLM"
"command"="\"C:\\Windows\\Creator\\Remind_XP.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebInstall2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="insE"
"hkey"="HKLM"
"command"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\insE.tmp /R /A"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=dword:00000002
"omniserv"=dword:00000002
"Fax"=dword:00000003

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



-- Hosts -----------------------------------------------------------------------

127.0.0.1 qckjmp.com
127.0.0.1 c.qckjmp.com
127.0.0.1 cjt1.net
127.0.0.1 t.trafficmp.com
127.0.0.1 ad.specificmedia.com


-- End of Deckard's System Scanner: finished at 2007-05-01 at 22:59:03 ---------

Deckard's System Scanner v20070426.43
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.50GHz
Percentage of Memory in Use: 40%
Physical Memory (total/avail): 630.98 MiB / 373.94 MiB
Pagefile Memory (total/avail): 1137.98 MiB / 906.76 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1984.44 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 32.29 GiB total, 2.97 GiB free.
D: is Fixed (FAT32) - 4.96 GiB total, 0.91 GiB free.
E: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.1_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-LK4RLMSU41
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\YOUR-LK4RLMSU41
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\QuickTime\QTSystem\;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier"
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.1_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=YOUR-LK4RLMSU41
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Absolute HTML Compressor 1.14 --> "C:\Program Files\Absolute HTML Compressor\unins000.exe"
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~2\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~2\INSTALL.LOG
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~3\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~3\Install.log
ALi USB2.0 Driver --> C:\WINDOWS\System32\UnUSB20.EXE RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8E1DCD15-C9F1-49CE-807B-198C8241EB6B}\SETUP.EXE" -uninst
Alohabob PC Relocator Ultra Control --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{D7DE2E7F-9927-491C-AFEE-CA4AB9EB4E63}
AOL Instant Messenger --> C:\Program Files\Aim95\uninstll.exe -LOG= C:\Program Files\Aim95\install.log -OEM=
Apple Software Update --> MsiExec.exe /I{5B433733-BB31-4B40-BCBA-DDED37626641}
ArcSoft PhotoImpression --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\PhotoImpression\Uninst.isu"
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Azureus --> C:\Program Files\Azureus\Uninstall.exe
Blasterball 2 from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\350CC34B-2B8E-4EE5-AE4D-F04FDF37DC39\Uninstall.exe"
Blaze Audio RipEditBurn 2 Trial --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Blaze Audio\RipEditBurn 2 Trial\Uninst.isu"
Bounce from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\29FF6D07-4A15-41F1-9D5E-E0F3A58012C6\Uninstall.exe"
Cannonballs from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\99C981FF-0F90-4259-B2A6-D3B1A1589A0A\Uninstall.exe"
CD/Spectrum Pro --> C:\WINDOWS\DelCDSP.exe
CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
Compaq Connections --> C:\WINDOWS\BWUnin-6.2.3.66L.exe -AppId 1940576
Compaq Organize --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0122362-6333-4DE4-93F6-A5A2F3CC101A}\Setup.exe" UNINSTALL
DFX for MUSICMATCH --> C:\PROGRA~1\DFX\MUSICM~1\UNWISE.EXE C:\PROGRA~1\DFX\MUSICM~1\INSTALL.LOG
DirectX 9 Hotfix - KB839643 --> C:\WINDOWS\$NtUninstallKB839643-DirectX9$\spuninst\spuninst.exe
DivX Codec 3.1alpha release --> C:\WINDOWS\System32\rundll32.exe setupapi,InstallHinfSection Remove_DivX 132 C:\WINDOWS\INF\DivX.inf
Excavation from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\9A8CE71F-71D5-4555-B355-85481DC99B80\Uninstall.exe"
Five Card Frenzy from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\2FDCC229-354D-4279-ABEF-CE17E355BFFA\Uninstall.exe"
GemMaster 3 from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\AD0E57E8-ABB1-4BF6-9AFF-0C7DDA1710CD\Uninstall.exe"
HijackThis 1.99.1 --> C:\Program Files\Hijack This\HijackThis.exe /uninstall
Honeycombs from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\623398D3-0B1E-4A63-A019-9BA8E77962AD\Uninstall.exe"
HP Deskjet Preloaded Printer Drivers --> MsiExec.exe /X{F419D20A-7719-4639-8E30-C073A040D878}
HP Printer Scanner Copier Enhancer --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hewlett-Packard Company\Pavilion\Enhancers\HP Printer Scanner Copier\Uninst.isu"
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Intel® 810 Chipset Graphic Driver End User Diagnostics Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Intel\GfxDrvEUD\Uninst.isu"
IntelliMover Data Transfer Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14589F05-C658-4594-9429-D437BA688686}\Setup.exe" -l0x9
Internet Explorer Q903235 --> C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q903235.inf
Internet Lottery 1.2.0 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\SPK210.Inf, DefaultUninstall
iPod for Windows 2005-09-06 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2E4E8905-5F24-4AEA-84E2-923CC12E3AB1} /l1033
Ipswitch WS_FTP LE --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\WS_FTP\Uninst.isu"
iTunes --> MsiExec.exe /I{5878FF02-3B8F-4309-B4E5-0D3DB6F2E8E6}
iWin Games (remove only) --> "C:\Program Files\iWin Games\Uninstall.exe"
Java 2 Runtime Environment, SE v1.4.1_02 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFCE5837-FC21-11D6-9D24-00010240CE95}\setup.exe" Anytext
Java Web Start --> "C:\Program Files\Java Web Start\uninst-javaws.exe"
Jewel Quest II (remove only) --> "C:\Program Files\iWin.com\Jewel Quest II\Uninstall.exe"
KBD --> C:\HP\KBD\KBD.EXE uninstalled
Lexmark X6100 Series --> C:\WINDOWS\System32\spool\drivers\w32x86\3\LXBFUN5C.EXE -dLexmark X6100 Series
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 2.5 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
MGI PhotoSuite 8.06 (Remove Only) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MGI\PSUITE80\Uninst.isu"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft IntelliPoint 4.0 --> MsiExec.exe /I{01BDFB08-EE88-4E5E-94A6-AE9EDCFA40C5}
Microsoft Money 2003 --> MsiExec.exe /I{01F9D88C-3C86-4E82-840A-101A3221F67A}
Microsoft Money 2003 System Pack --> MsiExec.exe /I{02B42D23-10F2-4862-ADA4-3DF1EA0021B2}
Microsoft Office XP Professional --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0050048383C9}
Microsoft Plus! Digital Media Edition --> MsiExec.exe /I{C6A7AF96-4EB1-4AAE-8318-1AB393C64F88}
Microsoft Visual J# .NET Redistributable Package 1.1 --> MsiExec.exe /X{1A655D51-1423-48A3-B748-8F5A0BE294C8}
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Mozilla Firefox (2.0.0.2) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MP3 Splitter & Joiner --> "C:\Program Files\MP3 Splitter & Joiner\unins000.exe"
MUSICMATCH® Jukebox --> C:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.exe
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
NVIDIA Gart Driver --> C:\WINDOWS\System32\nvugart.exe Uninstall C:\WINDOWS\System32\Nvgart.nvu,NVIDIA Gart Driver
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvhp.inf
OLYMPUS CAMEDIA Master 4.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{30BB4D60-81DB-11D5-BB77-00400536ABAC}\setup.exe" CAMEDIA Master 4.2
One-touch Multimedia Keyboard --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Netropa\One-touch Multimedia Keyboard\Uninst.isu" -c"C:\Program Files\Netropa\One-touch Multimedia Keyboard\uninst.dll"
OpenOffice.org 1.1.0 --> C:\Program Files\OpenOffice.org1.1.0\program\setup.exe -deinstall
Orbital from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\26DC0ED6-93A7-43C1-8DC5-EC16079580F9\Uninstall.exe"
Otto from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\8A225900-C06D-41DD-B66C-43840D472758\Uninstall.exe"
Print to Fax --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5BF2B19D-9C79-492A-8969-F059F06A627F}\setup.exe" -l0x9 ControlPanel
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
Python 2.2 combined Win32 extensions --> C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log
Python 2.2.1 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
Quicken 2003 New User Edition --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F61F2821-694C-475F-99AB-6AF2EFDF40FD} anything
QuickTime --> MsiExec.exe /I{55BF0E5F-EA8E-4C13-A8B4-9E4857F5A2DE}
RealOne Player --> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Registrar Lite 2.00 --> "C:\Program Files\Registrar Lite\unwise.exe" C:\PROGRA~1\REGIST~1\INSTALL.LOG
S3Display --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Display'
S3Gamma2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Gamma2'
S3Info2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Info2'
S3Overlay --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Overlay'
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\System32\MACROMED\SHOCKW~2\UNWISE.EXE C:\WINDOWS\System32\MACROMED\SHOCKW~2\INSTALL.LOG
Slyder from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\8567FC11-B0BF-49CD-9EF0-959413FA103D\Uninstall.exe"
SonicWALL Global VPN Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{53648F92-1CC5-22D2-A6DF-00A0C9A23BCD}\setup.exe" -l0x9 -FromCPL
SoulSeek Client 156b --> "C:\Program Files\Soulseek\uninstall.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
VX2 Cleaner plug-in for Ad-Aware SE --> C:\PROGRA~1\Lavasoft\AD-AWA~2\Plugins\VX2CLE~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~2\Plugins\VX2CLE~1\INSTALL.LOG
WebEx --> C:\WINDOWS\DOWNLO~1\atcliun.exe
Winamp3 (remove only) --> C:\Program Files\Winamp3\uninst-wa3.EXE
Windows Driver Package - Realtek Semiconductor Corp. MEDIA 12/12/2003 5.10.00.5410 --> C:\WINDOWS\System32\DRVSTORE\DFx.DriverAssembly.cfb7d3fc0ab7f7a3133a6c25509eaf3479108975\DPInst.exe /u DFx.DriverAssembly.cfb7d3fc0ab7f7a3133a6c25509eaf3479108975
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- End of Deckard's System Scanner: finished at 2007-05-01 at 22:59:03 ---------


VundoFix V6.3.21

Checking Java version...

Scan started at 10:31:46 PM 5/1/2007

Listing files found while scanning....

C:\WINDOWS\System32\agdwjntv.dll
C:\WINDOWS\System32\gebyx.dll
C:\WINDOWS\system32\pmprcunx.dll
C:\WINDOWS\system32\vturrrq.dll
C:\WINDOWS\system32\xnucrpmp.ini
C:\WINDOWS\System32\xybeg.bak1
C:\WINDOWS\System32\xybeg.bak2
C:\WINDOWS\System32\xybeg.ini

Beginning removal...

Attempting to delete C:\WINDOWS\System32\agdwjntv.dll
C:\WINDOWS\System32\agdwjntv.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\gebyx.dll
C:\WINDOWS\System32\gebyx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmprcunx.dll
C:\WINDOWS\system32\pmprcunx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xnucrpmp.ini
C:\WINDOWS\system32\xnucrpmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\xybeg.bak1
C:\WINDOWS\System32\xybeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\xybeg.bak2
C:\WINDOWS\System32\xybeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\xybeg.ini
C:\WINDOWS\System32\xybeg.ini Has been deleted!

Performing Repairs to the registry.
Done!

#10
metalchick666

Now that I've completed the above actions, I get this error upon startup of my computer:

RUNDLL
Error loading C:\WINDOWS\System32\pmprcunx.dll
The specified module could not be found

#11
Anthony10

Please go to Start – Settings – Control Panel. Click on Add/Remove Programs. Click on the following programs and click on Remove. Then close the Control Panel.

xloadnet
hbinst
iWin Games


---------------------

Launch ATF-Cleaner, and select "Select All", then click Empty Selected (and close ATF).

If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.

--------------------

Open HijackThis, run a scan, place a check next to the following entries, and then click Fix checked:

O2 - BHO: (no name) - {05FC8C8B-E628-4E78-8D9B-42A687977FB3} - C:\WINDOWS\System32\prlprlgx.dll (file missing)
O2 - BHO: (no name) - {613CC5E1-207F-47E1-BC79-3C122A0232B8} - C:\WINDOWS\System32\gebyx.dll (file missing
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL (file missing

O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\System32\pmprcunx.dll",realset

O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineco...loadcontrol.cab

O20 - Winlogon Notify: vturrrq - vturrrq.dll (file missing)


------------------

Please download OTMoveIt by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\System32\pmprcunx.dll
C:\Program Files\xloadnet
C:\Program Files\hbinst
C:\Program Files\iWin Games
C:\Program Files\jewel-quest-2-setup.exe


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


-------------------

Double-click on dss.exe and follow the prompts.
When it has finished, DSS will open two Notepads: main.txt and extra.txt
Use Save As to save both Notepad files to your Desktop and post them in your next reply. You can use separate posts if needed.

Anthony.
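
The RUNDLL error reported in post #10 is a Run entry still calling a DLL that VundoFix had already deleted, and in the lines quoted in post #11 that entry carries no "(file missing)" marker. The following added example (not part of the thread and not any tool's own code) correlates the cleaner's deletion log with HijackThis lines to list autostart entries whose target is gone; resolving bare DLL names to `C:\WINDOWS\System32` is an assumption.

```python
import ntpath
import re

# "Has been deleted!" lines copied from the VundoFix output earlier in the thread.
VUNDOFIX_LOG = r"""
C:\WINDOWS\System32\agdwjntv.dll Has been deleted!
C:\WINDOWS\System32\gebyx.dll Has been deleted!
C:\WINDOWS\system32\pmprcunx.dll Has been deleted!
C:\WINDOWS\system32\xnucrpmp.ini Has been deleted!
C:\WINDOWS\System32\xybeg.bak1 Has been deleted!
C:\WINDOWS\System32\xybeg.bak2 Has been deleted!
C:\WINDOWS\System32\xybeg.ini Has been deleted!
"""

# HijackThis entries copied as posted in #11 (two lack the closing parenthesis),
# plus one unaffected Run entry from the later log for contrast.
HIJACKTHIS_LINES = r"""
O2 - BHO: (no name) - {05FC8C8B-E628-4E78-8D9B-42A687977FB3} - C:\WINDOWS\System32\prlprlgx.dll (file missing)
O2 - BHO: (no name) - {613CC5E1-207F-47E1-BC79-3C122A0232B8} - C:\WINDOWS\System32\gebyx.dll (file missing
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL (file missing
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\System32\pmprcunx.dll",realset
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineco...loadcontrol.cab
O20 - Winlogon Notify: vturrrq - vturrrq.dll (file missing)
"""

SYSTEM32 = r"C:\WINDOWS\System32"  # assumption: bare DLL names resolve here
ABS_PATH = re.compile(r'[A-Za-z]:\\[^"<>|*?]+?\.(?:dll|exe|ocx)\b', re.I)
BARE_NAME = re.compile(r'[\w~-]+\.(?:dll|exe|ocx)\b', re.I)
SECTION = re.compile(r'^([ORF]\d+)\s+-\s+')


def norm(path):
    """Case-insensitive, separator-normalised form of a Windows path."""
    return ntpath.normcase(ntpath.normpath(path))


def deleted_files(cleaner_log):
    """Paths the cleaner reports as deleted."""
    gone = set()
    for line in cleaner_log.splitlines():
        m = re.match(r'^(.+?) Has been deleted!\s*$', line.strip())
        if m:
            gone.add(norm(m.group(1)))
    return gone


def target_of(line):
    """File an entry loads; for rundll32 lines that is the DLL argument."""
    body = SECTION.sub('', line, count=1)
    candidates = ABS_PATH.findall(body) or [
        ntpath.join(SYSTEM32, name) for name in BARE_NAME.findall(body)
    ]
    for candidate in candidates:
        if ntpath.basename(candidate).lower() != 'rundll32.exe':
            return norm(candidate)
    return None  # e.g. O16 entries that point at a URL


def audit(hjt_log, cleaner_log):
    """Entries whose target is marked missing or was deleted by the cleaner."""
    gone = deleted_files(cleaner_log)
    findings = []
    for line in hjt_log.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if not m:
            continue
        target = target_of(line)
        marked = '(file missing' in line.lower()  # tolerate a lost ")"
        removed = target in gone
        if marked or removed:
            findings.append({
                'section': m.group(1),
                'target': target,
                'marked_missing': marked,
                'deleted_by_cleaner': removed,
            })
    return findings


def silent_orphans(findings):
    """Entries with no marker in the log whose file the cleaner removed."""
    return [f for f in findings
            if f['deleted_by_cleaner'] and not f['marked_missing']]


if __name__ == '__main__':
    for f in audit(HIJACKTHIS_LINES, VUNDOFIX_LOG):
        print(f)
```

The one entry `silent_orphans` returns is the `InfoData` Run value, which is why removing that O4 line is what clears the startup error.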

#12
metalchick666

Thanks Anthony, I will follow these instructions when I get back home, but before I do, I want to let you know that I use iWin Games and Jewel Quest almost daily. I pay for a subscription. Also, I use PineConeResearch.com for my job so I don't really want to get rid of that. Is that ok?

#13
metalchick666

Hi Anthony! Thanks for all your help so far.

These entries were not found in the Control Panel - Add/Remove Programs:
xloadnet
hbinst

I did not remove this one because it is a program that I paid for and use often:
iWin Games

I ran ATF Cleaner

I ran HiJack This and removed all but this entry because PineConeResearch is a site that I use often for work:
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineco...loadcontrol.cab

I ran OTMoveIT
This file was not found: C:\WINDOWS\System32\pmprcunx.dll

I did not get rid of these because I use them as stated above:
C:\Program Files\iWin Games
C:\Program Files\jewel-quest-2-setup.exe

I ran dss.exe but it only opened a main.txt notepad; it did not open the extra.txt notepad.
Here are the contents of the main.txt file:

Deckard's System Scanner v20070426.43
Run by Owner on 2007-05-04 at 21:51:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:52:02 PM, on 5/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\HIJACK~2\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi6.ebay.com...I...t=8&rows=25
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://cgi6.ebay.com...I...t=8&rows=25
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [POINTER] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [NVIEW] "rundll32.exe" nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bits...om/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineco...loadcontrol.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/gf.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/...aploader_v6.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: ZoneAlarm - {85F60C7C-6FB9-A35C-C1D5-66DEF483E0A5} - C:\Program Files\Zone Labs\ZoneAlarm\images.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


-- Files created between 2007-04-04 and 2007-05-04 -----------------------------

2007-05-01 22:31:46 0 d-------- C:\VundoFix Backups
2007-04-28 13:42:29 0 d-------- C:\WINDOWS\BDOSCAN8
2007-04-25 14:53:41 0 d-------- C:\Program Files\Hijack This
2007-04-21 15:21:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-04-21 14:36:55 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft


-- Find3M Report ---------------------------------------------------------------

2007-04-30 21:27:52 0 d-------- C:\Program Files\SpywareBlaster
2007-04-28 14:47:29 0 d-------- C:\Program Files\backups
2007-04-25 23:06:52 2142 --a------ C:\Program Files\fsbl-20070426023705.log
2007-04-25 22:32:59 515 --a------ C:\Program Files\Shortcut to fsbl.lnk <SHORTC~1.LNK>
2007-04-25 14:52:36 0 d-------- C:\Program Files\iWin Games
2007-04-25 14:23:14 0 d-------- C:\Program Files\Online Services
2007-04-25 10:04:43 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2007-04-23 23:03:26 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-04-21 15:16:04 5629 --a------ C:\Program Files\hijackthis.log
2007-04-06 23:55:47 0 d-------- C:\Program Files\Soulseek
2007-03-29 23:14:30 4212 ---h----- C:\WINDOWS\System32\zllictbl.dat
2007-03-23 17:09:07 0 d-------- C:\Documents and Settings\Owner\Application Data\webex
2007-03-23 17:08:42 199751 --a------ C:\WINDOWS\System32\atasnt40.dll <Not Verified; WebEx Communications, Inc; WebEx Application Sharing>
2007-03-23 13:05:56 0 d-------- C:\Documents and Settings\Owner\Application Data\SonicWALL
2007-03-23 13:00:03 0 d-------- C:\Program Files\Common Files\Deterministic Networks
2007-03-23 12:59:53 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-03-23 12:59:44 0 d-------- C:\Program Files\SonicWALL
2007-03-23 12:58:54 0 d-------- C:\Program Files\Common Files\InstallShield
2007-02-14 23:21:24 1682333 --a------ C:\Program Files\jewel-quest-2-setup.exe


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"POINTER"="\"C:\\Program Files\\Microsoft Hardware\\Mouse\\point32.exe\""
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"Lexmark X6100 Series"="\"C:\\Program Files\\Lexmark X6100 Series\\lxbfbmgr.exe\""
"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe\" /STARTUP"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"NVIEW"="\"rundll32.exe\" nview.dll,nViewLoadHook"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9 -reboot 1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=dword:00000000
"Btn_Search"=dword:00000000
"NoBandCustomize"=dword:00000000
"NoToolbarCustomize"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{3F9D0C61-737D-44D1-BD80-91AF857061CC}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"ZoneAlarm"="{85F60C7C-6FB9-A35C-C1D5-66DEF483E0A5}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AloPar.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\Parallel Arbitrator

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"="C:\\PROGRAM FILES\\AIM95\\aim.exe -cnetwait.odl"
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinampAgent"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"ALiUSBfix"="C:\\WINDOWS\\System32\\GREENMARK.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~3.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^naai.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\naai.exe"
"backup"="C:\\WINDOWS\\pss\\naai.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\naai.exe"
"item"="naai"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Quicken Scheduled Updates.lnk"
"backup"="C:\\WINDOWS\\pss\\Quicken Scheduled Updates.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Quicken\\bagent.exe "
"item"="Quicken Scheduled Updates"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 1.1.0.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\OpenOffice.org 1.1.0.lnk"
"backup"="C:\\WINDOWS\\pss\\OpenOffice.org 1.1.0.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\OPENOF~1.0\\program\\QUICKS~1.EXE "
"item"="OpenOffice.org 1.1.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdTools Service]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdTools"
"hkey"="HKLM"
"command"="C:\\Program Files\\AdTools Service\\AdTools.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCXMNTR"
"hkey"="HKLM"
"command"="ALCXMNTR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CasStub]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="casstub"
"hkey"="HKCU"
"command"="C:\\Program Files\\CasStub\\casstub.exe -run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccRegVfy"
"hkey"="HKLM"
"command"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KavSvc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="raapku"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\raapku.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Keyboard Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MMKeybd"
"hkey"="HKLM"
"command"="C:\\Program Files\\Netropa\\One-touch Multimedia Keyboard\\MMKeybd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MediaAccK"
"hkey"="HKLM"
"command"="C:\\Program Files\\Media Access\\MediaAccK.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notn]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="eber"
"hkey"="HKCU"
"command"="C:\\Documents and Settings\\Owner\\Application Data\\eber.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OmniPass]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="scureapp"
"hkey"="HKLM"
"command"="C:\\Program Files\\Softex\\OmniPass\\scureapp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qgxsre]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qgxsre"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\qgxsre.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Remind_XP"
"hkey"="HKLM"
"command"="\"C:\\Windows\\Creator\\Remind_XP.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebInstall2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="insE"
"hkey"="HKLM"
"command"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\insE.tmp /R /A"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=dword:00000002
"omniserv"=dword:00000002
"Fax"=dword:00000003

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



-- End of Deckard's System Scanner: finished at 2007-05-04 at 21:52:39 ---------
  • 0

#14
OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
metalchick666,

Anthony will be without internet for a while, so I will take over this topic for him until such time as he can return.

Step #1
Please copy and paste the following into notepad, saving it to your desktop as "fixme.reg" - include the quotes when saving it.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^naai.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdTools Service]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CasStub]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KavSvc]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notn]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qgxsre]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebInstall2]


Next, please double click it and when it asks whether to merge with the registry answer yes.
You should get a message saying it was successful.

Step #2
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\naai.exe
C:\WINDOWS\pss\naai.exe
C:\Program Files\AdTools Service
C:\Program Files\CasStub
C:\WINDOWS\System32\raapku.exe
C:\Program Files\Media Access
C:\Documents and Settings\Owner\Application Data\eber.exe
C:\windows\system32\qgxsre.exe


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Please post the log from OTMoveit and a new log from Hijackthis in your next reply.
How is your machine running now, any pop-ups or similar?
  • 0
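
A consistency check between the two steps in post #14, as an added example that is not part of the thread or of any tool named in it: it parses the msconfig `startupreg` dump and the `fixme.reg` deletions, then lists deleted startup keys whose launch target is not at or under a path in the OTMoveIt list. The data are excerpts of the thread's own text; the function names are hypothetical, and paths are compared literally (8.3 short names are not expanded).

```python
import re

# Excerpt of the thread's msconfig dump, trimmed to four keys and their "command" value.
DUMP = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
"command"="ALCXMNTR.EXE"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CasStub]
"command"="C:\\Program Files\\CasStub\\casstub.exe -run"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KavSvc]
"command"="C:\\WINDOWS\\System32\\raapku.exe reg_run"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebInstall2]
"command"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\insE.tmp /R /A"
'''
# Matching excerpts of the fixme.reg deletions and of the OTMoveIt path list.
FIXME_REG = r'''
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CasStub]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KavSvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebInstall2]
'''
MOVE_LIST = [r"C:\Program Files\CasStub", r"C:\WINDOWS\System32\raapku.exe"]

SECTION = re.compile(r'^\[(-?)HKEY_LOCAL_MACHINE\\.*\\startupreg\\(.+)\]$', re.I)
VALUE = re.compile(r'^"(.+?)"="(.*)"$')
TARGET = re.compile(r'^"?(.+?\.(?:exe|tmp|dll))', re.I)  # launch target, arguments dropped

def parse(text):
    """Return ({key: {name: value}}, [keys marked for deletion with '[-...]'])."""
    entries, deleted, cur = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            cur = None if m.group(1) else entries.setdefault(m.group(2), {})
            deleted += [m.group(2)] if m.group(1) else []
        elif cur is not None and (m := VALUE.match(line)):
            cur[m.group(1)] = re.sub(r'\\(.)', r'\1', m.group(2))  # undo .reg escapes
    return entries, deleted

def unmoved_targets(dump, reg, move_list):
    """Deleted startup keys whose launch target is not covered by the move list."""
    entries, moves, out = parse(dump)[0], [p.lower() for p in move_list], []
    for key in parse(reg)[1]:
        cmd = entries.get(key, {}).get("command", "")  # "" if the key is not in the dump
        m = TARGET.match(cmd)
        target = m.group(1) if m else cmd
        if not any(target.lower() == p or target.lower().startswith(p + "\\") for p in moves):
            out.append((key, target))
    return out
```

An entry in the result is a prompt to check whether that file is still on disk, not a finding in itself.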

#15
metalchick666

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Thanks for helping out, OwNt!

The pop-ups are currently gone.

Did the "fixme.reg" and OTMoveIt. Unfortunately I didn't copy the results before I closed it, but here are the results if I try to run it now:

File/Folder C:\Documents and Settings\All Users\Start Menu\Programs\Startup\naai.exe not found.
File/Folder C:\WINDOWS\pss\naai.exe not found.
File/Folder C:\Program Files\AdTools Service not found.
File/Folder C:\Program Files\CasStub not found.
File/Folder C:\WINDOWS\System32\raapku.exe not found.
File/Folder C:\Program Files\Media Access not found.
File/Folder C:\Documents and Settings\Owner\Application Data\eber.exe not found.
File/Folder C:\windows\system32\qgxsre.exe not found.

Created on 05/10/2007 22:53:30


Here is the new HiJack This log:

Logfile of HijackThis v1.99.1
Scan saved at 10:57:29 PM, on 5/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi6.ebay.com...I...t=8&rows=25
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://cgi6.ebay.com...I...t=8&rows=25
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [POINTER] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [NVIEW] "rundll32.exe" nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bits...om/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineco...loadcontrol.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/gf.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/...aploader_v6.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: ZoneAlarm - {85F60C7C-6FB9-A35C-C1D5-66DEF483E0A5} - C:\Program Files\Zone Labs\ZoneAlarm\images.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0





