
[Resolved] Infected


This topic is locked
15 replies to this topic

#1 111mike (Authentic Member, 79 posts)

Posted 20 November 2007 - 05:11 PM

Hello,

I have a computer here that is experiencing many start-up and runtime difficulties. Extremely slow, pop-ups, browser redirects, etc.

Also, when I try to boot up into safe mode, I get the safe mode black screen, but no start menu or desktop icons. Just a plain black safe mode screen. I can Ctrl-Alt-Del to pull up Task Manager, but cannot run any programs through it.

Furthermore, after running AVG and Ad-Aware, the computer keeps restarting whenever I attempt to log on as another user. Finally got it booted up under Last Known Good Configuration.

Here's my HijackThis log.
Any help would be greatly appreciated,

Thank you,
111mike

Logfile of HijackThis v1.99.1
Scan saved at 2:59:28 PM, on 11/20/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\FSPC\fspc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\FSAUA\program\fsus.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {009AFE83-E233-4239-94B2-6379E961F631} - C:\WINDOWS\System32\enncmnnd.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {135B1B31-252E-4715-9B37-BFA3AB2AB6AD} - C:\WINDOWS\System32\awtsr.dll (file missing)
O2 - BHO: (no name) - {31EF5308-E90D-44D5-8E76-29626CDB4748} - C:\WINDOWS\System32\ctl3dv.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\System32\jelgkhso.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {62D8C559-3DF4-4591-886C-9DFC840D3106} - C:\WINDOWS\System32\enncmnnd.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\System32\nmrjinxv.dll",realset
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O12 - Plugin for .m4a: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: awtsr - C:\WINDOWS\System32\awtsr.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: __c0014CDE - C:\WINDOWS\System32\__c0014CDE.dat (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
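
Reading a log like this by hand comes down to a handful of signals: entries whose file is already gone ("(file missing)", "(no file)"), BHOs with no display name, an O4 Run entry that launches a DLL export through rundll32.exe, and short random-looking file names sitting in System32. The Python script below is an added example, not HijackThis code and not something either participant posted; it encodes those signals and runs them over lines copied from the log above (a constructed sample, with a few ordinary entries kept for contrast) to produce a review list. The heuristics are for prioritising manual verification, not for automatic removal: the igfxcui entry, which belongs to the Intel graphics driver that appears in the uninstall list later in the thread, trips the random-name rule and is a false positive.

```python
"""Triage heuristics for a HijackThis 1.99 log.

Added example: this is not HijackThis code and was not posted in the thread.
It applies the signals a helper reads off such a log by eye (entries whose
file is gone, BHOs with no display name, Run keys that load a DLL through
rundll32, random-looking file names in System32) and returns a short review
list instead of the whole log.
"""
import re

# Constructed sample: lines copied from the log posted above, with three
# ordinary entries (Yahoo! toolbar, AVG, Lexmark) left in for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {009AFE83-E233-4239-94B2-6379E961F631} - C:\WINDOWS\System32\enncmnnd.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {31EF5308-E90D-44D5-8E76-29626CDB4748} - C:\WINDOWS\System32\ctl3dv.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\System32\nmrjinxv.dll",realset
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: awtsr - C:\WINDOWS\System32\awtsr.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: __c0014CDE - C:\WINDOWS\System32\__c0014CDE.dat (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# "O2 - ...", "R1 - ...", "F2 - ...", "N1 - ..." line prefixes.
SECTION_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")
# A Windows path ending in an executable-ish file name (stops at whitespace or a quote).
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+\.(?:dll|exe|dat|sys)', re.IGNORECASE)
# 5 to 8 lowercase letters and no digits: the naming pattern of the dropped
# files that ComboFix later deleted from System32 in this thread.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}$")


def _reasons(section, body):
    """Return the list of heuristic hits for one log entry (empty if clean)."""
    reasons = []
    low = body.lower()
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned")            # registry still points at a removed file
    if section == "O2" and "(no name)" in body:
        reasons.append("unnamed-bho")         # legitimate BHOs register a display name
    if section == "O4" and "rundll32" in low and "\\system32\\" in low:
        reasons.append("rundll32-loader")     # Run key that executes a DLL export at logon
    for path in PATH_RE.findall(body):
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if "\\system32\\" in path.lower() and RANDOM_NAME_RE.match(stem):
            reasons.append("random-name")     # heuristic only; confirm by vendor lookup
            break
    return reasons


def triage(log_text):
    """Return [(section, line, reasons)] for every entry with at least one hit."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue                          # header, process list or blank line
        reasons = _reasons(m.group(1), m.group(2))
        if reasons:
            hits.append((m.group(1), line, reasons))
    return hits


if __name__ == "__main__":
    for section, line, reasons in triage(SAMPLE_LOG):
        print(f"{section:<4} {', '.join(reasons):<32} {line}")
```

Run as-is it prints the seven flagged lines from the sample; for a real log, HijackThis saves plain text, so triage(open(path).read()) works unchanged. Anything on the list still has to be confirmed (vendor of the file, whether the path exists, what the CLSID resolves to) before it goes into a fix.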



#2 Simon V. (MRU Emeritus, Authentic Member, 897 posts)

Posted 28 November 2007 - 10:45 AM

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

I'm sorry for the delay, seems like your topic got overlooked. If you come here in the future, there is a topic to post in if you haven't received a reply for over 5 days: http://forums.whatth...931#entry406931

Why don't you have Service Pack 2 installed? (Note: do not install Service Pack 2 before your computer is clean!)

Step 1

You are operating your computer with multiple Anti-Virus programs running in memory at once:

AVG 7.5
F-Secure Anti-Virus


Anti-Virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two Anti-Virus programs running at the same time can cause your computer to run very slow, become unstable and even crash.

If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

Please disable or uninstall one or the other so they do not conflict.

Step 2

Please disable Spyware Doctor OnGuard, as it may interfere with the fix.

  • From within Spyware Doctor, click the OnGuard button on the left side.
  • Uncheck Activate OnGuard.
  • Reboot your computer to complete the process.

Note: Be sure to enable Spyware Doctor OnGuard when you are clean!

Step 3

Please download Combofix:


Double-click on combofix.exe and follow the prompts.
When finished, it will produce a log for you. Save it to a convenient location.

Note: Do not mouseclick Combofix's window whilst it's running. That may cause it to stall.

Note: Combofix should never take more than 20 minutes, including the reboot if malware is detected. If it does, press Ctrl, Alt and Del at the same time and, under the Processes tab, end any processes of findstr, find, sed or swreg; then Combofix should continue. If that happens, I'd like to know, and which process you had to end.

Step 4

Open HijackThis.

  • Click on the Config button.
  • Click on the Misc Tools button.
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and save the file to a convenient location. When you press Save, Notepad will open with the contents of that file.

Step 5

In your next reply, please post:

  • why you don't have Service Pack 2 installed
  • the Combofix log (C:\Combofix.txt)
  • the Uninstall List (uninstall_list.txt)
  • a new HijackThis log


#3 111mike (Authentic Member, 79 posts)

Posted 28 November 2007 - 09:26 PM

Thank you for your response,

This is my girlfriend's computer. I'm not sure why sp2 is not installed. I know it was online, and I know that automatic updates was/is turned on. So, I'm not sure.

After my initial post, I uninstalled both f-secure and SpyDr. Before going back online, I will make sure there is adequate protection. Will also make sure sp2 gets installed.

Here are the logs:


Logfile of HijackThis v1.99.1
Scan saved at 4:46:42 PM, on 11/28/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {009AFE83-E233-4239-94B2-6379E961F631} - C:\WINDOWS\System32\enncmnnd.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {135B1B31-252E-4715-9B37-BFA3AB2AB6AD} - C:\WINDOWS\System32\awtsr.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {62D8C559-3DF4-4591-886C-9DFC840D3106} - C:\WINDOWS\System32\enncmnnd.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O12 - Plugin for .m4a: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: awtsr - C:\WINDOWS\System32\awtsr.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: __c0014CDE - C:\WINDOWS\System32\__c0014CDE.dat (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


360Share Pro(remove only)
Adobe Flash Player 9 ActiveX
Adobe Reader 6.0
Adobe Shockwave Player
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20030807.3)
AOL Instant Messenger (SM)
Apple Software Update
Atlantis - Trial by Fire
AVG 7.5
CCleaner (remove only)
CompuServe
eMachines Bay Reader
Google Earth
Google Photos Screensaver
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
Google Updater
HijackThis 1.99.1
ICQ
Intel® Extreme Graphics Driver
Intel® PRO Network Adapters and Drivers
Internet Explorer Q831167
iTunes
Java 2 Runtime Environment, SE v1.4.2
Learn2 Player (Uninstall Only)
Lexmark 4200 Series
Lexmark 4200 Series Fax Solutions
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Works 7.0
Mozilla Firefox (2.0.0.1)
Netscape 6 (6.2.1)
PHOTOfunSTUDIO -viewer-
PowerDVD
Public Messenger ver 2.03
QuickTime
RealPlayer Basic
Realtek AC'97 Audio
Search
Sierra On-Line Games (Remove only)
SoftV92 Data Fax Modem with SmartCP
Update for Windows XP (KB898461)
Viewpoint Media Player (Remove Only)
Winamp (remove only)
Windows Backup Utility
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar



ComboFix 07-11-19.4C - John 2007-11-28 13:56:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.334 [GMT -8:00]
Running from: K:\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\{3000E~1
C:\Program Files\Common Files\{E000E~1
C:\Program Files\Common Files\{E000E~2
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\ScreenSaver\Images\0032E20F.urr
C:\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn-new.html
C:\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn-new.html
C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Cache\00178973
C:\Program Files\MyWebSearch\bar\Cache\00185C63.bin
C:\Program Files\MyWebSearch\bar\Cache\00185FCE.bin
C:\Program Files\MyWebSearch\bar\Cache\0018629D.bin
C:\Program Files\MyWebSearch\bar\Cache\0018651E.bin
C:\Program Files\MyWebSearch\bar\Cache\0032B737
C:\Program Files\MyWebSearch\bar\Cache\0032BEE7
C:\Program Files\MyWebSearch\bar\Cache\0032C2A1.bin
C:\Program Files\MyWebSearch\bar\Cache\0032C715.bin
C:\Program Files\MyWebSearch\bar\Cache\0032CBF7.bin
C:\Program Files\MyWebSearch\bar\Cache\0032CE1A.bin
C:\Program Files\MyWebSearch\bar\Cache\00B9EF6D.bin
C:\Program Files\MyWebSearch\bar\Cache\00B9F1DE.bin
C:\Program Files\MyWebSearch\bar\Cache\00B9F47E.bin
C:\Program Files\MyWebSearch\bar\Cache\00B9F633.bin
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\spysheriff
C:\Program Files\spysheriff\base.avd
C:\Program Files\spysheriff\base001.avd
C:\Program Files\spysheriff\base002.avd
C:\Program Files\spysheriff\found.wav
C:\Program Files\spysheriff\notfound.wav
C:\Program Files\spysheriff\removed.wav
C:\Program Files\spysheriff\SpySheriff.dvm
C:\Program Files\spysheriff\SpySheriff.exe
C:\WINDOWS\system32\arfcwwbs.exe
C:\WINDOWS\system32\bcnvinrk.dll
C:\WINDOWS\system32\bkibhcwx.exe
C:\WINDOWS\system32\blbydghy.exe
C:\WINDOWS\system32\bvcnnxyi.exe
C:\WINDOWS\system32\cbqnlccv.exe
C:\WINDOWS\system32\ctl3dv.dll
C:\WINDOWS\system32\dgyexvxp.exe
C:\WINDOWS\system32\drivers\wybupstc.dat
C:\WINDOWS\system32\drxjuoxu.dll
C:\WINDOWS\system32\gsnutwbe.exe
C:\WINDOWS\system32\jukugdtp.dll
C:\WINDOWS\system32\lfepdicm.exe
C:\WINDOWS\system32\mhmhehkp.dll
C:\WINDOWS\system32\mjgxkdac.exe
C:\WINDOWS\system32\nefkrjri.dll
C:\WINDOWS\system32\njdwwjmn.exe
C:\WINDOWS\system32\nmrjinxv.dll
C:\WINDOWS\system32\nnvkhhmr.dll
C:\WINDOWS\system32\pkhehmhm.ini
C:\WINDOWS\system32\qpcdqrul.exe
C:\WINDOWS\system32\qrwkbjhi.exe
C:\WINDOWS\system32\rmhhkvnn.ini
C:\WINDOWS\system32\vqexxqpu.exe
C:\WINDOWS\system32\vxnijrmn.ini
C:\WINDOWS\system32\winjrqsj.exe
C:\WINDOWS\system32\xkyimunc.dll
C:\WINDOWS\system32\ybpjikcr.exe
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_AXGLWXEE
-------\LEGACY_CLIENT_IP-IPX
-------\LEGACY_DOMAINSERVICE
-------\axglwxee
-------\Client IP-IPX
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-20 15:17 <DIR> d-------- C:\WINDOWS\Google Toolbar
2007-11-20 14:53 <DIR> d-------- C:\Documents and Settings\Cindy\Application Data\AVG7
2007-11-20 11:15 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-20 11:15 <DIR> d-------- C:\Documents and Settings\John\Application Data\AVG7
2007-11-20 11:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-20 11:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-20 08:26 <DIR> d-------- C:\Program Files\CCleaner
2007-11-17 13:38 <DIR> d-------- C:\Documents and Settings\John\Application Data\Lavasoft
2007-11-17 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-17 13:29 <DIR> d-------- C:\Documents and Settings\John\Application Data\U3
2007-11-17 13:06 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-11-17 13:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-17 11:56 <DIR> d-------- C:\Documents and Settings\John\Application Data\Panasonic
2007-11-09 21:55 71,188 --a------ C:\WINDOWS\system32\nkxwbayo.exe
2007-11-09 09:20 71,188 --a------ C:\WINDOWS\system32\vouijqog.exe
2007-11-08 08:03 71,188 --a------ C:\WINDOWS\system32\slnhrlih.exe
2007-10-28 12:01 <DIR> d-------- C:\Documents and Settings\Cindy\Application Data\Panasonic
2007-10-28 11:57 <DIR> d-------- C:\Documents and Settings\Cindy\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-20 23:22 --------- d-----w C:\Program Files\Google
2007-11-20 23:22 --------- d-----w C:\Program Files\F-Secure
2007-11-20 23:17 --------- d-----w C:\Program Files\Panasonic
2007-11-20 23:02 --------- d-----w C:\Program Files\BigFix
2007-11-20 21:58 --------- d-----w C:\Program Files\QuickTime
2007-11-20 21:58 --------- d-----w C:\Program Files\Lexmark 4200 Series
2007-11-20 15:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-10 05:53 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-28 19:54 --------- d-----w C:\Program Files\iTunes
2007-10-27 21:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Tools
2007-05-20 02:22 1,499,350 --sha-w C:\WINDOWS\system32\rstwa.bak1
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{009AFE83-E233-4239-94B2-6379E961F631}]
C:\WINDOWS\System32\enncmnnd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{135B1B31-252E-4715-9B37-BFA3AB2AB6AD}]
C:\WINDOWS\System32\awtsr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62D8C559-3DF4-4591-886C-9DFC840D3106}]
C:\WINDOWS\System32\enncmnnd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-20 11:14]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-20 11:14]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-04-15 20:27:22]

[hklm\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{bd0fc212-0a36-4232-83cc-2063fb9282e0}"= C:\WINDOWS\System32\qzviz.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsr]
C:\WINDOWS\System32\awtsr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0014CDE]
C:\WINDOWS\System32\__c0014CDE.dat


.
Contents of the 'Scheduled Tasks' folder
"2007-11-19 00:22:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 14:02:06
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-28 14:02:57 - machine was rebooted
.
--- E O F ---


Thanks

#4 Simon V. (MRU Emeritus, Authentic Member, 897 posts)

Posted 29 November 2007 - 12:11 AM

Hi :)

Download the diagnostic tool MGADiag and save it to your desktop.

  • Double-click on MGADiag.exe.
  • Click Run and Run again.
  • Click Continue, then Copy.
  • Paste the report back here.


#5 111mike (Authentic Member, 79 posts)

Posted 29 November 2007 - 12:14 PM

Downloaded MGADiag.exe as suggested. Single-clicked to open (computer is set to open files with a single click). There was no Run option, however. Selected Continue to run diagnostics. It took 30 seconds or so to run and then produced various operating system information. Selected Copy when finished, but nothing happened. No options for a report or anything similar. Closed it. Tried several times, but same results. There was a Resolve button, but your instructions did not say to select it, so I left it alone.

111mike

#6 Simon V. (MRU Emeritus, Authentic Member, 897 posts)

Posted 29 November 2007 - 12:33 PM

Hi :)

When you click Copy, the report will be automatically copied to the clipboard. Just click on the Add Reply button, right-click and select Paste. The report should now be pasted in the reply window.

#7 111mike (Authentic Member, 79 posts)

Posted 29 November 2007 - 01:54 PM

Here ye be,

Diagnostic Report (1.7.0066.0):
-----------------------------------------
WGA Data-->
Validation Status: Validation Control not Installed
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-J8BM6-MXPH6-3R2BW
Windows Product Key Hash: YMRVitCEjlJfwDQfjDvm97FbWA4=
Windows Product ID: 55277-OEM-2111907-00103
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.1.0.hom
CSVLK Server: N/A
CSVLK PID: N/A
ID: {5DAEE3F0-3CD4-4810-BA69-D3264122B161}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1_16E0B333-147-80004005_E2AD56EA-337-8009_E2AD56EA-338-2ee7_16E0B333-80-80004005_78155E4D-303-80004005
Resolution Status: N/A

Notifications Data-->
Cached Result: N/A
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: FCEE394C-2989-80070002

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control:
Active scripting:
Script ActiveX controls marked as safe for scripting:

File Scan Data-->

Other data-->
Office Details:
<GenuineResults><MachineData><UGUID>{5DAEE3F0-3CD4-4810-BA69-D3264122B161}</UGUID><Version>1.7.0066.0</Version><OS>5.1.2600.2.00010300.1.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-3R2BW</PKey><PID>55277-OEM-2111907-00103</PID><PIDType>2</PIDType><SID>S-1-5-21-3399234712-2498161875-1829638493</SID><SYSTEM><Manufacturer>eMachines </Manufacturer><Model>D845GVSR </Model></SYSTEM><BIOS><Manufacturer>Intel Corp.</Manufacturer><Version>SR84510B.44T.0042.P09.0406030153</Version><SMBIOSVersion major="2" minor="3"/><Date>20040603******.******+***</Date><SLPBIOS>EMACHINES</SLPBIOS></BIOS><HWID>074F314F01842052</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>eMachines</name><model>T2958</model></SBID><OEM/><BRT/></MachineData> <Software><Office><Result>109</Result><Products/></Office></Software></GenuineResults>

#8 Simon V. (MRU Emeritus, Authentic Member, 897 posts)

Posted 29 November 2007 - 02:46 PM

Hi :)

Step 1

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

File::

C:\WINDOWS\system32\nkxwbayo.exe
C:\WINDOWS\system32\vouijqog.exe
C:\WINDOWS\system32\slnhrlih.exe
C:\WINDOWS\system32\rstwa.bak1

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{009AFE83-E233-4239-94B2-6379E961F631}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{135B1B31-252E-4715-9B37-BFA3AB2AB6AD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62D8C559-3DF4-4591-886C-9DFC840D3106}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{bd0fc212-0a36-4232-83cc-2063fb9282e0}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsr]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0014CDE]

Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.

Step 2

Please do an online scan with Kaspersky WebScanner.

Click on Kaspersky Online Scanner. On the welcome screen, click Accept.

You will be prompted to install an ActiveX component from Kaspersky, click Install.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:

  • Scan using the following Anti-Virus database:

    Extended (if available, otherwise Standard)

  • Scan Options:

    Scan Archives
    Scan Mail Bases

  • Click OK.
  • Now under Select a Target to Scan:

    Select My Computer.

  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop.

Step 3

In your next reply, please post:

  • the Combofix log (C:\Combofix.txt)
  • the Kaspersky Online Scan report
  • a new HijackThis log


#9 111mike

111mike

    Authentic Member

  • Authentic Member
  • PipPip
  • 79 posts

Posted 29 November 2007 - 03:28 PM

The computer that I'm working on is not online. I can't run Kaspersky.

#10 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • PipPipPipPip
  • 897 posts

Posted 29 November 2007 - 03:32 PM

OK, please only post the Combofix log and tell me how your computer is running.



#11 111mike

111mike

    Authentic Member

  • Authentic Member
  • PipPip
  • 79 posts

Posted 29 November 2007 - 04:48 PM

Here is the log. Everything seems to be running very smoothly. Safe mode is now working correctly. All the icons and start menu are visible and working. Computer boots up quick and normal. Thank you very much for your help. By the way, is it hard to learn how to do what you do here? Is this something I should be asking at the Malware University link? If there's more to be done here, let me know. Otherwise, thanks again.


ComboFix 07-11-19.4C - John 2007-11-29 14:02:23.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.318 [GMT -8:00]
Running from: K:\ComboFix.exe
Command switches used :: K:\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\nkxwbayo.exe
C:\WINDOWS\system32\rstwa.bak1
C:\WINDOWS\system32\slnhrlih.exe
C:\WINDOWS\system32\vouijqog.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\nkxwbayo.exe
C:\WINDOWS\system32\rstwa.bak1
C:\WINDOWS\system32\slnhrlih.exe
C:\WINDOWS\system32\vouijqog.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.

2007-11-29 09:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-11-20 15:17 <DIR> d-------- C:\WINDOWS\Google Toolbar
2007-11-20 14:53 <DIR> d-------- C:\Documents and Settings\Cindy\Application Data\AVG7
2007-11-20 11:15 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-20 11:15 <DIR> d-------- C:\Documents and Settings\John\Application Data\AVG7
2007-11-20 11:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-20 11:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-20 08:26 <DIR> d-------- C:\Program Files\CCleaner
2007-11-17 13:38 <DIR> d-------- C:\Documents and Settings\John\Application Data\Lavasoft
2007-11-17 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-17 13:29 <DIR> d-------- C:\Documents and Settings\John\Application Data\U3
2007-11-17 13:06 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-11-17 13:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-17 11:56 <DIR> d-------- C:\Documents and Settings\John\Application Data\Panasonic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 22:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-20 23:22 --------- d-----w C:\Program Files\Google
2007-11-20 23:22 --------- d-----w C:\Program Files\F-Secure
2007-11-20 23:17 --------- d-----w C:\Program Files\Panasonic
2007-11-20 23:02 --------- d-----w C:\Program Files\BigFix
2007-11-20 22:53 1,219,675 --sh--w C:\WINDOWS\system32\rstwa.ini2
2007-11-20 21:58 --------- d-----w C:\Program Files\QuickTime
2007-11-20 21:58 --------- d-----w C:\Program Files\Lexmark 4200 Series
2007-11-10 05:55 449,956 --sha-w C:\WINDOWS\system32\rstwa.bak2
2007-11-10 05:53 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-28 20:01 --------- d-----w C:\Documents and Settings\Cindy\Application Data\Panasonic
2007-10-28 19:57 --------- d-----w C:\Documents and Settings\Cindy\Application Data\Apple Computer
2007-10-28 19:54 --------- d-----w C:\Program Files\iTunes
2007-10-27 21:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Tools
.

((((((((((((((((((((((((((((( snapshot@2007-11-28_14.02.21.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-28 21:56:33 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
+ 2007-11-29 22:02:20 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-20 11:14]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-20 11:14]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-04-15 20:27:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0014CDE]
C:\WINDOWS\System32\__c0014CDE.dat


.
Contents of the 'Scheduled Tasks' folder
"2007-11-19 00:22:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 14:03:00
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-29 14:03:28
C:\ComboFix2.txt ... 2007-11-28 14:02
.
--- E O F ---

#12 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • PipPipPipPip
  • 897 posts

Posted 30 November 2007 - 12:30 AM

Hi :)

By the way, is it hard to learn how to do what you do here? Is this something I should be asking at the Malware University link?

If you're eager to learn, it's not that hard, it just takes some time. If you follow the link to either Malware Removal University or WhatTheTech Classroom, you'll see a link on how to join.

Step 1

Be sure that you are set to see hidden files and folders:

  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labelled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labelled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labelled Hide protected operating system files. Answer Yes to the prompt.
  • Press the Apply button and then the OK button and close My Computer.

Step 2

Navigate to the following files/folders using Windows Explorer and delete them when found:

C:\WINDOWS\system32\rstwa.ini2
C:\WINDOWS\system32\rstwa.bak2

Step 3

Copy the text below into a Notepad (Go to Start > Run, type Notepad and hit Enter) document:

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0014CDE]

Note: Make sure there is no blank line before REGEDIT4 and one blank line at the end.

Go to File > Save As... Save the file as "Fix.reg" (including the quotes).

Double-click on Fix.reg. When asked if you want to merge the file with the registry, click Yes.

Reboot your computer.

You should now visit http://update.microsoft.com/ and download all available updates, most importantly Service Pack 2.

In your next reply, please post a new HijackThis log.

#13 111mike

111mike

    Authentic Member

  • Authentic Member
  • PipPip
  • 79 posts

Posted 30 November 2007 - 01:12 AM

Thanks. I'll have to check out MRU further. I have lots of time on my hands.
Here's the log you requested.

Logfile of HijackThis v1.99.1
Scan saved at 11:08:00 PM, on 11/29/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O12 - Plugin for .m4a: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#14 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • PipPipPipPip
  • 897 posts

Posted 30 November 2007 - 09:49 AM

Hi :)

You should now visit http://update.microsoft.com/ and download all available updates, most importantly Service Pack 2.

This is very important. An unpatched system is more vulnerable to malware infections.

You can fix this line in HijackThis:

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

Your logs look clean; please advise of any problems you are still experiencing, or follow these simple steps to keep your computer clean in the future:

Click Start then Run....

  • Type Combofix /u in the runbox and click OK. (Note: The space between the x and the /u needs to be there)

    Posted Image
  • When shown the disclaimer, select 2.

Rehide your System Files

  • Double-click My Computer.
  • Click the Tools menu, and then click Folder Options.
  • Click the View tab.
  • Put a check next to Hide file extensions for known file types.
  • Under the Hidden files folder, select Do not show hidden files and folders.
  • Check Hide protected operating system files.
  • Click Apply, and then click OK.

Disable and Enable System Restore - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

Step 1: Turn off System Restore:

  • On the desktop, right-click My Computer
  • Click Properties
  • Click the System Restore tab
  • Check Turn off System Restore
  • Click Apply, and then click OK

Step 2: Reboot your computer.

Step 3: Turn on System Restore:

  • On the desktop, right-click My Computer
  • Click Properties
  • Click the System Restore tab
  • Uncheck Turn off System Restore
  • Click Apply, and then click OK

Note: Only do this once, NOT on a regular basis!

Make your Internet Explorer More Secure

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.

  • Change the Download signed ActiveX controls to Prompt.
  • Change the Download unsigned ActiveX controls to Disable.
  • Change the Initialise and script ActiveX controls not marked as safe to Disable.
  • Change the Installation of desktop items to Prompt.
  • Change the Launching programs and files in an IFRAME to Prompt.
  • Change the Navigate sub-frames across different domains to Prompt.
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.

  • Next press the Apply button and then the OK to exit the Internet Properties page.

Update your Anti-Virus Software - It is very important that you update your anti-virus software at least once a week (even more if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that will come out.

Use a Firewall - Without a firewall your computer is susceptible to being hacked and taken over. The Windows firewall isn't sufficient as it only monitors incoming connections.

Here are a few (free) firewalls, please download and install one of them:


Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real time spyware and hijacker protection on your computer alongside your virus protection. You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here:
Instructions for - Spybot S & D and Ad-aware

Install Ad-Aware - Download and install Ad-Aware. You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here:
Instructions for - Spybot S & D and Ad-aware

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Stand Up and Be Counted! - Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints: Malware Complaints. You have to be registered to post. After registering just find your country room and register your complaint. The infection you had was Vundo (Virtumundo).
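The triage Simon V. does by eye in this thread (an O2 BHO entry with "(no file)", O20 Winlogon Notify entries such as the awtsr and __c0014CDE keys removed earlier, and a Notify entry whose path HijackThis could not resolve) can be expressed as a small log checker. The script below is an added example written for this page; it is not part of HijackThis, ComboFix or the forum's tooling. The sample log lines are constructed in the HijackThis v1.99 format shown in the thread (the O2 "(no file)" and WgaLogon lines are taken from the posted log; the awtsr DLL path is made up for the example), and the allowlist of Windows XP default Notify packages plus the igfxcui and WgaLogon entries seen in this log is an assumption you should tune for your own baseline.

```python
"""Triage a HijackThis log for Vundo-style persistence indicators.

Added example for this thread, not HijackThis or ComboFix code.  It flags:
  * O2 BHO registrations whose DLL is missing ("(no file)"), which are
    orphaned entries that HijackThis can safely fix;
  * O20 Winlogon Notify packages not on a known-good allowlist, the
    persistence point Vundo used here (awtsr, __c0014CDE);
  * O20 entries whose path HijackThis could not resolve to a .dll.
"""
import re
from typing import Dict, List

# Constructed sample in HijackThis v1.99 line format.  The O2 "(no file)"
# and WgaLogon lines are quoted from the log posted in the thread; the
# awtsr line and its DLL path are constructed for this example.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\
O20 - Winlogon Notify: awtsr - C:\\WINDOWS\\system32\\awtsr.dll
"""

# Assumed baseline: Windows XP default Winlogon Notify packages plus the
# Intel graphics and WGA entries present on this machine.  Adjust per image.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
    "igfxcui", "wgalogon",
}

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding dict per suspicious O2/O20 line, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = O2_RE.match(line)
        if m:
            if m.group("path") == "(no file)":
                findings.append({
                    "kind": "orphan_bho",
                    "subject": m.group("clsid"),
                    "line": line,
                    "note": "BHO CLSID registered but its DLL is gone; fix in HijackThis",
                })
            continue

        m = O20_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if name.lower() not in KNOWN_NOTIFY:
                findings.append({
                    "kind": "unknown_notify",
                    "subject": name,
                    "line": line,
                    "note": "Winlogon Notify package not in baseline; inspect the DLL",
                })
            elif not path.lower().endswith(".dll"):
                findings.append({
                    "kind": "unresolved_notify_path",
                    "subject": name,
                    "line": line,
                    "note": "known package but HijackThis could not resolve its DLL",
                })
    return findings


def summary(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per kind, handy for a quick verdict."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['subject']}: {f['note']}")
    print(summary(triage(SAMPLE_LOG)))
```

Run it against a saved HijackThis log instead of SAMPLE_LOG by reading the file into `triage()`. A Notify package outside the baseline is only a lead, not a verdict: as the thread shows, the next step is to look at the referenced DLL (hidden attributes, recent timestamp, unsigned) before removing the key with a `.reg` or CFScript.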

#15 111mike

111mike

    Authentic Member

  • Authentic Member
  • PipPip
  • 79 posts

Posted 30 November 2007 - 11:13 AM

Thanks again for your help.
