Trojan problems and BHO files need removal help.

4Nmissile New
edited November 2007 in Spyware & Virus Removal
Every time I run HijackThis, though, the same two BHOs are back. Also, whenever I click on Internet Explorer, My Computer or any file, program etc., I get 4 popups from AVG saying that it has found an infection. Two popups for the comctl32l.dll BHO and two for the eventclsj.dll BHO. I can't delete them manually by going into My Computer and into the system32 folder. What are these two BHOs and how do I get rid of them? Thanks for any help.

Here is my HJT log.

Logfile of HijackThis v1.99.0
Scan saved at 8:20:08 PM, on 10/26/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
D:\Programs\Hijackthis\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sony.com/vaiopeople
O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll
O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: VirtuaGirl2.lnk = D:\Program Files\Vg\VirtuaGirl2.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Real-time Monitor.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - AppInit_DLLs: C:\WINDOWS\System32\sulimo.dat
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Comments

  • edited October 2007
    Hi 4Nmissile!


    Please download SmitfraudFix

    Double-click SmitfraudFix.exe
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
  • 4Nmissile New
    edited October 2007
    Thanks for responding Baabiouz. Here is the log file.


    SmitFraudFix v2.242

    Scan done at 19:52:09.13, Sun 10/28/2007
    Run from C:\Documents and Settings\Brian\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\atiptaxx.exe
    C:\Program Files\Sony\HotKey Utility\HKserv.exe
    C:\WINDOWS\System32\qttask.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
    C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Brian


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Brian\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Brian\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="C:\\WINDOWS\\System32\\sulimo.dat"


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
    DNS Server Search Order: 65.24.7.3
    DNS Server Search Order: 65.24.7.6

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{193DC039-0B58-43D7-A78D-B86F11AE0A7D}: DhcpNameServer=65.24.7.3 65.24.7.6
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{193DC039-0B58-43D7-A78D-B86F11AE0A7D}: DhcpNameServer=65.24.7.3 65.24.7.6
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{193DC039-0B58-43D7-A78D-B86F11AE0A7D}: DhcpNameServer=65.24.7.3 65.24.7.6
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.3 65.24.7.6
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.3 65.24.7.6
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.3 65.24.7.6


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
  • edited October 2007
    Hi!
    You have two antivirus programs running at the same time:
    Trend Micro and AVG Free.
    It would be best to remove one of them.
    _____________________________

    Please open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below:

    O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll
    O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll
    O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx

    This item is optional: O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
    Read about it here:
    http://www.bleepingcomputer.com/startups/ZtgServerSwitch-7085.html
    If you don't use it, you can also checkmark it.

    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
    _____________________________

    You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    _____________________________

    In safe mode:

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

    C:\WINDOWS\System32\eventclsj.dll
    C:\windows\system32\comctl32l.dll
    _____________________________

    Still in safe mode:

    Double-click SmitfraudFix.exe
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning : running option #2 on a non infected computer will remove your Desktop background.
    _____________________________

    In normal mode:

    Let's scan with AVG Anti-Spyware:


    Please do the following...

    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
    This program is for XP and Windows 2000 only!

    Double-click ATF Cleaner.exe to open it.

    Under Main select the following:
    • Windows Temp
    • Current User Temp
    • All Users Temp
    • Temporary Internet Files
    • Prefetch
    • Java Cache
    *The other boxes are optional*
    Then click the Empty Selected button.

    Click Exit on the Main menu to close the program.

    Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security.
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Click on Change state next to Automatic updates. It should now change to inactive.
      • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update successful message.
    • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update ewido.
    AVG Anti-Spyware manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    Once in Safe Mode:

    Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
      IMPORTANT : Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)
    • When done, click the Save Scan Report button. (4)
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    Reboot back into Normal Mode, and post a new HJT log, along with the AVG Anti-Spyware log.

    _______________________________

    Please download Deckard's System Scanner to your Desktop


    * Close all applications and windows.
    * Double-click on Dss.exe to run it, and follow the prompts.
    * The scan may take a minute. When the scan is complete, two text files will open: Main.txt and Extra.txt

    Please post Main.txt and Extra.txt
    _________________________

    Please, post Deckard's system scanner's logs (main.txt and extra.txt) and AVG Anti-Spyware's results. :)
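
A log-triage sketch, added here as an example (it is not part of the thread and is not code from HijackThis or from either poster). It parses HijackThis-format lines copied from the logs posted in this thread and marks entries for review using three assumed heuristics plus a cross-reference of files registered at more than one autostart point. The function names and rule labels are hypothetical, and a hit is a prompt for manual review, not a verdict.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis-format logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll
O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - AppInit_DLLs: C:\WINDOWS\System32\sulimo.dat
O20 - Winlogon Notify: jatrbnen - C:\WINDOWS\System32\comctl32l.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
"""

# "<code> - <kind>: <fields separated by ' - '>", e.g. "O2 - BHO: (no name) - {CLSID} - path"
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<rest>.*)$")
DRIVE_PATH_RE = re.compile(r"^[a-z]:\\")


def parse_line(line):
    """Split one HijackThis entry into code, kind, fields and target.

    Returns None for headers, process paths and blank lines.
    """
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    fields = [f.strip() for f in m.group("rest").split(" - ")]
    return {
        "code": m.group("code"),
        "kind": m.group("kind"),
        "fields": fields,
        "target": fields[-1],  # the file or URL is always the last field
    }


def triage(log_text):
    """Return (rule, target) pairs for entries worth a manual look.

    The rules are assumptions made for this example:
      unnamed-bho               O2 entry whose BHO has no friendly name
      dpf-non-http-codebase     O16 entry whose codebase is not http(s)
      appinit-non-dll           AppInit_DLLs value that does not end in .dll
      multiple-autostart-points same file referenced by several entry kinds
    """
    findings = []
    seen_at = defaultdict(set)  # lower-cased file path -> entry kinds using it

    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        target = entry["target"]
        low = target.lower()

        if entry["code"] == "O2" and entry["fields"][0] == "(no name)":
            findings.append(("unnamed-bho", target))
        if entry["code"] == "O16" and not low.startswith(("http://", "https://")):
            findings.append(("dpf-non-http-codebase", target))
        if entry["kind"] == "AppInit_DLLs" and not low.endswith(".dll"):
            findings.append(("appinit-non-dll", target))

        # Paths are compared case-insensitively, as the logs mix both cases.
        if DRIVE_PATH_RE.match(low):
            seen_at[low].add(f'{entry["code"]} {entry["kind"]}')

    # A file registered at several autostart points stays registered
    # when only one of those entries is fixed.
    for path, kinds in sorted(seen_at.items()):
        if len(kinds) > 1:
            findings.append(("multiple-autostart-points", path))
    return findings


if __name__ == "__main__":
    for rule, target in triage(SAMPLE_LOG):
        print(f"{rule:28} {target}")
```
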
  • 4Nmissile New
    edited October 2007
    I did as you said. I was not able to delete the comctl32l.dll or the eventclsj.dll from the Explore menu though. Also, I did the scan with AVG Anti-Spyware, but wasn't able to save the log. The button didn't highlight. It only found one infected file and it was a ScannerCookie. I did set it to quarantine though.

    Here is the HJT log:

    Logfile of HijackThis v1.99.0
    Scan saved at 6:18:18 PM, on 10/30/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\atiptaxx.exe
    C:\Program Files\Sony\HotKey Utility\HKserv.exe
    C:\WINDOWS\System32\qttask.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
    C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\notepad.exe
    C:\WINDOWS\notepad.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    D:\Programs\Hijackthis\hijackthis\HijackThis.exe

    O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll
    O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
    O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - Startup: VirtuaGirl2.lnk = D:\Program Files\Vg\VirtuaGirl2.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: PowerPanel.lnk = ?
    O4 - Global Startup: Real-time Monitor.lnk = ?
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
    O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Here is the SmitFraudFix log:

    SmitFraudFix v2.242

    Scan done at 16:29:34.08, Tue 10/30/2007
    Run from C:\Documents and Settings\Brian\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.
    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CS2\Services\Tcpip\..\{193DC039-0B58-43D7-A78D-B86F11AE0A7D}: DhcpNameServer=65.24.7.3 65.24.7.6
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.3 65.24.7.6


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    Here is the main.txt:

    Deckard's System Scanner v20071014.68
    Run by Brian on 2007-10-30 18:13:01
    Computer is in Normal Mode.

    -- System Restore

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    7: 2007-10-30 23:13:05 UTC - RP23 - Deckard's System Scanner Restore Point
    6: 2007-10-28 05:55:10 UTC - RP22 - System Checkpoint
    5: 2007-10-26 03:15:17 UTC - RP21 - System Checkpoint
    4: 2007-10-25 02:37:12 UTC - RP20 - System Checkpoint
    3: 2007-10-22 03:40:59 UTC - RP19 - System Checkpoint


    -- First Restore Point --
    1: 2007-10-16 23:30:33 UTC - RP17 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.

    Percentage of Memory in Use: 80% (more than 75%).
    Total Physical Memory: 255 MiB (512 MiB recommended).


    -- HijackThis Clone


    Emulating logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2007-10-30 18:15:07
    Platform: Windows XP (5.01.2600)
    MSIE: Internet Explorer (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Sony\HotKey Utility\HKServ.exe
    C:\WINDOWS\system32\qttask.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
    C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\TMNTSRV.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Brian\Desktop\dss.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=runonce&pver=6.0&plcid=0x0409
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\system32\eventclsj.dll
    O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - C:\WINDOWS\system32\comctl32l.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
    O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: VirtuaGirl2.lnk = D:\Program Files\Vg\VirtuaGirl2.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
    O4 - Global Startup: Real-time Monitor.lnk = ?
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
    O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
    O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
    O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
    O20 - Winlogon Notify: jatrbnen - C:\WINDOWS\System32\comctl32l.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\TMNTSRV.EXE
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    --
    End of file - 6031 bytes

    -- HijackThis Fixed Entries (D:\Programs\Hijackthis\hijackthis\backups\)

    backup-20070614-172107-276 F2 - REG:system.ini: Shell=explorer.exe regchk.exe
    backup-20070615-163359-154 F2 - REG:system.ini: Shell=explorer.exe regchk.exe
    backup-20070620-203051-955 F2 - REG:system.ini: Shell=explorer.exe regchk.exe
    backup-20070822-011901-469 O4 - HKCU\..\Run: [ISMModule] "C:\Program Files\ISM\ISMModule.exe"
    backup-20071001-190808-185 O4 - HKCU\..\Run: [7a80w0] C:\WINDOWS\system32\7a80w0.exe
    backup-20071001-190808-534 O4 - HKLM\..\Run: [7a80w0] C:\WINDOWS\system32\7a80w0.exe
    backup-20071001-220616-858 O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll
    backup-20071001-220617-692 O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll
    backup-20071002-010333-214 O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll
    backup-20071002-010333-950 O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll
    backup-20071004-020752-226 O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll
    backup-20071004-020752-786 O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll
    backup-20071008-182703-270 O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll
    backup-20071008-182703-697 O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll
    backup-20071014-180632-199 O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
    backup-20071014-180632-266 O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    backup-20071014-180632-391 O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll
    backup-20071014-180632-996 O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll
    backup-20071016-171401-700 O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll
    backup-20071016-171402-555 O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll
    backup-20071026-202022-414 O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll
    backup-20071026-202022-941 O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll
    backup-20071030-162136-577 O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll
    backup-20071030-162136-669 O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll
    backup-20071030-162137-736 O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
    backup-20071030-162137-921 O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs

    -- File Associations

    .cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R0 ivupwvti - c:\windows\system32\drivers\aqmxfzjn.dat
    R1 biosview - c:\windows\system32\drivers\biosview.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>

    S0 kl1 - c:\windows\system32\drivers\kl1.sys (file missing)
    S3 catchme - c:\docume~1\brian\locals~1\temp\catchme.sys (file missing)
    S3 KLIF - c:\windows\system32\drivers\klif.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R2 Tmntsrv (Trend NT Realtime Service) - "c:\program files\trend micro\pc-cillin 2000\tmntsrv.exe" <Not Verified; Trend Micro Inc.; Trend Pc-cillin 7.61>


    -- Device Manager: Disabled

    No disabled devices found.


    -- Files created between 2007-09-30 and 2007-10-30

    2007-10-28 19:52:20 2562 --a
    C:\WINDOWS\System32\tmp.reg
    2007-10-28 19:51:56 25600 --a
    C:\WINDOWS\System32\WS2Fix.exe
    2007-10-28 19:51:56 289144 --a
    C:\WINDOWS\System32\VCCLSID.exe <Not Verified; S!Ri; >
    2007-10-28 19:51:56 288417 --a
    C:\WINDOWS\System32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
    2007-10-28 19:51:56 51200 --a
    C:\WINDOWS\System32\dumphive.exe
    2007-10-28 19:51:55 53248 --a
    C:\WINDOWS\System32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
    2007-10-09 20:31:06 0 d
    C:\WINDOWS\pss
    2007-10-08 17:36:43 16384 --a
    C:\WINDOWS\mraera.exe


    -- Find3M Report

    2007-10-30 18:11:06 0 --a
    C:\AUTOEXEC.BAT
    2007-10-30 18:10:48 4 --a
    C:\WINDOWS\info147.sys
    2007-10-30 17:31:36 0 d
    C:\Documents and Settings\Brian\Application Data\AVG7
    2007-10-06 11:51:20 81408 --a
    C:\WINDOWS\System32\comctl32l.dll
    2007-10-05 14:23:12 35584 --a
    C:\WINDOWS\System32\yftoaira.dat
    2007-10-05 14:23:11 741632 --a
    C:\WINDOWS\System32\exdmwqmp.dat
    2007-10-04 14:19:56 34560 --a
    C:\WINDOWS\System32\rktjnrtd.dat
    2007-10-03 14:14:18 118528 --a
    C:\WINDOWS\System32\lsbvzzru.dat
    2007-09-29 20:29:45 246545 --a
    C:\WINDOWS\System32\libssl32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
    2007-09-29 20:29:45 1188375 --a
    C:\WINDOWS\System32\libeay32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
    2007-09-19 16:54:01 4212 ---h
    C:\WINDOWS\System32\zllictbl.dat
    2007-09-13 15:41:22 0 d
    C:\Program Files\MARS
    2007-09-13 15:41:22 0 d--h
    C:\Program Files\InstallShield Installation Information


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66F0BEA7-8BA9-4092-B438-0A2EE0A89068}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5D55887-A7DF-41E2-B3C7-547440406FDF}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIModeChange"="Ati2mdxx.exe" [09/05/2001 04:24 AM C:\WINDOWS\system32\Ati2mdxx.exe]
    "AtiPTA"="atiptaxx.exe" [12/06/2001 11:55 AM C:\WINDOWS\system32\atiptaxx.exe]
    "HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [09/10/2001 03:00 PM]
    "QuickTime Task"="C:\WINDOWS\System32\qttask.exe" [01/16/2002 07:00 PM]
    "Pop3trap.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe" [12/18/2001 10:09 PM]
    "WebTrapNT.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe" [12/18/2001 09:58 PM]
    "JOGSERV2.EXE"="C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe" [01/11/2002 03:21 PM]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [11/02/2001 07:01 PM]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/02/2001 02:49 PM]
    "CleanupProgram"="C:\Sonysys\cleanup.exe" []
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [10/22/2007 10:39 AM]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [09/06/2007 03:14 PM]

    C:\Documents and Settings\Brian\Start Menu\Programs\Startup\
    VirtuaGirl2.lnk - D:\Program Files\Vg\VirtuaGirl2.exe [7/26/2007 11:27:27 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [7/5/2007 11:51:34 PM]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM]
    PowerPanel.lnk - C:\Program Files\PowerPanel\Program\PcfMgr.exe [1/16/2002 5:26:06 PM]
    Real-time Monitor.lnk - C:\WINDOWS\Installer\{A839294B-70A9-11D5-9F5A-0050DAD742CD}\_106B5A0.exe [1/16/2002 7:19:48 PM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jatrbnen]
    comctl32l.dll 10/06/2007 11:51 AM 81408 C:\WINDOWS\system32\comctl32l.dll

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    midgqdpu




    -- End of Deckard's System Scanner: finished at 2007-10-30 18:16:33

    And here is the extra.txt:

    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.

    -- System Information

    Microsoft Windows XP Home Edition (build 2600)
    Architecture: X86; Language: English

    CPU 0: Intel(R) Pentium(R) 4 Mobile CPU 1.60GHz
    Percentage of Memory in Use: 73%
    Physical Memory (total/avail): 254.98 MiB / 67.86 MiB
    Pagefile Memory (total/avail): 626.08 MiB / 376.82 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1937.48 MiB

    C: is Fixed (NTFS) - 14.94 GiB total, 9.84 GiB free.
    D: is Fixed (NTFS) - 40.94 GiB total, 31.22 GiB free.
    E: is Removable (No Media)
    F: is CDROM (No Media)

    \\.\PHYSICALDRIVE0 - WDC WD600VE-00HDT0 - 55.89 GiB - 2 partitions
    \PARTITION0 (bootable) - Installable File System - 14.94 GiB - C:
    \PARTITION1 - Installable File System - 40.94 GiB - D:

    \\.\PHYSICALDRIVE1 - Sony MSC-U03 USB Device



    -- Security Center

    AUOptions is set to notify before download.


    -- Environment Variables

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Brian\Application Data
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=BRIAN1
    ComSpec=C:\WINDOWS\system32\cmd.exe
    HOMEDRIVE=C:
    HOMEPATH=\
    LOGONSERVER=\\BRIAN1
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0204
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\Brian\LOCALS~1\Temp
    TMP=C:\DOCUME~1\Brian\LOCALS~1\Temp
    tvdumpflags=8
    USERDOMAIN=BRIAN1
    USERNAME=Brian
    USERPROFILE=C:\Documents and Settings\Brian
    windir=C:\WINDOWS


    -- User Profiles

    Owner (admin)
    Brian (admin)


    -- Add/Remove Programs

    --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7E9980-3652-29D4-8908-006097A470FC}\setup.exe" /Uninstall
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{21313051-BEA2-11D4-8FA4-00B0D02D2438}\setup.exe" UNINSTALL
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6CAF07A2-BEA4-11D4-8FA4-00B0D02D2438}\setup.exe" UNINSTALL
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6D1B8E00-39E3-4810-BAB1-693E31CEFC42}\setup.exe" UNINSTALL
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7052066D-7016-11D5-B89E-00B0D0D26B88}\setup.exe" UNINSTALL
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5B0ABC0-3177-11D3-AC45-0000F879D942}\setup.exe"
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5B0ABC0-3177-11D3-AC45-0000F879D969}\setup.exe"
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D54AAC0A-BE99-11D4-8FA4-00B0D02D2438}\setup.exe" UNINSTALL
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
    Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
    Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
    Adobe Photoshop Elements --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop Elements\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop Elements\Uninst.dll"
    Adobe Premiere 6 LE --> C:\WINDOWS\UNINST.EXE -f"C:\Program Files\Adobe\Premiere 6 LE\DeIsL1.isu" -c"C:\Program Files\Adobe\Premiere 6 LE\Uninst.dll"
    ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
    AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
    Camera Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D1B3874F-3057-11D6-B2EA-0050BA18806B}\Setup.exe"
    CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
    DigitalPrint 1.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E2069DE3-5924-4766-A385-CDA273885A31}\setup.exe" /Uninstall
    DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
    DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
    DVgate --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{29F61465-428A-11D4-B646-00C04F790F76}\setup.exe"
    Experience VAIO --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E52F43B3-1638-4624-9ACF-B130130AA13E}\setup.exe"
    Generic SoftK56 Data Fax --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_2486&SUBSYS_80FA104D\uninst.exe -U -IVEN_8086&DEV_2486&SUBSYS_80FA104D
    HijackThis 2.0.2 --> "C:\Documents and Settings\Brian\Desktop\HijackThis.exe" /uninstall
    HotKey Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B36C3DFD-BAB0-4513-BD27-FA4906A738FD}\setup.exe"
    ImageStation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AD3B1DDF-52AD-405E-B931-7ACF76937E5F}\setup.exe"
    ImageStation Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72275927-4241-46A7-A9C4-B86C6B256EB6}\setup.exe"
    Intel(R) PRO Ethernet Adapter and Software --> Prounstl.exe
    InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
    Jog Dial Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{03156B45-21D6-45C6-8760-7314BD19D0D1}\setup.exe"
    Jog GUI PlugIn CJ --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E5A3CD8F-C0B8-4590-923C-B8BFD1A8C142}\setup.exe"
    Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
    Motion JPEG Software Decoder --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Sony\Motion JPEG Software Decoder\Uninst.isu"
    MovieShaker 3.3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D4A49B00-02F8-11D5-B64D-00C04F790F76}\setup.exe"
    Music Visualizer Library 1.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3B24B725-D81F-442D-8CE5-2AF05A4A4CC9}\setup.exe"
    OpenMG Secure Module 3.0.01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A228A09C-4826-42E0-A3D8-95B2BAAB5049}\Setup.exe" /UNINSTALL
    Panda TotalScan --> C:\Program Files\Panda Security\TotalScan\ascuninst.exe
    PC-cillin 2000 --> MsiExec.exe /X{A839294B-70A9-11D5-9F5A-0050DAD742CD}
    PhotoPrinter 2000 Pro --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\PhotoPrinter 2000 Pro\Uninst.isu"
    PicoPlayer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8139011A-4039-46C7-8614-A3F8948121AD}\setup.exe"
    PicoPlayer Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C70C75F-A265-4C62-B90F-8F80AA69F262}\setup.exe"
    PicoPlayerSplashScreen --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{00609F70-5043-4C20-895A-D6EF7ACE9304}\setup.exe"
    PictureGear 5.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5FF58521-5E44-11D4-A433-00105A8547C6}\setup.exe"
    PowerPanel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DCB53CB5-E82D-4F5E-BFE2-CBB200E19BEF}\setup.exe"
    Quicken 2002 New User Edition --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\QUICKENW\Uninst.isu" -c"C:\Program Files\QUICKENW\uninst.dll"
    QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
    RealJukebox --> C:\Program Files\Real\RealJukebox\Update\rnuninst.exe RealNetworks|RealJukebox|1.0
    RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
    RealProducer Basic 8.5 --> C:\Program Files\Real\RealProducer\rnuninst.exe RealNetworks|RealProducer|8.5
    Screenblast ACID 2.0 --> MsiExec.exe /I{C7A5D4E9-7ED3-4FB5-8FC1-A6D99A727670}
    Screenblast Sound Forge 1.0a --> MsiExec.exe /I{7F90516D-4F1F-4468-9FA1-46ECFB59E39F}
    Smart Capture --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4B6F4C00-E935-11D3-A98A-0080986030D9}\setup.exe"
    SonicStage 1.1.00 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E535DC62-56D6-11D5-8AE3-00105A7276CD}\setup.exe" UNINSTALL
    SonicStage CD-R Writing Module --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F3CB4DC0-4FC0-11D5-9254-0000F460E7A9}\setup.exe"
    Sony Certificate PCH --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0448678-1203-4158-A58F-B3D0B616BF9E}\setup.exe"
    Sony DV Shared Library --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6990A2BF-D1D2-11D3-81BC-00609789C908}\setup.exe"
    Sony Notebook Setup --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8F80C8A-1285-40BB-AABB-BF6150E3AB12}\setup.exe"
    Sony on Yahoo! Essentials --> C:\Program Files\Yahoo!\unwise.exe C:\progra~1\yahoo!\install.log
    Sony Utilities DLL --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF3D45BB-2260-4008-88EA-492E7744A9DF}\setup.exe"
    SpywareBlaster v3.5.1 --> "D:\Programs\Spyware Blaster\SpywareBlaster\unins000.exe"
    StripSaver2 --> D:\PROGRA~1\STRIPS~1\UNWISE.EXE D:\PROGRA~1\STRIPS~1\INSTALL.LOG
    Support Actions Win2K,WinXP --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48BE827A-2D06-4804-90C3-4F2F8460F9D4}\setup.exe"
    Synaptics TouchPad --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
    VAIO Brezza Wallpaper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ACEC9C3E-0100-4EBE-B298-35A2145828A0}\setup.exe"
    VAIO Edit Components --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{761C9026-14F0-4352-8658-934558272404}\setup.exe"
    VAIO Grid Wallpaper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{21CF3E6E-1659-433E-B6CE-165D793560DA}\setup.exe"
    VAIO Help & Support --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6060E6A1-5342-4D2B-8F66-B6D6E20BBD03}\setup.exe"
    VAIO Registration --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6DF804A8-2CC2-4D22-A958-4534F6EC3C76}\setup.exe"
    VAIO Serenus Wallpaper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{802EF464-4992-42B3-8434-45151AD3C933}\setup.exe"
    VAIO Support --> "c:\program files\support.com\client\bin\tgfix.exe" /rm /nq
    VirtuaGirl 2 --> D:\PROGRA~1\Vg\UNWISE.EXE D:\PROGRA~1\Vg\INSTALL.LOG
    VisualFlow 2.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5B0ABC0-3177-11D3-AC45-0000F879D920}\setup.exe" /Uninstall
    WinMX --> C:\Program Files\WinMX\uninstall.exe
    WinZip 11.1 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}
    ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


    -- Application Event Log

    Event Record #/Type491 / Warning
    Event Submitted/Written: 10/30/2007 06:09:20 PM
    Event ID/Source: 1524 / Userenv
    Event Description:
    Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

    Event Record #/Type490 / Error
    Event Submitted/Written: 10/30/2007 05:26:07 PM
    Event ID/Source: 8193 / VSS
    Event Description:
    Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

    Event Record #/Type489 / Error
    Event Submitted/Written: 10/30/2007 05:26:05 PM
    Event ID/Source: 4609 / EventSystem
    Event Description:
    The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

    Event Record #/Type485 / Warning
    Event Submitted/Written: 10/30/2007 05:15:35 PM
    Event ID/Source: 1524 / Userenv
    Event Description:
    Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

    Event Record #/Type484 / Error
    Event Submitted/Written: 10/30/2007 04:24:03 PM
    Event ID/Source: 8193 / VSS
    Event Description:
    Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.



    -- Security Event Log

    No Errors/Warnings found.


    -- System Event Log

    Event Record #/Type5503 / Error
    Event Submitted/Written: 10/30/2007 06:11:48 PM
    Event ID/Source: 7026 / Service Control Manager
    Event Description:
    The following boot-start or system-start driver(s) failed to load:
    kl1

    Event Record #/Type5501 / Error
    Event Submitted/Written: 10/30/2007 06:11:45 PM
    Event ID/Source: 7023 / Service Control Manager
    Event Description:
    The Microsoft AC Adapter Controller service terminated with the following error:
    %%5

    Event Record #/Type5496 / Error
    Event Submitted/Written: 10/30/2007 06:09:18 PM
    Event ID/Source: 10005 / DCOM
    Event Description:
    DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
    in order to run the server:
    {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Event Record #/Type5495 / Error
    Event Submitted/Written: 10/30/2007 06:07:19 PM
    Event ID/Source: 10005 / DCOM
    Event Description:
    DCOM got error "%%1084" attempting to start the service Avg7Alrt with arguments "-Service"
    in order to run the server:
    {3486DF65-1D90-406A-A072-30629910F113}

    Event Record #/Type5494 / Error
    Event Submitted/Written: 10/30/2007 05:31:36 PM
    Event ID/Source: 10005 / DCOM
    Event Description:
    DCOM got error "%%1084" attempting to start the service Avg7Alrt with arguments "-Service"
    in order to run the server:
    {3486DF65-1D90-406A-A072-30629910F113}



    -- End of Deckard's System Scanner: finished at 2007-10-30 18:16:33
  • edited October 2007
    Hi!

    #1
    Backup Your Registry with ERUNT
    • Please use the following link and scroll down to ERUNT and download it.
      http://aumha.org/freeware/freeware.php
    • For version with the Installer:
      Use the setup program to install ERUNT on your computer
    • For the zipped version:
      Unzip all the files into a folder of your choice.
    Click Erunt.exe to backup your registry to the folder of your choice.

    Note: to restore your registry, go to the folder and start ERDNT.exe

    #2
    Please run Notepad and paste the following text into a new file:
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66F0BEA7-8BA9-4092-B438-0A2EE0A89068}]

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5D55887-A7DF-41E2-B3C7-547440406FDF}]

    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jatrbnen]


    Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

    #3
    Download KillBox from the following link:
    http://www.bleepingcomputer.com/files/killbox.php
    Unzip the folder to your desktop.

    Start Killbox.exe
    Select the "Delete on Reboot" option.
    Click on the "All Files" button (!important!), which will then flash green.
    Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

    C:\WINDOWS\info147.sys
    C:\WINDOWS\mraera.exe
    c:\windows\system32\drivers\aqmxfzjn.dat
    C:\WINDOWS\System32\comctl32l.dll
    C:\WINDOWS\System32\yftoaira.dat
    C:\WINDOWS\System32\exdmwqmp.dat
    C:\WINDOWS\System32\rktjnrtd.dat
    C:\WINDOWS\System32\lsbvzzru.dat
    C:\WINDOWS\system32\comctl32l.dll


    Open 'file' in the killbox menu on top and choose Paste from clipboard.
    You must use the file menu--pasting by right-clicking the mouse will only enter one file.
    Then press the button that looks like a red circle with a white X in it.
    Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to reboot now, click "yes".
    Click OK at any Pending File Rename Operations prompts, let me know if they appear.
    If you don't get that message, reboot manually.
    Your computer should reboot now.

    #4
    Let's run one online scanner:

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        Extended (if available otherwise Standard)
      • Scan Options:
        Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

        #5
        Please, post a fresh hijackthis log and Kaspersky's results.
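
Added example, not part of the thread and not HijackThis's own code: a small parser run over lines excerpted from the logs above. It lists the entries HijackThis fixed on more than one date and shows which live autostart entry of a different category still loads the same file. The function names are this example's own.

```python
import re
from collections import defaultdict

# Excerpt of lines taken from the logs posted in this thread (trimmed).
SAMPLE_LOG = r"""
O20 - Winlogon Notify: jatrbnen - C:\WINDOWS\System32\comctl32l.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\ati2evxx.exe

-- HijackThis Fixed Entries (D:\Programs\Hijackthis\hijackthis\backups\)

backup-20070614-172107-276 F2 - REG:system.ini: Shell=explorer.exe regchk.exe
backup-20070615-163359-154 F2 - REG:system.ini: Shell=explorer.exe regchk.exe
backup-20071001-190808-534 O4 - HKLM\..\Run: [7a80w0] C:\WINDOWS\system32\7a80w0.exe
backup-20071001-220616-858 O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll
backup-20071001-220617-692 O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll
backup-20071002-010333-214 O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll
backup-20071002-010333-950 O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll
backup-20071026-202022-414 O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll
backup-20071026-202022-941 O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll
"""

# A "backup-YYYYMMDD-..." prefix marks an entry that was fixed; live entries have none.
ENTRY_RE = re.compile(
    r"^(?:backup-(?P<date>\d{8})-\d{6}-\d{3}\s+)?"
    r"(?P<cat>[A-Z]\d{1,2}) - (?P<detail>.+)$"
)
# First Windows path in the entry that ends in a loadable file type.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?]+?\.(?:dll|exe|sys|ocx|vbs)\b', re.I)


def parse(log):
    """Turn log text into dicts: date (None if live), category, detail, path."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # headers, blank lines, anything that is not an entry
        p = PATH_RE.search(m["detail"])
        entries.append({
            "date": m["date"],
            "cat": m["cat"],
            "detail": m["detail"],
            # Windows paths are case-insensitive, so compare them lowercased.
            "path": p.group(0).lower() if p else None,
        })
    return entries


def recurring_fixes(entries, min_dates=2):
    """Entries fixed on at least `min_dates` distinct dates, with those dates."""
    dates = defaultdict(set)
    for e in entries:
        if e["date"]:
            dates[(e["cat"], e["detail"].lower())].add(e["date"])
    return {k: sorted(v) for k, v in dates.items() if len(v) >= min_dates}


def other_live_references(entries):
    """For each file behind a recurring fix, live entries in OTHER categories
    that still point at the same file."""
    fixed_cats = defaultdict(set)
    for (cat, detail) in recurring_fixes(entries):
        p = PATH_RE.search(detail)
        if p:
            fixed_cats[p.group(0).lower()].add(cat)
    hits = defaultdict(list)
    for e in entries:
        if e["date"] is None and e["path"] in fixed_cats \
                and e["cat"] not in fixed_cats[e["path"]]:
            hits[e["path"]].append(f'{e["cat"]} - {e["detail"]}')
    return dict(hits)


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    for (cat, detail), when in recurring_fixes(parsed).items():
        print(f"fixed {len(when)}x ({when[0]}..{when[-1]}): {cat} - {detail}")
    for path, refs in other_live_references(parsed).items():
        print(f"{path} is still loaded by: {refs}")
```
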
      • 4Nmissile4Nmissile New
        edited November 2007
        I did not have any Pending File Rename Operations prompts during the Killbox process. I was wondering though about putting C:/Windows/System32/eventclsj.dll in the Killbox list? That comes up as a BHO trojan popup when AVG scans too. It has been on my HijackThis scan for some time now. I have deleted it with HijackThis, but it is one of the BHOs that keeps coming back.

        Here is the HijackThis log:

        Logfile of HijackThis v1.99.0
        Scan saved at 7:42:22 PM, on 11/1/2007
        Platform: Windows XP (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 (6.00.2600.0000)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\ZoneLabs\vsmon.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\System32\atiptaxx.exe
        C:\Program Files\Sony\HotKey Utility\HKserv.exe
        C:\WINDOWS\System32\qttask.exe
        C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
        C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
        C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
        C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
        C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
        C:\PROGRA~1\Sony\JOGDIA~1\JogServ2.exe
        C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\System32\Ati2evxx.exe
        C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
        C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
        C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
        C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
        C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
        C:\Program Files\internet explorer\iexplore.exe
        C:\WINDOWS\System32\wuauclt.exe
        C:\WINDOWS\system32\NOTEPAD.EXE
        D:\Programs\Hijackthis\hijackthis\HijackThis.exe

        O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll
        O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll (file missing)
        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
        O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
        O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
        O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
        O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
        O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
        O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
        O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
        O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
        O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
        O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
        O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
        O4 - Startup: VirtuaGirl2.lnk = D:\Program Files\Vg\VirtuaGirl2.exe
        O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
        O4 - Global Startup: PowerPanel.lnk = ?
        O4 - Global Startup: Real-time Monitor.lnk = ?
        O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
        O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
        O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
        O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
        O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
        O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
        O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
        O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
        O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
        O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
        O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
        O23 - Service: AVG E-mail Scanner - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
        O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
        O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
        O23 - Service: TrueVector Internet Monitor - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

        Here is the Kaspersky log:

        KASPERSKY ONLINE SCANNER REPORT
        Thursday, November 01, 2007 7:41:08 PM
        Operating System: Microsoft Windows XP Home Edition, (Build 2600)
        Kaspersky Online Scanner version: 5.0.98.0
        Kaspersky Anti-Virus database last update: 2/11/2007
        Kaspersky Anti-Virus database records: 449903

        Scan Settings:
        Scan using the following antivirus database: extended
        Scan Archives: true
        Scan Mail Bases: true

        Scan Target - My Computer:
        C:\
        D:\
        E:\
        F:\

        Scan Statistics:
        Total number of scanned objects: 52949
        Number of viruses found: 7
        Number of infected objects: 12
        Number of suspicious objects: 12
        Duration of the scan process: 00:56:01

        Infected Object Name / Virus Name / Last Action
        C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
        C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
        C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
        C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
        C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
        C:\Documents and Settings\Brian\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1552OinUninstaller.exe Suspicious: Password-protected-EXE skipped
        C:\Documents and Settings\Brian\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
        C:\Documents and Settings\Brian\Cookies\index.dat Object is locked skipped
        C:\Documents and Settings\Brian\Desktop\backups\backup-20070825-204053-188.dll Infected: Trojan.Win32.Kolweb.u skipped
        C:\Documents and Settings\Brian\Desktop\backups\backup-20070828-201744-737.dll Infected: Trojan.Win32.Kolweb.u skipped
        C:\Documents and Settings\Brian\Desktop\big problems.txt Suspicious: Exploit.HTML.Mht skipped
        C:\Documents and Settings\Brian\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
        C:\Documents and Settings\Brian\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
        C:\Documents and Settings\Brian\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
        C:\Documents and Settings\Brian\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
        C:\Documents and Settings\Brian\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
        C:\Documents and Settings\Brian\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
        C:\Documents and Settings\Brian\Local Settings\History\History.IE5\index.dat Object is locked skipped
        C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
        C:\Documents and Settings\Brian\NTUSER.DAT Object is locked skipped
        C:\Documents and Settings\Brian\ntuser.dat.LOG Object is locked skipped
        C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
        C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
        C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
        C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
        C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
        C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
        C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
        C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
        C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
        C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
        C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
        C:\System Volume Information\_restore{989B6810-0FD5-4057-A861-0457F92C60F9}\RP23\A0005889.dll Object is locked skipped
        C:\System Volume Information\_restore{989B6810-0FD5-4057-A861-0457F92C60F9}\RP23\change.log Object is locked skipped
        C:\WINDOWS\$NtUninstallQ307271$\spuninst\spuninst.exe Object is locked skipped
        C:\WINDOWS\$NtUninstallQ307271$\spuninst\spuninst.inf Object is locked skipped
        C:\WINDOWS\$NtUninstallQ307271$\usbuhci.sys Object is locked skipped
        C:\WINDOWS\$NtUninstallQ307274$\shgina.dll Object is locked skipped
        C:\WINDOWS\$NtUninstallQ307274$\spuninst\spuninst.exe Object is locked skipped
        C:\WINDOWS\$NtUninstallQ307274$\spuninst\spuninst.inf Object is locked skipped
        C:\WINDOWS\$NtUninstallQ308374$\ohci1394.sys Object is locked skipped
        C:\WINDOWS\$NtUninstallQ308374$\spuninst\spuninst.exe Object is locked skipped
        C:\WINDOWS\$NtUninstallQ308374$\spuninst\spuninst.inf Object is locked skipped
        C:\WINDOWS\$NtUninstallQ308677$\spuninst\spuninst.exe Object is locked skipped
        C:\WINDOWS\$NtUninstallQ308677$\spuninst\spuninst.inf Object is locked skipped
        C:\WINDOWS\$NtUninstallQ308677$\userenv.dll Object is locked skipped
        C:\WINDOWS\$NtUninstallQ311889$\spuninst\spuninst.exe Object is locked skipped
        C:\WINDOWS\$NtUninstallQ311889$\spuninst\spuninst.inf Object is locked skipped
        C:\WINDOWS\$NtUninstallQ311889$\termsrv.dll Object is locked skipped
        C:\WINDOWS\$NtUninstallQ312368$\spuninst\spuninst.exe Object is locked skipped
        C:\WINDOWS\$NtUninstallQ312368$\spuninst\spuninst.inf Object is locked skipped
        C:\WINDOWS\$NtUninstallQ312368$\syssetup.dll Object is locked skipped
        C:\WINDOWS\Debug\oakley.log Object is locked skipped
        C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
        C:\WINDOWS\Internet Logs\BRIAN1.ldb Object is locked skipped
        C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
        C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
        C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
        C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
        C:\WINDOWS\SchedLgU.Txt Object is locked skipped
        C:\WINDOWS\SoftwareDistribution\EventCache\{E6DDB35C-D7DC-4E95-A3E5-18E04F2040C9}.bin Object is locked skipped
        C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
        C:\WINDOWS\system32\comctl32l.dll.bak Infected: Trojan-Clicker.Win32.Delf.jr skipped
        C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
        C:\WINDOWS\system32\config\default Object is locked skipped
        C:\WINDOWS\system32\config\default.LOG Object is locked skipped
        C:\WINDOWS\system32\config\SAM Object is locked skipped
        C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
        C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
        C:\WINDOWS\system32\config\SECURITY Object is locked skipped
        C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
        C:\WINDOWS\system32\config\software Object is locked skipped
        C:\WINDOWS\system32\config\software.LOG Object is locked skipped
        C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
        C:\WINDOWS\system32\config\system Object is locked skipped
        C:\WINDOWS\system32\config\system.LOG Object is locked skipped
        C:\WINDOWS\system32\drivers\etc\hosts.20071008-190847.backup Infected: Trojan.Win32.Qhost.mg skipped
        C:\WINDOWS\system32\eventclsj.1 Infected: Trojan-Spy.Win32.BZub.btd skipped
        C:\WINDOWS\system32\eventclsj.dll Object is locked skipped
        C:\WINDOWS\system32\h323log.txt Object is locked skipped
        C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
        C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
        C:\WINDOWS\Temp\ZLT071d9.TMP Object is locked skipped
        C:\WINDOWS\Temp\ZLT0720e.TMP Object is locked skipped
        C:\WINDOWS\WindowsUpdate.log Object is locked skipped
        D:\Programs\Hijackthis\hijackthis\backups\backup-20071001-220616-858.dll Infected: Trojan-Spy.Win32.BZub.btd skipped
        D:\Programs\Hijackthis\hijackthis\backups\backup-20071002-010333-214.dll Infected: Trojan-Spy.Win32.BZub.btd skipped
        D:\Programs\Hijackthis\hijackthis\backups\backup-20071004-020752-226.dll Infected: Trojan-Spy.Win32.BZub.btd skipped
        D:\Programs\Hijackthis\hijackthis\backups\backup-20071030-162137-736 Suspicious: Exploit.HTML.Mht skipped
        D:\Programs\Hijackthis\hijackthis 1 Suspicious: Exploit.HTML.Mht skipped
        D:\Programs\Hijackthis\hijackthis 1.txt Suspicious: Exploit.HTML.Mht skipped
        D:\Programs\Hijackthis\hijackthis.log Suspicious: Exploit.HTML.Mht skipped
        D:\Programs\Hijackthis\hijackthis1 Suspicious: Exploit.HTML.Mht skipped
        D:\Programs\Hijackthis\hijackthis2 Suspicious: Exploit.HTML.Mht skipped
        D:\Programs\Hijackthis\hijackthis3 Suspicious: Exploit.HTML.Mht skipped
        D:\Programs\Hijackthis\HJTlog Suspicious: Exploit.HTML.Mht skipped
        D:\Programs\Hijackthis\HJTlog.txt Suspicious: Exploit.HTML.Mht skipped

        Scan process completed.
      • edited November 2007
        Hi!

        Okay, let's try this: use Killbox to delete these files:

        C:\WINDOWS\system32\comctl32l.dll.bak
        C:\WINDOWS\system32\eventclsj.1
        C:\WINDOWS\System32\eventclsj.dll

        And after using Killbox, delete these files manually:

        C:\Documents and Settings\Brian\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip
        C:\WINDOWS\system32\drivers\etc\hosts.20071008-190847.backup

        Is eventclsj.dll still there?
        (take a fresh hijackthis log and post it back here)
      • 4Nmissile4Nmissile New
        edited November 2007
        Thanks for all your help so far Baabiouz. I deleted those three files with Killbox and did a reboot. After the reboot I went in and deleted the other two. The comctl32l.dll and eventclsj.dll are not in my system32 folder that I see anymore. They do show up in the HijackThis log and scan though with (file missing) showing up after the files. What does that mean exactly? Are they gone? Should I do a scan and if they show up with the file missing part delete them anyway?

        Here is the new HijackThis log:

        Logfile of HijackThis v1.99.0
        Scan saved at 11:22:00 PM, on 11/4/2007
        Platform: Windows XP (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 (6.00.2600.0000)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\ZoneLabs\vsmon.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\System32\atiptaxx.exe
        C:\Program Files\Sony\HotKey Utility\HKserv.exe
        C:\WINDOWS\System32\qttask.exe
        C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
        C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
        C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
        C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
        C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
        C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
        C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\System32\Ati2evxx.exe
        C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
        C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
        C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
        C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
        C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
        C:\Program Files\internet explorer\iexplore.exe
        C:\WINDOWS\system32\sol.exe
        C:\WINDOWS\System32\wuauclt.exe
        D:\Programs\Hijackthis\hijackthis\HijackThis.exe

        O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll (file missing)
        O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll (file missing)
        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
        O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
        O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
        O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
        O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
        O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
        O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
        O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
        O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
        O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
        O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
        O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
        O4 - Startup: VirtuaGirl2.lnk = D:\Program Files\Vg\VirtuaGirl2.exe
        O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
        O4 - Global Startup: PowerPanel.lnk = ?
        O4 - Global Startup: Real-time Monitor.lnk = ?
        O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
        O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
        O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
        O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
        O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
        O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
        O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
        O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
        O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
        O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
        O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
        O23 - Service: AVG E-mail Scanner - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
        O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
        O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
        O23 - Service: TrueVector Internet Monitor - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
      • edited November 2007
        Hi!

        That "file missing" is reliable in O2 and O3 lines.
        So the files have been deleted.

        Now, please run HijackThis and click Do system scan only.
        Checkmark these lines and click Fix checked.

        O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll (file missing)
        O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll (file missing)

        _____________________________
        Should I do a scan
        It would be a good idea.

        Please do an online scan with Kaspersky WebScanner

        Click on Kaspersky Online Scanner

        You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
        • The program will launch and then begin downloading the latest definition files.
        • Once the files have been downloaded, click on NEXT.
        • Now click on Scan Settings.
        • In the scan settings, make sure that the following are selected:
          • Scan using the following Anti-Virus database:
            Extended (if available, otherwise Standard)
          • Scan Options:
            Scan Archives
            Scan Mail Bases
        • Click OK.
        • Now under select a target to scan, select My Computer.
        • The program will start and scan your system.
        • The scan will take a while, so be patient and let it run.
        • Once the scan is complete, it will display if your system has been infected.
        • Now click on the Save as Text button.
        • Save the file to your desktop.
        • Copy and paste that information in your next post.

            Please, post a fresh hijackthis log and Kaspersky's results. :)
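What the "(file missing)" marker discussed in the reply above means when two logs are compared, as an added example that is not part of the original thread or of HijackThis itself. The helper names `parse_entries` and `triage` are hypothetical; the first two sample logs are the O2/O3 lines copied from the logs in this thread, and the third is constructed to show the state after the entries are fixed.

```python
import re
from dataclasses import dataclass

# Shape of an O2/O3 line: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
ENTRY_RE = re.compile(
    r"^\s*(?P<section>O2|O3) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*?)"
    r"(?P<missing>\s*\(file missing\))?\s*$"
)


@dataclass(frozen=True)
class Entry:
    section: str
    name: str
    clsid: str
    path: str
    file_missing: bool


def parse_entries(log_text):
    """Return {CLSID: Entry} for every O2/O3 line in a HijackThis log."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entry = Entry(m["section"], m["name"], m["clsid"].upper(),
                          m["path"], bool(m["missing"]))
            entries[entry.clsid] = entry
    return entries


def triage(before_log, after_log):
    """Classify each CLSID by its state in the later of two logs."""
    before, after = parse_entries(before_log), parse_entries(after_log)
    result = {}
    for clsid in sorted(set(before) | set(after)):
        old, new = before.get(clsid), after.get(clsid)
        if new is None:
            result[clsid] = "registration removed"
        elif new.file_missing:
            # The DLL is gone from disk, but the registry still names it.
            result[clsid] = "orphaned: file gone, registry entry remains"
        elif old is None:
            result[clsid] = "new registration"
        else:
            result[clsid] = "file present"
    return result


# O2/O3 lines from the log posted before Killbox was run (copied from the thread).
LOG_BEFORE_KILLBOX = r"""
O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll
O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""

# O2/O3 lines from the 11/4/2007 log, after Killbox and a reboot (copied from the thread).
LOG_AFTER_KILLBOX = r"""
O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll (file missing)
O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""

# Constructed: what a log looks like once both O2 entries have been fixed.
LOG_AFTER_FIX = r"""
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""

if __name__ == "__main__":
    for label, old, new in (("after Killbox", LOG_BEFORE_KILLBOX, LOG_AFTER_KILLBOX),
                            ("after Fix checked", LOG_AFTER_KILLBOX, LOG_AFTER_FIX)):
        print(label)
        for clsid, state in triage(old, new).items():
            print("  ", clsid, "->", state)
```

An orphaned entry only shows that the registration outlived the file; a fresh scan is still what confirms nothing has re-created the DLL.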
          • 4Nmissile4Nmissile New
            edited November 2007
            When I first booted up the computer I let the AVG start up scan run. It found this file right off the bat. comctl32l.dll.bak (trojan horse BHO.BLG) C:\!Submit\. However, when I went into the C drive and the Submit folder there was nothing there. When I went back and highlighted the Submit folder it showed that the folder was empty (this was after I applied the show all files in folder options too). I then ran HijackThis like you said and removed those two BHO files. I was wondering about an entry that I have had in the past within this post in the HijackThis log. What is C:\WINDOWS\system32\spoolsv.exe? I have heard that it is bad and should be removed. Is this true or not?

            Here is the new Kaspersky log:

            KASPERSKY ONLINE SCANNER REPORT
            Monday, November 05, 2007 10:29:57 PM
            Operating System: Microsoft Windows XP Home Edition, (Build 2600)
            Kaspersky Online Scanner version: 5.0.98.0
            Kaspersky Anti-Virus database last update: 6/11/2007
            Kaspersky Anti-Virus database records: 452113

            Scan Settings:
            Scan using the following antivirus database: extended
            Scan Archives: true
            Scan Mail Bases: true

            Scan Target - My Computer:
            C:\
            D:\
            E:\
            F:\

            Scan Statistics:
            Total number of scanned objects: 62106
            Number of viruses found: 6
            Number of infected objects: 10
            Number of suspicious objects: 12
            Duration of the scan process: 01:08:10

            Infected Object Name / Virus Name / Last Action
            C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
            C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
            C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
            C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
            C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
            C:\Documents and Settings\Brian\Cookies\index.dat Object is locked skipped
            C:\Documents and Settings\Brian\Desktop\backups\backup-20070825-204053-188.dll Infected: Trojan.Win32.Kolweb.u skipped
            C:\Documents and Settings\Brian\Desktop\backups\backup-20070828-201744-737.dll Infected: Trojan.Win32.Kolweb.u skipped
            C:\Documents and Settings\Brian\Desktop\big problems.txt Suspicious: Exploit.HTML.Mht skipped
            C:\Documents and Settings\Brian\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
            C:\Documents and Settings\Brian\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
            C:\Documents and Settings\Brian\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
            C:\Documents and Settings\Brian\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
            C:\Documents and Settings\Brian\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
            C:\Documents and Settings\Brian\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
            C:\Documents and Settings\Brian\Local Settings\History\History.IE5\index.dat Object is locked skipped
            C:\Documents and Settings\Brian\Local Settings\History\History.IE5\MSHist012007110520071106\index.dat Object is locked skipped
            C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
            C:\Documents and Settings\Brian\NTUSER.DAT Object is locked skipped
            C:\Documents and Settings\Brian\ntuser.dat.LOG Object is locked skipped
            C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
            C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
            C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
            C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
            C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
            C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
            C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
            C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
            C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
            C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
            C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
            C:\RECYCLER\S-1-5-21-1177238915-1060284298-854245398-1004\Dc10.zip/Yazzle1552OinUninstaller.exe Suspicious: Password-protected-EXE skipped
            C:\RECYCLER\S-1-5-21-1177238915-1060284298-854245398-1004\Dc10.zip ZIP: suspicious - 1 skipped
            C:\RECYCLER\S-1-5-21-1177238915-1060284298-854245398-1004\Dc11.backup Infected: Trojan.Win32.Qhost.mg skipped
            C:\System Volume Information\_restore{989B6810-0FD5-4057-A861-0457F92C60F9}\RP23\A0005889.dll Object is locked skipped
            C:\System Volume Information\_restore{989B6810-0FD5-4057-A861-0457F92C60F9}\RP24\A0006047.dll Object is locked skipped
            C:\System Volume Information\_restore{989B6810-0FD5-4057-A861-0457F92C60F9}\RP24\change.log Object is locked skipped
            C:\WINDOWS\$NtUninstallQ307271$\spuninst\spuninst.exe Object is locked skipped
            C:\WINDOWS\$NtUninstallQ307271$\spuninst\spuninst.inf Object is locked skipped
            C:\WINDOWS\$NtUninstallQ307271$\usbuhci.sys Object is locked skipped
            C:\WINDOWS\$NtUninstallQ307274$\shgina.dll Object is locked skipped
            C:\WINDOWS\$NtUninstallQ307274$\spuninst\spuninst.exe Object is locked skipped
            C:\WINDOWS\$NtUninstallQ307274$\spuninst\spuninst.inf Object is locked skipped
            C:\WINDOWS\$NtUninstallQ308374$\ohci1394.sys Object is locked skipped
            C:\WINDOWS\$NtUninstallQ308374$\spuninst\spuninst.exe Object is locked skipped
            C:\WINDOWS\$NtUninstallQ308374$\spuninst\spuninst.inf Object is locked skipped
            C:\WINDOWS\$NtUninstallQ308677$\spuninst\spuninst.exe Object is locked skipped
            C:\WINDOWS\$NtUninstallQ308677$\spuninst\spuninst.inf Object is locked skipped
            C:\WINDOWS\$NtUninstallQ308677$\userenv.dll Object is locked skipped
            C:\WINDOWS\$NtUninstallQ311889$\spuninst\spuninst.exe Object is locked skipped
            C:\WINDOWS\$NtUninstallQ311889$\spuninst\spuninst.inf Object is locked skipped
            C:\WINDOWS\$NtUninstallQ311889$\termsrv.dll Object is locked skipped
            C:\WINDOWS\$NtUninstallQ312368$\spuninst\spuninst.exe Object is locked skipped
            C:\WINDOWS\$NtUninstallQ312368$\spuninst\spuninst.inf Object is locked skipped
            C:\WINDOWS\$NtUninstallQ312368$\syssetup.dll Object is locked skipped
            C:\WINDOWS\Debug\oakley.log Object is locked skipped
            C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
            C:\WINDOWS\Internet Logs\BRIAN1.ldb Object is locked skipped
            C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
            C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
            C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
            C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
            C:\WINDOWS\SchedLgU.Txt Object is locked skipped
            C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
            C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
            C:\WINDOWS\system32\config\default Object is locked skipped
            C:\WINDOWS\system32\config\default.LOG Object is locked skipped
            C:\WINDOWS\system32\config\SAM Object is locked skipped
            C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
            C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
            C:\WINDOWS\system32\config\SECURITY Object is locked skipped
            C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
            C:\WINDOWS\system32\config\software Object is locked skipped
            C:\WINDOWS\system32\config\software.LOG Object is locked skipped
            C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
            C:\WINDOWS\system32\config\system Object is locked skipped
            C:\WINDOWS\system32\config\system.LOG Object is locked skipped
            C:\WINDOWS\system32\h323log.txt Object is locked skipped
            C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
            C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
            C:\WINDOWS\Temp\ZLT037a5.TMP Object is locked skipped
            C:\WINDOWS\Temp\ZLT037d6.TMP Object is locked skipped
            C:\WINDOWS\WindowsUpdate.log Object is locked skipped
            D:\Programs\Hijackthis\hijackthis\backups\backup-20071001-220616-858.dll Infected: Trojan-Spy.Win32.BZub.btd skipped
            D:\Programs\Hijackthis\hijackthis\backups\backup-20071002-010333-214.dll Infected: Trojan-Spy.Win32.BZub.btd skipped
            D:\Programs\Hijackthis\hijackthis\backups\backup-20071004-020752-226.dll Infected: Trojan-Spy.Win32.BZub.btd skipped
            D:\Programs\Hijackthis\hijackthis\backups\backup-20071030-162137-736 Suspicious: Exploit.HTML.Mht skipped
            D:\Programs\Hijackthis\hijackthis 1 Suspicious: Exploit.HTML.Mht skipped
            D:\Programs\Hijackthis\hijackthis 1.txt Suspicious: Exploit.HTML.Mht skipped
            D:\Programs\Hijackthis\hijackthis.log Suspicious: Exploit.HTML.Mht skipped
            D:\Programs\Hijackthis\hijackthis1 Suspicious: Exploit.HTML.Mht skipped
            D:\Programs\Hijackthis\hijackthis2 Suspicious: Exploit.HTML.Mht skipped
            D:\Programs\Hijackthis\hijackthis3 Suspicious: Exploit.HTML.Mht skipped
            D:\Programs\Hijackthis\HJTlog Suspicious: Exploit.HTML.Mht skipped
            D:\Programs\Hijackthis\HJTlog.txt Suspicious: Exploit.HTML.Mht skipped

            Scan process completed.




            And here is the new HijackThis log:

            Logfile of HijackThis v1.99.0
            Scan saved at 10:37:07 PM, on 11/5/2007
            Platform: Windows XP (WinNT 5.01.2600)
            MSIE: Internet Explorer v6.00 (6.00.2600.0000)

            Running processes:
            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\system32\winlogon.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\system32\ZoneLabs\vsmon.exe
            C:\WINDOWS\Explorer.EXE
            C:\WINDOWS\System32\atiptaxx.exe
            C:\Program Files\Sony\HotKey Utility\HKserv.exe
            C:\WINDOWS\System32\qttask.exe
            C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
            C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
            C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
            C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
            C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
            C:\PROGRA~1\Sony\JOGDIA~1\JogServ2.exe
            C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
            C:\WINDOWS\system32\spoolsv.exe
            C:\WINDOWS\System32\Ati2evxx.exe
            C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
            C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
            C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
            C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
            C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
            C:\WINDOWS\System32\wuauclt.exe
            C:\Program Files\internet explorer\iexplore.exe
            D:\Programs\Hijackthis\hijackthis\HijackThis.exe

            O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll (file missing)
            O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll (file missing)
            O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
            O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
            O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
            O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
            O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
            O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
            O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
            O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
            O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
            O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
            O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
            O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
            O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
            O4 - Startup: VirtuaGirl2.lnk = D:\Program Files\Vg\VirtuaGirl2.exe
            O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
            O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
            O4 - Global Startup: PowerPanel.lnk = ?
            O4 - Global Startup: Real-time Monitor.lnk = ?
            O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
            O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
            O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
            O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
            O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
            O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
            O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
            O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
            O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
            O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
            O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
            O23 - Service: AVG E-mail Scanner - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
            O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
            O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
            O23 - Service: TrueVector Internet Monitor - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
          • edited November 2007
            Hi!

            Please fix these lines again:
            O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll (file missing)
            O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll (file missing)

            And reboot your computer after fixing.
            _________________________

            Delete trash:

            Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
            This program is for XP and Windows 2000 only!

            Double-click ATF Cleaner.exe to open it.

            Under Main select the following:
            • Windows Temp
            • Current User Temp
            • All Users Temp
            • Temporary Internet Files
            • Prefetch
            • Java Cache
            *The other boxes are optional*
            Then click the Empty Selected button.

            Click Exit on the Main menu to close the program.
            ___________________________

            spoolsv.exe is a normal Windows file if it is found here:
            Windows\system32\spoolsv.exe

            You can read more about it here.
            ____________________________

            Do you still have any problems? :) Your log is fine. :)
            Please post a fresh HijackThis log :)
          • 4Nmissile4Nmissile New
            edited November 2007
            When I first booted up the computer this time, the AVG startup scan did not find any of the trojan BHO's. In fact, it did not find anything this time. I deleted the two BHO missing files from HijackThis and rebooted. Then I ran the ATF Cleaner and emptied the trashcan just for good measure. I have not had any problems at all. HijackThis is still showing the two BHO's though.

            Here is the new HijackThis log:

            Logfile of HijackThis v1.99.0
            Scan saved at 7:50:05 PM, on 11/6/2007
            Platform: Windows XP (WinNT 5.01.2600)
            MSIE: Internet Explorer v6.00 (6.00.2600.0000)

            Running processes:
            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\system32\winlogon.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\system32\ZoneLabs\vsmon.exe
            C:\WINDOWS\Explorer.EXE
            C:\WINDOWS\System32\atiptaxx.exe
            C:\Program Files\Sony\HotKey Utility\HKserv.exe
            C:\WINDOWS\System32\qttask.exe
            C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
            C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
            C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
            C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
            C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
            C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
            C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
            C:\WINDOWS\system32\spoolsv.exe
            C:\WINDOWS\System32\Ati2evxx.exe
            C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
            C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
            C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
            C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
            C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
            C:\Program Files\internet explorer\iexplore.exe
            C:\WINDOWS\System32\wuauclt.exe
            D:\Programs\Hijackthis\hijackthis\HijackThis.exe

            O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll (file missing)
            O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll (file missing)
            O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
            O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
            O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
            O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
            O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
            O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
            O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
            O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
            O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
            O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
            O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
            O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
            O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
            O4 - Startup: VirtuaGirl2.lnk = D:\Program Files\Vg\VirtuaGirl2.exe
            O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
            O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
            O4 - Global Startup: PowerPanel.lnk = ?
            O4 - Global Startup: Real-time Monitor.lnk = ?
            O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
            O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
            O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
            O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
            O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
            O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
            O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
            O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
            O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
            O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
            O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
            O23 - Service: AVG E-mail Scanner - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
            O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
            O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
            O23 - Service: TrueVector Internet Monitor - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
          • edited November 2007
            Hi!

            Hope this deletes those O2 lines:

            Backup Your Registry with ERUNT
            • Please use the following link and scroll down to ERUNT and download it.
              http://aumha.org/freeware/freeware.php
            • For version with the Installer:
              Use the setup program to install ERUNT on your computer
            • For the zipped version:
              Unzip all the files into a folder of your choice.
            Click Erunt.exe to backup your registry to the folder of your choice.

            Note: to restore your registry, go to the folder and start ERDNT.exe

            __________________________________________________________

            Please run Notepad and paste the following text into a new file:
            REGEDIT4

            [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66F0BEA7-8BA9-4092-B438-0A2EE0A89068}]

            [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F5D55887-A7DF-41E2-B3C7-547440406FDF}]

            Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

            Reboot your computer and please post a fresh hijackthis log again :)
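
Added example (not part of the original post, and not code from HijackThis): a Python check that reads the CLSIDs a fix.reg like the one above deletes and reports which of them still appear as O2 lines in a fresh HijackThis log. The function names are hypothetical; the fix.reg text and the O2/O3 lines are copied from this thread, and the "clean" log is constructed for contrast.

```python
import re

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# A REGEDIT4 deletion entry for a BHO registration: "[-HKEY_...\{CLSID}]".
REG_DELETE = re.compile(
    r"^\[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    r"\\Explorer\\Browser Helper Objects\\(" + CLSID + r")\]$",
    re.IGNORECASE,
)

# HijackThis O2 line: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]".
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)


def targeted_clsids(reg_text):
    """Return the BHO CLSIDs (upper-cased) that the .reg file deletes."""
    found = []
    for line in reg_text.splitlines():
        match = REG_DELETE.match(line.strip())
        if match:
            found.append(match.group(1).upper())
    return found


def parse_o2(log_text):
    """Map CLSID -> details for every O2 (BHO) line in a HijackThis log."""
    entries = {}
    for line in log_text.splitlines():
        match = O2_LINE.match(line.strip())
        if match:
            entries[match.group("clsid").upper()] = {
                "name": match.group("name"),
                "path": match.group("path"),
                # Set when HijackThis could not see the DLL at that path.
                "file_missing": match.group("missing") is not None,
            }
    return entries


def surviving_entries(reg_text, log_text):
    """Entries the .reg file was meant to remove but the log still lists."""
    present = parse_o2(log_text)
    return [
        dict(clsid=clsid, **present[clsid])
        for clsid in targeted_clsids(reg_text)
        if clsid in present
    ]


# fix.reg as posted in this thread.
FIX_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66F0BEA7-8BA9-4092-B438-0A2EE0A89068}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F5D55887-A7DF-41E2-B3C7-547440406FDF}]
"""

# Lines copied from a HijackThis log posted in this thread after a fix attempt.
LOG_AFTER_FIX = r"""
O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll (file missing)
O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""

# Constructed log with no O2 lines, for contrast.
LOG_CLEAN = r"""
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""

if __name__ == "__main__":
    for entry in surviving_entries(FIX_REG, LOG_AFTER_FIX):
        state = "file missing" if entry["file_missing"] else "file present"
        print(f"still registered: {entry['clsid']} -> {entry['path']} ({state})")
    if not surviving_entries(FIX_REG, LOG_CLEAN):
        print("clean log: no targeted BHO entries remain")
```

An entry that survives the merge and a reboot means the registration is still there or has been written again, so the fresh log needs to be checked before treating the fix as done.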
          • 4Nmissile4Nmissile New
            edited November 2007
            I ran Erunt and the fix.reg again. The BHO's are still in my HijackThis log though. AVG start up scan has not found anything for a few days now though. I haven't had any popups either.

            Here is the new log:

            Logfile of HijackThis v1.99.0
            Scan saved at 9:27:12 PM, on 11/9/2007
            Platform: Windows XP (WinNT 5.01.2600)
            MSIE: Internet Explorer v6.00 (6.00.2600.0000)

            Running processes:
            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\system32\winlogon.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\system32\ZoneLabs\vsmon.exe
            C:\WINDOWS\Explorer.EXE
            C:\WINDOWS\System32\atiptaxx.exe
            C:\Program Files\Sony\HotKey Utility\HKserv.exe
            C:\WINDOWS\System32\qttask.exe
            C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
            C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
            C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
            C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
            C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
            C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
            C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
            C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
            C:\WINDOWS\system32\spoolsv.exe
            C:\WINDOWS\System32\Ati2evxx.exe
            C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
            C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
            C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
            C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
            C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
            C:\Program Files\internet explorer\iexplore.exe
            C:\WINDOWS\system32\sol.exe
            C:\WINDOWS\System32\wuauclt.exe
            C:\WINDOWS\System32\wuauclt.exe
            D:\Programs\Hijackthis\hijackthis\HijackThis.exe

            O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll (file missing)
            O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll (file missing)
            O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
            O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
            O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
            O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
            O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
            O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
            O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
            O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
            O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
            O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
            O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
            O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
            O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
            O4 - Startup: VirtuaGirl2.lnk = D:\Program Files\Vg\VirtuaGirl2.exe
            O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
            O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
            O4 - Global Startup: PowerPanel.lnk = ?
            O4 - Global Startup: Real-time Monitor.lnk = ?
            O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
            O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
            O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
            O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
            O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
            O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
            O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
            O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
            O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
            O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
            O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
            O23 - Service: AVG E-mail Scanner - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
            O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
            O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
            O23 - Service: TrueVector Internet Monitor - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
          • edited November 2007
            Hi!

            I think one of your protection programs is stopping our fixing.

            #1
            Reboot into Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.

            #2
            Open HijackThis and click "Do system scan only".
            Checkmark these O2 lines:

            O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll (file missing)
            O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll (file missing)


            And click "Fix checked".
            Close HijackThis and Reboot your computer normally.

            Post a fresh hijackthis log back here.

            (Let's hope those lines are gone now :) )
          • 4Nmissile4Nmissile New
            edited November 2007
            I booted up in safe mode and deleted those two lines with HijackThis, but they were right back in the new log. Do you think that having PC-Cillin on here has anything to do with it? I always shut it down when it loads up. Should I just remove it altogether?

            Here is the new log:

            Logfile of HijackThis v1.99.0
            Scan saved at 8:01:45 PM, on 11/12/2007
            Platform: Windows XP (WinNT 5.01.2600)
            MSIE: Internet Explorer v6.00 (6.00.2600.0000)

            Running processes:
            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\system32\winlogon.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\system32\ZoneLabs\vsmon.exe
            C:\WINDOWS\Explorer.EXE
            C:\WINDOWS\System32\atiptaxx.exe
            C:\Program Files\Sony\HotKey Utility\HKserv.exe
            C:\WINDOWS\System32\qttask.exe
            C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
            C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
            C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
            C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
            C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
            C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
            C:\PROGRA~1\Sony\JOGDIA~1\JogServ2.exe
            C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
            C:\WINDOWS\system32\spoolsv.exe
            C:\WINDOWS\System32\Ati2evxx.exe
            C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
            C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
            C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
            C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
            C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
            C:\Program Files\internet explorer\iexplore.exe
            C:\WINDOWS\system32\sol.exe
            C:\WINDOWS\System32\wuauclt.exe
            C:\WINDOWS\System32\wuauclt.exe
            D:\Programs\Hijackthis\hijackthis\HijackThis.exe

            O2 - BHO: (no name) - {66F0BEA7-8BA9-4092-B438-0A2EE0A89068} - C:\WINDOWS\System32\eventclsj.dll (file missing)
            O2 - BHO: (no name) - {F5D55887-A7DF-41E2-B3C7-547440406FDF} - c:\windows\system32\comctl32l.dll (file missing)
            O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
            O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
            O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
            O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
            O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
            O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
            O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
            O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
            O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
            O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
            O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
            O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
            O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
            O4 - Startup: VirtuaGirl2.lnk = D:\Program Files\Vg\VirtuaGirl2.exe
            O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
            O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
            O4 - Global Startup: PowerPanel.lnk = ?
            O4 - Global Startup: Real-time Monitor.lnk = ?
            O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
            O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
            O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
            O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
            O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
            O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
            O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
            O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
            O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
            O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
            O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
            O23 - Service: AVG E-mail Scanner - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
            O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
            O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
            O23 - Service: TrueVector Internet Monitor - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
          • edited November 2007
            I deleted the instructions. I'll write new instructions in a new reply :)
          • edited November 2007
            I have missed a few things, so I think now we can get rid of that virus.

            #1
            You are using an old version of HijackThis.
            Please find and delete the HijackThis.exe you already have installed.

            Click here to download HijackThis.
            Save HJTInstall.exe to your Desktop.
            Double click on the HJTInstall.exe icon to start the program.
            By default it will install to C:\Program Files\Trend Micro\HijackThis
            After the final dialogue box it will launch HijackThis.

            You can close HijackThis now.

            #2
            Please download Combofix to your desktop.
            Double-click combo.exe to launch the application.
            Follow the prompts that will be displayed on the screen.
            Don't click on the window while the fix is running, because that will cause your system to hang.
            When finished, it should produce a log, combofix.txt.
            Post this log in your next reply together with a new HijackThis log.

            #3
            Please post a fresh HijackThis log and Combofix log :)
          • 4Nmissile4Nmissile New
            edited November 2007
            I ran the scan.

            Here is the Combofix scan results:

            ComboFix 07-11-08.1 - Brian 2007-11-15 22:38:27.2 - NTFSx86
            Running from: C:\Documents and Settings\Brian\Desktop\ComboFix.exe
            * Created a new restore point
            .

            ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
            .

            C:\Documents and Settings\Brian\Start Menu\Programs\Internet Speed Monitor
            C:\Documents and Settings\Brian\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
            C:\Documents and Settings\Brian\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
            C:\WINDOWS\system32\comctl32l.dll
            C:\WINDOWS\system32\drivers\aqmxfzjn.dat
            C:\WINDOWS\system32\drivers\pzxdccnb.dat
            C:\WINDOWS\system32\eventclsj.dll

            .
            ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

            .
            \LEGACY_IVUPWVTI
            \LEGACY_MIDGQDPU
            \ivupwvti
            \midgqdpu


            ((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
            .

            2007-11-01 17:55 <DIR> d C:\WINDOWS\system32\Kaspersky Lab
            2007-11-01 17:55 <DIR> d C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
            2007-11-01 17:49 4 --a C:\WINDOWS\info147.sys
            2007-10-30 18:23 <DIR> d C:\Documents and Settings\Brian\Application Data\Grisoft
            2007-10-30 18:23 10,872 --a C:\WINDOWS\system32\drivers\AvgAsCln.sys
            2007-10-30 18:12 <DIR> d C:\Deckard
            2007-10-28 19:52 2,562 --a C:\WINDOWS\system32\tmp.reg
            2007-10-28 19:51 289,144 --a C:\WINDOWS\system32\VCCLSID.exe
            2007-10-28 19:51 288,417 --a C:\WINDOWS\system32\SrchSTS.exe
            2007-10-28 19:51 53,248 --a C:\WINDOWS\system32\Process.exe
            2007-10-28 19:51 51,200 --a C:\WINDOWS\system32\dumphive.exe
            2007-10-28 19:51 25,600 --a C:\WINDOWS\system32\WS2Fix.exe

            .
            (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2007-11-16 03:31 d w C:\Program Files\Trend Micro
            2007-11-16 03:04 d w C:\Documents and Settings\Brian\Application Data\AVG7
            2007-10-30 23:22 d w C:\Documents and Settings\All Users\Application Data\Grisoft
            2007-10-14 22:35 128 ----a-w C:\WINDOWS\system32\drivers\pxfsf.dat
            2007-09-30 01:29 246,545 ----a-w C:\WINDOWS\system32\libssl32.dll
            2007-09-30 01:29 1,188,375 ----a-w C:\WINDOWS\system32\libeay32.dll
            2007-09-06 20:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
            2007-09-06 20:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
            .

            ((((((((((((((((((((((((((((( snapshot@2007-10-14_18.37.43.28 )))))))))))))))))))))))))))))))))))))))))
            .
            - 2007-09-28 13:06:08 135,168 ----a-w C:\WINDOWS\catchme.exe
            + 2007-10-29 23:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
            + 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\erdnt\11-1-2007\ERDNT.EXE
            + 2007-11-01 22:36:26 3,493,888 ----a-w C:\WINDOWS\erdnt\11-1-2007\Users\00000001\NTUSER.DAT
            + 2007-11-01 22:36:26 8,192 ----a-w C:\WINDOWS\erdnt\11-1-2007\Users\00000002\UsrClass.dat
            + 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\erdnt\11-9-2007\ERDNT.EXE
            + 2007-11-10 02:09:49 3,493,888 ----a-w C:\WINDOWS\erdnt\11-9-2007\Users\00000001\NTUSER.DAT
            + 2007-11-10 02:09:49 8,192 ----a-w C:\WINDOWS\erdnt\11-9-2007\Users\00000002\UsrClass.dat
            - 2007-03-13 14:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
            + 2007-03-13 15:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
            - 2007-06-17 04:11:58 51,200 ----a-w C:\WINDOWS\NirCmd.exe
            + 2007-06-17 05:11:58 51,200 ----a-w C:\WINDOWS\NirCmd.exe
            - 2007-09-21 17:19:36 821,728 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
            + 2007-10-22 15:39:26 821,856 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
            + 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
            + 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
            + 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
            - 2007-07-17 19:09:27 40,394 ----a-w C:\WINDOWS\system32\perfc009.dat
            + 2007-10-28 23:03:45 40,394 ----a-w C:\WINDOWS\system32\perfc009.dat
            - 2007-07-17 19:09:27 312,172 ----a-w C:\WINDOWS\system32\perfh009.dat
            + 2007-10-28 23:03:45 312,172 ----a-w C:\WINDOWS\system32\perfh009.dat
            - 2007-10-05 14:07:31 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
            + 2007-07-22 23:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
            - 2006-11-29 21:21:29 370,688 ----a-w C:\WINDOWS\system32\swsc.exe
            + 2006-11-29 22:21:29 370,688 ----a-w C:\WINDOWS\system32\swsc.exe
            - 2006-12-01 09:20:32 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
            + 2006-12-01 10:20:32 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
            .
            -- Snapshot reset to current date --
            .
            ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "ATIModeChange"="Ati2mdxx.exe" [2001-09-05 04:24 C:\WINDOWS\system32\Ati2mdxx.exe]
            "AtiPTA"="atiptaxx.exe" [2001-12-06 11:55 C:\WINDOWS\system32\atiptaxx.exe]
            "HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [2001-09-10 15:00]
            "QuickTime Task"="C:\WINDOWS\System32\qttask.exe" [2002-01-16 19:00]
            "Pop3trap.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe" [2001-12-18 22:09]
            "WebTrapNT.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe" [2001-12-18 21:58]
            "JOGSERV2.EXE"="C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe" [2002-01-11 15:21]
            "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2001-11-02 19:01]
            "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2001-11-02 14:49]
            "CleanupProgram"="C:\Sonysys\cleanup.exe" []
            "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-22 10:39]
            "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 15:14]

            C:\Documents and Settings\Brian\Start Menu\Programs\Startup\
            VirtuaGirl2.lnk - D:\Program Files\Vg\VirtuaGirl2.exe [2007-07-26 23:27:27]

            C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
            Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-05 23:51:34]
            Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
            PowerPanel.lnk - C:\Program Files\PowerPanel\Program\PcfMgr.exe [2002-01-16 17:26:06]
            Real-time Monitor.lnk - C:\WINDOWS\Installer\{A839294B-70A9-11D5-9F5A-0050DAD742CD}\_106B5A0.exe [2002-01-16 19:19:48]

            R0 va16w2;va16w2;C:\WINDOWS\System32\DRIVERS\va16w2.sys
            R0 va32w2;va32w2;C:\WINDOWS\System32\DRIVERS\va32w2.sys
            R1 biosview;biosview;C:\WINDOWS\System32\drivers\biosview.sys
            R3 Ich;Ich;C:\WINDOWS\System32\DRIVERS\Ich.sys
            R3 SPI;Sony Programmable I/O Control Device;C:\WINDOWS\System32\DRIVERS\SonyPI.sys
            R3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\System32\drivers\yacxgc.sys
            S3 MR97310_USB_DUAL_CAMERA;MR97310 CIF Dual Mode Camera;C:\WINDOWS\System32\DRIVERS\mr97310c.sys

            .
            **************************************************************************

            catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2007-11-15 22:44:20
            Windows 5.1.2600 NTFS

            scanning hidden processes ...

            scanning hidden autostart entries ...

            scanning hidden files ...

            scan completed successfully
            hidden files: 0

            **************************************************************************
            .
            Completion time: 2007-11-15 22:46:48 - machine was rebooted
            C:\ComboFix2.txt ... 2007-10-14 17:39
            .
            --- E O F ---

            Here is the Hijackthis scan:

            Logfile of Trend Micro HijackThis v2.0.2
            Scan saved at 10:49:51 PM, on 11/15/2007
            Platform: Windows XP (WinNT 5.01.2600)
            MSIE: Internet Explorer v6.00 (6.00.2600.0000)
            Boot mode: Normal

            Running processes:
            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\system32\winlogon.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\system32\ZoneLabs\vsmon.exe
            C:\WINDOWS\Explorer.EXE
            C:\WINDOWS\system32\spoolsv.exe
            C:\WINDOWS\System32\atiptaxx.exe
            C:\Program Files\Sony\HotKey Utility\HKserv.exe
            C:\WINDOWS\System32\qttask.exe
            C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
            C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
            C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
            C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
            C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
            C:\WINDOWS\System32\Ati2evxx.exe
            C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
            C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
            C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
            C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
            C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
            C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
            C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
            C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
            C:\WINDOWS\System32\wuauclt.exe
            C:\WINDOWS\system32\notepad.exe
            C:\WINDOWS\System32\wuauclt.exe
            C:\Program Files\internet explorer\iexplore.exe
            C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

            O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
            O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
            O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
            O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
            O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
            O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
            O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
            O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
            O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
            O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
            O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
            O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
            O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
            O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
            O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
            O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
            O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
            O4 - Startup: VirtuaGirl2.lnk = D:\Program Files\Vg\VirtuaGirl2.exe
            O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
            O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
            O4 - Global Startup: PowerPanel.lnk = ?
            O4 - Global Startup: Real-time Monitor.lnk = ?
            O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
            O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
            O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
            O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
            O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
            O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
            O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
            O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
            O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
            O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
            O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
            O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
            O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
            O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
            O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

            --
            End of file - 4985 bytes
          • edited November 2007
            Hi!

            #1
            Open notepad and copy/paste the text in the quotebox below into it:
            Driver::
            c:\windows\system32\drivers\aqmxfzjn.dat
            
            

            Save this as CFScript.txt

            CFScript.gif

            Referring to the picture above, drag CFScript.txt into ComboFix.exe

            When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

            #2
            Please, scan your PC;
            Panda ActiveScan

            - Once you are on the Panda site, click the Scan your PC button
            - A new window will open...click the Check Now button
            - Enter your Country
            - Enter your State/Province
            - Enter your e-mail address and click send
            - Select either Home User or Company
            - Click the big Scan Now button
            - If it wants to install an ActiveX component allow it
            - It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
            - When download is complete, click on Local Disks to start the scan
            - When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Do NOT lose it!

            #3
            Please, send the Panda activescan report and a fresh hijackthis log :)
            Ps. Do you think your computer works better?
          • 4Nmissile4Nmissile New
            edited November 2007
            I do think that the computer is running better. Although, even when I had those two BHO trojans it did not seem to hinder the performance of my laptop. The Panda scan did show some infections though. The beginning of next year I would like to purchase another laptop with more memory and updated software for school. I will be sure to update all my software and put all of these threat protection programs on it too.

            Here is the Combofix log:

            ComboFix 07-11-08.1 - Brian 2007-11-18 18:31:43.3 - NTFSx86
            Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.83 [GMT -5:00]Running from: C:\Documents and Settings\Brian\Desktop\ComboFix.exe
            Command switches used :: C:\Documents and Settings\Brian\Desktop\CFScript.txt
            * Created a new restore point
            .

            ((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
            .

            2007-11-01 17:55 <DIR> d C:\WINDOWS\system32\Kaspersky Lab
            2007-11-01 17:55 <DIR> d C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
            2007-11-01 17:49 4 --a C:\WINDOWS\info147.sys
            2007-10-30 18:23 <DIR> d C:\Documents and Settings\Brian\Application Data\Grisoft
            2007-10-30 18:23 10,872 --a C:\WINDOWS\system32\drivers\AvgAsCln.sys
            2007-10-30 18:12 <DIR> d C:\Deckard
            2007-10-28 19:52 2,562 --a C:\WINDOWS\system32\tmp.reg
            2007-10-28 19:51 289,144 --a C:\WINDOWS\system32\VCCLSID.exe
            2007-10-28 19:51 288,417 --a C:\WINDOWS\system32\SrchSTS.exe
            2007-10-28 19:51 53,248 --a C:\WINDOWS\system32\Process.exe
            2007-10-28 19:51 51,200 --a C:\WINDOWS\system32\dumphive.exe
            2007-10-28 19:51 25,600 --a C:\WINDOWS\system32\WS2Fix.exe

            .
            (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2007-11-18 22:21 d w C:\Documents and Settings\Brian\Application Data\AVG7
            2007-11-16 03:31 d w C:\Program Files\Trend Micro
            2007-10-30 23:22 d w C:\Documents and Settings\All Users\Application Data\Grisoft
            2007-10-14 22:35 128 ----a-w C:\WINDOWS\system32\drivers\pxfsf.dat
            2007-09-30 01:29 246,545 ----a-w C:\WINDOWS\system32\libssl32.dll
            2007-09-30 01:29 1,188,375 ----a-w C:\WINDOWS\system32\libeay32.dll
            2007-09-06 20:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
            2007-09-06 20:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
            .

            ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "ATIModeChange"="Ati2mdxx.exe" [2001-09-05 04:24 C:\WINDOWS\system32\Ati2mdxx.exe]
            "AtiPTA"="atiptaxx.exe" [2001-12-06 11:55 C:\WINDOWS\system32\atiptaxx.exe]
            "HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [2001-09-10 15:00]
            "QuickTime Task"="C:\WINDOWS\System32\qttask.exe" [2002-01-16 19:00]
            "Pop3trap.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe" [2001-12-18 22:09]
            "WebTrapNT.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe" [2001-12-18 21:58]
            "JOGSERV2.EXE"="C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe" [2002-01-11 15:21]
            "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2001-11-02 19:01]
            "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2001-11-02 14:49]
            "CleanupProgram"="C:\Sonysys\cleanup.exe" []
            "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-22 10:39]
            "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 15:14]

            C:\Documents and Settings\Brian\Start Menu\Programs\Startup\
            VirtuaGirl2.lnk - D:\Program Files\Vg\VirtuaGirl2.exe [2007-07-26 23:27:27]

            C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
            Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-05 23:51:34]
            Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
            PowerPanel.lnk - C:\Program Files\PowerPanel\Program\PcfMgr.exe [2002-01-16 17:26:06]
            Real-time Monitor.lnk - C:\WINDOWS\Installer\{A839294B-70A9-11D5-9F5A-0050DAD742CD}\_106B5A0.exe [2002-01-16 19:19:48]

            R0 va16w2;va16w2;C:\WINDOWS\System32\DRIVERS\va16w2.sys
            R0 va32w2;va32w2;C:\WINDOWS\System32\DRIVERS\va32w2.sys
            R1 biosview;biosview;C:\WINDOWS\System32\drivers\biosview.sys
            R3 Ich;Ich;C:\WINDOWS\System32\DRIVERS\Ich.sys
            R3 SPI;Sony Programmable I/O Control Device;C:\WINDOWS\System32\DRIVERS\SonyPI.sys
            R3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\System32\drivers\yacxgc.sys
            S3 MR97310_USB_DUAL_CAMERA;MR97310 CIF Dual Mode Camera;C:\WINDOWS\System32\DRIVERS\mr97310c.sys

            .
            **************************************************************************

            catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2007-11-18 18:34:49
            Windows 5.1.2600 NTFS

            scanning hidden processes ...

            scanning hidden autostart entries ...

            scanning hidden files ...

            scan completed successfully
            hidden files: 0

            **************************************************************************
            .
            Completion time: 2007-11-18 18:35:32
            C:\ComboFix2.txt ... 2007-11-15 22:46
            C:\ComboFix3.txt ... 2007-10-14 17:39
            .
            --- E O F ---


            Here is the Panda Scan log:


            Incident Status Location

            Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Brian\Cookies\brian@ad.yieldmanager[1].txt
            Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Brian\Cookies\brian@burstnet[2].txt
            Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Brian\Cookies\brian@ccbill[1].txt
            Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Brian\Cookies\brian@cgi-bin[1].txt
            Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Brian\Cookies\brian@kinghost[2].txt
            Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Brian\Cookies\brian@realmedia[1].txt
            Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Brian\Cookies\brian@statcounter[1].txt
            Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Brian\Cookies\brian@toplist[1].txt
            Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Brian\Cookies\brian@www.burstbeacon[1].txt
            Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Brian\Cookies\brian@yadro[1].txt
            Virus:Trj/Kolweb.H Disinfected C:\Documents and Settings\Brian\Desktop\backups\backup-20070825-204053-188.dll
            Virus:Trj/Kolweb.H Disinfected C:\Documents and Settings\Brian\Desktop\backups\backup-20070828-201744-737.dll
            Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Brian\Desktop\ComboFix.exe[nircmd.exe]
            Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Brian\Desktop\ComboFix.exe[nircmd.cfexe]
            Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Brian\Desktop\SmitfraudFix\Process.exe
            Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Brian\Desktop\SmitfraudFix\Reboot.exe
            Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Brian\Desktop\SmitfraudFix\restart.exe
            Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Brian\Desktop\SmitfraudFix.exe
            Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\WindowsEx.dll.041
            Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
            Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
            Adware:Adware/IST.ISTBar Not disinfected D:\Program Files\Vg\WindowsEx.dll

            Here is the HijackThis log:

            Logfile of Trend Micro HijackThis v2.0.2
            Scan saved at 11:22:01 PM, on 11/18/2007
            Platform: Windows XP (WinNT 5.01.2600)
            MSIE: Internet Explorer v6.00 (6.00.2600.0000)
            Boot mode: Normal

            Running processes:
            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\system32\winlogon.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\system32\ZoneLabs\vsmon.exe
            C:\WINDOWS\System32\atiptaxx.exe
            C:\Program Files\Sony\HotKey Utility\HKserv.exe
            C:\WINDOWS\System32\qttask.exe
            C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
            C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
            C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
            C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
            C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
            C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
            C:\PROGRA~1\Sony\JOGDIA~1\JogServ2.exe
            C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
            C:\WINDOWS\system32\spoolsv.exe
            C:\WINDOWS\System32\Ati2evxx.exe
            C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
            C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
            C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
            C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
            C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
            C:\WINDOWS\System32\wuauclt.exe
            C:\Program Files\internet explorer\iexplore.exe
            C:\WINDOWS\explorer.exe
            C:\WINDOWS\system32\notepad.exe
            C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

            O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
            O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
            O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
            O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
            O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
            O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
            O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
            O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
            O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
            O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
            O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
            O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
            O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
            O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
            O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
            O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
            O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
            O4 - Startup: VirtuaGirl2.lnk = D:\Program Files\Vg\VirtuaGirl2.exe
            O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
            O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
            O4 - Global Startup: PowerPanel.lnk = ?
            O4 - Global Startup: Real-time Monitor.lnk = ?
            O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
            O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
            O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
            O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
            O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
            O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
            O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
            O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
            O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
            O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
            O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
            O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
            O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
            O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
            O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
            O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

            --
            End of file - 5080 bytes
          • edited November 2007
            Hi!

            Log looks ok.
            But you have installed VirtualGirl, and it is a bad program.
            Read more about it here.

            So it's recommended to remove it via Add/Remove Programs. :)

            And then remove this folder:
            D:\Program Files\Vg
            _____________________________________

            Log looks clean...great job!

            Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
            1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point.

              You can find instructions on how to enable and reenable system restore here:

              Managing Windows Millennium System Restore

              or

              Windows XP System Restore Guide

              Re-enable system restore with instructions from the tutorial above.

            2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
              1. From within Internet Explorer click on the Tools menu and then click on Options.
              2. Click once on the Security tab
              3. Click once on the Internet icon so it becomes highlighted.
              4. Click once on the Custom Level button.
                1. Change the Download signed ActiveX controls to Prompt
                2. Change the Download unsigned ActiveX controls to Disable
                3. Change the Initialize and script ActiveX controls not marked as safe to Disable
                4. Change the Installation of desktop items to Prompt
                5. Change the Launching programs and files in an IFRAME to Prompt
                6. Change the Navigate sub-frames across different domains to Prompt
                7. When all these settings have been made, click on the OK button.
                8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
              5. Next press the Apply button and then the OK to exit the Internet Properties page.
            3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

              See this link for a listing of some online & their stand-alone antivirus programs:

              Virus, Spyware, and Malware Protection and Removal Resources

            4. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

            5. Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

              For a tutorial on Firewalls and a listing of some available ones see the link below:

              Understanding and Using Firewalls

            6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

            7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software.

              A tutorial on installing & using this product can be found here:

              Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

            8. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an antivirus software in conjunction with Spybot.

              A tutorial on installing & using this product can be found here:

              Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

            9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

              A tutorial on installing & using this product can be found here:

              Using SpywareBlaster to protect your computer from Spyware and Malware

            10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
            Follow this list and your potential for being infected again will reduce dramatically.

            Glad I was able to help.
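
The six Internet-zone changes in step 2 of the post above are stored as registry values, so they can be checked without clicking through the dialog. The PowerShell below is an added example, not part of the original thread: the URL action codes and the 0/1/3 value meanings are Microsoft's documented zone settings rather than anything stated on this page, and the function names are illustrative.

```powershell
# Added example: audit the IE Internet zone (zone 3) against the Custom Level
# settings recommended in the post above. DWORD meaning: 0 = Enable, 1 = Prompt, 3 = Disable.
# Assumption: per-user settings live under HKCU ...\Zones\3; a Group Policy value
# under HKLM\SOFTWARE\Policies, when present, takes precedence over it.

$ZonePath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL action code -> setting name as shown in the dialog -> value the post recommends
$Recommended = @(
    @{ Code = '1001'; Setting = 'Download signed ActiveX controls';                          Want = 1 }
    @{ Code = '1004'; Setting = 'Download unsigned ActiveX controls';                        Want = 3 }
    @{ Code = '1201'; Setting = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    @{ Code = '1800'; Setting = 'Installation of desktop items';                             Want = 1 }
    @{ Code = '1804'; Setting = 'Launching programs and files in an IFRAME';                 Want = 1 }
    @{ Code = '1607'; Setting = 'Navigate sub-frames across different domains';              Want = 1 }
)

$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneValue {
    param([string]$Path, [string]$Code)
    # Returns $null when the key or the named value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Code -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Code
}

function Format-ZoneValue {
    param($Value)
    if ($null -eq $Value) { return '(not set)' }
    if ($Label.ContainsKey([int]$Value)) { return $Label[[int]$Value] }
    return ('0x{0:X}' -f $Value)   # some other documented or custom value
}

function Test-InternetZone {
    param([switch]$Fix)   # -Fix writes the recommended per-user value where no policy applies
    foreach ($r in $Recommended) {
        $user   = Get-ZoneValue -Path $ZonePath   -Code $r.Code
        $policy = Get-ZoneValue -Path $PolicyPath -Code $r.Code
        $effective = if ($null -ne $policy) { $policy } else { $user }
        $ok = ($null -ne $effective) -and ([int]$effective -eq $r.Want)

        $action = 'none'
        if (-not $ok) {
            if ($null -ne $policy) {
                $action = 'set by policy, change it there'
            } elseif ($Fix) {
                Set-ItemProperty -Path $ZonePath -Name $r.Code -Value $r.Want -Type DWord
                $action = 'updated'
            } else {
                $action = 'needs change'
            }
        }

        [pscustomobject]@{
            Code        = $r.Code
            Setting     = $r.Setting
            Current     = Format-ZoneValue $effective
            Recommended = $Label[$r.Want]
            Compliant   = $ok
            Action      = $action
        }
    }
}

# Read-only report; run "Test-InternetZone -Fix" to apply the per-user values.
Test-InternetZone | Format-Table -AutoSize
```

Rows reported as "set by policy" cannot be changed from the Internet Options dialog either, which is a common reason the manual steps appear not to stick.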
          • 4Nmissile4Nmissile New
            edited November 2007
            OK, I removed VirtualGirl completely. I have not had any problems for a while now. I have all of those programs installed on here already. Thanks for your help. I have one more question though, although it is not about my laptop but my external hard-drive. I own a Maxtor 80G one touch. I have never had problems with it and have never saved bad programs or files on it. I have not ever dropped it or damaged it. I have never hooked it up to my computer when I was on the internet either. However, the last few times I have hooked it up to my computer to try and move things. Now though I can't get into the drive. My computer shows it in "My Computer" as drive G. It does show up and when I go in and check the drives it says that it is running fine. However, when I click on the "G" drive it won't open up and I get an error message that says, "G:\ is not accessible.

            The request could not be performed because of an I/O device error."

            I did a search for that message on google and it brought up a few sites. Most had people who said the drive was fine, but the door to get in was closed. They said that you needed a backdoor to get in and get the files on the drive. They then recommended a few sites and companies that get files off of drives that have been damaged, on fire or anything else where the user can't get in themselves. They also recommended using KNOPPIX from Linux if they did not want to go the expensive route of sending off their drive to a company. I do have KNOPPIX although I have not used it yet. It is such a large program that it takes too long to boot on my laptop so I always end up shutting down the program (KNOPPIX). Do you have any advice or pointers on getting into my Maxtor or retrieving files from it?
          • edited November 2007
            Hi!

            Great to hear you don't have spyware problems...

            I'm sorry, I don't know what's wrong with your hard drive :(
            I think it's best to ask here about that.

            I hope you get rid of that bad problem. ;)