
An Absolute Mess [RESOLVED]



#31
grudz4prez
  • Topic Starter
  • Member
  • 46 posts
Logfile of HijackThis v1.99.1
Scan saved at 11:01:38 AM, on 7/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\AOL\1102131130\ee\AOLSoftware.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
c:\program files\common files\aol\1102131130\ee\aolsoftware.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Hijackthis\fluffybunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Charles\Application Data\Mozilla\Profiles\default\euyuxbf0.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: C:\WINDOWS\lbbho.dll - {E2EED4CE-4723-44E7-8778-D6D2077B05BE} - C:\WINDOWS\lbbho.dll (file missing)
O2 - BHO: (no name) - {E446CA55-3492-4015-844D-645955F72951} - C:\WINDOWS\system32\mljjj.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102131130\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Registry Toolkit] C:\Program Files\Registry Toolkit\RegToolkit.exe /scan
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Qgevq] C:\WINDOWS\SYSTEM32\?icrosoft.NET\wuauboot.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://www.imgag.com...tall/AxCtp2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DED4415-9792-4E32-A720-1B988D69DB7A}: NameServer = 71.250.0.12 68.237.161.12
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#32
htv8
  • Member
  • 110 posts
Hello grudz4prez, and sorry for the little delay. Good job so far! :whistling:

I uploaded the file....the first one could not be found and the second f-fix program said it couldn't find anything. [...]

OK. No worries.

How do I check if I have admin rights? [...]

Are you an administrator of the computer? Your computer’s default Administrator account gives full control over all of its settings. To make sure that you have admin rights on your machine:
1. Go to Start > Control Panel > User Accounts.
2. Below your username, you should either see Limited account or Computer administrator.
3. Make sure that your account is classed as "Computer administrator".
NOTE: If your account is limited, you cannot install software or change certain settings!

[...]
Also, how do I proceed with downloading the fixes for this computer if it's offline?

If possible, it's best to download the required tools and instructions using another computer. Then copy/paste the required tools to the infected computer using e.g. a floppy disk or a USB device...

Question: Have you had BearShare installed previously? Or did you install it during our fix? Please do not install any programs whilst we fix your computer from now on: even the smallest of programs can wreak havoc.

In this post, I want you to try getting into Safe Mode again and run SDFix. If you still cannot get into Safe Mode, skip the SDFix part (Step #1) and continue with the rest of the instructions. Let me know if you were able to get into Safe Mode again, please. :blink:
______________________________________________________________________________

Please print out or copy this page to Notepad. This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is NOT available. A print out of the instructions would be a good reference to make sure you don't get lost. You may also like to save these instructions in Word/Notepad to the Desktop where they can be easily found for the same reasons as above.
Also make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1: Download and run SDFix
Download SDFix by clicking the download link below and save it to your Desktop.
Download SDFix (SDFix.exe)

Once downloaded, double-click SDFix.exe and it will extract the files to %systemdrive%, the drive that contains the Windows directory (typically C:\SDFix). Do NOT use SDFix yet.

Reboot your computer into SAFE MODE. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.


When in Safe Mode, please follow these steps:
1. Open the SDFix folder and double-click RunThis.bat to start the script.
2. Type Y to begin the cleanup process.
SDFix will remove any trojan services or registry entries that it finds and prompt you to press any key to reboot.
3. Press any key and it will restart the PC.
When the PC restarts, the fixtool will run again and complete the removal process.
4. When it then displays "Finished!", press any key to end the script and load your Desktop icons.
Once the Desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt. (Report.txt will also be copied to the clipboard ready for posting back on the forum.)
5. Please copy and paste the entire contents of the results file (Report.txt) in your next reply.

Step #2: Fix HijackThis entries
Scan again with HijackThis. Put a checkmark by these entries if they are present, double-checking to be sure that only these entries are checked:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: C:\WINDOWS\lbbho.dll - {E2EED4CE-4723-44E7-8778-D6D2077B05BE} - C:\WINDOWS\lbbho.dll (file missing)
O2 - BHO: (no name) - {E446CA55-3492-4015-844D-645955F72951} - C:\WINDOWS\system32\mljjj.dll (file missing)
O4 - HKCU\..\Run: [Qgevq] C:\WINDOWS\SYSTEM32\?icrosoft.NET\wuauboot.exe


The O6 entry in your HijackThis log corresponds to restricted access to the Internet Options from within Internet Explorer or the Control Panel. If you or an administrator did NOT set this option on purpose, and you have NOT used certain features in the Immunize section of Spybot - Search & Destroy, you can safely put a checkmark by this entry as well if it is present:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Now close all other windows - you should only see HijackThis on your Desktop - and then click the Fix checked button.

Step #3: Delete certain folders
If not already enabled, please follow these steps to enable the viewing of hidden files in Windows XP:
1. Close all programs so that you are at your Desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and then click on the menu option labelled "Folder Options".
4. After the new window appears select the View tab.
5. Remove the checkmark from the checkbox labelled "Hide file extensions for known file types".
6. Remove the checkmark from the checkbox labelled "Hide protected operating system files".
7. Select the radio button labelled "Show hidden files and folders".
8. Press the Apply button and then press the OK button and shutdown My Computer.

Your computer is now configured to show all hidden system files and folders.

Only if you uninstalled Viewpoint as recommended, please delete these folders if they are present using Windows Explorer (to get there, right-click your Start button and go to Explore):
C:\Program Files\Viewpoint <-- this folder
C:\Documents and Settings\Charles\Application Data\Viewpoint <-- this folder

Step #4: Remove files/folders/registry entries with ComboFix
Download the most recent version of ComboFix to your Desktop. Remove any old copies of ComboFix you may have saved. It is important to have the most recent version as ComboFix is updated almost daily.
Download ComboFix (ComboFix.exe)

When the file has finished downloading, copy the entire contents inside the CODE box below into Notepad. Then click File > Save and save as ComboFix-Do.txt to the Desktop.
File::
C:\WINDOWS\system32\jjjlm.tmp
C:\WINDOWS\lbbho.dll
C:\WINDOWS\system32\mljjj.dll
C:\WINDOWS\system32\tmp.reg
C:\Documents and Settings\Charles\Start Menu\Programs\Startup\PowerReg SchedulerV2.exe
C:\WINDOWS\avserve.exe
C:\WINDOWS\system32\msblast.exe

Folder::
C:\Program Files\Mirar Toolbar
C:\WINDOWS\Q2hhcmxlcw
C:\WINDOWS\system32\G4
C:\WINDOWS\system32\G3
C:\WINDOWS\system32\G2
C:\WINDOWS\system32\G1
C:\Temp
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TFTP1072
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TFTP3920

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TFTP1072]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TFTP3920]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Charles^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avserve.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows auto update]
WARNING: The above script was created specifically for this user. If you are not this user, do NOT use this script as it could damage the workings of your system.

Go to the Desktop and drag ComboFix-Do.txt into ComboFix.exe (see screenshot below).
[screenshot: ComboFix-Do.txt being dragged onto ComboFix.exe]
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

Step #5: Create and execute a .bat file to provide folder contents information
Copy the entire contents inside the CODE box below into Notepad. Then click File > Save and save as findfoldercontents.bat (save as type: All files) to the Desktop.
@echo off
rem List the contents of each suspect folder (all attributes, recursive,
rem with 8.3 short names shown) into its own temporary text file.
dir \1ef70a76a66d3c174fc6e04400c886 /a h /s /x > list1.txt
dir "\Program Files\NFSL" /a h /s /x > list2.txt
dir \WINDOWS\pss /a h /s /x > list3.txt
dir "\WINDOWS\system32\*icrosoft.NET" /a h /s /x > list4.txt
rem Join the four listings into FoundFiles.txt and remove the temporaries.
copy list1.txt+list2.txt+list3.txt+list4.txt = FoundFiles.txt
del list1.txt
del list2.txt
del list3.txt
del list4.txt
rem Open the combined report so it can be copied into the reply.
Notepad FoundFiles.txt
Go to the Desktop and double-click findfoldercontents.bat. Notepad will now open up with the results (some text and numbers). Copy the entire contents of that file and post them here as a reply to this post.

Step #6: Re-scan with HijackThis
Scan with HijackThis again and post a new HijackThis log.
______________________________________________________________________________

So in your next reply, please post the entire contents of:
- ComboFix.txt
- FoundFiles.txt (the findfoldercontents.bat execution results)
- a new HijackThis log
NOTE: Use several posts if necessary to include everything in the requested logs.
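A small triage helper for log lines in the HijackThis format shown in post #31, written as an added example for this thread (it is not a tool from the forum, from htv8, or from HijackThis itself): it flags the same kinds of entries the helper singled out in Step #2, namely orphaned "(file missing)" / "(no file)" references, unnamed add-ons, blanked search settings, a directory name containing a character HijackThis could not print, and services with no publisher name. The section prefixes and markers are as they appear in the log; the review rules themselves are this example's assumptions, not HijackThis logic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: a handful of lines taken from the HijackThis log in post #31.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E446CA55-3492-4015-844D-645955F72951} - C:\WINDOWS\system32\mljjj.dll (file missing)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Qgevq] C:\WINDOWS\SYSTEM32\?icrosoft.NET\wuauboot.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
"""

ORPHAN_MARKERS = ("(file missing)", "(no file)")
SECTION_RE = re.compile(r"^([RFNO]\d{1,2}) - ")
# HijackThis prints a character it cannot render as "?", so a "?" (or any
# non-printable byte) inside a directory name means the folder is not the
# plain-ASCII name it imitates ("?icrosoft.NET" is not "Microsoft.NET").
LOOKALIKE_RE = re.compile(r"[?]|[^\x20-\x7e]")
# Executable named by an O4 Run entry: the text after "[name]", optionally quoted.
O4_EXE_RE = re.compile(
    r'\]\s+"?([A-Za-z%][^"]*?\.(?:exe|dll|bat|cmd|vbs|scr|pif|com))"?', re.I)


@dataclass
class Finding:
    section: str        # HijackThis section prefix, e.g. "O4"
    reasons: List[str]  # why the entry deserves a closer look
    line: str           # the original log line


def section_of(line: str) -> Optional[str]:
    m = SECTION_RE.match(line)
    return m.group(1) if m else None


def referenced_path(section: str, line: str) -> Optional[str]:
    """Best-effort extraction of the file an entry points at (None if none)."""
    if section == "O4":
        m = O4_EXE_RE.search(line)
        return m.group(1) if m else None
    if section in ("O2", "O3", "O9", "O20", "O23"):
        tail = line.rsplit(" - ", 1)[-1]
        for marker in ORPHAN_MARKERS:
            tail = tail.replace(marker, "")
        return tail.strip() or None
    return None


def triage(log_text: str) -> List[Finding]:
    """Return the entries a helper would want to review, each with its reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        section = section_of(line)
        if not section:
            continue  # header lines, the "Running processes:" block, blanks
        reasons = []
        if any(m in line for m in ORPHAN_MARKERS):
            reasons.append("orphaned entry: the referenced file no longer exists")
        if section in ("O2", "O3") and "(no name)" in line:
            reasons.append("unnamed browser add-on")
        if section in ("R0", "R1") and line.endswith(("=", "about:blank")):
            reasons.append("browser search/start setting blanked out")
        path = referenced_path(section, line)
        if path and LOOKALIKE_RE.search(path):
            reasons.append("unprintable or lookalike character in path")
        if section == "O23" and "Unknown owner" in line:
            reasons.append("service has no publisher name")
        if section == "O6":
            reasons.append("Internet Options restricted by policy; confirm it was set on purpose")
        if reasons:
            findings.append(Finding(section, reasons, line))
    return findings


def fix_list(log_text: str) -> List[str]:
    """The flagged lines in log order, i.e. candidates for 'Fix checked'."""
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {'; '.join(f.reasons)}\n    {f.line}")
```

Entries such as the Adobe BHO and the QuickTime Run key pass through untouched, so the output is a short review list rather than a verdict on every line.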

#33
grudz4prez
  • Topic Starter
  • Member
  • 46 posts
Hi... checked the admin... and I'm the admin. Oddly enough, there was one that says ASP.Net account as well. What's that?

As for BearShare... it was on my PC a long time ago because my job requested that we use it for some reason. I hated it and I thought I got rid of it. Trust me... not trying to install anything at this point. :whistling:

And no safe mode still. Still get the BSOD and I didn't check that O6...I have used Spybot...

Edited by grudz4prez, 19 July 2007 - 09:10 PM.


#34
grudz4prez
  • Topic Starter
  • Member
  • 46 posts
"Charles" - 2007-07-19 23:17:31 - ComboFix 07-07-14.6 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Charles\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Temp
C:\WINDOWS\Q2hhcmxlcw
C:\WINDOWS\Q2hhcmxlcw\asappsrv.dll
C:\WINDOWS\Q2hhcmxlcw\command.exe
C:\WINDOWS\Q2hhcmxlcw\kZ11wAU5wT.vbs
C:\WINDOWS\system32\G1
C:\WINDOWS\system32\G1\wbb22.exe
C:\WINDOWS\system32\G2
C:\WINDOWS\system32\G2\wen2.exe
C:\WINDOWS\system32\G3
C:\WINDOWS\system32\G3\wr620.exe
C:\WINDOWS\system32\G4
C:\WINDOWS\system32\G4\mwspasrt83122.exe
C:\WINDOWS\system32\tmp.reg


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((( Files Created from 2007-06-20 to 2007-07-20 )))))))))))))))))))))))))))))))


2007-07-10 09:16 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-10 00:20 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
2007-07-08 00:07 <DIR> d-------- C:\VundoFix Backups
2007-07-04 22:38 <DIR> d-------- C:\DOCUME~1\Charles\APPLIC~1\ListInstalls
2007-07-03 14:13 <DIR> d-------- C:\Deckard
2007-07-02 09:54 <DIR> d-------- C:\Program Files\Dynamic Toolbar
2007-06-26 11:57 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-06-23 20:13 <DIR> d-------- C:\DOCUME~1\Charles\APPLIC~1\acccore
2007-06-23 20:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-06-23 20:10 <DIR> d-------- C:\Program Files\AIM6
2007-06-21 23:08 <DIR> d-------- C:\Program Files\QuickTime


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-20 03:33:18 1,132 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG
2007-07-10 04:38:15 264,428 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT
2007-07-10 04:08:48 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-08 03:54:54 -------- d-----w C:\Program Files\AIM95
2007-07-08 03:54:20 -------- d-----w C:\DOCUME~1\Charles\APPLIC~1\Aim
2007-07-08 03:52:43 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-08 03:52:43 -------- d-----w C:\Program Files\EACOM
2007-07-06 15:17:57 -------- d-----w C:\Program Files\NFSL
2007-07-06 03:16:19 18,144 -c--a-w C:\WINDOWS\mozver.dat
2007-07-04 00:04:02 -------- d-----w C:\Program Files\Ares
2007-06-26 17:03:10 -------- d-----w C:\Program Files\Winamp
2007-06-26 16:56:29 -------- d-----w C:\Program Files\Netropa
2007-06-26 16:52:26 -------- d-----w C:\Program Files\iTunes
2007-06-26 16:50:14 -------- d-----w C:\Program Files\DIGStream
2007-06-24 16:21:47 181,112 -c--a-w C:\DOCUME~1\Charles\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-06-09 15:33:19 -------- d-----w C:\Program Files\Common Files\Scanner
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2004-01-25 17:39:46 560 -c--a-w C:\Program Files\Global.sw


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-01-12 20:38 63128 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-C0FF-FD60B590A87D}]
2003-12-01 22:56 784384 --a------ C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-06-14 18:32 509592 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]
2001-07-25 12:00 143420 --a------ C:\Program Files\Microsoft Money\System\mnyviewer.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-05-18 14:49]
"HostManager"="C:\Program Files\Common Files\AOL\1102131130\ee\AOLSoftware.exe" [2006-09-25 20:52]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-06-05 23:26]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-20 14:41]
"Registry Toolkit"="C:\Program Files\Registry Toolkit\RegToolkit.exe" []
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2005-06-03 08:16]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-06-14 18:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Camio Viewer 2000.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Camio Viewer 2000.lnk
backup=C:\WINDOWS\pss\Camio Viewer 2000.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
backup=C:\WINDOWS\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Charles^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=C:\Documents and Settings\Charles\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=C:\WINDOWS\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM95\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTouch]
C:\WINDOWS\MMKeybd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Weather 3]
C:\PROGRA~1\THEWEA~1\The Weather Channel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
C:\Program Files\Kazaa\kazaa.exe /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mozilla Quick Launch]
"C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\POINTER]
point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\Winampa.exe"


Contents of the 'Scheduled Tasks' folder
2007-07-20 02:45:03 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2002-03-13 06:21:20 C:\WINDOWS\tasks\ISP signup reminder 2.job
2002-03-13 06:21:21 C:\WINDOWS\tasks\ISP signup reminder 3.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-19 23:47:32
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-20 6:36:33 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-20 06:29
C:\ComboFix2.txt ... 2007-07-10 09:50

--- E O F ---

#35 grudz4prez (Topic Starter, Member, 46 posts)

Volume in drive C has no label.
Volume Serial Number is 005E-05FC

Directory of C:\1ef70a76a66d3c174fc6e04400c886

06/26/2007 12:03 PM <DIR> .
06/26/2007 12:03 PM <DIR> ..
06/05/2007 11:38 PM 96,216 mrtstub.exe
1 File(s) 96,216 bytes
Volume in drive C has no label.
Volume Serial Number is 005E-05FC

Directory of C:\Program Files\NFSL

07/06/2007 11:17 AM <DIR> .
07/06/2007 11:17 AM <DIR> ..
03/08/2007 10:51 PM 27,520 BBD020.RTF
09/10/2005 08:58 PM 27,314 BBD046.RTF
03/19/2005 10:47 PM 2,244 BBFA04~1.HTM BBFA046.HTML
06/30/2007 02:56 PM 87 BBLAST~1.102 BBLast.1020
07/18/2007 09:55 AM 109 BBLAST~2.104 BBLast.1044
07/12/2007 09:08 AM 117 BBLAST~1.104 BBLast.1046
10/20/2005 08:01 PM 143 BBLAST~1.120 BBLast.1202
07/10/2007 06:47 PM 2 BBNotes
07/13/2006 01:30 AM 58,758 BBR044~1.HTM BBR04414.HTML
07/13/2006 01:31 AM 57,962 BBR046~1.HTM BBR04614.HTML
10/02/2005 03:34 PM 12,099 BBRUL046.RTF
08/14/2006 09:51 PM 3,438 BBT020~1.HTM BBT020.HTML
08/14/2006 09:49 PM 3,404 BBT044~1.HTM BBT044.HTML
08/14/2006 09:52 PM 3,393 BBT046~1.HTM BBT046.HTML
07/06/2007 11:17 AM 154 CUSTOM~1.DAT CustomMsg.Dat
03/19/2005 10:48 PM 5,587 DRAFTG~1.RTF DraftGuidelines.rtf
04/09/2002 10:51 PM 20 EMAILA~1 emailaddress
07/19/2007 10:13 PM 7 MsgLast
03/06/2003 05:53 PM 2,682 Myprefs.BB
02/14/2007 02:07 PM 2,277,376 NFSL.exe
06/18/2006 10:14 PM 37,601 nfsl.jpg
02/14/2007 02:07 PM 20,480 nfslinst.exe
12/25/2006 12:31 PM 2,277,376 NFSLOLD.exe
04/16/2006 07:09 PM 586,240 nfslupdt.exe
07/19/2007 10:47 PM 13,088 TEAMSALE.HTM
03/24/2007 05:11 PM 69,383 Temp.RTF
26 File(s) 5,486,584 bytes
Volume in drive C has no label.
Volume Serial Number is 005E-05FC

Directory of C:\WINDOWS\pss

07/16/2006 01:18 PM <DIR> .
07/16/2006 01:18 PM <DIR> ..
03/05/2002 09:39 AM 831 AMERIC~1.LNK America Online 7.0 Tray Icon.lnkCommon Startup
02/14/2007 07:54 PM 211 BOOTIN~1.BAC boot.ini.backup
03/05/2002 09:37 AM 916 CAMIOV~1.LNK Camio Viewer 2000.lnkCommon Startup
04/07/2002 06:56 PM 893 EPSONS~1.LNK EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup
05/06/2002 09:48 AM 1,725 MICROS~2.LNK Microsoft Office.lnkCommon Startup
11/15/2001 10:18 AM 875 MICROS~1.LNK Microsoft Works Calendar Reminders.lnkCommon Startup
02/27/2005 07:22 PM 1,486 ROLLER~1.LNK RollerCoaster Tycoon 3 Registration.lnkStartup
11/15/2001 09:23 AM 231 SYSTEM~1.BAC system.ini.backup
08/01/2003 12:00 PM 0 TFTP10~1 TFTP1072Common Startup
08/08/2003 07:33 AM 0 TFTP39~1 TFTP3920Common Startup
06/19/2003 10:09 AM 754 WININI~1.BAC win.ini.backup
11 File(s) 7,922 bytes
Volume in drive C has no label.
Volume Serial Number is 005E-05FC


#36 grudz4prez (Topic Starter, Member, 46 posts)

Re NFSL:
NFSL is a fantasy baseball company based in Hartselle, Alabama... the NFSL software is the operating program for all of their different leagues.

#37 htv8 (Member, 110 posts)

Thanks for the logs. Can you also please post a new HijackThis log? :whistling:

#38 grudz4prez (Topic Starter, Member, 46 posts)

Don't know how I forgot that...so sorry!

Logfile of HijackThis v1.99.1
Scan saved at 7:15:09 PM, on 7/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\AOL\1102131130\ee\AOLSoftware.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
c:\program files\common files\aol\1102131130\ee\aolsoftware.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
C:\Program Files\Hijackthis\fluffybunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Charles\Application Data\Mozilla\Profiles\default\euyuxbf0.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102131130\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Registry Toolkit] C:\Program Files\Registry Toolkit\RegToolkit.exe /scan
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://www.imgag.com...tall/AxCtp2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DED4415-9792-4E32-A720-1B988D69DB7A}: NameServer = 71.250.0.12 68.237.161.12
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Are we making progress?
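As an added example that is not part of this thread and is not HijackThis's own code, here is a small Python triage script for a HijackThis v1.99.1 log like the one posted above: it parses the "Oxx - ..." entry lines and flags what a reviewer checks first, namely targets marked (no file) or (file missing), O23 services with no recorded owner, and the O17 NameServer addresses to compare against the ISP's. The sample log is constructed from lines in this thread; the function and class names are my own.

```python
"""Added example: triage of HijackThis v1.99.1 log lines (not HijackThis code).

The log format is one entry per line, "<section code> - <body>", e.g.
"O23 - Service: <name> (<short name>) - <owner> - <image path>".
The script only reads the log; it removes nothing.
"""
import re
from dataclasses import dataclass, field

# Section code (O2, O23, R0, N3 ...) followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (.+)$")


@dataclass
class Finding:
    code: str
    reasons: list
    line: str


@dataclass
class Triage:
    findings: list = field(default_factory=list)
    name_servers: list = field(default_factory=list)  # O17 DNS servers, for review
    entries_per_code: dict = field(default_factory=dict)


def parse_entries(log_text):
    """Yield (code, body, line) for each 'Oxx - ...' entry; skip headers and process lists."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("code"), m.group("body"), line


def missing_target_reason(body):
    """Reason string if HijackThis could not find the entry's target, else None."""
    if "(no file)" not in body and "(file missing)" not in body:
        return None
    if "%" in body:
        # HijackThis 1.99.1 does not expand %windir% and friends, so a
        # Windows entry such as xpnetdiag.exe shows as missing: verify first.
        return ("target not found, but the path uses an environment variable; "
                "likely a false positive, verify before removing")
    return "target file is not on disk: orphaned entry, usual removal candidate"


def triage_log(log_text):
    """Collect review findings from a HijackThis log; returns a Triage."""
    t = Triage()
    for code, body, line in parse_entries(log_text):
        t.entries_per_code[code] = t.entries_per_code.get(code, 0) + 1
        reasons = []
        reason = missing_target_reason(body)
        if reason:
            reasons.append(reason)
        if code == "O23" and "Unknown owner" in body:
            reasons.append("service binary has no publisher recorded: check its signature and path")
        if code == "O17":
            m = NAMESERVER_RE.search(body)
            if m:
                t.name_servers.extend(m.group(1).split())
        if reasons:
            t.findings.append(Finding(code, reasons, line))
    return t


# Constructed sample: a handful of lines taken from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DED4415-9792-4E32-A720-1B988D69DB7A}: NameServer = 71.250.0.12 68.237.161.12
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG)
    for f in result.findings:
        print(f.code, "|", "; ".join(f.reasons))
        print("   ", f.line)
    print("O17 DNS servers to verify against the ISP's:", result.name_servers)
```

Run it against a full pasted log to get the short list of entries worth a closer look; entries it does not flag still need the usual manual review.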

#39 htv8 (Member, 110 posts)

Hello again, and thanks for bearing with me!

[...] oddly enough, there was one that says ASP.Net account as well. What's that?

The ASP.NET account is created automatically during the installation of Microsoft .Net Framework 1.1. No need to worry about this account's presence: it was not created in any malicious way. The ASP.NET account only has limited permissions and it doesn't allow any remote/interactive login, thus it can't be used by other individuals or by Microsoft itself.

[...]

As for Bear Share...it was on my pc a long time ago because my job requested that we use it for some reason. I hated it and I thought I got rid of it. Trust me...not trying to install anything at this point. :blink:

And no safe mode still. Still get the BSOD and I didn't check that O6...I have used Spybot...

OK. Thanks for letting me know.

[...]

Are we making progress?

We are making good progress! :whistling: Can you tell me how your computer is running please? Is it running better already?
______________________________________________________________________________

Please print out or copy this page to Notepad.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1: Remove files/folders/registry entries with ComboFix
Please download the most recent version of ComboFix to your Desktop. Remove any old copies of ComboFix you may have saved. It is important to have the most recent version as ComboFix is updated almost daily.
Download ComboFix (ComboFix.exe)

When the file has finished downloading, copy the entire contents inside the CODE box below into Notepad. Then click File > Save and save as ComboFix-Do.txt to the Desktop.
Folder::
C:\VundoFix Backups
C:\Program Files\BearShare
C:\Program Files\Kazaa
C:\1ef70a76a66d3c174fc6e04400c886
C:\WINDOWS\pss\TFTP1072Common Startup
C:\WINDOWS\pss\TFTP3920Common Startup

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
WARNING: The above script was created specifically for this user. If you are not this user, do NOT use this script as it could damage the workings of your system.

Go to the Desktop and drag ComboFix-Do.txt onto ComboFix.exe (see the screenshot in my previous post).
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

Step #2: Create & execute exportservice.bat
Copy the entire contents inside the CODE box below into Notepad. Then click File > Save and save as exportservice.bat (save as type: All files) to the Desktop.
@echo off
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nm /s > c:\nm.txt
Notepad c:\nm.txt
Go to the Desktop and double-click exportservice.bat. Notepad will now open up with the results (some text and numbers). Copy the entire contents of that file and post them here as a reply to this post.

Step #3: Scan with AVG Anti-Spyware
Please download AVG Anti-Spyware v7.5 from the link below and save it to your Desktop.
Download AVG Anti-Spyware 7.5

After download, follow these steps to install AVG Anti-Spyware:
1. Double-click on the file to launch the install process.
2. Choose a language, click OK and then click Next.
3. Read the License Agreement and click I Agree.
4. Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5. Click Next, then click Install.
5. After setup completes, click Finish to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your Desktop or in the system tray.

Before running AVG Anti-Spyware, it is mandatory that you update its definition files. Please follow these steps to update AVG Anti-Spyware 7.5:
1. Start AVG Anti-Spyware.
2. Click the Update icon at the top of the screen.
3. On the newly presented screen, click the Start Update button. The update process will start. Wait until you see the "Update successful" message.
NOTE: If you are experiencing problems with the updater, manually update with the AVG Anti-Spyware Full database installer from http://www.ewido.net...wnload/updates/.
4. Exit AVG Anti-Spyware.

Now scan with AVG Anti-Spyware as follows:
1. Close all windows so that you have nothing open and launch AVG Anti-Spyware by double-clicking the icon on your Desktop.
2. Click the Scanner icon at the top of the screen and choose the Settings tab.
3. Under "How to act?", click on the link named "Recommended actions" and choose Quarantine to set default action for detected malware.
4. Under "How to scan?", "Possibly unwanted software:", and "What to scan?" leave all default settings.
5. Under "Reports:", select the radio button labelled "Automatically generate report after every scan" and UNcheck the checkbox labelled "Only if threats were found".
6. Click the Scan tab to return to scanning options.
7. Click the Complete System Scan and AVG Anti-Spyware will begin the scanning process. NOTE: Be patient as this may take some time.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.
When the scan has finished, AVG Anti-Spyware will list any infections found on the left-hand side. It should automatically set the recommended action to Quarantine--if not, click on Recommended Action and set it there.
8. Click the Apply all actions button to place the files in Quarantine.

IMPORTANT: Do NOT save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the Apply all actions button.
Generate a report for review as follows:
1. Click on the Save Report button to view all completed scans. Click on the most recent scan you just performed and click Save Report As. Save to your Desktop.
NOTE: The default filename will be in date/time format as follows: Report-Scan-yyyymmdd-hhmmss.txt. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\.
2. Exit AVG Anti-Spyware.
3. Submit the log report in your next response.

NOTE: AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30-day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner or you may purchase a license to use the full version.

Step #4: Download and run F-Secure Blacklight to scan for rootkits
Please download F-Secure Blacklight from the download link below and save it to your C:\ drive.
Download F-Secure Blacklight (fsbl.exe)

Now please perform these instructions to run F-Secure Blacklight:
1. Go to Start > Run.
2. In the Open: field type cmd and press the OK button.
3. Type or copy/paste the entire contents inside the QUOTE box below in the Command Prompt window:
C:\fsbl.exe /expert
4. Hit Enter to start the program and then close the cmd box.
5. Review and then accept the user agreement by selecting the radio button labelled "I accept the agreement".
6. Click Next.
7. Click Scan.
8. After the scan is complete, click Next, then Exit.
F-Secure BlackLight will create a log on the C:\ drive named fsbl-xxxxxxx.log. (The xxxxxxx will be the date and time of the scan.)
The log will have a list of all items found. Do NOT choose to rename any yet! I want to see the log first as files found may be legitimate.
9. Exit F-Secure Blacklight and post the contents of the log in your next reply.

Step #5: Rescan with HijackThis
Scan with HijackThis again and post a new HijackThis log.
______________________________________________________________________________

So in your next reply, please post the entire contents of:
- ComboFix.txt
- the exportservice.bat execution results
- the AVG Anti-Spyware scan report
- the F-Secure Blacklight report
- a new HijackThis log
NOTE: Use several posts if necessary to include everything in the requested logs.

#40 grudz4prez (Topic Starter, Member, 46 posts)

The computer is def. running better. Couple of questions though...what is Command Services? Why does AOL-spyware thing keep blocking it? Also...how do I get rid of the AOL spyware??

When I ran the combofix...Panda kept blocking the regedit...no matter how many times I would allow the connection. Is there a way I can not have Panda run on startup on only when I open the program? I looked around for it but was unable to find it.

Here's the combofix log:

"Charles" - 2007-07-22 10:44:56 - ComboFix 07-07-14.6 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Charles\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\1ef70a76a66d3c174fc6e04400c886
C:\1ef70a76a66d3c174fc6e04400c886\mrtstub.exe
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\ajpkorpe.dll.bad
C:\VundoFix Backups\akmnanga.exe.bad
C:\VundoFix Backups\avldr.dll.bad
C:\VundoFix Backups\bcaohjbu.dll.bad
C:\VundoFix Backups\bflnogjy.dll.bad
C:\VundoFix Backups\caritscm.ini.bad
C:\VundoFix Backups\cgwfdldh.ini.bad
C:\VundoFix Backups\ddcccyx.dll.bad
C:\VundoFix Backups\ddcyxur.dll.bad
C:\VundoFix Backups\eprokpja.ini.bad
C:\VundoFix Backups\fcccdbc.dll.bad
C:\VundoFix Backups\fyfkcppq.ini.bad
C:\VundoFix Backups\hdldfwgc.dll.bad
C:\VundoFix Backups\hufddcom.dll.bad
C:\VundoFix Backups\husqwrlt.dll.bad
C:\VundoFix Backups\iwnidjhg.exe.bad
C:\VundoFix Backups\jjjlm.bak1.bad
C:\VundoFix Backups\jjjlm.bak2.bad
C:\VundoFix Backups\jjjlm.ini.bad
C:\VundoFix Backups\jnjsswpm.dll.bad
C:\VundoFix Backups\jvcvnciu.dll.bad
C:\VundoFix Backups\khsqycvl.dll.bad
C:\VundoFix Backups\kmwybtkl.ini.bad
C:\VundoFix Backups\lfdsogxy.exe.bad
C:\VundoFix Backups\lktbywmk.dll.bad
C:\VundoFix Backups\lqgybmmr.exe.bad
C:\VundoFix Backups\lrimwftq.ini.bad
C:\VundoFix Backups\lshvntwf.exe.bad
C:\VundoFix Backups\ltjeyovu.dll.bad
C:\VundoFix Backups\lvcyqshk.ini.bad
C:\VundoFix Backups\mcstirac.dll.bad
C:\VundoFix Backups\mjwutuss.exe.bad
C:\VundoFix Backups\mljjj.dll.bad
C:\VundoFix Backups\mpwssjnj.ini.bad
C:\VundoFix Backups\nnnooml.dll.bad
C:\VundoFix Backups\pqdnlsvm.dll.bad
C:\VundoFix Backups\qafbfdeu.exe.bad
C:\VundoFix Backups\qomklki.dll.bad
C:\VundoFix Backups\qppckfyf.dll.bad
C:\VundoFix Backups\qtfwmirl.dll.bad
C:\VundoFix Backups\qttwfcxh.exe.bad
C:\VundoFix Backups\rhnkcckx.ini.bad
C:\VundoFix Backups\riouevuy.dll.bad
C:\VundoFix Backups\sdukbxgp.exe.bad
C:\VundoFix Backups\sgglisqw.ini.bad
C:\VundoFix Backups\sifgudrm.exe.bad
C:\VundoFix Backups\slbqhins.dll.bad
C:\VundoFix Backups\snihqbls.ini.bad
C:\VundoFix Backups\tlrwqsuh.ini.bad
C:\VundoFix Backups\ubjhoacb.ini.bad
C:\VundoFix Backups\uicnvcvj.ini.bad
C:\VundoFix Backups\uvoyejtl.ini.bad
C:\VundoFix Backups\winkejsy.exe.bad
C:\VundoFix Backups\wlxsphmh.exe.bad
C:\VundoFix Backups\wqsilggs.dll.bad
C:\VundoFix Backups\wvuvtqr.dll.bad
C:\VundoFix Backups\xkccknhr.dll.bad
C:\VundoFix Backups\xvsnfokk.exe.bad
C:\VundoFix Backups\yjgonlfb.ini.bad
C:\VundoFix Backups\yuveuoir.ini.bad


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((( Files Created from 2007-06-22 to 2007-07-22 )))))))))))))))))))))))))))))))


2007-07-10 09:16 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-10 00:20 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
2007-07-04 22:38 <DIR> d-------- C:\DOCUME~1\Charles\APPLIC~1\ListInstalls
2007-07-03 14:13 <DIR> d-------- C:\Deckard
2007-07-02 09:54 <DIR> d-------- C:\Program Files\Dynamic Toolbar
2007-06-26 11:57 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-06-23 20:13 <DIR> d-------- C:\DOCUME~1\Charles\APPLIC~1\acccore
2007-06-23 20:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-06-23 20:10 <DIR> d-------- C:\Program Files\AIM6


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-22 15:02:20 264,428 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT
2007-07-22 15:02:20 1,132 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG
2007-07-21 17:20:07 18,144 -c--a-w C:\WINDOWS\mozver.dat
2007-07-10 04:08:48 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-08 03:54:54 -------- d-----w C:\Program Files\AIM95
2007-07-08 03:54:20 -------- d-----w C:\DOCUME~1\Charles\APPLIC~1\Aim
2007-07-08 03:52:43 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-08 03:52:43 -------- d-----w C:\Program Files\EACOM
2007-07-06 15:17:57 -------- d-----w C:\Program Files\NFSL
2007-07-04 00:04:02 -------- d-----w C:\Program Files\Ares
2007-06-26 17:03:10 -------- d-----w C:\Program Files\Winamp
2007-06-26 17:01:40 -------- d-----w C:\Program Files\QuickTime
2007-06-26 16:56:29 -------- d-----w C:\Program Files\Netropa
2007-06-26 16:52:26 -------- d-----w C:\Program Files\iTunes
2007-06-26 16:50:14 -------- d-----w C:\Program Files\DIGStream
2007-06-24 16:21:47 181,112 -c--a-w C:\DOCUME~1\Charles\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-06-09 15:33:19 -------- d-----w C:\Program Files\Common Files\Scanner
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2004-01-25 17:39:46 560 -c--a-w C:\Program Files\Global.sw


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-01-12 20:38 63128 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-C0FF-FD60B590A87D}]
2003-12-01 22:56 784384 --a------ C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-06-14 18:32 509592 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]
2001-07-25 12:00 143420 --a------ C:\Program Files\Microsoft Money\System\mnyviewer.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-05-18 14:49]
"HostManager"="C:\Program Files\Common Files\AOL\1102131130\ee\AOLSoftware.exe" [2006-09-25 20:52]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-06-05 23:26]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-20 14:41]
"Registry Toolkit"="C:\Program Files\Registry Toolkit\RegToolkit.exe" []
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2005-06-03 08:16]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-06-14 18:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Camio Viewer 2000.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Camio Viewer 2000.lnk
backup=C:\WINDOWS\pss\Camio Viewer 2000.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
backup=C:\WINDOWS\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Charles^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=C:\Documents and Settings\Charles\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=C:\WINDOWS\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM95\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTouch]
C:\WINDOWS\MMKeybd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Weather 3]
C:\PROGRA~1\THEWEA~1\The Weather Channel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mozilla Quick Launch]
"C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\POINTER]
point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\Winampa.exe"


Contents of the 'Scheduled Tasks' folder
2007-07-20 02:45:03 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2002-03-13 06:21:20 C:\WINDOWS\tasks\ISP signup reminder 2.job
2002-03-13 06:21:21 C:\WINDOWS\tasks\ISP signup reminder 3.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-22 11:00:09
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-22 11:14:38 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-22 11:14
C:\ComboFix2.txt ... 2007-07-20 06:37
C:\ComboFix3.txt ... 2007-07-10 09:50

--- E O F ---

#41
grudz4prez

The export services didn't work. Got this error in the command prompt: "The system was unable to find the specified registry key or value" and gave a blank notepad box.

#42
grudz4prez

Ran the AVG....wasn't easy....took a while....after applying the action of quarantine...it said it needed to reboot to finish the actions and then on the restart, I can't get a report. The list of quarantined items is there though....

And here is the Blacklight:
07/22/07 14:32:17 [Info]: BlackLight Engine 1.0.64 initialized
07/22/07 14:32:17 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/22/07 14:32:17 [Note]: 7019 4
07/22/07 14:32:17 [Note]: 7005 0
07/22/07 14:32:36 [Note]: 7006 0
07/22/07 14:32:36 [Note]: 7022 0
07/22/07 14:32:36 [Note]: 7011 2792
07/22/07 14:32:36 [Note]: 7026 0
07/22/07 14:32:37 [Note]: 7026 0
07/22/07 14:32:53 [Note]: FSRAW library version 1.7.1022

Edited by grudz4prez, 22 July 2007 - 01:31 PM.


#43
grudz4prez

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 3:31:32 PM, on 7/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\AOL\1102131130\ee\AOLSoftware.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\program files\common files\aol\1102131130\ee\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Hijackthis\fluffybunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Charles\Application Data\Mozilla\Profiles\default\euyuxbf0.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102131130\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Registry Toolkit] C:\Program Files\Registry Toolkit\RegToolkit.exe /scan
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://www.imgag.com...tall/AxCtp2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DED4415-9792-4E32-A720-1B988D69DB7A}: NameServer = 71.250.0.12 68.237.161.12
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#44
htv8

Hello again, grudz4prez.

[...] ...what is Command Services?

According to Spyware Remove (Command Service :: Command Service Removal Instructions):

CmdService, or Command Service, is an adware program that displays targeted popup advertisements. CmdService may or may not gather data about a user's surfing habits, which may then be sent to third parties including advertisers.

Why exactly are you asking me what it is?

[...] Why does AOL-spyware thing keep blocking it? Also...how do I get rid of the AOL spyware??

Hmm. I am afraid I don't know what you are referring to. Are you talking about the AOL Spyware Protection program? What program are you referring to? I checked your posted uninstall list again, and no anti-spyware program by AOL is listed. Did you install it during the fix? Or are you referring to something else?

[...] Is there a way I can not have Panda run on startup on only when I open the program? I looked around for it but was unable to find it.

I do not recommend disabling Panda as Panda's real-time antivirus and firewall protection won't function anymore if you disable it...

Ran the AVG....wasn't easy....took a while....after applying the action of quarantine...it said it needed to reboot to finish the actions and then on the restart, I can't get a report. The list of quarantined items is there though....

[...]

A copy of each scan report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\. The default filename will be in date/time format as follows: Report-Scan-yyyymmdd-hhmmss.txt. Can you please check if it is present, and if it is, can you post it here for review?
______________________________________________________________________________

Please print out or copy this page to Notepad.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1: Download and run Atribune's ATF Cleaner to remove temp files
Click the download link below to download ATF Cleaner by Atribune. (This program is for Windows XP and Windows 2000 only.)
Download ATF Cleaner

After download, please follow these instructions to run ATF Cleaner:
1. Double-click ATF-Cleaner.exe to run the program.
2. Click once on the Main tab at the top of the screen and put a checkmark in the radio button labelled "Select All".
3. Click on the Empty Selected button.

If you use the Mozilla Firefox browser, please follow these instructions as well:
1. Click once on the Firefox tab at the top of the screen and put a checkmark in the radio button labelled "Select All".
2. Click on the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser, please follow these instructions as well:
1. Click once on the Opera tab at the top of the screen and put a checkmark in the radio button labelled "Select All".
2. Click on the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click the Exit button on the Main tab to exit the program.
For technical support, double-click the e-mail address located at the bottom of each menu.

Step #2: Perform an online scan with the Kaspersky Online Scanner
Please perform an online scan with the Kaspersky Online Scanner. To do so:
1. Go to www.kaspersky.com/virusscanner.
2. Once you are on Kaspersky's site, click on the Kaspersky Online Scanner button.
3. You will be prompted to install an ActiveX component from Kaspersky. Install it.
The program will launch and then begin downloading the latest definition files.
4. Once the files have been downloaded, click on NEXT.
5. Now click on Scan Settings.
6. In the scan settings, make sure the following are selected:
  • Scan using the following Anti-Virus database:
    Extended
    (if available, otherwise Standard)
  • Scan Options:
    Scan Archives
    Scan Mail Bases
7. Click OK.
8. Now under "Select a target to scan", select My Computer.
The program will start and scan your system. NOTE: The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
9. Click on the Save as Text button and save a text file to your Desktop.
10. Copy/Paste the entire contents of that text file and post them as a reply to this topic.

Step #3: Download and run Silent Runners
Download Silent Runners by right-clicking on the download link below, and choosing the option labelled "Save Target As…". Save Silent Runners.vbs to your Desktop.
Download Silent Runners (Silent Runners.vbs)

To run Silent Runners:
1. Double-click the Silent Runners icon on your Desktop.
NOTE: If your antivirus has a script blocker, you will get a warning asking if you want to allow Silent Runners.vbs to run. This script is not malicious so please allow it.
2. Once launched, you will receive a prompt: "Skip supplementary searches?". Click the No button.
NOTE: If you receive an error, just click OK and double-click it to run it again--sometimes it won't run as it's supposed to the first time but will in subsequent runs.
3. Although a text file will appear on the Desktop, Silent Runners is NOT done yet, so please let it run! (It won't appear to be doing anything!)
4. Once you receive the "All Done!" prompt, open the text file and post the entire contents of that text file in your next reply.

Step #4: Rescan with HijackThis
Scan with HijackThis again and post a new HijackThis log.
______________________________________________________________________________

So in your next reply, please post the entire contents of:
- the AVG Anti-Spyware report (if it is present)
- the Kaspersky Online Scanner report
- the Silent Runners text file
- a new HijackThis log
NOTE: Use several posts if necessary to include everything in the requested logs.

#45
grudz4prez

Hi,

Very quickly...apparently I have the AOL spyware protection program on the computer and it pops up all the time saying that it's blocking command services. Doesn't do anything else! I'd love to get rid of both, and they've been on the computer since we've started...as you had said, I haven't installed anything.

That logfile isn't there....I had looked for it before I posted. Do you want the quarantine list?