[Fixed] WinFix?? - posted in the Security & Safety forums
#1
10-02-2006
mcollise - Bronze Member - Join Date: Oct 2006 - Posts: 6
[Fixed] WinFix??

Hello,
I was wondering if someone could please help me. I am not the most computer smart bloke in the world, but my computer is suffering from pop up ads and pop up spyware and virus information, as well as "click here to download the latest virus and spyware software...". I have been told I may have winfix / winantivirus?? I am not sure. I have followed your screens and here are my hijack log and ewido logs.

Logfile of HijackThis v1.99.1
Scan saved at 10:17:50 PM, on 2/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Windows\system32\HpSrvUI.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\system32\msiexec.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo!7
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: BigPond Toolbar - {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O3 - Toolbar: Seekmo Toolbar - {53E0B6E8-A51D-448B-B692-40B67B285543} - C:\Program Files\Seekmo Programs\Seekmo Toolbar\SeekmoTB.dll
O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_3 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/80a3...43dcaf4_35.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{4443EEB7-32B6-4C55-BE7D-1CA7FB9F32D3}: Domain = sa.bigpond.net.au
O21 - SSODL: ************ - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

AND

ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 9:59:45 PM 2/10/2006
+ Scan result:

C:\Program Files\Safety Bar -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Safety Bar\SafetyBar.dll -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Safety Bar\Uninstall.bat -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1359937993-2584481472-1090776897-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\system32\isnotify.exe -> Downloader.Zlob.aew : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe -> Dropper.Small : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\\kernel32.dll -> Trojan.Small : Cleaned with backup (quarantined).

Hopefully someone can help me get rid of this thing on my computer. It is driving me nuts.

Thank you

Mark
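Added example (not from this thread, nor part of HijackThis or ewido): a small Python triage script that parses the entry lines of a HijackThis v1.99-style log like the one above and applies a few of the defender-side heuristics a forum helper applies by eye (DPF entries that pull a bare .exe, SSODL entries with no file, services of unknown publisher, watch-listed toolbar names). The sample log lines, the placeholder download URL and the WATCHLIST are constructed for the example.

```python
"""Triage helper for HijackThis v1.99-style log entries.

Added example, not part of the thread or of HijackThis. It parses the
"Rx - ..." / "Oxx - ..." entry lines and applies a handful of heuristics.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in HijackThis format, modelled on the thread's log.
# The DPF .exe URL is a placeholder (the real one is not reproduced here).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: Seekmo Toolbar - {53E0B6E8-A51D-448B-B692-40B67B285543} - C:\Program Files\Seekmo Programs\Seekmo Toolbar\SeekmoTB.dll
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://dpf-sample.invalid/update_35.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O21 - SSODL: ************ - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
"""

# Assumption: a constructed watch-list of adware/toolbar names. In practice
# this would be a maintained list; Seekmo is the one visible in the thread.
WATCHLIST = ("seekmo",)

# Section tag such as "O16" or "R1", then " - ", then the entry body.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")


@dataclass
class Finding:
    section: str
    severity: str   # "flag" = act on it, "review" = look closer before acting
    reason: str
    line: str


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Return (section, body) for an entry line; None for process/header lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def check_entry(section: str, body: str, line: str) -> Optional[Finding]:
    """Apply the per-section heuristics; return a Finding or None."""
    lower = body.lower()
    if section == "O16":
        # DPF = ActiveX "Downloaded Program Files". Legitimate entries fetch a
        # .cab/.ocx/.dll and carry a component name in parentheses.
        target = body.rsplit(" - ", 1)[-1].strip()
        if target.lower().endswith(".exe"):
            return Finding(section, "flag", "DPF entry pulls a bare .exe", line)
        if "(" not in body:
            return Finding(section, "review", "DPF entry without a component name", line)
    elif section == "O21":
        # ShellServiceObjectDelayLoad objects are loaded at every Explorer start;
        # a garbage name or a missing file is a classic hijack sign.
        name = body.split(":", 1)[1].split(" - ")[0].strip()
        if body.endswith("(no file)") or not re.search(r"[A-Za-z0-9]", name):
            return Finding(section, "flag", "SSODL entry with no file or garbage name", line)
    elif section in ("O3", "O4"):
        if any(w in lower for w in WATCHLIST):
            return Finding(section, "flag", "watch-listed adware/toolbar name", line)
    elif section == "O23":
        if "unknown owner" in lower:
            return Finding(section, "review", "service with unknown publisher", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Parse every line of a log and collect the findings in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed:
            f = check_entry(parsed[0], parsed[1], line.strip())
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
```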


#2
10-02-2006
joe5 - Elite Member - Join Date: Jun 2005 - Location: Netherlands - Posts: 9,036

Hya Mark, you've got a couple of problems going on there.


1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Please download VundoFix.exe to your desktop.
  • Double-click *VundoFix.exe* to run it.
  • Click the *Scan for Vundo* button.
  • Once it's done scanning, click the *Remove Vundo* button.
  • You will receive a prompt asking if you want to remove the files, click *YES*
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click *OK*.
  • Please post the contents of C:\*vundofix.txt* in your next reply.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the *Scan for Vundo* button." when
VundoFix appears at reboot.




Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP


When done, please post the Combofix log, the Vundofix log, the Smitfraudfix log, and a new HiJackThis log.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

#3
10-03-2006
mcollise - Bronze Member - Join Date: Oct 2006 - Posts: 6

Hi Joe5, thanks for the advice. I have done the scans you asked me to with the following results. Hope this makes sense to you!!

COMBOFIX SCAN LOG

Owner - 06-10-03 15:34:01.20 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Owner\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Inetget2
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{3003B0BD-0958-1033-0207-03102520003d}

((((((((((((((((((((((((((((((( Files Created from 2006-09-03 to 2006-10-03 ))))))))))))))))))))))))))))))))))

2006-10-02 17:32 86,068 --a------ C:\WINDOWS\system32\genhnlyn.dll
2006-10-02 17:32 86,068 --a------ C:\WINDOWS\system32\genhnlyn.dll
2006-09-28 07:42 668,049 ---hs---- C:\WINDOWS\system32\uvvwa.bak2
2006-09-28 07:42 668,049 ---hs---- C:\WINDOWS\system32\uvvwa.bak2
2006-09-27 21:06 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-09-27 21:06 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-09-27 07:36 45,525 --a------ C:\WINDOWS\system32\uiriwxud.dll
2006-09-27 07:36 45,525 --a------ C:\WINDOWS\system32\uiriwxud.dll
2006-09-27 07:35 669,158 ---hs---- C:\WINDOWS\system32\uvvwa.bak1
2006-09-27 07:35 669,158 ---hs---- C:\WINDOWS\system32\uvvwa.bak1
2006-09-27 07:35 577,588 ---hs---- C:\WINDOWS\system32\awvvu.dll
2006-09-27 07:35 577,588 ---hs---- C:\WINDOWS\system32\awvvu.dll
2006-09-27 07:35 143,380 --a------ C:\WINDOWS\system32\pmocvafg.exe
2006-09-27 07:35 143,380 --a------ C:\WINDOWS\system32\pmocvafg.exe
2006-09-07 10:38 0 --a------ C:\WINDOWS\system32\Ultra.dll
2006-09-07 10:38 0 --a------ C:\WINDOWS\system32\Ultra.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-03 05:46 -------- d-------- C:\Program Files\Common Files
2006-10-02 23:22 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-10-02 18:30 -------- d-------- C:\Program Files\Microsoft Office
2006-10-02 18:14 -------- d-------- C:\Program Files\WildTangent
2006-10-02 18:13 -------- d-------- C:\Program Files\LimeWire
2006-09-29 17:57 -------- d-------- C:\Program Files\PcBugDoctor
2006-09-27 21:07 -------- d-------- C:\Program Files\Internet Explorer
2006-09-27 17:01 -------- d-------- C:\Program Files\Trend Micro
2006-09-27 07:36 -------- d-------- C:\Program Files\VSToolbar
2006-09-27 07:36 -------- d-------- C:\Documents and Settings\Owner\Application Data\SearchToolbarCorp
2006-09-26 13:24 -------- d-------- C:\Program Files\PConPoint
2006-09-21 10:44 -------- d-------- C:\Program Files\Seekmo Programs
2006-09-09 15:07 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-09-09 15:06 -------- d-------- C:\Documents and Settings\Owner\Application Data\Template
2006-09-07 10:00 -------- d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-09-07 09:59 -------- d-------- C:\Program Files\Lavasoft
2006-09-06 20:27 31248 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2006-09-06 20:27 197648 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2006-09-06 20:09 1051456 --a------ C:\WINDOWS\system32\drivers\VsapiNT.sys
2006-09-06 12:03 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-30 09:11 -------- d-------- C:\Program Files\Windows Media Player
2006-08-21 21:51 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 18:44 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 18:44 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-12 04:08 -------- d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2006-08-07 16:21 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-07-27 22:54 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 17:54 72704 --a------ C:\WINDOWS\system32\hlink.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"MoneyAgent"="\"c:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_3 -reboot 1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"hp Silent Service"="C:\\Windows\\system32\\HpSrvUI.exe"
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"CamMonitor"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\hpqcmon.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"StorageGuard"="\"C:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"USB"="C:\\WINDOWS\\system32\\usb.exe"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"BigPond Toolbar"="\"C:\\Program Files\\Telstra\\Toolbar\\bpumTray.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2006\\pccguide.exe\""
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonceex]
@=""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="about:Home"
"SubscribedURL"="about:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"************"="{03413bf7-e34c-445b-bfc0-a2b127255871}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvvu
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmqx32
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\BugDoctorOwner.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1100658809.job
C:\WINDOWS\tasks\Owner backup.job
C:\WINDOWS\tasks\Owner scan and fix.job

Completion time: Tue 03/10/2006 15:35:46.68
ComboFix.txt
ComboFix2.txt


VUNDOFIX LOG

When I did this scan it originally got one thing but after I hit the delete button, it got rid of it and I can't find any log, so I did another Vundo scan and it said that nothing was detected. So sorry I can't give you a scan log from this one.

SMITFRAUDFIX LOG

SmitFraudFix v2.104
Scan done at 17:24:41.18, Tue 03/10/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1
C:\DOCUME~1\Owner\FAVORI~1\Antivirus Test Online.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="about:Home"
"SubscribedURL"="about:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End


NEW HIJACK LOG

Logfile of HijackThis v1.99.1
Scan saved at 5:24:00 PM, on 3/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Windows\system32\HpSrvUI.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\NOTEPAD.EXE
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqKYGRP.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo!7
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_3 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/80a3...43dcaf4_35.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{4443EEB7-32B6-4C55-BE7D-1CA7FB9F32D3}: Domain = sa.bigpond.net.au
O21 - SSODL: ************ - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


Hopefully you can make sense of all this, and once again thank you for all your help.

Mark


#4
10-03-2006
joe5 - Elite Member - Join Date: Jun 2005 - Location: Netherlands - Posts: 9,036

Please print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode. (hit F8 before Windows loads when booting up)
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.

The report can also be found at the root of the system drive, usually at C:\rapport.txt



Please download VirtumundoBeGone:
http://secured2k.home.comcast.net/to...undoBeGone.exe

* Save it to the Desktop
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the Desktop
* Follow the directions as indicated

This program may generate a "BLUE SCREEN OF DEATH" which is an expected/necessary part of the process.
Do not be concerned.
Just reboot if your system "jams".

To confirm successful deletion, and determine if there are any additional problems, please post the VirtumundoBeGone log VBG.txt. It is found on the Desktop.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
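The VBG.txt log requested above records the check VirtumundoBeGone makes: a BHO with no default name whose DLL basename also exists as a HKLM\...\Winlogon\Notify subkey is treated as Virtumundo, while nameless BHOs without such a key are left alone. The script below applies that same check to HijackThis O2/O20 lines so a log can be triaged before a cleaner is run; it is an added example, not code from this thread, from HijackThis or from VirtumundoBeGone, and the sample lines and the assumed O20 line format are constructed from entries in this thread.

```python
"""Triage a HijackThis log for the nameless-BHO / Winlogon Notify pattern.
Added example; not from the thread, HijackThis or VirtumundoBeGone. Assumes the
formats "O2 - BHO: <name> - {CLSID} - <dll>" and "O20 - Winlogon Notify: <key> - <dll>"."""
import ntpath
import re
from collections import namedtuple

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                    r"(?P<path>.+?)(?: \((?P<note>file missing)\))?$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
Finding = namedtuple("Finding", "clsid path notify_key severity reason")

# Constructed sample: one named BHO, the awvvu pair VirtumundoBeGone removed,
# and the two nameless BHOs it left alone because no Notify key matched them.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A40CA1A-DA1A-4A68-9680-F6F8E5A824A3} - C:\WINDOWS\system32\awvvu.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\genhnlyn.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O20 - Winlogon Notify: awvvu - C:\WINDOWS\system32\awvvu.dll
"""

def dll_stem(path):
    # Windows path rules regardless of host OS: C:\...\awvvu.dll -> "awvvu"
    return ntpath.splitext(ntpath.basename(path))[0].lower()

def triage(lines):
    """One Finding per nameless BHO, ranked the way the VBG log ranks them."""
    notify, bhos = {}, []   # Notify subkey name -> handler DLL; nameless O2 matches
    for line in lines:
        line = line.strip()
        m = NOTIFY_RE.match(line)
        if m:
            notify[m.group("key").lower()] = m.group("path")
            continue
        m = BHO_RE.match(line)
        if m and m.group("name") == "(no name)":   # named BHOs are out of scope here
            bhos.append(m)
    findings = []
    for m in bhos:
        clsid, path = m.group("clsid"), m.group("path")
        stem = dll_stem(path)
        if stem in notify:   # same DLL name also hooked into Winlogon: Virtumundo pattern
            findings.append(Finding(clsid, path, stem, "high", "matching Winlogon Notify key"))
        elif m.group("note") == "file missing":
            findings.append(Finding(clsid, path, None, "low", "orphaned entry, DLL already gone"))
        else:
            findings.append(Finding(clsid, path, None, "info", "no Winlogon Notify reference"))
    return findings
```

Run against a real log with `triage(open("hijackthis.log").read().splitlines())`; only the "high" finding corresponds to what VirtumundoBeGone actually disabled in the thread's log.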

  #5  
Old 10-04-2006
Bronze Member
Join Date: Oct 2006
Posts: 6

Hello,
I have done all those new scans and attached the logs below. Please tell me that I have gotten rid of this thing.....

Smitfraudfix log

SmitFraudFix v2.104
Scan done at 16:28:16.03, Wed 04/10/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\DOCUME~1\Owner\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End


VirtumundoBeGone Log

[10/04/2006, 16:49:26] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe" )
[10/04/2006, 16:49:33] - Detected System Information:
[10/04/2006, 16:49:33] - Windows Version: 5.1.2600, Service Pack 2
[10/04/2006, 16:49:33] - Current Username: Owner (Admin)
[10/04/2006, 16:49:33] - Windows is in NORMAL mode.
[10/04/2006, 16:49:33] - Searching for Browser Helper Objects:
[10/04/2006, 16:49:33] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[10/04/2006, 16:49:33] - BHO 2: {06647158-359E-4D10-A8DE-E6145DA90BE9} (Trend Micro Antifraud Toolbar)
[10/04/2006, 16:49:33] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[10/04/2006, 16:49:33] - BHO 4: {1A40CA1A-DA1A-4A68-9680-F6F8E5A824A3} ()
[10/04/2006, 16:49:33] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/04/2006, 16:49:33] - Checking for HKLM\...\Winlogon\Notify\awvvu
[10/04/2006, 16:49:33] - Found: HKLM\...\Winlogon\Notify\awvvu - This is probably Virtumundo.
[10/04/2006, 16:49:33] - Assigning {1A40CA1A-DA1A-4A68-9680-F6F8E5A824A3} MSEvents Object
[10/04/2006, 16:49:33] - BHO list has been changed! Starting over...
[10/04/2006, 16:49:33] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[10/04/2006, 16:49:33] - BHO 2: {06647158-359E-4D10-A8DE-E6145DA90BE9} (Trend Micro Antifraud Toolbar)
[10/04/2006, 16:49:33] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[10/04/2006, 16:49:33] - BHO 4: {1A40CA1A-DA1A-4A68-9680-F6F8E5A824A3} (MSEvents Object)
[10/04/2006, 16:49:33] - ALERT: Found MSEvents Object!
[10/04/2006, 16:49:33] - BHO 5: {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} (ActivateBand Class)
[10/04/2006, 16:49:33] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[10/04/2006, 16:49:33] - BHO 7: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[10/04/2006, 16:49:33] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/04/2006, 16:49:33] - Checking for HKLM\...\Winlogon\Notify\genhnlyn
[10/04/2006, 16:49:33] - Key not found: HKLM\...\Winlogon\Notify\genhnlyn, continuing.
[10/04/2006, 16:49:33] - BHO 8: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} ()
[10/04/2006, 16:49:33] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/04/2006, 16:49:33] - Checking for HKLM\...\Winlogon\Notify\mnyviewer
[10/04/2006, 16:49:33] - Key not found: HKLM\...\Winlogon\Notify\mnyviewer, continuing.
[10/04/2006, 16:49:33] - Finished Searching Browser Helper Objects
[10/04/2006, 16:49:33] - *** Detected MSEvents Object
[10/04/2006, 16:49:33] - Trying to remove MSEvents Object...
[10/04/2006, 16:49:34] - Terminating Process: IEXPLORE.EXE
[10/04/2006, 16:49:37] - Terminating Process: RUNDLL32.EXE
[10/04/2006, 16:49:37] - Disabling Automatic Shell Restart
[10/04/2006, 16:49:37] - Terminating Process: EXPLORER.EXE
[10/04/2006, 16:49:38] - Suspending the NT Session Manager System Service
[10/04/2006, 16:49:38] - Terminating Windows NT Logon/Logoff Manager
[10/04/2006, 16:49:39] - Re-enabling Automatic Shell Restart
[10/04/2006, 16:49:39] - File to disable: C:\WINDOWS\system32\awvvu.dll
[10/04/2006, 16:49:39] - Renaming C:\WINDOWS\system32\awvvu.dll -> C:\WINDOWS\system32\awvvu.dll.vir
[10/04/2006, 16:49:40] - File successfully renamed!
[10/04/2006, 16:49:40] - Removing HKLM\...\Browser Helper Objects\{1A40CA1A-DA1A-4A68-9680-F6F8E5A824A3}
[10/04/2006, 16:49:40] - Removing HKCR\CLSID\{1A40CA1A-DA1A-4A68-9680-F6F8E5A824A3}
[10/04/2006, 16:49:40] - Adding Kill Bit for ActiveX for GUID: {1A40CA1A-DA1A-4A68-9680-F6F8E5A824A3}
[10/04/2006, 16:49:40] - Deleting ATLEvents/MSEvents Registry entries
[10/04/2006, 16:49:40] - Removing HKLM\...\Winlogon\Notify\awvvu
[10/04/2006, 16:49:40] - Searching for Browser Helper Objects:
[10/04/2006, 16:49:40] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[10/04/2006, 16:49:40] - BHO 2: {06647158-359E-4D10-A8DE-E6145DA90BE9} (Trend Micro Antifraud Toolbar)
[10/04/2006, 16:49:40] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[10/04/2006, 16:49:40] - BHO 4: {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} (ActivateBand Class)
[10/04/2006, 16:49:40] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[10/04/2006, 16:49:40] - BHO 6: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[10/04/2006, 16:49:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/04/2006, 16:49:40] - Checking for HKLM\...\Winlogon\Notify\genhnlyn
[10/04/2006, 16:49:40] - Key not found: HKLM\...\Winlogon\Notify\genhnlyn, continuing.
[10/04/2006, 16:49:40] - BHO 7: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} ()
[10/04/2006, 16:49:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/04/2006, 16:49:40] - Checking for HKLM\...\Winlogon\Notify\mnyviewer
[10/04/2006, 16:49:40] - Key not found: HKLM\...\Winlogon\Notify\mnyviewer, continuing.
[10/04/2006, 16:49:40] - Finished Searching Browser Helper Objects
[10/04/2006, 16:49:40] - Finishing up...
[10/04/2006, 16:49:40] - A restart is needed.
[10/04/2006, 16:49:54] - Attempting to Restart via STOP error (Blue Screen!)
[10/04/2006, 16:58:48] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe" )
[10/04/2006, 16:58:51] - Detected System Information:
[10/04/2006, 16:58:51] - Windows Version: 5.1.2600, Service Pack 2
[10/04/2006, 16:58:51] - Current Username: Owner (Admin)
[10/04/2006, 16:58:51] - Windows is in NORMAL mode.
[10/04/2006, 16:58:51] - Searching for Browser Helper Objects:
[10/04/2006, 16:58:51] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[10/04/2006, 16:58:51] - BHO 2: {06647158-359E-4D10-A8DE-E6145DA90BE9} (Trend Micro Antifraud Toolbar)
[10/04/2006, 16:58:51] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[10/04/2006, 16:58:51] - BHO 4: {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} (ActivateBand Class)
[10/04/2006, 16:58:51] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[10/04/2006, 16:58:51] - BHO 6: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[10/04/2006, 16:58:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/04/2006, 16:58:51] - Checking for HKLM\...\Winlogon\Notify\genhnlyn
[10/04/2006, 16:58:51] - Key not found: HKLM\...\Winlogon\Notify\genhnlyn, continuing.
[10/04/2006, 16:58:51] - BHO 7: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} ()
[10/04/2006, 16:58:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/04/2006, 16:58:51] - Checking for HKLM\...\Winlogon\Notify\mnyviewer
[10/04/2006, 16:58:51] - Key not found: HKLM\...\Winlogon\Notify\mnyviewer, continuing.
[10/04/2006, 16:58:51] - Finished Searching Browser Helper Objects
[10/04/2006, 16:58:51] - Finishing up...
[10/04/2006, 16:58:51] - Nothing found! Exiting...
[10/04/2006, 16:59:20] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe" )
[10/04/2006, 16:59:21] - Detected System Information:
[10/04/2006, 16:59:21] - Windows Version: 5.1.2600, Service Pack 2
[10/04/2006, 16:59:21] - Current Username: Owner (Admin)
[10/04/2006, 16:59:21] - Windows is in NORMAL mode.
[10/04/2006, 16:59:21] - Searching for Browser Helper Objects:
[10/04/2006, 16:59:21] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[10/04/2006, 16:59:21] - BHO 2: {06647158-359E-4D10-A8DE-E6145DA90BE9} (Trend Micro Antifraud Toolbar)
[10/04/2006, 16:59:21] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[10/04/2006, 16:59:21] - BHO 4: {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} (ActivateBand Class)
[10/04/2006, 16:59:21] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[10/04/2006, 16:59:21] - BHO 6: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[10/04/2006, 16:59:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/04/2006, 16:59:21] - Checking for HKLM\...\Winlogon\Notify\genhnlyn
[10/04/2006, 16:59:21] - Key not found: HKLM\...\Winlogon\Notify\genhnlyn, continuing.
[10/04/2006, 16:59:21] - BHO 7: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} ()
[10/04/2006, 16:59:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/04/2006, 16:59:21] - Checking for HKLM\...\Winlogon\Notify\mnyviewer
[10/04/2006, 16:59:21] - Key not found: HKLM\...\Winlogon\Notify\mnyviewer, continuing.
[10/04/2006, 16:59:21] - Finished Searching Browser Helper Objects
[10/04/2006, 16:59:21] - Finishing up...
[10/04/2006, 16:59:21] - Nothing found! Exiting...

And the latest HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 5:00:34 PM, on 4/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Windows\system32\HpSrvUI.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Trend Micro Antifraud Toolbar - {06647158-359E-4D10-A8DE-E6145DA90BE9} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ActivateBand Class - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\genhnlyn.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "