[inactive]Need help removing Trojans Win32:Small-EK [Trj]

edited December 2006 in Spyware & Virus Removal
Hello there, I'm in desperate need of some help. My system caught some nasty virus/trojans and I can't seem to get rid of them.

My Avast keeps picking up these 3 trojans whenever I'm connected to the internet:

Win32:Small-EK [Trj]

Win32:Adan-094 [Adw]

Win32:Adan-078 [Adw]

I have tried to run some of the programs people recommended, but without success. I figured it'd be best to ask a pro and post a HJT log. So, if anyone could assist, I'd greatly appreciate it.

Here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:03:29 AM, on 7/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Owner\My Documents\My Music\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meloco.com/index.php?i=sm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {432D8C41-8586-11D8-997D-00C026232EB9} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVD Shrink 3.2.0.15] G:\\DVD Shrink 3.2.0.15.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\Owner\My Documents\My Music\iTunesHelper.exe"
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [eujrc.exe] C:\WINDOWS\System32\eujrc.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\KillAndClean\KillAndClean.exe (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\KillAndClean\KillAndClean.exe (HKCU)
O15 - Trusted Zone: http://www.amazon.com
O15 - Trusted Zone: http://www.ateaseweb.com
O15 - Trusted Zone: http://regnyouth.blogspot.com
O15 - Trusted Zone: http://www.coolmyspace.com
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: http://*.empornium.us
O15 - Trusted Zone: http://www.imageshack.us
O15 - Trusted Zone: http://spaces.msn.com
O15 - Trusted Zone: www.msn.com
O15 - Trusted Zone: www.multiply.com
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: www.passesforthemasse.com
O15 - Trusted Zone: http://forum.phun.org
O15 - Trusted Zone: http://www.putfile.com
O15 - Trusted Zone: http://www.sexotorrent.com
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://webmail2.ncci.com/iNotes.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\mma.chm::/alien.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - file://C:\Documents and Settings\Owner\Desktop\abwi0 Ulead.VideoStudio.10.Plus-DVT - d-baav01 - 01 of 28 (0 Part File)\Program\UVS10\setup.exe
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\..\{46EDD560-0AC8-440D-B1A3-B56FEA7F72DF}: NameServer = 85.255.115.70,85.255.112.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{53FA966B-4235-415B-A2FC-1A622461F9ED}: NameServer = 85.255.115.70,85.255.112.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D674A31-1A0F-48E0-93A3-1ECEFB70BEFA}: NameServer = 85.255.115.70,85.255.112.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4C2AD54-60DC-46B0-AA7E-36E7DA162782}: NameServer = 85.255.115.70,85.255.112.138
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.70 85.255.112.138
O17 - HKLM\System\CS1\Services\Tcpip\..\{46EDD560-0AC8-440D-B1A3-B56FEA7F72DF}: NameServer = 85.255.115.70,85.255.112.138
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.70 85.255.112.138
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: inicfg32.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Comments

  • TroganTrogan London, UK
    edited July 2006
    jmoney3457, I've deleted your post as the computer needs a special fix. :)

    Hi The_Dude, welcome to Short-Media! You have the latest version of the Wareout infection. :(

    Can you do the following...

    Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:

    KillAndClean

    =====

    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download FixWareout from one of these sites and save it to your desktop:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
    • Double click Fixwareout.exe to run it.
    • Click Next, then Install.
    • Make sure Run fixit is checked and click Finish.
    • The fix will begin; follow the prompts.
    • You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    • At the end of the fix, you may need to restart your computer again.
    Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt. The log may be too large to fit into a single post, so please use separate posts.

    Now let's check some settings on your system.

    (2000/XP) Only
    • Click Start > Connect to > Show all connections.
    • Right click on your default connection, usually local area connection for cable and dsl.
    • Left click on Properties.
    • Click the Networking tab.
    • Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
    • Press OK twice to get out of the properties screen and reboot if it asks. (That option might not be available on some systems).
    Next!
    • Click Start > Run type cmd and hit OK.
    • Type ipconfig /flushdns then hit enter, (Note: there is a space between ipconfig and /flushdns).
    • Type exit hit enter.
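The O17 lines in the log above show every network interface, in both control sets, pointing at the same two resolvers (85.255.115.70 and 85.255.112.138), which is exactly what the "Obtain DNS servers automatically" step resets. The following script is an added example, not code from the thread, Short-Media or the FixWareout tool: it parses the O17 section of a HijackThis log and reports any configured resolver that is not on an allowlist. The sample log text is constructed from the line shapes in the thread, and the allowlist value 192.168.1.1 is an assumption standing in for whatever resolvers the user's ISP or router actually hands out.

```python
import re
from ipaddress import AddressValueError, IPv4Address

# Constructed sample in the shape HijackThis v1.99.1 prints O17 entries
# (the O4 line is there to show that unrelated sections are ignored).
# HJT abbreviates CurrentControlSet as CCS and ControlSet001 as CS1.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{46EDD560-0AC8-440D-B1A3-B56FEA7F72DF}: NameServer = 85.255.115.70,85.255.112.138
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.70 85.255.112.138
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.70 85.255.112.138
"""

# One O17 line: the registry key, then "NameServer = " and a server list that
# HJT separates with commas (per-interface keys) or spaces (Parameters key).
O17_RE = re.compile(r"^O17 - (?P<key>HKLM[^:]+): NameServer = (?P<servers>.+?)\s*$")


def parse_o17(log_text):
    """Return [(registry_key, [server, ...])] for every O17 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        entries.append((m.group("key"), servers))
    return entries


def valid_ipv4(token):
    """True if the token parses as a dotted-quad IPv4 address."""
    try:
        IPv4Address(token)
        return True
    except AddressValueError:
        return False


def flag_rogue_dns(log_text, expected_resolvers):
    """Map every configured resolver NOT in the allowlist to the registry
    keys (interfaces / control sets) that point at it.

    expected_resolvers is an assumed allowlist: the resolvers the ISP, router
    or DHCP server should be handing out. Anything else is reported so the
    reader can decide whether it is a legitimate custom resolver or a hijack.
    """
    rogue = {}
    for key, servers in parse_o17(log_text):
        for server in servers:
            if not valid_ipv4(server):
                continue  # malformed token, nothing to compare against
            if server in expected_resolvers:
                continue
            rogue.setdefault(server, []).append(key)
    return rogue


def report(rogue):
    """Render the findings as plain lines a helper could paste into a reply."""
    lines = []
    for server, keys in sorted(rogue.items()):
        lines.append(f"{server}: referenced by {len(keys)} key(s)")
        lines.extend(f"    {k}" for k in keys)
    return lines


if __name__ == "__main__":
    # Assumed allowlist: replace with the resolvers your network really uses.
    findings = flag_rogue_dns(SAMPLE_LOG, {"192.168.1.1"})
    print("\n".join(report(findings)) or "no unexpected resolvers")
```

Running it against a full log instead of the sample shows at a glance how many interfaces and control sets were rewritten; if the same resolver shows up under both CCS and CS1, switching the adapter back to DHCP fixes only the current control set, so re-running HijackThis after the reboot is the check that the other copy was cleaned as well.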
  • edited July 2006
    Ok, here's the new HJT log & Fixwareout. Thanks for your help! This thing is driving me nuts. Also, if it's any help, the filename of the virus is

    http://85.255.117.124/users/rainy/web/images/logo.jpg

    HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:38:34 PM, on 7/11/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\AvidSDMService.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Documents and Settings\Owner\My Documents\My Music\iTunesHelper.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\RunDLL32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meloco.com/index.php?i=sm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {432D8C41-8586-11D8-997D-00C026232EB9} - (no file)
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
    O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DVD Shrink 3.2.0.15] G:\\DVD Shrink 3.2.0.15.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\Owner\My Documents\My Music\iTunesHelper.exe"
    O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [pcywo.exe] C:\WINDOWS\System32\pcywo.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O15 - Trusted Zone: http://www.amazon.com
    O15 - Trusted Zone: http://www.ateaseweb.com
    O15 - Trusted Zone: http://regnyouth.blogspot.com
    O15 - Trusted Zone: http://www.coolmyspace.com
    O15 - Trusted Zone: *.dollarrevenue.com
    O15 - Trusted Zone: http://*.empornium.us
    O15 - Trusted Zone: http://www.imageshack.us
    O15 - Trusted Zone: http://spaces.msn.com
    O15 - Trusted Zone: www.msn.com
    O15 - Trusted Zone: www.multiply.com
    O15 - Trusted Zone: http://www.myspace.com
    O15 - Trusted Zone: www.passesforthemasse.com
    O15 - Trusted Zone: http://forum.phun.org
    O15 - Trusted Zone: http://www.putfile.com
    O15 - Trusted Zone: http://www.sexotorrent.com
    O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://webmail2.ncci.com/iNotes.cab
    O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\mma.chm::/alien.cab
    O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - file://C:\Documents and Settings\Owner\Desktop\abwi0 Ulead.VideoStudio.10.Plus-DVT - d-baav01 - 01 of 28 (0 Part File)\Program\UVS10\setup.exe
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
    O17 - HKLM\System\CCS\Services\Tcpip\..\{46EDD560-0AC8-440D-B1A3-B56FEA7F72DF}: NameServer = 85.255.115.70,85.255.112.138
    O17 - HKLM\System\CCS\Services\Tcpip\..\{53FA966B-4235-415B-A2FC-1A622461F9ED}: NameServer = 85.255.115.70,85.255.112.138
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9D674A31-1A0F-48E0-93A3-1ECEFB70BEFA}: NameServer = 85.255.115.70,85.255.112.138
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F4C2AD54-60DC-46B0-AA7E-36E7DA162782}: NameServer = 85.255.115.70,85.255.112.138
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.70 85.255.112.138
    O17 - HKLM\System\CS1\Services\Tcpip\..\{46EDD560-0AC8-440D-B1A3-B56FEA7F72DF}: NameServer = 85.255.115.70,85.255.112.138
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.70 85.255.112.138
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - AppInit_DLLs: inicfg32.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
    O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
  • edited July 2006
    And here's the Fixwareout report, thanks again!


    Fixwareout ver 1.003
    Last edited 07/1/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0CFCD07984FE-CA3B-A554-87EA-DF2F8F71{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}68F8ED9B6A0D-D7A8-4134-5B01-5AE5CA9A{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CECD84BC062F-85AB-05F4-4BF3-75F749B6{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C639604907D7-63D9-C644-B0A7-1C4A9370{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}27C36702A8C5-C26A-4B14-0E12-4C2707F3{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}00CA81148CEF-821A-5714-0AC0-9FE7D053{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E287C4AD1EAE-E298-9A34-6EA2-A0AAD5E5{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DBF5F79EB3C4-43BB-D1F4-D022-3ECE6F57{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6A2B28AF9B9A-5738-3014-8A50-CC0C97D7{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1C9779C6F1EE-91D8-3F24-1A2F-1B4D0B8B{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    ...

    PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    Example ipsec6.exe is legitimate

    »»»»» Search by size and names...
    * csr.exe C:\WINDOWS\System32\CSBYW.EXE
    * csr.exe C:\WINDOWS\System32\CSGXS.EXE
    * csr.exe C:\WINDOWS\System32\CSRBU.EXE
    * csr.exe C:\WINDOWS\System32\CSTLQ.EXE

    »»»»» Misc files

    »»»»» Checking for older varients covered by the Rem3 tool

    »»»»»
    Search five digit cs, dm and jb files
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    C:\WINDOWS\SYSTEM32\CSBYW.EXE 51,297 2006-07-11
    C:\WINDOWS\SYSTEM32\CSGXS.EXE 51,297 2006-07-10
    C:\WINDOWS\SYSTEM32\CSRBU.EXE 51,297 2006-07-09
    C:\WINDOWS\SYSTEM32\CSTLQ.EXE 51,297 2006-07-10
    Other suspects
    Directory of C:\WINDOWS\system32
    {B8B0D4B1-F2A1-42F3-8D19-EE1F6C9779C1}.exe
    {7D79C0CC-05A8-4103-8375-A9B9FA82B2A6}.exe
    {75F6ECE3-220D-4F1D-BB34-4C3BE97F5FBD}.exe
    {5E5DAA0A-2AE6-43A9-892E-EAE1DA4C782E}.exe
    {350D7EF9-0CA0-4175-A128-FEC84118AC00}.exe
    {3F7072C4-21E0-41B4-A62C-5C8A20763C72}.exe
    {0739A4C1-7A0B-446C-9D36-7D709406936C}.exe
    {6B947F57-3FB4-4F50-BA58-F260CB48DCEC}.exe
    {A9AC5EA5-10B5-4314-8A7D-D0A6B9DE8F86}.exe
    {ED251C24-7214-4339-9CB4-DC789BBFE5DF}.exe
    {F224C3BC-E15A-47EF-AF86-F967DD9AB29A}.exe
    {5822B02A-45BF-4DEC-AF03-22B8E572EFBD}.exe
    {37FF9987-7628-4430-BA8F-15B31E0500AF}.exe
    {77DB5767-9FA8-4073-AAE4-A8FC6062D72A}.exe
    {20D7CF8A-1B53-4870-A169-F55412300870}.exe
    {075D56D4-F75C-41AB-92F7-1EA1BE7606A0}.exe
    {CB08A029-77E5-4BBE-BC4B-08E0960F8EB6}.exe
    {9C85AD96-2DA6-48E1-9C1C-5B8B82682DA2}.exe
    {275822E9-9B61-4794-AB3D-9F8C421E19B2}.exe
    {06A868A2-EC0F-454C-8623-AA3A316CF105}.exe
    {807210E9-005A-4C44-8EB6-DA3F581C173A}.exe
    {916F527E-250E-493E-BC70-B04C65902FE7}.exe
    {1C52DCB4-E295-4986-BA84-F3C2B72087FC}.exe
    {62841B35-F28D-42A2-9C16-1209A24FCEE2}.exe
    {5653E194-8E2E-4572-80F5-029F4FD5A89A}.exe
    {4F31F071-835B-43F8-B34A-025BC4E0E9E2}.exe
    {2DEC8032-81E9-4F23-B541-0123789AB885}.exe
    {5425DFD0-1718-46AE-B91B-3D24EA6BF8E1}.exe
    {D1CA8CEC-2F23-4EEA-AD8C-01A993922A38}.exe
    {80F39838-67F2-472B-8CFD-0C30F014FA15}.exe
    {03BDA64D-ECDE-4440-8407-16A9E0A58D90}.exe
    {0808CD0A-F701-4F85-8DD1-0F250BA6ED06}.exe
    {690713E1-EDE9-4B8C-B5DE-E34ADF162F5C}.exe
    {5970D2E4-1CF8-461C-B2CA-DF7C7846C2FA}.exe
    {32198F04-10B8-4FB1-8992-154D0012A885}.exe
    {4910DB0E-F20E-4DED-B52C-A7A72329917F}.exe
    {026717A8-3439-473F-850B-6F8C2CE3EAFF}.exe
    {BA4E7D62-C0EF-4727-9633-5CE4F9A78AD5}.exe
    {6EF3C275-69B5-44F7-8229-8FAA9D23A76E}.exe
    {30E33AD8-FB47-4661-B11B-4A5A3627FAAF}.exe
    {78821143-90B3-4AC7-9203-329153129013}.exe
    {BD24103C-55AF-4D12-A7FD-4031DB3A15BF}.exe
    {465DFDB5-5300-44E3-89EE-17F2DE687E0E}.exe
    {0DCFD724-BFAA-4F45-87B7-A2599AAE3AC9}.exe
    {564D7457-71EC-4EDC-A093-02BE0CD65FF2}.exe
    {0E7B51D7-D8BD-4066-9A26-1B649853E9F7}.exe
    {7EB296B9-B4E6-4812-985E-82A8182FE462}.exe
    {460F00A1-D042-4E06-BFBB-BDAD129BCB11}.exe
    {2F8D9CD1-4CF0-4EAF-9363-FB3D5213F9FF}.exe
    {240D0C78-5DC3-49B2-AAC1-71AD171475AE}.exe
    {4408CEAC-58A2-4CF1-B7DB-670280F61B4B}.exe
    {1CCA69E4-E002-47CC-B1EC-CDDD045BFBF7}.exe
    {CB561A1F-5789-494C-A795-AD746813D784}.exe
    {F0B56FC7-DD16-43C3-A866-5459517D7794}.exe
    {42EF31F4-71C1-4117-8759-25F16A5D760B}.exe
    {C012D57F-82A2-406A-956B-63A27B1756E9}.exe
    {847D3240-A9B0-40D1-8546-42FD3183CB75}.exe
    {CE982C00-6B34-412D-9F8C-A409F9282D25}.exe
    {ACE4B9A8-0562-46D9-A897-C5CA2DEAE47A}.exe
    {3FC060F0-6240-453C-B5B3-E8FC6A4D6332}.exe
    {70EDAFC7-4C71-40CD-8948-25A3C2F84E4E}.exe
    {287D27E8-8448-4BD2-998C-01DC2A470C07}.exe
    {5D37DC23-2EE8-4A0A-9160-C2537828F62C}.exe
    {9F9C1904-30E0-414C-ADC9-77A8BE82BE7B}.exe
    {77EF2134-DBC2-4CFD-9678-C58172C37966}.exe
    {6870A572-9884-4833-A9E2-19235969981F}.exe
    {8BD04EAF-F034-452B-B3D3-2492CEFFB67E}.exe
    {AFDAA4F0-125B-4D35-B033-452D549F1FA1}.exe
    {BE1580D5-D431-4C0C-935B-F793F5996A51}.exe
    {48C700C6-B956-4BE6-8572-F59CD019697D}.exe
    {E5B42663-7D9B-485A-85A0-178D89A8EAEA}.exe
    {2D0104EF-3F03-49B0-8C26-1E01EDB1EDF9}.exe
    {1DEEC013-009E-4485-A3FA-85AD6AC5B5DD}.exe
    {A43BC425-6430-49F6-A5FE-DC0A9E1AA461}.exe
    {181F67B0-9087-41F1-84BF-45C6578B2DE7}.exe
    {EB3EFB50-33D4-45B0-9F2C-D6179F6B8D44}.exe
    {7067C55A-75FC-41CB-B49B-ADA721B38BE6}.exe
    {D4C17743-098A-40C2-AE30-428CABDB5824}.exe
    {C0691322-E470-4A5E-8F78-7949FC5A9817}.exe
    {11E8DF09-970A-4D50-A567-516A75D49EEA}.exe
    {AB61887C-5CB7-4850-8FD6-AF1743F2E49D}.exe
    {DD018FC1-2663-4C87-84AF-73AD98258C1E}.exe
    {ED9D74FD-E802-4DAD-A52F-65BF301A3AA5}.exe
    {827E8083-95F7-47B1-8241-F475D1C1A860}.exe
    {D2508C46-BEDA-4F52-B411-BD1F7BCE386A}.exe
  • TroganTrogan London, UK
    edited July 2006
    Thanks for the logs! Before we begin, can you do the following...
    • Please go to Jotti's malware scan
    • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINDOWS\System32\pcywo.exe
    • Click on the submit button
    • Please post the results in your next reply.

    Do the same for these files:
    C:\WINDOWS\System32\CSBYW.EXE
    C:\WINDOWS\System32\CSGXS.EXE
    C:\WINDOWS\System32\CSRBU.EXE
    C:\WINDOWS\System32\CSTLQ.EXE
    G:\DVD Shrink 3.2.0.15.exe
  • edited July 2006
    OK Trogan, here are the results. Thanks.

    C:\WINDOWS\System32\pcywo.exe
    Result:
    The file you uploaded is 0 bytes. It is very likely a firewall or a
    piece of malware is prohibiting you from uploading this file

    C:\WINDOWS\System32\CSBYW.EXE
    Result:
    Service load: 0% 100%

    File: CSBYW.EXE
    Status: INFECTED/MALWARE
    MD5 f90c882c01284e32da547402c44e245d
    Packers detected: -
    Scanner results
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found Trojan.Small.BM
    ClamAV Found nothing
    Dr.Web Found Trojan.DownLoader.10747
    F-Prot Antivirus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Small.den
    NOD32 Found a variant of Win32/Small.FB
    Norman Virus Control Found nothing
    UNA Found nothing
    VirusBuster Found nothing
    VBA32 Found Trojan-Downloader.Win32.Agent.uj


    C:\WINDOWS\System32\CSGXS.EXE
    Result:
    Service load: 0% 100%

    File: CSGXS.EXE
    Status: INFECTED/MALWARE (Note: this file has been scanned before.

    Therefore, this file's scan results will not be stored in the

    database)
    MD5 f90c882c01284e32da547402c44e245d
    Packers detected: -
    Scanner results
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found Trojan.Small.BM
    ClamAV Found nothing
    Dr.Web Found Trojan.DownLoader.10747
    F-Prot Antivirus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Small.den
    NOD32 Found a variant of Win32/Small.FB
    Norman Virus Control Found nothing
    UNA Found nothing
    VirusBuster Found nothing
    VBA32 Found Trojan-Downloader.Win32.Agent.uj


    C:\WINDOWS\System32\CSRBU.EXE
    Results:
    Service load: 0% 100%

    File: CSRBU.EXE
    Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5 f90c882c01284e32da547402c44e245d
    Packers detected: -
    Scanner results
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found Trojan.Small.BM
    ClamAV Found nothing
    Dr.Web Found Trojan.DownLoader.10747
    F-Prot Antivirus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Small.den
    NOD32 Found a variant of Win32/Small.FB
    Norman Virus Control Found nothing
    UNA Found nothing
    VirusBuster Found nothing
    VBA32 Found Trojan-Downloader.Win32.Agent.uj


    C:\WINDOWS\System32\CSTLQ.EXE
    Results:
    Service load: 0% 100%

    File: CSTLQ.EXE
    Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5 f90c882c01284e32da547402c44e245d
    Packers detected: -
    Scanner results
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found Trojan.Small.BM
    ClamAV Found nothing
    Dr.Web Found Trojan.DownLoader.10747
    F-Prot Antivirus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Small.den
    NOD32 Found a variant of Win32/Small.FB
    Norman Virus Control Found nothing
    UNA Found nothing
    VirusBuster Found nothing
    VBA32 Found Trojan-Downloader.Win32.Agent.uj


    G:\DVD Shrink 3.2.0.15.exe
    Results:
    The file you uploaded is 0 bytes. It is very likely a firewall or a
    piece of malware is prohibiting you from uploading this file
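A small parser for pasted Jotti results like the ones above, added here as an example (not Jotti's code or anything posted in the thread): it flags uploads that reached the scanner as 0 bytes and groups files by MD5, so the four differently named copies of one binary are counted once. The sample input is constructed from this post, with the second block shortened.

```python
"""Aggregate pasted Jotti multi-scanner results.

Added example, not Jotti's code or anything posted in the thread.  It parses
result blocks as pasted above, flags uploads that arrived as 0 bytes, and
groups files by MD5 so differently named copies of one binary count once.
"""
import re

# Constructed from the thread's paste; the clean lines of the second block
# are left out to keep the sample short.
SAMPLE_JOTTI = r"""
C:\WINDOWS\System32\pcywo.exe
Result:
The file you uploaded is 0 bytes. It is very likely a firewall or a
piece of malware is prohibiting you from uploading this file

C:\WINDOWS\System32\CSBYW.EXE
Result:
File: CSBYW.EXE
Status: INFECTED/MALWARE
MD5 f90c882c01284e32da547402c44e245d
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Small.BM
ClamAV Found nothing
Dr.Web Found Trojan.DownLoader.10747
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Small.den
NOD32 Found a variant of Win32/Small.FB
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Trojan-Downloader.Win32.Agent.uj

C:\WINDOWS\System32\CSGXS.EXE
Result:
File: CSGXS.EXE
Status: INFECTED/MALWARE (Note: this file has been scanned before.)
MD5 f90c882c01284e32da547402c44e245d
BitDefender Found Trojan.Small.BM
Dr.Web Found Trojan.DownLoader.10747
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Small.den
NOD32 Found a variant of Win32/Small.FB
VBA32 Found Trojan-Downloader.Win32.Agent.uj
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
VERDICT_RE = re.compile(r"^(?P<scanner>.+?) Found (?P<verdict>.+)$")


def parse_jotti(text):
    """Split the paste into one record per uploaded file."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = {"path": line, "md5": None, "upload_blocked": False, "verdicts": {}}
            records.append(current)
        elif current is None or not line:
            continue
        elif line.startswith("The file you uploaded is 0 bytes"):
            # Nothing reached the scanner: the file is locked, hidden or
            # blocked, which on an infected box is a finding in itself.
            current["upload_blocked"] = True
        elif line.startswith("MD5 "):
            current["md5"] = line.split()[1].lower()
        elif m := VERDICT_RE.match(line):
            verdict = m.group("verdict")
            current["verdicts"][m.group("scanner")] = None if verdict == "nothing" else verdict
    return records


def blocked_uploads(records):
    """Paths whose upload never reached the scanners."""
    return [r["path"] for r in records if r["upload_blocked"]]


def group_by_md5(records):
    """Merge records sharing a hash into {md5: {paths, scanners, detections, names}}."""
    groups = {}
    for rec in records:
        if rec["md5"] is None:
            continue
        g = groups.setdefault(rec["md5"], {"paths": [], "verdicts": {}})
        g["paths"].append(rec["path"])
        g["verdicts"].update(rec["verdicts"])  # same hash, same verdicts
    for g in groups.values():
        hits = {s: v for s, v in g["verdicts"].items() if v}
        g["scanners"] = len(g["verdicts"])
        g["detections"] = len(hits)
        g["names"] = hits
        del g["verdicts"]
    return groups
```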
  • TroganTrogan London, UK
    edited July 2006
    Thanks for doing that!

    Before we begin, I see you have HijackThis on your desktop. Could you create a folder for it, and then move HijackThis into it. Do this before continuing.

    Can you do the following...

    Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {432D8C41-8586-11D8-997D-00C026232EB9} - (no file)
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKLM\..\Run: [DVD Shrink 3.2.0.15] G:\\DVD Shrink 3.2.0.15.exe
    O4 - HKLM\..\Run: [pcywo.exe] C:\WINDOWS\System32\pcywo.exe

    O15 - Trusted Zone: http://www.amazon.com
    O15 - Trusted Zone: http://www.ateaseweb.com
    O15 - Trusted Zone: http://regnyouth.blogspot.com
    O15 - Trusted Zone: http://www.coolmyspace.com
    O15 - Trusted Zone: *.dollarrevenue.com
    O15 - Trusted Zone: http://*.empornium.us
    O15 - Trusted Zone: http://www.imageshack.us
    O15 - Trusted Zone: http://spaces.msn.com
    O15 - Trusted Zone: www.msn.com
    O15 - Trusted Zone: www.multiply.com
    O15 - Trusted Zone: http://www.myspace.com
    O15 - Trusted Zone: www.passesforthemasse.com
    O15 - Trusted Zone: http://forum.phun.org
    O15 - Trusted Zone: http://www.putfile.com
    O15 - Trusted Zone: http://www.sexotorrent.com

    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\mma.chm::/alien.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{46EDD560-0AC8-440D-B1A3-B56FEA7F72DF}: NameServer = 85.255.115.70,85.255.112.138
    O17 - HKLM\System\CCS\Services\Tcpip\..\{53FA966B-4235-415B-A2FC-1A622461F9ED}: NameServer = 85.255.115.70,85.255.112.138
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9D674A31-1A0F-48E0-93A3-1ECEFB70BEFA}: NameServer = 85.255.115.70,85.255.112.138
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F4C2AD54-60DC-46B0-AA7E-36E7DA162782}: NameServer = 85.255.115.70,85.255.112.138
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.70 85.255.112.138
    O17 - HKLM\System\CS1\Services\Tcpip\..\{46EDD560-0AC8-440D-B1A3-B56FEA7F72DF}: NameServer = 85.255.115.70,85.255.112.138
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.70 85.255.112.138


    - Close ALL open windows (especially Internet Explorer!)
    Click Fix Checked

    =====

    We need to view hidden files and folders:
    • Click Start.
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading select Show hidden files and folders.
    • Uncheck the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.
    =====

    Find and delete the following - Don't worry if they don't exist!

    C:\WINDOWS\System32\pcywo.exe << this file
    C:\WINDOWS\System32\CSBYW.EXE << this file
    C:\WINDOWS\System32\CSGXS.EXE << this file
    C:\WINDOWS\System32\CSRBU.EXE << this file
    C:\WINDOWS\System32\CSTLQ.EXE << this file
    G:\DVD Shrink 3.2.0.15.exe << this file

    =====

    Reboot and then post a new HijackThis, please. :)
  • edited July 2006
    Ok dude, here's the latest HJT scan (fingers crossed)

    Logfile of HijackThis v1.99.1
    Scan saved at 11:45:50 PM, on 7/11/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\AvidSDMService.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Documents and Settings\Owner\My Documents\My Music\iTunesHelper.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\RunDLL32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Desktop\Hi Jack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meloco.com/index.php?i=sm
    O1 - Hosts: localhost 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
    O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\Owner\My Documents\My Music\iTunesHelper.exe"
    O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [smwoo.exe] C:\WINDOWS\System32\smwoo.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://webmail2.ncci.com/iNotes.cab
    O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - file://C:\Documents and Settings\Owner\Desktop\abwi0 Ulead.VideoStudio.10.Plus-DVT - d-baav01 - 01 of 28 (0 Part File)\Program\UVS10\setup.exe
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
    O17 - HKLM\System\CCS\Services\Tcpip\..\{46EDD560-0AC8-440D-B1A3-B56FEA7F72DF}: NameServer = 85.255.115.70,85.255.112.138
    O17 - HKLM\System\CCS\Services\Tcpip\..\{53FA966B-4235-415B-A2FC-1A622461F9ED}: NameServer = 85.255.115.70,85.255.112.138
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9D674A31-1A0F-48E0-93A3-1ECEFB70BEFA}: NameServer = 85.255.115.70,85.255.112.138
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F4C2AD54-60DC-46B0-AA7E-36E7DA162782}: NameServer = 85.255.115.70,85.255.112.138
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.70 85.255.112.138
    O17 - HKLM\System\CS1\Services\Tcpip\..\{46EDD560-0AC8-440D-B1A3-B56FEA7F72DF}: NameServer = 85.255.115.70,85.255.112.138
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.70 85.255.112.138
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - AppInit_DLLs: inicfg32.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
    O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
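A triage script for HJT logs like the two in this thread, added here as an example (not HijackThis code or anything Trogan posted): it pulls out the entry kinds singled out in the fix list above, namely O17 NameServer overrides, O15 Trusted Zone additions, five-letter System32 executables registered under their own file name in O4, O2 BHOs with no backing file, and O20 AppInit_DLLs. The expected-resolver address is an assumption; the sample lines are constructed from the logs posted here.

```python
"""Triage helper for HijackThis-style logs.

Added example, not HijackThis or the thread's own tooling.  It flags the entry
types Trogan singles out: O17 NameServer overrides (DNS hijack), O15 Trusted
Zone additions, O4 Run entries for five-letter executables in System32
registered under their own file name, O2 BHOs with no backing file, and O20
AppInit_DLLs.  EXPECTED_RESOLVERS is an assumed value for the example.
"""
import re

# Assumption: the resolvers this machine should be using.  Any other address
# in an O17 line is reported; in the thread the entries point at 85.255.x.x.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Sample lines constructed from the entries quoted in the thread's HJT logs.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [pcywo.exe] C:\WINDOWS\System32\pcywo.exe
O4 - HKLM\..\Run: [smwoo.exe] C:\WINDOWS\System32\smwoo.exe
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: http://www.amazon.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{46EDD560-0AC8-440D-B1A3-B56FEA7F72DF}: NameServer = 85.255.115.70,85.255.112.138
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.70 85.255.112.138
O20 - AppInit_DLLs: inicfg32.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# A bare five-letter executable living directly in System32, e.g. pcywo.exe.
RANDOM_EXE_RE = re.compile(r'^"?(?P<path>C:\\WINDOWS\\System32\\(?P<base>[A-Za-z]{5})\.exe)"?$', re.I)
O17_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>.+)$")
ORPHAN_BHO_RE = re.compile(r"^O2 - BHO: .* - (?P<clsid>\{[0-9A-F-]+\}) - \(no file\)$", re.I)
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")


def triage(log_text):
    """Return the suspicious entries found in an HJT log, grouped by kind."""
    rogue = set()
    findings = {"trusted_zones": [], "suspicious_run": [], "orphan_bho": [], "appinit_dlls": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := O17_RE.match(line):
            # Per-interface keys list resolvers comma-separated, the global
            # Parameters key space-separated; accept both.
            for server in re.split(r"[,\s]+", m.group("servers").strip()):
                if server and server not in EXPECTED_RESOLVERS:
                    rogue.add(server)
        elif m := O15_RE.match(line):
            findings["trusted_zones"].append(m.group("zone"))
        elif m := RUN_RE.match(line):
            exe = RANDOM_EXE_RE.match(m.group("cmd"))
            # The droppers in this thread register under their own file name.
            if exe and m.group("name").lower() == exe.group("base").lower() + ".exe":
                findings["suspicious_run"].append(exe.group("path"))
        elif m := ORPHAN_BHO_RE.match(line):
            findings["orphan_bho"].append(m.group("clsid").upper())
        elif m := O20_RE.match(line):
            findings["appinit_dlls"].extend(d for d in re.split(r"[,\s]+", m.group("dlls")) if d)
    findings["rogue_resolvers"] = sorted(rogue)
    return findings


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(f"{kind}: {items}")
```

The five-letter rule is a heuristic tuned to the names in this thread; the point of the resolver check is that a DNS override surviving a reboot, as it does between the two logs, means the fix has not reached the component that rewrites it.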
  • TroganTrogan London, UK
    edited July 2006
    Not yet done! The infection is being a pain. :(

    Can you do the following...

    Please download E2TakeOut by Rubber Ducky from here:
    http://www.malwarebytes.org/E2TakeOut.zip
    • Extract the file to your Desktop
    • Double click E2TakeOut.exe
    • Click the Begin Removal button
    • Wait until the program is finished scanning
    • Once done, it will produce a popup stating that the infection has been found and you need to reboot you computer to complete the removal
    • Reboot your computer
    • Once your computer has rebooted E2TakeOut will open and produce a report
    • Please copy/paste that report into your next reply
    =====

    Could you rescan with FixWareout, please. Make sure you have ALL windows closed first.

    =====

    Please print out these instructions, as you should have all open windows and programs closed when running the scan.

    Step 1.
    ==========

    - Please download F-Secure's trial Blacklight from here
    - Print out the help page for guidance. It will be found here
    - Click the "I Accept" button at the license agreement
    - Click the "Download" button to start the download
    - Save it to your Desktop

    Step 2.
    ==========

    - Double-click the blbeta.exe file on your Desktop
    - Select the "I Accept the agreement" at the license agreement, then click "Next"
    - Make sure all open programs and windows are closed (including this IE window) before clicking the "Scan" button
    - Click "Scan"
    - When the animated graphics, in the bottom right-hand corner, disappears, click "Next"
    - A text log file will appear on your Desktop when the scan is complete. It will start with fsbl-xxxxxx.txt (ie: fsbl-20051017165931.log)
    - Paste the contents of that log back here.

    =====

    Please post the following:

    E2TakeOut report
    New Wareout log
    Blacklight log
    New HijackThis log
  • edited July 2006
    I'll get started, but the link to F-Secure's Blacklight tool is taking me to a 404 page. :(

    This virus must die :necro:

    Thanks for the help.
  • TroganTrogan London, UK
    edited July 2006
    Looks like they changed the address. Here's the new link: https://europe.f-secure.com/blacklight/try.shtml
  • edited July 2006
    I tried to run E2TakeOut and restarted, but it never came up with a file to save. I don't see it anywhere on my system either. I tried to run it again and it came up with a red circle with a white x; it said that the fix was already completed.

    And also my Avast is randomly picking up these now:
    Win32:Trojan-gen. {Other}
    Win32:Small-TG [Trj]

    :( This is one relentless bug.
  • TroganTrogan London, UK
    edited July 2006
    Leave the E2TakeOut report for now, and just carry on with the rest of my previous instructions.

    Regarding Avast, do you know the location of the infected files? If so, please post them here.
  • edited July 2006
    Hello again, I just wanted to make sure I'm running this Blacklight thing correctly. There are a few different options to run expert or normal mode; how exactly do I get the report log for this program? I just don't want to make things worse.

    Thanks again.
  • TroganTrogan London, UK
    edited July 2006
    There should be a file called blbeta on your desktop (if that's where you saved it) if you downloaded Blacklight correctly. Do you have that file downloaded?
  • edited July 2006
    Yes, I have that on my desktop.
  • TroganTrogan London, UK
    edited July 2006
    Now follow Step 2 from my previous post for running Blacklight. :)
  • edited July 2006
    Ok, to start off here's the name of each virus that is now popping up every 5 minutes on Avast, with the location of the file. All the reports will follow.

    Win32:Trojano-1269 [Trj]
    C:\WINDOWS\System32\{7886BC2A-3CEB-47D5-B49C-07AEAEF3B3C2}.dll

    Win32:Adan-094 [Adw]
    http://85.255.117.124/users/rainy/web/images/two.jpg

    Win32:Adan-094 [Adw]
    http://85.255.117.124/users/rainy/web/images/two.jpg

    Win32:Adan-094 [Adw]
    http://85.255.117.124/users/rainy/web/images/two.jpg

    Win32:Adan-078 [Adw]
    http://85.255.117.124/users/rainy/web/images/three.jpg

    Win32:Adan-078 [Adw]
    http://85.255.117.124/users/rainy/web/images/three.jpg

    Win32:Adan-078 [Adw]
    http://85.255.117.124/users/rainy/web/images/three.jpg

    And here's the new Fixwareout report.

    Fixwareout ver 1.003
    Last edited 07/1/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\lavinraCputeS
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    ...

    PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    Example ipsec6.exe is legitimate

    »»»»» Search by size and names...
    * csr.exe C:\WINDOWS\System32\CSNCY.EXE

    »»»»» Misc files

    »»»»» Checking for older varients covered by the Rem3 tool

    »»»»»
    Search five digit cs, dm and jb files
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    C:\WINDOWS\SYSTEM32\CSNCY.EXE 51,297 2006-07-11
    Other suspects
    Directory of C:\WINDOWS\system32
  • edited July 2006
    Here's the Blacklight log:

    07/12/06 13:36:18 [Info]: BlackLight Engine 1.0.42 initialized
    07/12/06 13:36:18 [Info]: OS: 5.1 build 2600 (Service Pack 1)
    07/12/06 13:36:18 [Note]: 7019 4
    07/12/06 13:36:18 [Note]: 7005 0
    07/12/06 13:36:21 [Note]: 7006 0
    07/12/06 13:36:21 [Note]: 7011 1388
    07/12/06 13:36:22 [Note]: 7026 0
    07/12/06 13:36:22 [Note]: 7026 0
    07/12/06 13:36:30 [Note]: FSRAW library version 1.7.1019
    07/12/06 13:38:45 [Info]: Hidden file: c:\WINDOWS\system32\cstgq.exe
    07/12/06 13:38:45 [Note]: 7002 32
    07/12/06 13:38:45 [Note]: 7003 1
    07/12/06 13:38:45 [Note]: 10002 1
    07/12/06 13:38:45 [Info]: Hidden file: c:\WINDOWS\system32\dmyxd.exe
    07/12/06 13:38:45 [Note]: 7002 32
    07/12/06 13:38:45 [Note]: 7003 1
    07/12/06 13:38:45 [Note]: 10002 1
    07/12/06 13:38:58 [Info]: Hidden file: c:\WINDOWS\system32\{078D9359-104D-4305-9BBD-B79F1F6EE0D0}.exe
    07/12/06 13:38:58 [Note]: 10002 1
    07/12/06 13:38:58 [Info]: Hidden file: c:\WINDOWS\system32\{0A11B091-A3C6-4768-9504-05A55FD15A46}.exe
    07/12/06 13:38:58 [Note]: 10002 1
    07/12/06 13:38:58 [Info]: Hidden file: c:\WINDOWS\system32\{8D78FC94-3967-4C46-A317-FDD9C96F22F5}.exe
    07/12/06 13:38:58 [Note]: 10002 1
    07/12/06 13:38:59 [Info]: Hidden file: c:\WINDOWS\system32\{4B4AA6A8-026F-4C21-A776-5C8F8FC053BE}.exe
    07/12/06 13:38:59 [Note]: 10002 1
    07/12/06 13:39:00 [Info]: Hidden file: c:\WINDOWS\system32\{7F33BBD5-17E2-4D01-A031-CAF4B24D662C}.exe
    07/12/06 13:39:00 [Note]: 10002 1
    07/12/06 13:43:02 [Note]: 7007 0

    And The new HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:44:25 PM, on 7/12/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\AvidSDMService.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Documents and Settings\Owner\My Documents\My Music\iTunesHelper.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\RunDLL32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Desktop\Hi Jack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meloco.com/index.php?i=sm
    O1 - Hosts: localhost 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
    O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\Owner\My Documents\My Music\iTunesHelper.exe"
    O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [lyhpd.exe] C:\WINDOWS\System32\lyhpd.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [E2TakeOut] C:\Documents and Settings\Owner\Desktop\E2TakeOut\E2TakeOut.exe /finishremoval
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://webmail2.ncci.com/iNotes.cab
    O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - file://C:\Documents and Settings\Owner\Desktop\abwi0 Ulead.VideoStudio.10.Plus-DVT - d-baav01 - 01 of 28 (0 Part File)\Program\UVS10\setup.exe
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
    O17 - HKLM\System\CCS\Services\Tcpip\..\{53FA966B-4235-415B-A2FC-1A622461F9ED}: NameServer = 85.255.115.70,85.255.112.138
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9D674A31-1A0F-48E0-93A3-1ECEFB70BEFA}: NameServer = 85.255.115.70,85.255.112.138
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F4C2AD54-60DC-46B0-AA7E-36E7DA162782}: NameServer = 85.255.115.70,85.255.112.138
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.70 85.255.112.138
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.70 85.255.112.138
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - AppInit_DLLs: inicfg32.dll[Disabled by E2TakeOut, Please Reboot]
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
    O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
  • edited July 2006
    Also wanted to let you know, it seems like my network settings for IP keep changing back from Obtain DNS servers automatically. Should I make sure it's showing Obtain DNS servers automatically, or leave it how the computer changes it back?

    And also should I still have my folder view to view all hidden files and folders?

    Does my internet connection need to be disabled for any of this?

    Just want to make sure there isn't anything I'm missing.

    Hopefully something will work, I really appreciate all the assistance.
  • TroganTrogan London, UK
    edited July 2006
    Before we begin, can you uninstall either AVG or Avast. Having two anti-viruses can conflict with each other and cause more problems...it does NOT help protect you further.

    Leave everything the way it is for now please. Can you do the following...

    Please download Killbox and save it to your desktop.

    Next, copy everything in the Quote box below by pressing Ctrl+C
    C:\WINDOWS\SYSTEM32\CSNCY.EXE
    c:\WINDOWS\system32\cstgq.exe
    c:\WINDOWS\system32\dmyxd.exe
    C:\WINDOWS\System32\{7886BC2A-3CEB-47D5-B49C-07AEAEF3B3C2}.dll
    c:\WINDOWS\system32\{0A11B091-A3C6-4768-9504-05A55FD15A46}.exe
    c:\WINDOWS\system32\{078D9359-104D-4305-9BBD-B79F1F6EE0D0}.exe
    c:\WINDOWS\system32\{8D78FC94-3967-4C46-A317-FDD9C96F22F5}.exe
    c:\WINDOWS\system32\{4B4AA6A8-026F-4C21-A776-5C8F8FC053BE}.exe
    c:\WINDOWS\system32\{7F33BBD5-17E2-4D01-A031-CAF4B24D662C}.exe
    Next, open Killbox
    Go to File tab and select Paste from Clipboard
    Select the Delete on Reboot option
    Select All Files
    Now click on the Red Circle with the White X
    Press Yes to reboot your computer.

    Continue below

    Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    O1 - Hosts: localhost 127.0.0.1

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O4 - HKLM\..\Run: [lyhpd.exe] C:\WINDOWS\System32\lyhpd.exe

    O17 - HKLM\System\CCS\Services\Tcpip\..\{53FA966B-4235-415B-A2FC-1A622461F9ED}: NameServer = 85.255.115.70,85.255.112.138
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9D674A31-1A0F-48E0-93A3-1ECEFB70BEFA}: NameServer = 85.255.115.70,85.255.112.138
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F4C2AD54-60DC-46B0-AA7E-36E7DA162782}: NameServer = 85.255.115.70,85.255.112.138
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.70 85.255.112.138
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.70 85.255.112.138


    - Close ALL open windows (especially Internet Explorer!)
    Click Fix Checked

    =====

    Make sure you can view hidden files and folders, and then delete the following:

    C:\WINDOWS\System32\lyhpd.exe << this file

    =====

    Go to Start > Control Panel > Internet Options.
    Under the General tab click the Delete Files... button; check the Delete all offline content box and press OK. Next, click the Delete Cookies... button and press OK.

    Go to "Start" -> "Run" and type in the box: "cleanmgr" press OK. Select the drive where your Operating System is installed (Default is C:) and press OK. Let Disk Cleanup scan your system for files to remove (it takes a few minutes!). On the next screen make sure these 3 options are checked and then press "OK" to remove:
    • Temporary Files
    • Temporary Internet Files
    • Recycle Bin
    =====

    I see you already have the latest version of Ewido. Please could you update it so it has the latest definition files. Then do the following:

    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    Once in Safe Mode:

    Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
      IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)
    • When done, click the Save Scan Report button.
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
    Reboot in Normal Mode, and post a new HJT log, along with the Ewido log.

    Rescan with Blacklight, and post a new log.
  • edited July 2006
    I downloaded Killbox and followed the instructions, but when I click on the red circle with a white x and click Yes on the box that says Files will be removed on reboot - I keep getting another red circle that pops up saying PendingFile Rename Operation Registry Data has been Removed by External Process! I hit OK on it, and try again, but same thing?


    :doh:
  • TroganTrogan London, UK
    edited July 2006
    I'm trying to find out what that error message means. For now, could you try in Safe Mode please.
  • edited July 2006
    I tried it in Safe Mode, same thing came up. :banghead:
  • TroganTrogan London, UK
    edited July 2006
    I'm just looking at what that error message means. If you could, you can start by deleting those files manually. Your choice, or you can wait until I've found out some info.
  • edited July 2006
    I tried to do it manually, but I've hit yet another wall. When I try to get into my c:\WINDOWS\system32, the folder freezes up or just doesn't come up at all.

    I don't know what is going on. :bawling:
  • TroganTrogan London, UK
    edited July 2006
    Reboot your PC and try Killbox again please. Let me know if that does or doesn't work.
  • edited July 2006
    Yes, I tried that, even tried in Safe mode. Keeps freezing up.
  • TroganTrogan London, UK
    edited July 2006
    Please do the following and then continue with my previous instructions in post #21.

    1. Please download The Avenger by Swandog46 to your Desktop.
    • Click on Avenger.zip to open the file
    • Extract avenger.exe to your desktop

    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
    Files to delete:
    C:\WINDOWS\SYSTEM32\CSNCY.EXE
    c:\WINDOWS\system32\cstgq.exe
    c:\WINDOWS\system32\dmyxd.exe
    C:\WINDOWS\System32\{7886BC2A-3CEB-47D5-B49C-07AEAEF3B3C2}.dll
    c:\WINDOWS\system32\{0A11B091-A3C6-4768-9504-05A55FD15A46}.exe
    c:\WINDOWS\system32\{078D9359-104D-4305-9BBD-B79F1F6EE0D0}.exe
    c:\WINDOWS\system32\{8D78FC94-3967-4C46-A317-FDD9C96F22F5}.exe
    c:\WINDOWS\system32\{4B4AA6A8-026F-4C21-A776-5C8F8FC053BE}.exe
    c:\WINDOWS\system32\{7F33BBD5-17E2-4D01-A031-CAF4B24D662C}.exe
    C:\WINDOWS\system32\{68618520-C9FE-4C54-9DE5-F5CF147FD003}.exe
    C:\WINDOWS\system32\{DD6C4BBF-DDCA-4309-AE66-6CE2C2F98845}.exe
    C:\WINDOWS\system32\{FC23C15B-FC83-4077-8C66-BCB9F92BEFD9}.exe
    C:\WINDOWS\system32\{97486465-723D-4D94-BF42-E0F3A6433BF8}.exe
    C:\WINDOWS\system32\{5DFA6250-025F-48E1-92EF-7A2488548B9F}.exe
    C:\WINDOWS\system32\{723185A6-3537-4B03-AF04-FB37495992D3}.exe
    C:\WINDOWS\system32\{5EB1D859-170D-4491-8A54-FBC5E1EBFB28}.exe
    C:\WINDOWS\system32\{0CC017B1-C984-4899-8BB4-953250FF6693}.exe
    C:\WINDOWS\system32\{5E3DE337-479B-4379-B079-61CC05AB244C}.exe
    C:\WINDOWS\system32\{77923E13-6439-4F51-93E1-1339A0D810DD}.exe
    C:\WINDOWS\system32\{8449626F-F846-4B4B-91C7-78C42BB0EF85}.exe
    C:\WINDOWS\system32\{251414D1-E725-472E-B689-5EBF55FF750E}.exe
    C:\WINDOWS\system32\{94FC7421-FB60-4F88-B0E6-024764423CC6}.exe
    C:\WINDOWS\system32\{D6AB1769-3860-4CB8-9FCD-DD7A656536E0}.exe
    C:\WINDOWS\system32\{20034E3F-C7F6-4F0D-BDD7-6F673F6B608D}.exe
    C:\WINDOWS\system32\{4289441A-75E5-4928-9961-B5019DCA0695}.exe
    C:\WINDOWS\system32\{3C446ACA-DAA7-4DC7-A2D8-6E49349AA911}.exe
    C:\WINDOWS\system32\{35020C07-955D-4B0B-BD00-47978EA31F4D}.exe
    C:\WINDOWS\system32\{B621950E-23EA-4B56-AA2B-32FE2068423B}.exe
    C:\WINDOWS\system32\{1E3DAF5F-F0E8-4F8A-9492-ABCC7B3F504D}.exe
    C:\WINDOWS\system32\{6C9A5C8C-D95E-4B86-8B80-42341CAF44B6}.exe
    C:\WINDOWS\system32\{FA338D86-B304-468F-AEB1-A482478DF4A6}.exe
    C:\WINDOWS\system32\{9B7502BA-930D-4072-A568-9B1439F6A181}.exe
    C:\WINDOWS\system32\{7CA96B07-7D79-42E7-B1C8-C0BD983AC896}.exe
    C:\WINDOWS\system32\{579BA336-4951-4A16-AB9A-426886D71F55}.exe
    C:\WINDOWS\system32\{880602B8-3E79-412F-B887-9C10C06701F5}.exe
    C:\WINDOWS\system32\{555F8383-C478-41B6-A2AF-3FBC17C04B45}.exe
    C:\WINDOWS\system32\{758DFC4B-D5F8-4838-B918-A76CA0300B4A}.exe
    C:\WINDOWS\system32\{FCAB1F94-05DC-47EC-838D-4E07964212F7}.exe
    C:\WINDOWS\system32\{69D88023-CC6B-40CD-907F-8D9AB1CC3D8C}.exe
    C:\WINDOWS\system32\{B8A8A807-6137-4F8D-AEA5-395E5621236D}.exe
    C:\WINDOWS\system32\{8B6DCEDB-5AF5-4AC0-B5C2-A61C7D0D0097}.exe
    C:\WINDOWS\system32\{793C887C-F91D-4A05-97B5-4352BE26EA62}.exe
    C:\WINDOWS\system32\{A85F9651-7640-4E0F-BA10-2F4602647126}.exe
    C:\WINDOWS\system32\{510A0504-1DAE-4226-8BAE-27BB2EE5DE66}.exe
    C:\WINDOWS\system32\{DA0F075A-82C5-4043-89DF-7E96FB9B7F69}.exe
    C:\WINDOWS\system32\{B926B101-83FF-49FC-89A7-D3E468092516}.exe
    C:\WINDOWS\system32\{5BB5D445-E584-4A75-A6FD-314BA51EB867}.exe
    C:\WINDOWS\system32\{3B4EC24B-8279-4AB4-9D65-0719BE6070DE}.exe
    C:\WINDOWS\system32\{92E8A2E6-5714-469E-8F9C-77FF600C934D}.exe
    C:\WINDOWS\system32\{34FD4C72-99CB-42A5-84FC-A873306EE012}.exe
    C:\WINDOWS\system32\{E19A8FB5-2CCB-4089-9EC5-9B612A2AFC3B}.exe
    C:\WINDOWS\system32\{232450F2-B58F-4DC5-9F8A-3E85D9AF1BE6}.exe
    C:\WINDOWS\system32\{C63934B0-964A-4513-937F-CF3AB1C1AFA8}.exe
    C:\WINDOWS\system32\{EA73B820-3A16-4A4E-B3DE-56F4BD2B80D9}.exe
    C:\WINDOWS\system32\{669BDC8E-1EF7-4A37-80C6-85123F3E08E7}.exe
    C:\WINDOWS\system32\{B1A9DFB8-1D32-484A-ABCB-071FCE2B20EF}.exe
    C:\WINDOWS\system32\{E8BD43B8-C5AA-4569-BC63-F0301D0E5489}.exe
    C:\WINDOWS\system32\{5763DEE1-D4E9-4EF8-A2EF-C40CDEAA299C}.exe
    C:\WINDOWS\system32\{417D85D3-E6A1-4DE5-A3B7-5C4C4F4F2F24}.exe
    C:\WINDOWS\system32\{9EC6E76C-5F9E-4D7D-8307-0FC4B3478D64}.exe
    C:\WINDOWS\system32\{96A038EE-E426-442C-A803-5CCB2743B0A9}.exe
    C:\WINDOWS\system32\{7AA2BE1B-BCA1-4EFD-BE71-5533254DEB6A}.exe
    C:\WINDOWS\system32\{51CB3A9E-DB55-4CBB-914C-7F6474A072AB}.exe
    C:\WINDOWS\system32\{7E775DB0-CBE3-4931-AFD9-799536DDEF70}.exe
    C:\WINDOWS\system32\{E1262117-C3DC-4532-B26B-7B1BEB640339}.exe
    C:\WINDOWS\system32\{E6903B9B-7CA3-46DC-BC46-7F2D8D17BC36}.exe
    C:\WINDOWS\system32\{52367DD2-2574-4B5B-824D-3AB9FF3DC20D}.exe
    C:\WINDOWS\system32\{0DDF0B99-9766-43B7-B27F-BF4A6A415ED7}.exe
    C:\WINDOWS\system32\{94C16F4A-0C7F-49C1-99F2-484E1FBB386C}.exe
    C:\WINDOWS\system32\{A6BCC0A5-DBE8-417D-B155-3B36D11C97E9}.exe
    C:\WINDOWS\system32\{CD89F0C9-4C14-47D1-B176-C9CB05D82890}.exe
    C:\WINDOWS\system32\{EB4886AA-3C1F-4217-9469-873FC0DF3CEB}.exe
    C:\WINDOWS\system32\{E6309026-1823-4C1F-8F26-C7EFD9B8C040}.exe
    C:\WINDOWS\system32\{190D8BB8-E300-4848-843F-3AC8F6D00A6F}.exe
    C:\WINDOWS\system32\{72D7D1EF-9D6B-412A-8DCF-A34EE5A175FE}.exe
    C:\WINDOWS\system32\{8BFC7B24-6DF9-493A-8D2A-96C2F60AA084}.exe
    C:\WINDOWS\system32\{D3EA72B0-A25A-461C-9452-444C584FCE9D}.exe
    C:\WINDOWS\system32\{D7A0FE81-82E9-46A2-938E-FE51AD578250}.exe
    C:\WINDOWS\system32\{59BCFFEC-F947-4150-89B0-BFD9BDDE7A3D}.exe
    C:\WINDOWS\system32\{2D52444C-6567-4ED7-ACA8-A6B5E3C3856F}.exe
    C:\WINDOWS\system32\{BEEFB6F9-28A0-4029-9F2A-B1FBFE3F4F66}.exe
    C:\WINDOWS\system32\{A499D3A8-1155-4799-B085-8EB49AAE98D5}.exe
    C:\WINDOWS\system32\{5049D7B7-A8F9-4641-9441-8D57F4E854CA}.exe
    C:\WINDOWS\system32\{4DC1788E-22A0-4A33-8FB0-6B4E638B91CB}.exe
    C:\WINDOWS\system32\{FFBAAFC0-70C3-46DF-A3FB-3464022CFF53}.exe
    C:\WINDOWS\system32\{E8278E85-3ABA-4603-94DA-DEA16B917BBE}.exe
    C:\WINDOWS\system32\{B8B0D4B1-F2A1-42F3-8D19-EE1F6C9779C1}.exe
    C:\WINDOWS\system32\{7D79C0CC-05A8-4103-8375-A9B9FA82B2A6}.exe
    C:\WINDOWS\system32\{75F6ECE3-220D-4F1D-BB34-4C3BE97F5FBD}.exe
    C:\WINDOWS\system32\{5E5DAA0A-2AE6-43A9-892E-EAE1DA4C782E}.exe
    C:\WINDOWS\system32\{350D7EF9-0CA0-4175-A128-FEC84118AC00}.exe
    C:\WINDOWS\system32\{3F7072C4-21E0-41B4-A62C-5C8A20763C72}.exe
    C:\WINDOWS\system32\{0739A4C1-7A0B-446C-9D36-7D709406936C}.exe
    C:\WINDOWS\system32\{6B947F57-3FB4-4F50-BA58-F260CB48DCEC}.exe
    C:\WINDOWS\system32\{A9AC5EA5-10B5-4314-8A7D-D0A6B9DE8F86}.exe
    C:\WINDOWS\system32\{ED251C24-7214-4339-9CB4-DC789BBFE5DF}.exe
    C:\WINDOWS\system32\{F224C3BC-E15A-47EF-AF86-F967DD9AB29A}.exe
    C:\WINDOWS\system32\{5822B02A-45BF-4DEC-AF03-22B8E572EFBD}.exe
    C:\WINDOWS\system32\{37FF9987-7628-4430-BA8F-15B31E0500AF}.exe
    C:\WINDOWS\system32\{77DB5767-9FA8-4073-AAE4-A8FC6062D72A}.exe
    C:\WINDOWS\system32\{20D7CF8A-1B53-4870-A169-F55412300870}.exe
    C:\WINDOWS\system32\{075D56D4-F75C-41AB-92F7-1EA1BE7606A0}.exe
    C:\WINDOWS\system32\{CB08A029-77E5-4BBE-BC4B-08E0960F8EB6}.exe
    C:\WINDOWS\system32\{9C85AD96-2DA6-48E1-9C1C-5B8B82682DA2}.exe
    C:\WINDOWS\system32\{275822E9-9B61-4794-AB3D-9F8C421E19B2}.exe
    C:\WINDOWS\system32\{06A868A2-EC0F-454C-8623-AA3A316CF105}.exe
    C:\WINDOWS\system32\{807210E9-005A-4C44-8EB6-DA3F581C173A}.exe
    C:\WINDOWS\system32\{916F527E-250E-493E-BC70-B04C65902FE7}.exe
    C:\WINDOWS\system32\{1C52DCB4-E295-4986-BA84-F3C2B72087FC}.exe
    C:\WINDOWS\system32\{62841B35-F28D-42A2-9C16-1209A24FCEE2}.exe
    C:\WINDOWS\system32\{5653E194-8E2E-4572-80F5-029F4FD5A89A}.exe
    C:\WINDOWS\system32\{4F31F071-835B-43F8-B34A-025BC4E0E9E2}.exe
    C:\WINDOWS\system32\{2DEC8032-81E9-4F23-B541-0123789AB885}.exe
    C:\WINDOWS\system32\{5425DFD0-1718-46AE-B91B-3D24EA6BF8E1}.exe
    C:\WINDOWS\system32\{D1CA8CEC-2F23-4EEA-AD8C-01A993922A38}.exe
    C:\WINDOWS\system32\{80F39838-67F2-472B-8CFD-0C30F014FA15}.exe
    C:\WINDOWS\system32\{03BDA64D-ECDE-4440-8407-16A9E0A58D90}.exe
    C:\WINDOWS\system32\{0808CD0A-F701-4F85-8DD1-0F250BA6ED06}.exe
    C:\WINDOWS\system32\{690713E1-EDE9-4B8C-B5DE-E34ADF162F5C}.exe
    C:\WINDOWS\system32\{5970D2E4-1CF8-461C-B2CA-DF7C7846C2FA}.exe
    C:\WINDOWS\system32\{32198F04-10B8-4FB1-8992-154D0012A885}.exe
    C:\WINDOWS\system32\{4910DB0E-F20E-4DED-B52C-A7A72329917F}.exe
    C:\WINDOWS\system32\{026717A8-3439-473F-850B-6F8C2CE3EAFF}.exe
    C:\WINDOWS\system32\{BA4E7D62-C0EF-4727-9633-5CE4F9A78AD5}.exe
    C:\WINDOWS\system32\{6EF3C275-69B5-44F7-8229-8FAA9D23A76E}.exe
    C:\WINDOWS\system32\{30E33AD8-FB47-4661-B11B-4A5A3627FAAF}.exe
    C:\WINDOWS\system32\{78821143-90B3-4AC7-9203-329153129013}.exe
    C:\WINDOWS\system32\{BD24103C-55AF-4D12-A7FD-4031DB3A15BF}.exe
    C:\WINDOWS\system32\{465DFDB5-5300-44E3-89EE-17F2DE687E0E}.exe
    C:\WINDOWS\system32\{0DCFD724-BFAA-4F45-87B7-A2599AAE3AC9}.exe
    C:\WINDOWS\system32\{564D7457-71EC-4EDC-A093-02BE0CD65FF2}.exe
    C:\WINDOWS\system32\{0E7B51D7-D8BD-4066-9A26-1B649853E9F7}.exe
    C:\WINDOWS\system32\{7EB296B9-B4E6-4812-985E-82A8182FE462}.exe
    C:\WINDOWS\system32\{460F00A1-D042-4E06-BFBB-BDAD129BCB11}.exe
    C:\WINDOWS\system32\{2F8D9CD1-4CF0-4EAF-9363-FB3D5213F9FF}.exe
    C:\WINDOWS\system32\{240D0C78-5DC3-49B2-AAC1-71AD171475AE}.exe
    C:\WINDOWS\system32\{4408CEAC-58A2-4CF1-B7DB-670280F61B4B}.exe
    C:\WINDOWS\system32\{1CCA69E4-E002-47CC-B1EC-CDDD045BFBF7}.exe
    C:\WINDOWS\system32\{CB561A1F-5789-494C-A795-AD746813D784}.exe
    C:\WINDOWS\system32\{F0B56FC7-DD16-43C3-A866-5459517D7794}.exe
    C:\WINDOWS\system32\{42EF31F4-71C1-4117-8759-25F16A5D760B}.exe
    C:\WINDOWS\system32\{C012D57F-82A2-406A-956B-63A27B1756E9}.exe
    C:\WINDOWS\system32\{847D3240-A9B0-40D1-8546-42FD3183CB75}.exe
    C:\WINDOWS\system32\{CE982C00-6B34-412D-9F8C-A409F9282D25}.exe
    C:\WINDOWS\system32\{ACE4B9A8-0562-46D9-A897-C5CA2DEAE47A}.exe
    C:\WINDOWS\system32\{3FC060F0-6240-453C-B5B3-E8FC6A4D6332}.exe
    C:\WINDOWS\system32\{70EDAFC7-4C71-40CD-8948-25A3C2F84E4E}.exe
    C:\WINDOWS\system32\{287D27E8-8448-4BD2-998C-01DC2A470C07}.exe
    C:\WINDOWS\system32\{5D37DC23-2EE8-4A0A-9160-C2537828F62C}.exe
    C:\WINDOWS\system32\{9F9C1904-30E0-414C-ADC9-77A8BE82BE7B}.exe
    C:\WINDOWS\system32\{77EF2134-DBC2-4CFD-9678-C58172C37966}.exe
    C:\WINDOWS\system32\{6870A572-9884-4833-A9E2-19235969981F}.exe
    C:\WINDOWS\system32\{8BD04EAF-F034-452B-B3D3-2492CEFFB67E}.exe
    C:\WINDOWS\system32\{AFDAA4F0-125B-4D35-B033-452D549F1FA1}.exe
    C:\WINDOWS\system32\{BE1580D5-D431-4C0C-935B-F793F5996A51}.exe
    C:\WINDOWS\system32\{48C700C6-B956-4BE6-8572-F59CD019697D}.exe
    C:\WINDOWS\system32\{E5B42663-7D9B-485A-85A0-178D89A8EAEA}.exe
    C:\WINDOWS\system32\{2D0104EF-3F03-49B0-8C26-1E01EDB1EDF9}.exe
    C:\WINDOWS\system32\{1DEEC013-009E-4485-A3FA-85AD6AC5B5DD}.exe
    C:\WINDOWS\system32\{A43BC425-6430-49F6-A5FE-DC0A9E1AA461}.exe
    C:\WINDOWS\system32\{181F67B0-9087-41F1-84BF-45C6578B2DE7}.exe
    C:\WINDOWS\system32\{EB3EFB50-33D4-45B0-9F2C-D6179F6B8D44}.exe
    C:\WINDOWS\system32\{7067C55A-75FC-41CB-B49B-ADA721B38BE6}.exe
    C:\WINDOWS\system32\{D4C17743-098A-40C2-AE30-428CABDB5824}.exe
    C:\WINDOWS\system32\{C0691322-E470-4A5E-8F78-7949FC5A9817}.exe
    C:\WINDOWS\system32\{11E8DF09-970A-4D50-A567-516A75D49EEA}.exe
    C:\WINDOWS\system32\{AB61887C-5CB7-4850-8FD6-AF1743F2E49D}.exe
    C:\WINDOWS\system32\{DD018FC1-2663-4C87-84AF-73AD98258C1E}.exe
    C:\WINDOWS\system32\{ED9D74FD-E802-4DAD-A52F-65BF301A3AA5}.exe
    C:\WINDOWS\system32\{827E8083-95F7-47B1-8241-F475D1C1A860}.exe
    C:\WINDOWS\system32\{D2508C46-BEDA-4F52-B411-BD1F7BCE386A}.exe

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, start The Avenger program by clicking on its icon on your desktop.
    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    • Click Done
    • Now click on the Green Light to begin execution of the script
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply by using Add/Reply
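    The script above was assembled by picking the GUID-named executables out of system32 by hand. As an added example (not the helper's or Avenger's own code), the Python below applies that same triage rule to a constructed directory listing and renders the matches in the thread's "Files to delete:" layout; the two GUID-named files are taken from the thread's script, the rest of the listing is constructed.

```python
import re
from pathlib import PureWindowsPath

# A bare GUID used as a file name, e.g. {0A11B091-A3C6-4768-9504-05A55FD15A46}.exe.
# Legitimate Windows binaries are not named this way, so it is a cheap triage rule.
GUID_BINARY_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}\.(exe|dll)$",
    re.IGNORECASE,
)

def is_guid_named_binary(path: str) -> bool:
    """True when a .exe/.dll directly inside a system32 folder has a GUID-shaped name."""
    p = PureWindowsPath(path)
    return p.parent.name.lower() == "system32" and bool(GUID_BINARY_RE.match(p.name))

def flag_suspicious(listing):
    """Filter a directory listing down to the GUID-named binaries, preserving order."""
    return [path for path in listing if is_guid_named_binary(path)]

def build_avenger_script(paths):
    """Render the 'Files to delete:' block in the layout the thread's script uses.

    Windows paths are case-insensitive, so entries differing only in case are
    collapsed; the first spelling seen is kept.
    """
    seen, unique = set(), []
    for path in paths:
        key = path.lower()
        if key not in seen:
            seen.add(key)
            unique.append(path)
    return "Files to delete:\n" + "\n".join(unique) + "\n"

# Constructed sample listing: two legitimate system files, two GUID-named binaries
# named in the thread's script, and one GUID-named file outside system32 (ignored).
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\{0A11B091-A3C6-4768-9504-05A55FD15A46}.exe",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\System32\{7886BC2A-3CEB-47D5-B49C-07AEAEF3B3C2}.dll",
    r"C:\Temp\{0A11B091-A3C6-4768-9504-05A55FD15A46}.exe",
]

if __name__ == "__main__":
    print(build_avenger_script(flag_suspicious(SAMPLE_LISTING)), end="")
```

    The rule is deliberately narrow: the thread's script also names files such as cstgq.exe that this check would not catch, so it complements a scanner rather than replacing one.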
  • edited July 2006
    I tried the Avenger, after clicking on the green light and hitting yes once, it gives me a red circle - white x pop up that says:
    Error code: 1813
    Error: selected file does not appear to be a valid script.

    It gives me the option to:
    Press Ok to log error and continue or cancel to abort.

    Should I hit Ok? I wasn't sure if that would mess up my system.


    Is the Avenger step replacing the Killbox step? Or after I do the Avenger step, should I try the Killbox step also or skip it and go to the next step?

    Sorry for taking up so much of your time. This is really a big help.
  • TroganTrogan London, UK
    edited July 2006
    Yes, the Avenger step is replacing the Killbox step. After Avenger, continue with removing the HijackThis entries.

    About Avenger, I'm not sure what's exactly causing the error. Unless you may have made a mistake - could you retry?

    I've asked someone to see what they think. I'll have to see what they say.