Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Wpaa.dll and winfixer [RESOLVED]

Started by ehall , Oct 17 2005 04:52 PM

This topic is locked

#1
ehall

Posted 17 October 2005 - 04:52 PM

Member

Member
10 posts

I have run all of the steps, but can't get shredder to work. I have continual Winfixer pop ups. When I run ewido I contiunally show winnt/ system32/wpaa.dll. I'm going to needsome help removing everything on here, and getting windows running efficiently again. On my last defrag, there were files in winnt that could not be moved. That's what got me searching. Thanks in advance for the assistance. Below if the log:

Logfile of HijackThis v1.99.1
Scan saved at 6:46:50 PM, on 10/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\wdfmgr.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\wbem\wmiapsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dmadmin.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy\AudioHQ\AHQTBU.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Common Files\AOL\1097525485\ee\AOLHostManager.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Common Files\AOL\1097525485\ee\AOLServiceHost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINNT\System32\wbem\wmiprvse.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
c:\program files\common files\aol\1097525485\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINNT\System32\alg.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\TrojanHunter 4.2\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\ntvdm.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WINPAT~1.EXE
C:\PROGRA~1\AMERIC~1.0C\waol.exe
C:\PROGRA~1\AMERIC~1.0C\shellmon.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fccj.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.se1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.se1.attbb.net

