What the Tech: computer forums for help with removing malicious software (malware) and improving computer security
[Resolved] Virus Alert in taskbar.... HJT log included
okieherper
Post #1, Jul 28 2008, 10:56 PM

Authentic Member
Group: Authentic Member
Posts: 35
Joined: 26-January 06
Member No.: 49,327
Operating System: windows xp

Hopefully I can get this resolved in the next day or two. I am home for a few days and my parents' computer is messed up AGAIN. It is beyond my abilities. I've seen a few other similar posts, but figured my own HJT log would be better than relying on fixes that were suggested to others. Symptoms include no control panel available, crazy popups on desktop talking about spyware, VIRUS ALERT! next to the time on taskbar, and various other missing things on start menu. Thanks for any help.



Logfile of HijackThis v1.99.1
Scan saved at 23:52: VIRUS ALERT!, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\cmd.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: fdkowvbp - {CB43E6DF-F6E4-4464-8AE2-F680AD49185E} - C:\WINDOWS\fdkowvbp.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [lphcaguj0ee2a] C:\WINDOWS\system32\lphcaguj0ee2a.exe
O4 - HKLM\..\Run: [advap32] C:\DOCUME~1\SMARTP~1\LOCALS~1\Temp\scksexde.exe/r
O4 - HKLM\..\Run: [SMrhceguj0ee2a] C:\Program Files\rhceguj0ee2a\rhceguj0ee2a.exe
O4 - HKLM\..\Run: [54173bab] rundll32.exe "C:\WINDOWS\system32\mrfmoeot.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: .lnk = C:\WINDOWS\SYSTEM32\msmapibx32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: eqvwamkl - {EBF6771C-5789-4E36-B14A-11E6BA764D72} - C:\WINDOWS\eqvwamkl.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe


Scotty
Post #2, Jul 29 2008, 08:57 AM

Always Happy
Group: Malware Team
Posts: 3,653
Joined: 9-December 06
From: Haggistown, Kiltland
Member No.: 65,226
Operating System: XP Pro, Ubuntu 8.04

Hi! Welcome to the forums.

Please remove the out-of-date version of HijackThis that you have.


Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. For Vista users, right-click DSS and select Run As Administrator.
  4. If asked to install HijackThis, click on Yes.
  5. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  6. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.




okieherper
Post #3, Aug 4 2008, 06:11 PM

Authentic Member
Group: Authentic Member
Posts: 35
Joined: 26-January 06
Member No.: 49,327
Operating System: windows xp

Sorry about the slow reply. I just now had time to check for the reply. Here are the logs you requested.


-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
45: 2008-08-04 23:19:06 UTC - RP155 - Deckard's System Scanner Restore Point
44: 2008-08-03 22:47:48 UTC - RP154 - System Checkpoint
43: 2008-07-31 21:35:01 UTC - RP153 - System Checkpoint
42: 2008-07-29 03:22:40 UTC - RP152 - Installed Ad-Aware
41: 2008-07-26 18:05:06 UTC - RP151 - Last known good configuration


-- First Restore Point --
1: 2008-07-26 18:04:10 UTC - RP111 - Installed Windows XP KB913580.


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis (run as Smart People.exe) ----------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-04 18:21:28
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\SYSTEM32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\WINDOWS\SYSTEM32\cisvc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\McAfee.com\VSO\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\McAfee.com\VSO\McShield.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\WINDOWS\SYSTEM32\CIDAEMON.EXE
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Documents and Settings\Smart People\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {39DC821C-FE03-415F-8F47-B50ADA5D7D1A} - C:\WINDOWS\SYSTEM32\rqRLdDWp.dll
O2 - BHO: QXK Olive - {73044EAD-C67A-4673-81E0-191EA6653B7B} - C:\WINDOWS\nfavxwdbsxo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: {d0a25d57-a5ca-bdca-4884-934ee1003428} - {8243001e-e439-4884-acdb-ac5a75d52a0d} - C:\WINDOWS\SYSTEM32\uvggfx.dll
O2 - BHO: (no name) - {BF13249A-89B6-463C-AC16-783A5EA945D0} - C:\WINDOWS\SYSTEM32\khfCtqnm.dll
O3 - Toolbar: fdkowvbp - {CB43E6DF-F6E4-4464-8AE2-F680AD49185E} - C:\WINDOWS\fdkowvbp.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [lphcaguj0ee2a] C:\WINDOWS\system32\lphcaguj0ee2a.exe
O4 - HKLM\..\Run: [advap32] C:\DOCUME~1\SMARTP~1\LOCALS~1\Temp\scksexde.exe/r
O4 - HKLM\..\Run: [SMrhceguj0ee2a] C:\Program Files\rhceguj0ee2a\rhceguj0ee2a.exe
O4 - HKLM\..\Run: [54173bab] rundll32.exe "C:\WINDOWS\system32\bgqbnbwi.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: .lnk = C:\WINDOWS\SYSTEM32\msmapibx32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - AppInit_DLLs: kxyogu.dll iufjzg.dll uvggfx.dll
O20 - Winlogon Notify: rqRLdDWp - C:\WINDOWS\system32\rqRLdDWp.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\system32\WinCtrl32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - C:\Program Files\McAfee.com\VSO\McShield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - C:\Program Files\McAfee.com\VSO\mcvsrte.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O24 - Desktop Component 0: my current home page - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 6534 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 agp440 (Intel AGP Bus Filter) - c:\windows\\systemroot\system32\drivers\agp440.sys (file missing)
R0 Winrx62 - c:\windows\system32\drivers\winrx62.sys
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 ohcusb (Open Host Controller Miniport USB Driver) - c:\windows\system32\drivers\ohcusb.sys
R3 CBTNDIS5 (CBTNDIS5 NDIS Protocol Driver) - c:\windows\system32\cbtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

S2 ohdusb (Open Host Controller Miniport USB Driver (rev.d)) - c:\windows\system32\drivers\ohdusb.sys (file missing)
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 NICSer_WPC54G - c:\program files\linksys\wireless-g notebook adapter\nicserv.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-08-04 18:18:00 508 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (DFW71H31-Administrator).job
2008-08-04 18:04:38 506 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (DFW71H31-Smart People).job


-- Files created between 2008-07-04 and 2008-08-04 -----------------------------

2008-08-04 17:52:47 98688 --a------ C:\WINDOWS\system32\bgqbnbwi.dll
2008-08-04 17:49:48 130432 --a------ C:\WINDOWS\system32\uvggfx.dll
2008-08-04 17:49:47 130432 --a------ C:\WINDOWS\system32\koklagwj.dll
2008-08-03 17:51:35 98688 -----n--- C:\WINDOWS\system32\chkewcmr.dll
2008-08-03 17:48:36 130432 --a------ C:\WINDOWS\system32\iufjzg.dll
2008-08-03 17:48:36 130432 --a------ C:\WINDOWS\system32\hmnboqqn.dll
2008-08-02 17:47:47 130432 --a------ C:\WINDOWS\system32\zeltdw.dll
2008-08-02 17:47:45 130432 --a------ C:\WINDOWS\system32\rmhjhmng.dll
2008-08-01 16:17:41 129920 --a------ C:\WINDOWS\system32\kxyogu.dll
2008-08-01 16:17:39 129920 --a------ C:\WINDOWS\system32\trntjgrh.dll
2008-07-31 17:43:57 120960 --a------ C:\WINDOWS\system32\gzefmo.dll
2008-07-31 17:43:57 120960 --a------ C:\WINDOWS\system32\dhjyrltr.dll
2008-07-30 17:39:23 120960 --a------ C:\WINDOWS\system32\vgzojo.dll
2008-07-30 17:39:21 120960 --a------ C:\WINDOWS\system32\pkhoqdkm.dll
2008-07-28 22:15:59 0 d-------- C:\WINDOWS\privacy_danger
2008-07-28 17:54:32 120960 --a------ C:\WINDOWS\system32\ixquhz.dll
2008-07-28 17:54:30 120960 --a------ C:\WINDOWS\system32\fkrbucpu.dll
2008-07-27 12:23:46 116352 --a------ C:\WINDOWS\system32\giaeas.dll
2008-07-27 12:23:43 116352 --a------ C:\WINDOWS\system32\vnaruewx.dll
2008-07-26 15:03:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-26 14:57:29 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-26 13:05:54 116864 --a------ C:\WINDOWS\system32\hsfziy.dll
2008-07-26 13:05:51 116864 --a------ C:\WINDOWS\system32\mimuibqj.dll
2008-07-26 13:03:59 782436 --ahs---- C:\WINDOWS\system32\mnqtCfhk.ini2
2008-07-26 13:03:28 323584 --a------ C:\WINDOWS\system32\khfCtqnm.dll
2008-07-26 12:59:17 94208 --a------ C:\WINDOWS\system32\pphcaguj0ee2a.exe
2008-07-26 12:59:14 0 d-------- C:\Documents and Settings\Smart People\Application Data\rhceguj0ee2a
2008-07-26 12:57:33 16896 --a------ C:\WINDOWS\system32\WinCtrl32.dll
2008-07-26 12:57:24 33152 --a------ C:\WINDOWS\system32\vtUmKEVo.dll
2008-07-26 12:57:24 33152 --a------ C:\WINDOWS\system32\rqRLdDWp.dll
2008-07-26 12:57:14 0 d-------- C:\Documents and Settings\Smart People\Application Data\TmpRecentIcons
2008-07-26 12:56:50 229376 --a------ C:\WINDOWS\wnslvxtf.dll
2008-07-26 12:56:50 376832 --a------ C:\WINDOWS\nfavxwdbsxo.dll
2008-07-26 12:56:50 86016 --a------ C:\WINDOWS\grswptdl.exe
2008-07-26 12:56:50 204800 --a------ C:\WINDOWS\fdkowvbp.dll
2008-07-26 12:56:50 180224 --a------ C:\WINDOWS\eqvwamkl.dll
2008-07-26 12:56:50 94208 --a------ C:\WINDOWS\edbo.exe
2008-07-26 12:56:39 60928 --a------ C:\WINDOWS\system32\blphcaguj0ee2a.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-07-09 19:03:28 32549 --a------ C:\WINDOWS\king-uninstall.exe


-- Find3M Report ---------------------------------------------------------------

2008-07-28 22:22:47 0 d-------- C:\Program Files\Dell
2008-07-28 22:22:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-26 17:21:31 0 d-------- C:\Program Files\Aprps
2008-07-26 15:06:34 0 d-------- C:\Program Files\Lavasoft
2008-07-26 15:06:29 0 d-------- C:\Documents and Settings\Smart People\Application Data\Lavasoft
2008-07-26 14:57:29 0 d-------- C:\Program Files\Common Files
2008-07-16 14:01:02 0 d-------- C:\Documents and Settings\Smart People\Application Data\Real
2008-06-25 20:21:52 0 d-------- C:\Documents and Settings\Smart People\Application Data\Sun
2008-06-25 19:53:15 0 d-------- C:\Program Files\Java
2008-06-25 19:47:35 0 d-------- C:\Program Files\Common Files\Java
2008-06-11 05:11:14 0 d-------- C:\Program Files\Messenger
2008-05-24 20:45:33 1160 --a------ C:\WINDOWS\mozver.dat
2008-05-24 18:37:27 0 --a------ C:\WINDOWS\nsreg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39DC821C-FE03-415F-8F47-B50ADA5D7D1A}]
07/26/2008 12:57: VIRUS ALERT! 33152 --a------ C:\WINDOWS\system32\rqRLdDWp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73044EAD-C67A-4673-81E0-191EA6653B7B}]
07/26/2008 09:14: VIRUS ALERT! 376832 --a------ C:\WINDOWS\nfavxwdbsxo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8243001e-e439-4884-acdb-ac5a75d52a0d}]
08/04/2008 17:49: VIRUS ALERT! 130432 --a------ C:\WINDOWS\system32\uvggfx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF13249A-89B6-463C-AC16-783A5EA945D0}]
07/26/2008 13:03: VIRUS ALERT! 323584 --a------ C:\WINDOWS\system32\khfCtqnm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [10/19/2005 09:59: VIRUS ALERT!]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [10/19/2005 09:59: VIRUS ALERT!]
"BCMSMMSG"="BCMSMMSG.exe" [08/29/2003 05:59: VIRUS ALERT! C:\WINDOWS\BCMSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [05/02/2003 17:21: VIRUS ALERT!]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [05/02/2003 17:15: VIRUS ALERT!]
"MCAgentExe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [09/06/2002 18:15: VIRUS ALERT!]
"MCUpdateExe"="C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe" [09/04/2002 10:28: VIRUS ALERT!]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [09/12/2003 16:20: VIRUS ALERT!]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [10/04/2002 15:09: VIRUS ALERT!]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [05/27/2004 21:05: VIRUS ALERT!]
"RegistryUpdate"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28: VIRUS ALERT!]
"lphcaguj0ee2a"="C:\WINDOWS\system32\lphcaguj0ee2a.exe" []
"advap32"="C:\DOCUME~1\SMARTP~1\LOCALS~1\Temp\scksexde.exe/r" []
"SMrhceguj0ee2a"="C:\Program Files\rhceguj0ee2a\rhceguj0ee2a.exe" []
"54173bab"="C:\WINDOWS\system32\bgqbnbwi.dll" [08/04/2008 17:52: VIRUS ALERT!]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56: VIRUS ALERT!]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)
"DisableRegistryTools"=1 (0x1)
"NoDispCPL"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=1 (0x1)
"StartMenuLogoff"=1 (0x1)
"NoStartMenuMorePrograms"=1 (0x1)
"NoSetFolders"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= my current home page

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{39DC821C-FE03-415F-8F47-B50ADA5D7D1A}"= C:\WINDOWS\system32\rqRLdDWp.dll [07/26/2008 12:57: VIRUS ALERT! 33152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRLdDWp]
rqRLdDWp.dll 07/26/2008 12:57: VIRUS ALERT! 33152 C:\WINDOWS\SYSTEM32\rqRLdDWp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 08/04/2008 17:10: VIRUS ALERT! 16896 C:\WINDOWS\SYSTEM32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=kxyogu.dll iufjzg.dll uvggfx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\khfCtqnm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winrx62.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-08-04 18:24:45 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.00GHz
Percentage of Memory in Use: 72%
Physical Memory (total/avail): 254.33 MiB / 70.08 MiB
Pagefile Memory (total/avail): 625.2 MiB / 246.87 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1927.59 MiB

C: is Fixed (NTFS) - 18.58 GiB total, 12.27 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - IC25N020ATCS04-0 - 18.63 GiB - 2 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 18.58 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Smart People\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DFW71H31
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Smart People
LOGONSERVER=\\DFW71H31
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\SMARTP~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\SMARTP~1\LOCALS~1\Temp
USERDOMAIN=DFW71H31
USERNAME=Smart People
USERPROFILE=C:\Documents and Settings\Smart People
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Smart People (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
AntivirXP08 --> "C:\Program Files\rhceguj0ee2a\uninstall.exe"
BCM V.92 56K Modem --> C:\WINDOWS\BCMSMU.exe quiet
Broadcom Advanced Control Suite --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{89EE857B-8970-4F9F-AB58-A1C873AC72B3} /l1033
DAO --> MsiExec.exe /I{64116298-93C5-401D-B06C-39D8E3338508}
Dell Picture Studio - Dell Image Expert --> MsiExec.exe /I{151C555A-A9E7-4A2E-B6D7-165D04A3C956}
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
Dell Support --> MsiExec.exe /X{43FCA273-9534-40DB-B7C5-D7758875616A}
Designer's Gallery CustomWorks --> MsiExec.exe /X{67ABA78E-749F-4B28-8475-EAC59AC22848}
Designer's Gallery DensityWorks Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F37C9A85-1F88-49AD-AA35-1B080F9A831B}\Setup.exe"
Designer's Gallery HoopWorks Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EDA3BDC3-7698-4935-8AE8-06498987EA4F}\Setup.exe"
Designer's Gallery LetterWorks --> MsiExec.exe /X{F3B33C23-BB4F-4710-B957-E128994450D3}
Designer's Gallery QuiltWorks --> MsiExec.exe /X{FAC095B7-B6E0-4971-81B5-FB66A35312E2}
Designer's Gallery SizeWorks Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C9698EE5-EC16-4F62-B14C-0925BDDD535A}\Setup.exe"
Designer's Gallery Studio III Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{069EB112-5CD8-4D71-8E40-3EF10FFB4596}\Setup.exe"
Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
king.com (remove only) --> "C:\WINDOWS\king-uninstall.exe"
McAfee.com SecurityCenter --> c:\PROGRA~1\mcafee.com\shared\mghtml.exe mcp://c:\PROGRA~1\mcafee.com\agent\uninst\screm.ui::uninstall.htm
McAfee.com VirusScan Online --> c:\PROGRA~1\mcafee.com\shared\mghtml.exe mcp://c:\PROGRA~1\mcafee.com\agent\uninst\vsoremui.dll::uninstall.htm
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Mozilla Firefox (2.0.0.15) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Odyssey Client --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{99D42EC7-652B-4819-B3E6-6450C815E03F}
Paint Shop Pro 7 --> MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 UNINSTALL
RealOne Player --> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Wireless-G Notebook Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A2EDF5F-F3C6-4919-AE34-C08A71AD034A}\Setup.exe" -l0x9


-- Application Event Log -------------------------------------------------------

Event Record #/Type1528 / Error
Event Submitted/Written: 08/03/2008 05:07:56 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module nfavxwdbsxo.dll, version 0.0.0.0, fault address 0x00001394.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type1492 / Error
Event Submitted/Written: 07/30/2008 10:01:41 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application gcc.exe, version 1.0.0.4, faulting module unknown, version 0.0.0.0, fault address 0x010c813a.
Processing media-specific event for [gcc.exe!ws!]

Event Record #/Type1470 / Error
Event Submitted/Written: 07/28/2008 07:52:19 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1464 / Error
Event Submitted/Written: 07/28/2008 07:22:00 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application Ad-Aware.exe, version 7.1.0.10, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1449 / Error
Event Submitted/Written: 07/27/2008 00:28:52 PM / 07/27/2008 00:28:55 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type11378 / Error
Event Submitted/Written: 08/04/2008 05:13:12 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Open Host Controller Miniport USB Driver (rev.d) service failed to start due to the following error:
%%2

Event Record #/Type11377 / Error
Event Submitted/Written: 08/04/2008 05:13:12 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Parallel port driver service failed to start due to the following error:
%%1058

Event Record #/Type11349 / Error
Event Submitted/Written: 08/04/2008 04:39:46 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Open Host Controller Miniport USB Driver (rev.d) service failed to start due to the following error:
%%2

Event Record #/Type11348 / Error
Event Submitted/Written: 08/04/2008 04:39:46 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Parallel port driver service failed to start due to the following error:
%%1058

Event Record #/Type11344 / Warning
Event Submitted/Written: 08/03/2008 10:42:30 PM
Event ID/Source: 240 / Win32k
Event Description:
A request to suspend power was denied by winlogon.exe.



-- End of Deckard's System Scanner: finished at 2008-08-04 18:24:45 ------------

Scotty
post Aug 5 2008, 02:12 AM
Post #4


Always Happy

Group: Malware Team
Posts: 3,653
Joined: 9-December 06
From: Haggistown, Kiltland
Member No.: 65,226
Operating System: XP Pro
Ubuntu 8.04



If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once Recovery Console is installed, you should see a blue screen prompt like the one below:



Click Yes to allow Combofix to continue scanning for malware.

When done, a log will be produced. Please post that log and a new HijackThis log in your next reply.


1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run
okieherper
post Aug 10 2008, 06:46 PM
Post #5


Authentic Member
**

Group: Authentic Member
Posts: 35
Joined: 26-January 06
Member No.: 49,327
Operating System: windows xp



I'm really sorry this is taking so long. I am in Arkansas and the computer I am fixing is in Oklahoma. I have to explain your instructions over the phone because my parents are pretty much computer illiterate. I had my mom go through your suggested steps and when combofix was almost finished it had to reboot. Upon rebooting there was a rundll error that said:

rundll
error loading c:\windows\system32\knnygsop.dll
The specified module could not be found

Combofix never created the log file so we are kind of stuck. Any suggestions???

Thanks for your patience,
Josh
Scotty
post Aug 11 2008, 04:51 PM
Post #6


Always Happy

Group: Malware Team
Posts: 3,653
Joined: 9-December 06
From: Haggistown, Kiltland
Member No.: 65,226
Operating System: XP Pro
Ubuntu 8.04



No, that was a Vundo file, which Combofix removed, but the Run key is still there, so I need to see Combofix's log and remove what remains, before it spreads again.
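The two indicators in this thread are a crash record naming a random-looking DLL (faulting module nfavxwdbsxo.dll in the Application Event Log) and, after the cleanup, a rundll error for c:\windows\system32\knnygsop.dll, which is the Run value outliving the file it pointed at. The Python below is an added example, not part of this thread or of Combofix, HijackThis or Deckard's System Scanner, that triages both signals offline: it pulls faulting-module names out of event-log text in the DSS format, finds Run values that load a DLL through rundll32, and reports those whose target is missing or whose name looks machine-generated. The event-log records, the Run values (SynTPEnh, NvCpl, knnygsop) and the set of files "on disk" are constructed sample data modelled on the log above; the function names and the random-name heuristic are my own.

```python
import ntpath
import os
import re

# Constructed sample, modelled on the Application Event Log records in the
# Deckard's System Scanner output above (not copied from a live system).
SAMPLE_EVENT_LOG = """\
Event Record #/Type1528 / Error
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module nfavxwdbsxo.dll, version 0.0.0.0, fault address 0x00001394.

Event Record #/Type1492 / Error
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application gcc.exe, version 1.0.0.4, faulting module unknown, version 0.0.0.0, fault address 0x010c813a.

Event Record #/Type1470 / Error
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
"""

# Constructed HKLM\...\Run values (value name -> command line). The knnygsop
# entry mirrors the rundll error reported in the thread; the other two are
# hypothetical legitimate entries kept for contrast.
SAMPLE_RUN_VALUES = {
    "SynTPEnh": r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",
    "NvCpl": r"RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    "knnygsop": r"rundll32.exe C:\WINDOWS\system32\knnygsop.dll,a",
}

# Files present on a constructed "disk" (lower-cased), standing in for
# os.path.exists so the example runs offline. knnygsop.dll is deliberately
# absent: the file was deleted but its Run value survived.
SAMPLE_DISK = {
    r"c:\program files\synaptics\syntp\syntpenh.exe",
    r"c:\windows\system32\nvcpl.dll",
}

FAULT_RE = re.compile(r"faulting module (?P<module>[^,]+),", re.IGNORECASE)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]+?\.dll)', re.IGNORECASE)


def faulting_modules(event_log_text):
    """Module names from Event ID 1000 (Application Error) records."""
    return [m.group("module") for m in FAULT_RE.finditer(event_log_text)]


def looks_random(name, min_len=7):
    """Heuristic for machine-generated names such as nfavxwdbsxo.dll: letters
    only, at least min_len long, few vowels and a long consonant run.
    A triage hint, not proof; pair it with the existence check below."""
    stem = ntpath.splitext(ntpath.basename(name))[0].lower()
    if not stem.isalpha() or len(stem) < min_len:
        return False
    vowel_ratio = sum(c in "aeiou" for c in stem) / len(stem)
    runs = re.findall(r"[^aeiou]+", stem)
    longest_consonant_run = max((len(r) for r in runs), default=0)
    return vowel_ratio <= 0.25 and longest_consonant_run >= 5


def rundll_targets(run_values):
    """(value name, DLL path) for each Run value that loads a DLL via rundll32."""
    targets = []
    for name, command in run_values.items():
        m = RUNDLL_RE.search(command)
        if m:
            targets.append((name, m.group("path")))
    return targets


def orphaned_run_dlls(run_values, exists=os.path.exists):
    """Run values whose rundll32 target is gone from disk: the condition
    behind the 'specified module could not be found' error at logon."""
    return [(n, p) for n, p in rundll_targets(run_values) if not exists(p)]


def triage(event_log_text, run_values, exists=os.path.exists):
    """Combine both signals into a list of (reason, path) findings."""
    findings = []
    for module in faulting_modules(event_log_text):
        if looks_random(module):
            findings.append(("random-named faulting module", module))
    for name, path in rundll_targets(run_values):
        flags = []
        if not exists(path):
            flags.append("target missing")
        if looks_random(path):
            flags.append("random-looking name")
        if flags:
            findings.append((f"Run value '{name}': " + ", ".join(flags), path))
    return findings


def run_sample():
    """Triage the constructed samples against the constructed disk."""
    return triage(SAMPLE_EVENT_LOG, SAMPLE_RUN_VALUES,
                  exists=lambda p: p.lower() in SAMPLE_DISK)


if __name__ == "__main__":
    for reason, path in run_sample():
        print(f"{reason}: {path}")
```

On the real machine the Run values would come from `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` and the HKCU equivalent, with the default `os.path.exists`. The existence check is the decisive one: a rundll32 Run value whose DLL is missing is exactly the leftover Scotty describes, and deleting that value stops the error at logon. The name heuristic only ranks what to look at first and will occasionally flag a legitimate short consonant-heavy name, so check a flagged file's publisher and location before acting on it.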
okieherper
post Aug 12 2008, 11:54 AM
Post #7


Authentic Member
**

Group: Authentic Member
Posts: 35
Joined: 26-January 06
Member No.: 49,327
Operating System: windows xp



"so I need to see Combofix's log and remove what remains, before it spreads again"

As I said in my previous reply, Combofix never created a log. Combofix said that it was rebooting then never did anything after the reboot. I had them search for the text file with no luck. Will it be hidden somewhere?
Scotty
post Aug 14 2008, 03:28 AM
Post #8


Always Happy

Group: Malware Team
Posts: 3,653
Joined: 9-December 06
From: Haggistown, Kiltland
Member No.: 65,226
Operating System: XP Pro
Ubuntu 8.04



Hi

It should be in here.

C:\Combofix

If not, they will need to run combofix again, and the new log will tell me what was removed on the previous run.
okieherper
post Aug 20 2008, 08:13 PM
Post #9


Authentic Member
**

Group: Authentic Member
Posts: 35
Joined: 26-January 06
Member No.: 49,327
Operating System: windows xp



Well we found combofix.txt. However, it isn't complete so there is nothing to post for you. I guess just close this thread and I'll try again some other time when I can get the computer in hand. Sorry for wasting so much of your time. Thanks for the help.

Josh
Scotty
post Aug 27 2008, 01:27 AM
Post #10


Always Happy

Group: Malware Team
Posts: 3,653
Joined: 9-December 06
From: Haggistown, Kiltland
Member No.: 65,226
Operating System: XP Pro
Ubuntu 8.04



Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Advertisements do not imply our endorsement of that product or service. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk.
Member site: Alliance of Security Analysis Professionals | UNITE Against Malware
© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy