Can't get it 100% clean

Ok,
I really really hope I have followed all the steps to post my first post the right way. I've cleaned off my IE and Firefox temps/cookies/history etc as directed. Installed Adaware, scanned and cleaned, updated Spybot, scanned and cleaned (continues to pick up toolbar 888 despite saying it is fixed each time). Installed and ran SpywareBlaster, updated, protected and took its advice on making the system more secure. Went to pandasoftware and ran that utility. AVG is installed, updated and ran. Every single step along the way has "found" something, and been cleaned...which I guess is good and bad. This system has only been newly installed for a few weeks, however I was slow in setting up my spyware and virus protection (shame on me). So here is my HijackThis file...I have the pandasoftware file too if it's needed later.


Logfile of HijackThis v1.99.1
Scan saved at 8:56:26 PM, on 5/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ICQLite\ICQLite.exe
C:\WINDOWS\System\CmFlywav.exe
C:\Program Files\Linksys Wireless-G Music Bridge\WMB54G.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [CmFlywaveName] C:\WINDOWS\System\CmFlywav.exe
O4 - HKLM\..\Run: [Linksys WMB54G Utility] C:\Program Files\Linksys Wireless-G Music Bridge\WMB54G.exe -R
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\rbpyebdb.dll",realset
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174879600093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174879574343
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://yme.music.yahoo.com/qos/cabs/DiagCollectionControl.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

Comments

  • edited May 2007
    Hi Repeal and welcome to Short-Media. I'm checking your log, so please be patient.
  • edited May 2007
    :smiles: Hi Repeal

    What Firewall you use?

    Lets start with this:

    Rename HijackThis.exe to scanner.exe

    Please download VundoFix.exe to your desktop.
    * Double-click VundoFix.exe to run it.
    * Click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will reboot your computer, click OK.

    Important note -- It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Please download Deckard's System Scanner to your Desktop

    * Close all applications and windows.
    * Double-click on Dss.exe to run it, and follow the prompts.
    * The scan may take a minute. When the scan is complete, a text file will open Main.txt and extra.txt

    Please post the contents of C:\vundofix.txt, Main.txt, extra.txt and a new HiJackThis log:wink:
  • edited May 2007
    I'm at work right now, so I don't have access to the offending PC, however the night that I made my first post, I was using a database to check my HJT entries, and noticed one of them was associated with the vundo, so I downloaded vundofix that night, as well as running the online scanners that were recommended. So that part is done.

    I am not currently running anything except the Windows firewall, however that will change this afternoon when I get home and can download a recommended one.

    The scanners and the vundofix seemed to fix the problem with the popups, but I still seem to find "critical threats" when I run AVG.

    When I get home I will dl Deckard's and run that, as well as getting you an updated HJT via the scanner.exe rename.
  • edited May 2007
    Ok...here is the renamed (scanner.exe) hijack this log

    Logfile of HijackThis v1.99.1
    Scan saved at 9:38:16 AM, on 5/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\ICQLite\ICQLite.exe
    C:\WINDOWS\System\CmFlywav.exe
    C:\Program Files\Linksys Wireless-G Music Bridge\WMB54G.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
    C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
    C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\scanner.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://est1967.com/index.php?option=com_smf&Itemid=28
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {9FBEBDFE-7A3C-4FFC-9088-BF0FBC8B89EA} - C:\WINDOWS\system32\jkhff.dll (file missing)
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
    O4 - HKLM\..\Run: [CmFlywaveName] C:\WINDOWS\System\CmFlywav.exe
    O4 - HKLM\..\Run: [Linksys WMB54G Utility] C:\Program Files\Linksys Wireless-G Music Bridge\WMB54G.exe -R
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
    O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
    O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174879600093
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174879574343
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://yme.music.yahoo.com/qos/cabs/DiagCollectionControl.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe


    Here is the Extra File

    Deckard's System Scanner v20070426.43
    Extra logfile - please post this as an attachment with your post.
    -- System Information
    Microsoft Windows XP Professional (build 2600) SP 2.0
    Architecture: X86; Language: English
    CPU 0: AMD Athlon(tm) 64 Processor 3000+
    Percentage of Memory in Use: 34%
    Physical Memory (total/avail): 1023.48 MiB / 666.76 MiB
    Pagefile Memory (total/avail): 2460.58 MiB / 2188.13 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1975.64 MiB
    A: is Removable (No Media)
    C: is Fixed (NTFS) - 57.25 GiB total, 34.72 GiB free.
    D: is Removable (No Media)
    E: is CDROM (CDFS)
    F: is Fixed (NTFS) - 57.25 GiB total, 54.9 GiB free.
    G: is Fixed (NTFS) - 70.74 GiB total, 67.9 GiB free.

    -- Security Center
    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is enabled.
    AV: AVG 7.5.467 v7.5.467 (GRISOFT)

    -- Environment Variables
    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Dave\Application Data
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=BEANCREE-5KJ5BI
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Dave
    LOGONSERVER=\\BEANCREE-5KJ5BI
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 12 Stepping 0, AuthenticAMD
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0c00
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\Dave\LOCALS~1\Temp
    TMP=C:\DOCUME~1\Dave\LOCALS~1\Temp
    USERDOMAIN=BEANCREE-5KJ5BI
    USERNAME=Dave
    USERPROFILE=C:\Documents and Settings\Dave
    windir=C:\WINDOWS

    -- User Profiles
    Dave (admin)
    Administrator (new local, admin)

    -- Add/Remove Programs
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    µTorrent --> "C:\Program Files\uTorrent\uninstall.exe"
    ABBYY FineReader 5.0 Sprint Plus --> MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
    Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
    Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
    Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
    AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
    C-Media Wi-Sonic Wireless Audio Driver --> C:\WINDOWS\system32\cmrmdrvw.exe
    Enable S3 for USB Device --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Gigabyte\Enable S3 for USB Device\Uninst.isu"
    EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
    GPGNet --> MsiExec.exe /I{C194D333-B84A-4BB7-B35E-060732D98DC4}
    Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
    HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
    Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
    ICQ 5.1 --> C:\Program Files\ICQLite\ICQLiteUninstall.EXE
    Lexmark 4200 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBMUN5C.EXE -dLexmark 4200 Series
    Lexmark 4200 Series Fax Solutions --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /M{C439D065-5B64-4563-A6B9-1AA202633E13} /l1033 /z/U
    Linksys Wireless-G Music Bridge --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1CCDF8BE-8BE8-45F1-BDAD-1195131E5AC5}\setup.exe" -l0x9
    Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
    Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
    Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    NVIDIA Drivers --> C:\WINDOWS\System32\nvudisp.exe UninstallGUI
    oggcodecs 0.71.0946 --> C:\Program Files\illiminable\oggcodecs\uninst.exe
    Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
    Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
    Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
    SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
    Supreme Commander --> C:\Program Files\InstallShield Installation Information\{25A1E6A4-2DBD-4AC0-8650-8EA9A45B183D}\setup.exe -runfromtemp -l0x0009 -removeonly
    The Sims 2 --> C:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
    The Sims 2 Nightlife --> C:\Program Files\EA GAMES\The Sims 2 Nightlife\EAUninstall.exe
    The Sims 2 Open For Business --> C:\Program Files\EA GAMES\The Sims 2 Open For Business\EAUninstall.exe
    VIA Integrated Setup Wizard --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{9497EBAA-87AD-41E6-8ED6-E1E52995A76C}
    WinAce Archiver --> "C:\Program Files\WinAce\SXUNINST.EXE" "C:\Program Files\WinAce\SXUNINST.INI"
    Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
    Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
    Yahoo! Music Jukebox --> MsiExec.exe /X{EC3B8CA2-49B8-4D38-BE9C-ABD0F6029168}

    -- End of Deckard's System Scanner: finished at 2007-05-09 at 09:34:44

    Here is the Main

    Deckard's System Scanner v20070426.43
    Run by Dave on 2007-05-09 at 09:33:50
    Computer is in Normal Mode.
    -- System Restore
    System Restore is disabled; attempting to re-enable...success.

    -- Last 1 Restore Point(s) --
    1: 2007-05-09 15:33:55 UTC - RP1 - System Checkpoint

    Backed up registry hives.
    Performed disk cleanup.

    -- HijackThis (run as Dave.exe)
    Logfile of HijackThis v1.99.1
    Scan saved at 9:34:19 AM, on 5/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\ICQLite\ICQLite.exe
    C:\WINDOWS\System\CmFlywav.exe
    C:\Program Files\Linksys Wireless-G Music Bridge\WMB54G.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
    C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
    C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Dave\Desktop\dss.exe
    C:\PROGRA~1\HIJACK~1\Dave.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://est1967.com/index.php?option=com_smf&Itemid=28
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {9FBEBDFE-7A3C-4FFC-9088-BF0FBC8B89EA} - C:\WINDOWS\system32\jkhff.dll (file missing)
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
    O4 - HKLM\..\Run: [CmFlywaveName] C:\WINDOWS\System\CmFlywav.exe
    O4 - HKLM\..\Run: [Linksys WMB54G Utility] C:\Program Files\Linksys Wireless-G Music Bridge\WMB54G.exe -R
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
    O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
    O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174879600093
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174879574343
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://yme.music.yahoo.com/qos/cabs/DiagCollectionControl.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

    -- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\)
    backup-20070503-222214-237 O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\rbpyebdb.dll",realset
    backup-20070503-222214-319 O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
    -- File Associations
    All associations okay.

    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
    R3 rtl8180 (IEEE 802.11b Wireless Cardbus/PCI Adapter) - c:\windows\system32\drivers\rtl8180.sys <Not Verified; Realtek Semiconductor Corporation; WLAN Cardbus/PCI Adapter>

    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
    All services whitelisted.

    -- Files created between 2007-04-09 and 2007-05-09
    2007-05-09 06:01:47 0 d
    C:\WINDOWS\LastGood
    2007-05-03 22:08:51 0 d
    C:\VundoFix Backups
    2007-05-03 20:25:32 0 d
    C:\WINDOWS\system32\ActiveScan
    2007-05-03 20:20:18 118784 --a
    C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
    2007-05-03 20:20:18 0 d
    C:\Program Files\SpywareBlaster
    2007-05-03 19:56:28 0 d
    C:\Documents and Settings\Dave\Application Data\Lavasoft
    2007-05-03 19:56:12 0 d
    C:\Program Files\Lavasoft
    2007-05-03 19:55:43 0 d
    C:\Program Files\Common Files\Wise Installation Wizard
    2007-05-03 19:18:27 0 d
    C:\Documents and Settings\Dave\Application Data\4200Series
    2007-05-03 16:28:48 20480 --a
    C:\WINDOWS\system32\LXBRPMUI.DLL
    2007-05-03 16:28:48 32768 --a
    C:\WINDOWS\system32\LXBRPMON.DLL
    2007-05-03 16:28:28 12288 --a
    C:\WINDOWS\system32\LXBRPMRC.DLL <Not Verified; Lexmark International, Inc.; Lexmark Fax Solutions Software Print Monitor>
    2007-05-03 16:28:28 98345 -ra
    C:\WINDOWS\system32\IMHOST32.DLL <Not Verified; Data Techniques, Inc.; ImageMan Image Processing Toolkit>
    2007-05-03 16:28:28 339968 -ra
    C:\WINDOWS\system32\IMGMAN32.DLL <Not Verified; Data Techniques, Inc.; ImageMan Image Processing Toolkit>
    2007-05-03 16:28:09 0 d
    C:\Documents and Settings\All Users\Application Data\4200Series
    2007-05-03 16:26:55 0 d
    C:\Program Files\ABBYY FineReader 6.0
    2007-05-03 16:26:55 0 d
    C:\Program Files\ABBYY FineReader 5.0 Sprint
    2007-05-03 16:25:29 0 d
    C:\Program Files\Lexmark 4200 Series
    2007-05-01 11:06:43 0 d
    C:\Program Files\WinAce
    2007-04-26 10:28:28 0 dr-h
    C:\$VAULT$.AVG
    2007-04-24 10:47:54 281172 ---hs---- C:\WINDOWS\system32\mlljg.dll
    2007-04-24 10:47:53 281172 ---hs---- C:\WINDOWS\system32\jkkll.dll
    2007-04-24 10:40:00 0 d
    C:\Program Files\Common Files\S?mantec
    2007-04-24 08:02:19 0 d
    C:\Documents and Settings\Dave\Application Data\Adobe
    2007-04-24 08:01:38 0 d
    C:\Documents and Settings\All Users\Application Data\Adobe
    2007-04-24 07:46:30 0 d
    C:\Program Files\Common Files\Adobe
    2007-04-23 12:55:14 0 d
    C:\Documents and Settings\Dave\Application Data\uTorrent
    2007-04-23 12:55:12 0 d
    C:\Program Files\uTorrent

    -- Find3M Report
    2007-05-04 04:43:36 0 d
    C:\Documents and Settings\Dave\Application Data\AVG7
    2007-05-03 20:43:47 0 d
    C:\Program Files\Linksys Wireless-G Music Bridge
    2007-05-03 20:43:23 0 d
    C:\Program Files\ICQLite
    2007-05-03 19:05:54 1940 --a
    C:\WINDOWS\system32\tmp.reg
    2007-05-03 16:28:58 0 d--h
    C:\Program Files\InstallShield Installation Information
    2007-05-01 12:23:46 0 d
    C:\Program Files\EA GAMES
    2007-04-05 08:11:34 0 d
    C:\Program Files\Messenger
    2007-04-02 16:31:58 0 --a
    C:\WINDOWS\system32\kernel32.exe
    2007-03-29 11:13:08 0 d
    C:\Program Files\EPSON
    2007-03-28 22:22:15 0 --a
    C:\WINDOWS\nsreg.dat
    2007-03-28 22:22:13 0 d
    C:\Documents and Settings\Dave\Application Data\Mozilla
    2007-03-26 07:39:49 0 d
    C:\Documents and Settings\Dave\Application Data\ICQLite
    2007-03-26 07:26:24 0 d
    C:\Program Files\Movie Maker
    2007-03-26 07:24:38 0 d
    C:\Program Files\Windows NT
    2007-03-25 22:20:05 0 d
    C:\Program Files\THQ
    2007-03-25 22:14:29 0 d
    C:\Documents and Settings\Dave\Application Data\InstallShield
    2007-03-25 21:27:54 0 d--h
    C:\Program Files\WindowsUpdate
    2007-03-25 20:40:36 0 d
    C:\Program Files\Yahoo!
    2007-03-25 20:40:21 0 d
    C:\Program Files\Common Files\SureThing Shared
    2007-03-25 20:40:18 0 d
    C:\Program Files\illiminable
    2007-03-25 19:26:37 0 d
    C:\Documents and Settings\Dave\Application Data\Macromedia
    2007-03-25 19:16:20 0 d
    C:\Program Files\Common Files\InstallShield
    2007-03-25 18:31:28 0 d
    C:\Documents and Settings\Dave\Application Data\ICQ
    2007-03-25 18:18:53 0 d
    C:\Program Files\VIA
    2007-03-25 18:12:59 0 d
    C:\Program Files\Gigabyte
    2007-03-25 18:11:08 0 d
    C:\Program Files\Realtek Sound Manager
    2007-03-25 18:11:08 0 d
    C:\Program Files\AvRack
    2007-03-25 17:47:18 0 d
    C:\Documents and Settings\Dave\Application Data\Identities
    2007-03-25 17:43:17 0 d
    C:\Program Files\microsoft frontpage
    2007-03-25 17:42:56 0 -rahs---- C:\MSDOS.SYS
    2007-03-25 17:42:56 0 -rahs---- C:\IO.SYS
    2007-03-25 17:42:56 0 --a
    C:\CONFIG.SYS
    2007-03-25 17:42:56 0 --a
    C:\AUTOEXEC.BAT
    2007-03-25 17:41:57 0 d
    C:\Program Files\Online Services
    2007-03-25 17:40:51 0 d
    C:\Program Files\Common Files\MSSoap
    2007-03-25 17:40:23 21640 --a
    C:\WINDOWS\system32\emptyregdb.dat
    2007-03-25 17:39:49 0 d
    C:\Program Files\MSN Gaming Zone
    2007-03-25 12:34:12 0 d
    C:\Program Files\Common Files\ODBC
    2007-03-25 12:34:10 0 d
    C:\Program Files\Common Files\SpeechEngines
    2007-03-25 12:33:46 62 --ahs---- C:\Documents and Settings\Dave\Application Data\desktop.ini

    -- Registry Dump
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {9FBEBDFE-7A3C-4FFC-9088-BF0FBC8B89EA} C:\WINDOWS\system32\jkhff.dll [x]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SoundMan"="SOUNDMAN.EXE"
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
    "nwiz"="nwiz.exe /install"
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
    "ICQ Lite"="\"C:\\Program Files\\ICQLite\\ICQLite.exe\" -minimize"
    "CmFlywaveName"="C:\\WINDOWS\\System\\CmFlywav.exe"
    "Linksys WMB54G Utility"="C:\\Program Files\\Linksys Wireless-G Music Bridge\\WMB54G.exe -R"
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
    "Lexmark 4200 Series"="\"C:\\Program Files\\Lexmark 4200 Series\\lxbmbmgr.exe\""
    "FaxCenterServer4_in_1"="\"C:\\Program Files\\Lexmark 4200 Series\\Fax\\fm3032.exe\" /s"
    @=&quot;"
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoCDBurning"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{3F9D0C61-737D-44D1-BD80-91AF857061CC}"=""
    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
    Shell\AutoRun\command E:\Setup.EXE

    -- End of Deckard's System Scanner: finished at 2007-05-09 at 09:34:44



    What firewall do you recommend?
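The helpers in this thread pick out the suspicious entries by eye: the anonymous BHO pointing at a missing jkhff.dll, the runner1 and InfoData autostarts, and, in the DSS listing, the two hidden+system DLLs created a second apart with identical sizes plus the zero-byte kernel32.exe. As an added example (not part of this thread, HijackThis or Deckard's System Scanner), here is a small Python triage script that applies those same checks to HJT O2/O4 lines and DSS file rows. The sample lines are constructed from the logs above; the nine-character attribute column is an assumption for the rows the page shows only as "--a", and the heuristics (vowel ratio for generated names, a sixty-second pairing window) are mine and produce entries for review rather than verdicts.

```python
import re
from datetime import datetime

# Constructed sample input modelled on the HijackThis log and the "Files created"
# section of the Deckard's System Scanner (DSS) log posted in this thread. The paths
# and names are the ones in the thread; the nine-character attribute column follows
# the DSS format visible on the "---hs----" rows (assumed for the "--a" rows).
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9FBEBDFE-7A3C-4FFC-9088-BF0FBC8B89EA} - C:\WINDOWS\system32\jkhff.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\rbpyebdb.dll",realset
""".strip().splitlines()

DSS_SAMPLE = r"""
2007-04-24 10:47:54 281172 ---hs---- C:\WINDOWS\system32\mlljg.dll
2007-04-24 10:47:53 281172 ---hs---- C:\WINDOWS\system32\jkkll.dll
2007-04-02 16:31:58 0 --a------ C:\WINDOWS\system32\kernel32.exe
2007-03-25 17:40:23 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-05-03 20:20:18 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
""".strip().splitlines()

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]*)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-letter path in a command line, ending at a binary extension; this
# copes with unquoted paths containing spaces and with rundll32's "dll,Export".
PATH_RE = re.compile(r'([A-Za-z]:\\.*?\.(?:exe|dll|cpl|scr|com))(?=["\s,]|$)', re.IGNORECASE)
DSS_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<size>\d+) (?P<attr>\S{9}) (?P<path>.+)$")

VOWELS = set("aeiou")
CORE_DLLS = {"kernel32", "ntdll", "user32", "advapi32", "gdi32"}


def looks_random(stem: str) -> bool:
    """Heuristic for generated DLL names: five or more lowercase letters with at
    most one vowel in four. Vendor names with capitals (NvCpl) are left alone."""
    if not (len(stem) >= 5 and stem.isalpha() and stem.islower()):
        return False
    return sum(c in VOWELS for c in stem) / len(stem) <= 0.25


def triage_hjt(lines):
    """Return (rule, line) pairs for HijackThis O2/O4 entries worth a closer look."""
    findings = []
    for line in lines:
        m = O2_RE.match(line)
        if m:
            if m["name"] == "(no name)" or "(file missing)" in m["path"]:
                findings.append(("orphaned-or-anonymous-bho", line))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        pm = PATH_RE.search(m["cmd"])
        if not pm:
            continue  # bare names such as SOUNDMAN.EXE give no path to judge
        path = pm.group(1)
        parts = path.split("\\")
        in_windows = len(parts) >= 3 and parts[1].lower() == "windows"
        if in_windows and len(parts) == 3:
            # An autostart binary sitting directly in C:\WINDOWS rather than in a
            # product directory is a classic dropper location.
            findings.append(("autostart-exe-in-windows-root", line))
        stem = parts[-1].rsplit(".", 1)[0]
        if in_windows and m["cmd"].lower().startswith("rundll32") and looks_random(stem):
            findings.append(("rundll32-random-dll", line))
    return findings


def triage_dss(lines):
    """Flag hidden+system DLLs in system32, same-size DLL pairs created within a
    minute of each other, and executables named after core system DLLs."""
    findings = []
    hidden_dlls = []  # (timestamp, size, path) of flagged DLLs, for pairing
    for line in lines:
        m = DSS_RE.match(line)
        if not m:
            continue
        path = m["path"]
        parts = path.lower().split("\\")
        stem, _, ext = parts[-1].rpartition(".")
        in_sys32 = "system32" in parts[:-1]
        attr = m["attr"]
        if in_sys32 and ext == "dll" and "h" in attr and "s" in attr:
            findings.append(("hidden-system-dll-in-system32", line))
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            size = int(m["size"])
            for other_ts, other_size, other_path in hidden_dlls:
                if size == other_size and abs((ts - other_ts).total_seconds()) <= 60:
                    findings.append(("same-size-dll-pair", f"{path} <-> {other_path}"))
            hidden_dlls.append((ts, size, path))
        if ext == "exe" and stem in CORE_DLLS:
            # The genuine kernel32 is a DLL; an .exe by that name is masquerading.
            findings.append(("core-dll-name-with-exe-extension", line))
    return findings


if __name__ == "__main__":
    for rule, detail in triage_hjt(HJT_SAMPLE) + triage_dss(DSS_SAMPLE):
        print(f"{rule:36} {detail}")
```

Run against the samples it reports the jkhff.dll BHO, the runner1 and InfoData autostarts, both hidden DLLs and their pairing, and kernel32.exe, while leaving the NVIDIA and AVG entries alone. The name heuristic is deliberately narrow (lowercase-only stems inside the Windows directory loaded through rundll32) because short vendor names such as avgcc would otherwise trip it; a real tool would back it with a known-good hash list.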
  • edited May 2007
    Oh, and since I had ran the vundofix earlier in the night that I posted this, after it found and removed vundo, I deleted it...do you still want a vundofix text, as I can run it again but it doesn't find anything....?
  • edited May 2007
    :) Hi Repeal

    Comodo Free Firewall :thumbsup:

    step #1

    Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    O2 - BHO: (no name) - {9FBEBDFE-7A3C-4FFC-9088-BF0FBC8B89EA} - C:\WINDOWS\system32\jkhff.dll (file missing)

    Close ALL open windows
    Click Fix Checked
    Close HijackThis

    step #2

    Please download PurityScan uninstaller
    Double click on the OiUninstaller.exe icon on your desktop
    Click on Run
    Enter the four digit code that is displayed and click on Uninstall
    Click on Ok and reboot your computer

    step #3

    Please download killbox to your desktop
    Unzip it to your desktop.
    Run Killbox.exe
    -> Choose Delete on Reboot
    -> Click All Files option.
    Copy the following lines to your clipboard (choose text with your mouse, press CTRL+C or copy)

    C:\WINDOWS\system32\mlljg.dll
    C:\WINDOWS\system32\jkkll.dll
    C:\WINDOWS\system32\kernel32.exe

    Then go back to Killbox
    -> go to File
    -> choose Paste from Clipboard
    -> Click the red-white Delete File option.
    -> Click Yes to Delete on Reboot question
    -> Click OK to any PendingFileRenameOperations requests (and tell me if you get any of these!)
    -> Restart your computer if Killbox won't do it.
    (If you get this error when running Killbox: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid.", download Missingfilessetup.exe from here to your desktop and run the file, then try running Killbox.)

    step #4

    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
    This program is for XP and Windows 2000 only!
    Double-click ATF Cleaner.exe to open it.
    Under Main select the following:
    * Windows Temp
    * Current User Temp
    * All Users Temp
    * Temporary Internet Files
    * Prefetch
    * Java Cache
    *The other boxes are optional*
    Then click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    step #5

    Please run Panda's ActiveScan. You will need to use Internet Explorer to run it.
    * Once you are on the Panda site click the Scan your PC button
    * A new window will open...click the Check Now button
    * Enter your Country
    * Enter your State/Province
    * Enter your e-mail address and click send
    * Select either Home User or Company
    * Click the big Scan Now button
    * If it wants to install an ActiveX component allow it
    * It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    * When download is complete, click on My Computer to start the scan
    * When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

    Post a fresh HijackThis log and the Panda ActiveScan report
    in your next reply. ;)
  • edited May 2007
    Activescan.txt below

    Incident Status Location
    Adware:adware/outerinfo Not disinfected Windows Registry
    Adware:Adware/Spylocked Not disinfected C:\RECYCLER\S-1-5-21-1844237615-926492609-725345543-500\Dc2.exe
    Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\hgghedd.dll.bad
    Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ikntkssj.dll.bad
    Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\jkkkjkk.dll.bad
    Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\rbpyebdb.dll.bad
    Adware:Adware/Sqwire Not disinfected C:\WINDOWS\b103.exe
    Adware:Adware/WebHancer Not disinfected C:\WINDOWS\b129.exe
    Potentially unwanted tool:Application/Processor Not disinfected G:\SmitfraudFix\Process.exe



    New Hijackthis file as follows

    Logfile of HijackThis v1.99.1
    Scan saved at 3:26:40 PM, on 5/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\ICQLite\ICQLite.exe
    C:\WINDOWS\System\CmFlywav.exe
    C:\Program Files\Linksys Wireless-G Music Bridge\WMB54G.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
    C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
    C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\scanner.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://est1967.com/index.php?option=com_smf&Itemid=28
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
    O4 - HKLM\..\Run: [CmFlywaveName] C:\WINDOWS\System\CmFlywav.exe
    O4 - HKLM\..\Run: [Linksys WMB54G Utility] C:\Program Files\Linksys Wireless-G Music Bridge\WMB54G.exe -R
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
    O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
    O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174879600093
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174879574343
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://yme.music.yahoo.com/qos/cabs/DiagCollectionControl.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
  • edited May 2007
    BTW, I didn't get any warnings when rebooting after running Killbox...just an FYI.

    Thanks for all your help thus far...
  • edited May 2007
    :smiles: Hi Repeal
    Good work, your log looks clean. Everything is good now;
    we have four things to do.

    step#1
    Please delete this folder using Windows Explorer:
    C:\VundoFix\Backups

    step#2
    Clean your System Restore:
    Turn off System Restore.
    On the Desktop, right-click My Computer
    Click Properties
    Click the System Restore tab
    Check Turn off System Restore
    Click Apply, and then click OK

    step#3
    Run Killbox.exe
    -> Choose Delete on Reboot
    -> Click All Files option.
    Copy the following lines to your clipboard (choose text with your mouse, press CTRL+C or copy)

    C:\WINDOWS\b129.exe
    C:\WINDOWS\b103.exe

    Then go back to Killbox
    -> go to File
    -> choose Paste from Clipboard
    -> Click the red-white Delete File option.
    -> Click Yes to Delete on Reboot question
    -> Click OK to any PendingFileRenameOperations requests (and tell me if you get any of these!)
    -> Restart your computer if Killbox won't do it.
    (If you get this error when running Killbox: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid.", download Missingfilessetup.exe from here to your desktop and run the file, then try running Killbox.)


    step#4
    Turn on System Restore.
    On the Desktop, right-click My Computer
    Click Properties
    Click the System Restore tab
    Uncheck Turn off System Restore
    Click Apply, and then click OK


    You can fix these lines with HijackThis if you want. This could speed up your computer's start-up.
    Open HijackThis

    - Click the Do a system scan only button
    - Check the following entries (below)

    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
    O4 - HKLM\..\Run: [CmFlywaveName] C:\WINDOWS\System\CmFlywav.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

    Close ALL open windows
    Click Fix Checked
    Close HijackThis


    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure

    The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
    Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
    AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
    SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
    SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
    IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
    Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
    Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
    Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
    To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.
    Watch what you download!
    Many freeware programs, and P2P programs like Grokster, Imesh, Kazaa and others, which are amongst the most notorious, come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself. If you insist on using a P2P program, please read This Article written by Mike Healan of Spywareinfo.com fame. It is an updated and comprehensive article that gives in-depth detail about which P2P programs are "safe" to use.

    Happy surfing and stay clean! :wink:
  • edited May 2007
    Thanks for everything. The malware seems to be gone, the reboots are quicker, and I feel a little more secure. You've been a big help.