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {05D07E37-C174-C206-5180-803677E769CC} - C:\WINNT\system32\crbc.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0890C38B-C419-2318-EA0C-7712872D7ADE} - C:\WINNT\atlgd32.dll (file missing)
O2 - BHO: Class - {0E424FB3-194F-2E07-E737-BAD30DA5D8EC} - C:\WINNT\system32\appph.dll (file missing)
O2 - BHO: Class - {19A72A9E-9283-25A1-64C8-866A3A28A5F6} - C:\WINNT\system32\apiku32.dll (file missing)
O2 - BHO: Class - {22325BCC-0213-A97E-7060-1D4EE1016CA5} - C:\WINNT\system32\mfcyj.dll (file missing)
O2 - BHO: Class - {24A66A2E-5AFE-E8EF-B293-C15F0CC19B46} - C:\WINNT\mswo32.dll (file missing)
O2 - BHO: Class - {2563929E-316C-F72B-8239-387401B74A15} - C:\WINNT\crjl.dll (file missing)
O2 - BHO: Class - {2847602D-6D1B-DCC7-7CF2-9CF30941EDB1} - C:\WINNT\ipwa.dll (file missing)
O2 - BHO: Class - {33D4D199-FF79-3F6E-5962-4588C8D320C1} - C:\WINNT\ntop32.dll (file missing)
O2 - BHO: Class - {350B7874-6CC5-2A96-4063-F0654618D016} - C:\WINNT\system32\d3zp32.dll (file missing)
O2 - BHO: Class - {3AD02A5D-3509-CB9B-49BF-0D92FBCC75E5} - C:\WINNT\system32\appqp.dll (file missing)
O2 - BHO: Class - {3F52D4A9-BDA9-2350-2B47-3E676005557F} - C:\WINNT\apion32.dll (file missing)
O2 - BHO: Class - {42C3F9E1-E5EC-8D60-235E-E061D1A24CC1} - C:\WINNT\system32\d3px32.dll (file missing)
O2 - BHO: Class - {4623E5AA-A481-42A8-431A-F4A828B026C8} - C:\WINNT\system32\crnw.dll (file missing)
O2 - BHO: Class - {47C152DB-AE7A-3E36-847C-F6C3371F19DC} - C:\WINNT\system32\msjv.dll (file missing)
O2 - BHO: Class - {4A9C09E1-BE38-5B61-F6B0-FC8C4F9B1F4B} - C:\WINNT\system32\sdkdz.dll (file missing)
O2 - BHO: Class - {522CB6F2-4EC1-3D01-1BA4-08731177DBEF} - C:\WINNT\system32\d3nk.dll (file missing)
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINNT\system32\mljji.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {54066D1A-4314-BDDA-AF4C-7988FA7126F6} - C:\WINNT\system32\iedz32.dll (file missing)
O2 - BHO: Class - {55B83C66-7426-6E0B-D792-DCEDEF3235B8} - C:\WINNT\system32\ntlr.dll (file missing)
O2 - BHO: Class - {5B9FC8ED-09FA-DD7A-656B-A9B820722D8E} - C:\WINNT\apiit.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Class - {5E5DDEAA-B5C5-DA6C-D909-F69AC5959350} - C:\WINNT\system32\javasp32.dll (file missing)
O2 - BHO: Class - {6286962A-8362-F853-5123-9596EBAA02B1} - C:\WINNT\system32\ipxx.dll (file missing)
O2 - BHO: Class - {62AB99CC-091F-850A-E460-EABFEC3ADBD7} - C:\WINNT\crlu.dll (file missing)
O2 - BHO: Class - {7055D377-44A2-1793-E109-C6FE15F0A9AB} - C:\WINNT\system32\iers32.dll (file missing)
O2 - BHO: Class - {75F61DED-E153-F229-9AB9-8E94124F8BCC} - C:\WINNT\mfcwa.dll (file missing)
O2 - BHO: Class - {7B904279-FECE-5773-109E-6815C3C64301} - C:\WINNT\winnf32.dll (file missing)
O2 - BHO: Class - {7CCF032E-3929-94D8-3DD1-7627B255F03A} - C:\WINNT\system32\d3vb32.dll (file missing)
O2 - BHO: Class - {7E126171-1C59-6D31-9CD3-D456A5E3A506} - C:\WINNT\system32\windr32.dll (file missing)
O2 - BHO: Class - {849D7683-C485-1C1F-89B3-70721F4992F0} - C:\WINNT\addaq32.dll (file missing)
O2 - BHO: Class - {874130E9-74F4-92CF-5462-FF757D6E0958} - C:\WINNT\system32\javauq32.dll (file missing)
O2 - BHO: Class - {8F454325-0365-F6F8-102C-1E5865E5CFF6} - C:\WINNT\appoo.dll (file missing)
O2 - BHO: Class - {94B28763-2071-EE36-47DB-41FCF486D906} - C:\WINNT\system32\addhc32.dll (file missing)
O2 - BHO: Class - {97E13E93-404D-7B56-2E68-64A4233A09EC} - C:\WINNT\system32\apime32.dll (file missing)
O2 - BHO: Class - {9874A3A4-9A8B-4BC9-7D80-650C13E8DF47} - C:\WINNT\system32\sysvq32.dll (file missing)
O2 - BHO: Class - {9EE2E3C8-AEC4-B7AA-BD52-DD5683D56316} - C:\WINNT\system32\appkr32.dll (file missing)
O2 - BHO: Class - {A12EE654-124B-9F8F-8176-85CD983DE149} - C:\WINNT\ipil32.dll (file missing)
O2 - BHO: Class - {A16A2FEE-C4F4-AC59-72DD-E206DF7346F5} - C:\WINNT\system32\sysld.dll (file missing)
O2 - BHO: Class - {A4824BBF-1F31-D2A8-0B10-F18DC8B36A8F} - C:\WINNT\netay32.dll (file missing)
O2 - BHO: Class - {AEB83F78-1294-69C2-3DC3-67897E8D89B2} - C:\WINNT\system32\netqp32.dll (file missing)
O2 - BHO: Class - {AEF0D772-9A66-07AD-1543-16A1762F757D} - C:\WINNT\addfs32.dll (file missing)
O2 - BHO: Class - {AF4A207C-7B65-ED75-89CC-D0E5F2482316} - C:\WINNT\appmb32.dll (file missing)
O2 - BHO: Class - {B05401ED-FDEB-8A21-A5DA-21D057B7FF3C} - C:\WINNT\system32\msdr32.dll (file missing)
O2 - BHO: Class - {B4FBCE5E-0DE0-1F85-BBEE-94F8BB59715E} - C:\WINNT\system32\crhb.dll (file missing)
O2 - BHO: Class - {BA6B10FB-8ED9-41DC-2CBA-A8E1758AFF52} - C:\WINNT\system32\syspw.dll (file missing)
O2 - BHO: Class - {BD33F509-69D9-3D97-5169-D30E8D7C13C2} - C:\WINNT\system32\addkv32.dll (file missing)
O2 - BHO: Class - {BEFF86F7-0F01-F8C8-2D60-DE9E0AC52F70} - C:\WINNT\sdkqf32.dll (file missing)
O2 - BHO: Class - {C8A61254-758B-74CD-8265-94E2E2DE2D77} - C:\WINNT\atlsv.dll (file missing)
O2 - BHO: Class - {CE8BBD4B-3988-AAFE-F6B1-292789B605C6} - C:\WINNT\system32\appql.dll (file missing)
O2 - BHO: Class - {D06461BA-7139-C7D8-21C4-CDA52D19B793} - C:\WINNT\winry.dll (file missing)
O2 - BHO: Class - {D27BAD24-7587-9A8D-3226-239B86AA6E16} - C:\WINNT\apids32.dll (file missing)
O2 - BHO: Class - {E11BBE0A-102A-66F9-15F2-319B4EF4B065} - C:\WINNT\system32\atlca.dll (file missing)
O2 - BHO: Class - {E8D24001-B7AD-B035-877A-B914CF19AD59} - C:\WINNT\addat32.dll (file missing)
O2 - BHO: Class - {F15C2353-EE47-0DA4-3A48-92FD11BC5959} - C:\WINNT\winva32.dll (file missing)
O2 - BHO: Class - {F2529D81-E3AD-492D-C89C-FEDCDCEC1551} - C:\WINNT\system32\winbh.dll (file missing)
O2 - BHO: Class - {F2F8DD4A-9FFB-EABC-D625-4E2A75A166B2} - C:\WINNT\sysnn.dll (file missing)
O2 - BHO: Class - {F3E5AB9F-4002-F8ED-E625-FA38BE180B29} - C:\WINNT\javaea32.dll (file missing)
O2 - BHO: Class - {FBFFB061-1E0D-0C13-72CB-E938C5B7DE0C} - C:\WINNT\system32\msgp32.dll (file missing)
O2 - BHO: Class - {FF6C683B-4AB2-9CF1-5F23-8EC1A2F97B5A} - C:\WINNT\system32\msue32.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AudioHQU] C:\Program Files\Creative\SBAudigy\AudioHQ\AHQTBU.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1097525485\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [waol.exe] C:\Program Files\America Online 9.0e\waol.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [ntxw.exe] C:\WINNT\ntxw.exe
O4 - HKLM\..\Run: [msdr.exe] C:\WINNT\system32\msdr.exe
O4 - HKLM\..\Run: [mfcgs.exe] C:\WINNT\mfcgs.exe
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [mfcsp32.exe] C:\WINNT\system32\mfcsp32.exe
O4 - HKLM\..\Run: [MPFEXE] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe /scan
O4 - HKCU\..\Run: [UltimateBuddy] C:\Program Files\UltimateBuddy\UltimateBuddy.exe
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comne...iveSekurity.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.co...GenXInstall.cab
O16 - DPF: {405BBF5B-2FD8-4614-AC51-D8566F635B94} (SafeWallet Class) - http://idsm.citadelp...s/WalletCab.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...99/mcinsctl.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.co...InstallAsst.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...tzip/RdxIE6.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.na...pdatePortal.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {7160FB1B-3DE0-4C42-81F0-41B4269990B0} (MSN Money Ticker) - http://fdl.msn.com/p.../v12/ticker.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.146.72.210...sCamControl.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.co...ts/DeltaCVX.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.co...oaderSigned.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...534/mcfscan.cab
O18 - Protocol: bw+0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: mljji - C:\WINNT\system32\mljji.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

#2
greyknight17

Posted 17 October 2005 - 05:00 PM

Malware Expert

Visiting Consultant
16,560 posts

Welcome to GTG.

Do you know what this program is for?

O4 - HKCU\..\Run: [UltimateBuddy] C:\Program Files\UltimateBuddy\UltimateBuddy.exe

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Uninstall these via the Add/Remove panel:

XoftSpy - if you didn't buy this program yet, uninstall it. Here is my reason why - it’s known to be rogueware in the past and I highly recommend that you uninstall it. Rogue/Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Right click and copy the below lines. Go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\WINNT\ntxw.exe
C:\WINNT\system32\msdr.exe
C:\WINNT\mfcgs.exe
C:\Program Files\XoftSpy\
C:\WINNT\system32\mfcsp32.exe
C:\Program Files\WinFixer 2005\

If you get a PendingOperations message, just close it and restart your computer manually.

Please download VundoFix.exe at http://www.atribune....ds/VundoFix.exe to your desktop.

* Double-click VundoFix.exe to extract the files.
* After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key (or F5 in some machines) until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
* Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
* Please type the following file path (make sure to enter it exactly as below!):

C:\WINNT\system32\mljji.dll

* Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
* When asked for a second path, enter -> C:\WINNT\system32\ijjlm.*
* Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
* The fix will run then HijackThis will open.
* In HijackThis, please place a check next to the following items and click FIX CHECKED:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {05D07E37-C174-C206-5180-803677E769CC} - C:\WINNT\system32\crbc.dll (file missing)
O2 - BHO: Class - {0890C38B-C419-2318-EA0C-7712872D7ADE} - C:\WINNT\atlgd32.dll (file missing)
O2 - BHO: Class - {0E424FB3-194F-2E07-E737-BAD30DA5D8EC} - C:\WINNT\system32\appph.dll (file missing)
O2 - BHO: Class - {19A72A9E-9283-25A1-64C8-866A3A28A5F6} - C:\WINNT\system32\apiku32.dll (file missing)
O2 - BHO: Class - {22325BCC-0213-A97E-7060-1D4EE1016CA5} - C:\WINNT\system32\mfcyj.dll (file missing)
O2 - BHO: Class - {24A66A2E-5AFE-E8EF-B293-C15F0CC19B46} - C:\WINNT\mswo32.dll (file missing)
O2 - BHO: Class - {2563929E-316C-F72B-8239-387401B74A15} - C:\WINNT\crjl.dll (file missing)
O2 - BHO: Class - {2847602D-6D1B-DCC7-7CF2-9CF30941EDB1} - C:\WINNT\ipwa.dll (file missing)
O2 - BHO: Class - {33D4D199-FF79-3F6E-5962-4588C8D320C1} - C:\WINNT\ntop32.dll (file missing)
O2 - BHO: Class - {350B7874-6CC5-2A96-4063-F0654618D016} - C:\WINNT\system32\d3zp32.dll (file missing)
O2 - BHO: Class - {3AD02A5D-3509-CB9B-49BF-0D92FBCC75E5} - C:\WINNT\system32\appqp.dll (file missing)
O2 - BHO: Class - {3F52D4A9-BDA9-2350-2B47-3E676005557F} - C:\WINNT\apion32.dll (file missing)
O2 - BHO: Class - {42C3F9E1-E5EC-8D60-235E-E061D1A24CC1} - C:\WINNT\system32\d3px32.dll (file missing)
O2 - BHO: Class - {4623E5AA-A481-42A8-431A-F4A828B026C8} - C:\WINNT\system32\crnw.dll (file missing)
O2 - BHO: Class - {47C152DB-AE7A-3E36-847C-F6C3371F19DC} - C:\WINNT\system32\msjv.dll (file missing)
O2 - BHO: Class - {4A9C09E1-BE38-5B61-F6B0-FC8C4F9B1F4B} - C:\WINNT\system32\sdkdz.dll (file missing)
O2 - BHO: Class - {522CB6F2-4EC1-3D01-1BA4-08731177DBEF} - C:\WINNT\system32\d3nk.dll (file missing)
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINNT\system32\mljji.dll
O2 - BHO: Class - {54066D1A-4314-BDDA-AF4C-7988FA7126F6} - C:\WINNT\system32\iedz32.dll (file missing)
O2 - BHO: Class - {55B83C66-7426-6E0B-D792-DCEDEF3235B8} - C:\WINNT\system32\ntlr.dll (file missing)
O2 - BHO: Class - {5B9FC8ED-09FA-DD7A-656B-A9B820722D8E} - C:\WINNT\apiit.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Class - {5E5DDEAA-B5C5-DA6C-D909-F69AC5959350} - C:\WINNT\system32\javasp32.dll (file missing)
O2 - BHO: Class - {6286962A-8362-F853-5123-9596EBAA02B1} - C:\WINNT\system32\ipxx.dll (file missing)
O2 - BHO: Class - {62AB99CC-091F-850A-E460-EABFEC3ADBD7} - C:\WINNT\crlu.dll (file missing)
O2 - BHO: Class - {7055D377-44A2-1793-E109-C6FE15F0A9AB} - C:\WINNT\system32\iers32.dll (file missing)
O2 - BHO: Class - {75F61DED-E153-F229-9AB9-8E94124F8BCC} - C:\WINNT\mfcwa.dll (file missing)
O2 - BHO: Class - {7B904279-FECE-5773-109E-6815C3C64301} - C:\WINNT\winnf32.dll (file missing)
O2 - BHO: Class - {7CCF032E-3929-94D8-3DD1-7627B255F03A} - C:\WINNT\system32\d3vb32.dll (file missing)
O2 - BHO: Class - {7E126171-1C59-6D31-9CD3-D456A5E3A506} - C:\WINNT\system32\windr32.dll (file missing)
O2 - BHO: Class - {849D7683-C485-1C1F-89B3-70721F4992F0} - C:\WINNT\addaq32.dll (file missing)
O2 - BHO: Class - {874130E9-74F4-92CF-5462-FF757D6E0958} - C:\WINNT\system32\javauq32.dll (file missing)
O2 - BHO: Class - {8F454325-0365-F6F8-102C-1E5865E5CFF6} - C:\WINNT\appoo.dll (file missing)
O2 - BHO: Class - {94B28763-2071-EE36-47DB-41FCF486D906} - C:\WINNT\system32\addhc32.dll (file missing)
O2 - BHO: Class - {97E13E93-404D-7B56-2E68-64A4233A09EC} - C:\WINNT\system32\apime32.dll (file missing)
O2 - BHO: Class - {9874A3A4-9A8B-4BC9-7D80-650C13E8DF47} - C:\WINNT\system32\sysvq32.dll (file missing)
O2 - BHO: Class - {9EE2E3C8-AEC4-B7AA-BD52-DD5683D56316} - C:\WINNT\system32\appkr32.dll (file missing)
O2 - BHO: Class - {A12EE654-124B-9F8F-8176-85CD983DE149} - C:\WINNT\ipil32.dll (file missing)
O2 - BHO: Class - {A16A2FEE-C4F4-AC59-72DD-E206DF7346F5} - C:\WINNT\system32\sysld.dll (file missing)
O2 - BHO: Class - {A4824BBF-1F31-D2A8-0B10-F18DC8B36A8F} - C:\WINNT\netay32.dll (file missing)
O2 - BHO: Class - {AEB83F78-1294-69C2-3DC3-67897E8D89B2} - C:\WINNT\system32\netqp32.dll (file missing)
O2 - BHO: Class - {AEF0D772-9A66-07AD-1543-16A1762F757D} - C:\WINNT\addfs32.dll (file missing)
O2 - BHO: Class - {AF4A207C-7B65-ED75-89CC-D0E5F2482316} - C:\WINNT\appmb32.dll (file missing)
O2 - BHO: Class - {B05401ED-FDEB-8A21-A5DA-21D057B7FF3C} - C:\WINNT\system32\msdr32.dll (file missing)
O2 - BHO: Class - {B4FBCE5E-0DE0-1F85-BBEE-94F8BB59715E} - C:\WINNT\system32\crhb.dll (file missing)
O2 - BHO: Class - {BA6B10FB-8ED9-41DC-2CBA-A8E1758AFF52} - C:\WINNT\system32\syspw.dll (file missing)
O2 - BHO: Class - {BD33F509-69D9-3D97-5169-D30E8D7C13C2} - C:\WINNT\system32\addkv32.dll (file missing)
O2 - BHO: Class - {BEFF86F7-0F01-F8C8-2D60-DE9E0AC52F70} - C:\WINNT\sdkqf32.dll (file missing)
O2 - BHO: Class - {C8A61254-758B-74CD-8265-94E2E2DE2D77} - C:\WINNT\atlsv.dll (file missing)
O2 - BHO: Class - {CE8BBD4B-3988-AAFE-F6B1-292789B605C6} - C:\WINNT\system32\appql.dll (file missing)
O2 - BHO: Class - {D06461BA-7139-C7D8-21C4-CDA52D19B793} - C:\WINNT\winry.dll (file missing)
O2 - BHO: Class - {D27BAD24-7587-9A8D-3226-239B86AA6E16} - C:\WINNT\apids32.dll (file missing)
O2 - BHO: Class - {E11BBE0A-102A-66F9-15F2-319B4EF4B065} - C:\WINNT\system32\atlca.dll (file missing)
O2 - BHO: Class - {E8D24001-B7AD-B035-877A-B914CF19AD59} - C:\WINNT\addat32.dll (file missing)
O2 - BHO: Class - {F15C2353-EE47-0DA4-3A48-92FD11BC5959} - C:\WINNT\winva32.dll (file missing)
O2 - BHO: Class - {F2529D81-E3AD-492D-C89C-FEDCDCEC1551} - C:\WINNT\system32\winbh.dll (file missing)
O2 - BHO: Class - {F2F8DD4A-9FFB-EABC-D625-4E2A75A166B2} - C:\WINNT\sysnn.dll (file missing)
O2 - BHO: Class - {F3E5AB9F-4002-F8ED-E625-FA38BE180B29} - C:\WINNT\javaea32.dll (file missing)
O2 - BHO: Class - {FBFFB061-1E0D-0C13-72CB-E938C5B7DE0C} - C:\WINNT\system32\msgp32.dll (file missing)
O2 - BHO: Class - {FF6C683B-4AB2-9CF1-5F23-8EC1A2F97B5A} - C:\WINNT\system32\msue32.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ntxw.exe] C:\WINNT\ntxw.exe
O4 - HKLM\..\Run: [msdr.exe] C:\WINNT\system32\msdr.exe
O4 - HKLM\..\Run: [mfcgs.exe] C:\WINNT\mfcgs.exe
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [mfcsp32.exe] C:\WINNT\system32\mfcsp32.exe
O4 - HKCU\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe /scan
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comne...iveSekurity.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

Check and fix ALL those O18 entries related to Logitech below, except for the first line (see below). Leave that entry unchecked:

O18 - Protocol: bw+0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: mljji - C:\WINNT\system32\mljji.dll

* After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
* Pressing any key will cause a 'Blue Screen of Death' this is normal, do not worry!
* Once your machine reboots please continue with the instructions below.

Download and install CleanUp! http://www.greyknigh...spy/CleanUp.exe

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click 'Options...'
Move the arrow down to 'Custom CleanUp!'
Put a check next to the following (Make sure nothing else is checked!):

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users

Click OK. Press the CleanUp! button to start the program.
It may ask you to reboot at the end, click NO.

Make sure that these files/folders are deleted by now (if they still exist, delete them yourself):

C:\WINNT\ntxw.exe
C:\WINNT\system32\msdr.exe
C:\WINNT\mfcgs.exe
C:\Program Files\XoftSpy\
C:\WINNT\system32\mfcsp32.exe
C:\Program Files\WinFixer 2005\

Then, please run an online virus scan at ActiveScan http://www.pandasoft.../activescan.htm

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.

#3
ehall

Posted 18 October 2005 - 12:09 AM

Member

Topic Starter
Member
10 posts

Okay. I got to the step where I run a virus scan using activescan.
It begins its scan as normal. the scan then freezes and feezes my whole comuter once it hits the following item. C:\WINNT\system32\ntdll.dll I've attempted to run this scan five or more times, always with the exact same result. It freezes the machine and requires that I actually unplug it to reboot. Where do we go from here? TIA.

#4
greyknight17

Posted 18 October 2005 - 03:47 PM

Malware Expert

Visiting Consultant
16,560 posts

Panda has been having problems with their servers lately and I think it may be related. Do this instead:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net...wnload/updates/ to update manually.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode (if you don't know how, go to http://www.bleepingc...showtutorial=61 ).

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Now open Ewido and do a scan on your system.

* Click on scanner.
* Click on 'Complete System Scan' and the scan will begin.
* While the scan is in progress you will be prompted to clean the first infected file it finds. Choose 'Remove', then put a check next to 'Perform action on all infections' in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.
* Once the scan has completed, there will be a button located on the bottom of the screen named 'Save report'.
* Click 'Save report'.
* Save the report to your desktop.

Restart your computer. Post the logs for HijackThis, Ewido and the vundofix.txt file.

#5
ehall

Posted 18 October 2005 - 04:50 PM

Member

Topic Starter
Member
10 posts

A quick question. I currently have Ewido installed on my computer. I also have Cleanup. I have been using them both for a while. Would you like me to remove them both and download them agin to ensure it's done specifically the way you asked?

#6
greyknight17

Posted 18 October 2005 - 05:52 PM

Malware Expert

Visiting Consultant
16,560 posts

You may just check for any updates for Ewido...then run it in Safe Mode and save the report. Boot back to Normal Mode and post the Ewido report here along with a new HijackThis log and the vundofix.txt log.

#7
ehall

Posted 18 October 2005 - 07:28 PM

Member

Topic Starter
Member
10 posts

logs as requested

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:16:12 PM, 10/18/2005
+ Report-Checksum: A3DB7A17

+ Scan result:

C:\WINNT\Downloaded Program Files\UWFX5RS_0001_0808NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup
C:\WINNT\system32:vpaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\WINNT\system32\drivers\df_kmd.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup

::Report End

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINNT\system32\ijjlm.*

The second filepath entered was C:\WINNT\sytem32\mljji.dll

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------

Killing PID 160 'smss.exe'

Killing PID 804 'explorer.exe'

Killing PID 240 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINNT\system32\ijjlm.* Deleted sucessfully.
C:\WINNT\sytem32\mljji.dll Deleted sucessfully.

Fixing Registry
------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:20:54 PM, on 10/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\netdde.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\system32\clipsrv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\svchost.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINNT\system32\msiexec.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\sessmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\wbem\wmiapsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dmadmin.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Common Files\AOL\1097525485\ee\AOLHostManager.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\AOL\1097525485\ee\AOLServiceHost.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\program files\common files\aol\1097525485\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fccj.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.se1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.se1.attbb.net

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AudioHQU] C:\Program Files\Creative\SBAudigy\AudioHQ\AHQTBU.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1097525485\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [waol.exe] C:\Program Files\America Online 9.0e\waol.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [MPFEXE] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [UltimateBuddy] C:\Program Files\UltimateBuddy\UltimateBuddy.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.co...GenXInstall.cab
O16 - DPF: {405BBF5B-2FD8-4614-AC51-D8566F635B94} (SafeWallet Class) - http://idsm.citadelp...s/WalletCab.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...99/mcinsctl.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.co...InstallAsst.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...tzip/RdxIE6.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.na...pdatePortal.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {7160FB1B-3DE0-4C42-81F0-41B4269990B0} (MSN Money Ticker) - http://fdl.msn.com/p.../v12/ticker.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.146.72.210...sCamControl.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.co...ts/DeltaCVX.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.co...oaderSigned.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...534/mcfscan.cab
O18 - Protocol: bw+0 - {496304C5-7AB1-4614-B468-F503A427C7FB} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

There you go. Again, Thanks. E

#8
greyknight17

Posted 18 October 2005 - 10:16 PM

Malware Expert

Visiting Consultant
16,560 posts

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

#9
ehall

Posted 19 October 2005 - 01:43 AM

Member

Topic Starter
Member
10 posts

Looks like you've got it. The only issue I have left is a fragment problem in system32. Who can I talk to here that might help me straighten that out? Otherwise, I'm good to go. Thank you very much. E.

#10
greyknight17

Posted 19 October 2005 - 04:03 PM

Malware Expert

Visiting Consultant
16,560 posts

Fragment? Try asking this in the Windows Forum.

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.