I've got the recent version of the VX2 malware that nothing seems to clean. Here's a HijackThis log, and I'll note that
- I've recently updated: 1.06r1 Personal, SE1R111 08.06.2006
- the VX2 cleaner says there's nothing to clean
- the problems Ad Aware finds are in the registry, but are replaced as soon as they're removed (Ran Ad Aware many times before realizing this was special, tried it manually, too, with no effect, nothing in Task Manager processes.)
- the files in the identified registry entries are not on my system (Yes, hidden/system files visible but I can't see IEContent directories or directories in Downloaded Internet Files.)
- I've reviewed all recent forum posts regarding ABetterInternet.Nail and nothing there helped remove it.
- Haven't added/deleted anything recently, but I do find Win32 BI Application in my Add/Remove Programs, but it can't find payload.inf so nothing happens.

Here's my log; thanks for your assistance!
Frank
----------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 6:34:55 PM, on 6/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Logitech\Video\AlbumDB2.exe
C:\PROGRA~1\Logitech\Video\FxSvr2.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://antwrp.gsfc.nasa.gov/apod/astropix.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antwrp.gsfc.nasa.gov/apod/astropix.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\thewd.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,fckbnwe.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HotSync Manager.lnk.disabled
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
O4 - Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &IE Toolbar search - res://C:\WINDOWS\Downloaded Program Files\CONFLICT.1\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124983387447
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} -
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} -
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} -
O16 - DPF: {CEBC955E-58AF-11D2-A30A-00A0C903492B} (CV3 Class) -
O16 - DPF: {E344ADA2-75B6-4E7E-B221-0A04FD5B0165} -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6BD9D42-73F8-46CF-8334-CA56627BFB24}: NameServer = 24.92.226.180,24.93.1.121,24.93.1.120
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Fix-It Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

I've been stuck with this as well. Can find no solutions to fix it. Please help.

This is actually the qoologic trojan. It is extemely difficult for the automated programs to remove and will need a special (free) tool to remove it.

First, Please disable Spybot Teatimer,as it may hinder in the fixing of some registry entries. You can re-enable it after you're clean.

1) Open Spybot-S&D
2) Go to the Mode menu and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
......................................................
Please download Brute Force Uninstaller to your desktop.[list]
[*]Right click the BFU folder on your desktop, and choose Extract All
[*]Click "Next"
[*]In the box to choose where to extract the files to,
[*]Click "Browse"
[*]Click on the + sign next to "My Computer"
[*]Click on "Local Disk (C:) or whatever your primary drive is
[*]Click "Make New Folder"
[*]Type in BFU
[*]Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

[*]Download qoofix.bat (rightclick on this link and choose save as)
[*]Place qoofix.bat in your C:\BFU - folder. (Important!)
[*]Doubleclick qooFix.bat, Close all browsers and explorer folders.
[*]Choose option 1 (Qoolfix autofix) and follow the prompts.
[*]Please be patient, it will take about five minutes.
[*]After the PC has restarted please post another hijackthis log.

C. Jane,
I'd actually already done this, albeit without turning off TeaTimer. Starting from a clean boot, TeaTimer off, nothing open (used Start/Run) there's no change. QooFix.bat still gives me:
Bad command or file name (repeated 6 times)
Unsupported version (and repeated 4 times in the Notepad log)

Here's the subseqeunt HijackThis log ...

thanks,
Frank

Logfile of HijackThis v1.99.1
Scan saved at 10:58:26 PM, on 6/13/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://antwrp.gsfc.nasa.gov/apod/astropix.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antwrp.gsfc.nasa.gov/apod/astropix.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\thewd.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,fckbnwe.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - Startup: HotSync Manager.lnk.disabled
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
O4 - Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &IE Toolbar search - res://C:\WINDOWS\Downloaded Program Files\CONFLICT.1\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124983387447
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} -
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} -
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} -
O16 - DPF: {CEBC955E-58AF-11D2-A30A-00A0C903492B} (CV3 Class) -
O16 - DPF: {E344ADA2-75B6-4E7E-B221-0A04FD5B0165} -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6BD9D42-73F8-46CF-8334-CA56627BFB24}: NameServer = 24.92.226.180,24.93.1.121,24.93.1.120
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Fix-It Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Aside from disabling TeaTimer you also have the restrictions in place within Spybot that should also be temporarily disabled as it may interfere with the fix.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Here is another tool to try please.

1. Download this file - combofix.zip
http://download.bleepingcomputer.com/sUBs/combofix.exe

2. From within the zipped file, double click on combofix.exe & follow the prompts.

Note: If you receive a popup with a Disclaimer, read that and answer Y for yes (or N for no)
Y is recommended (if you put N, the tool will exit without fixing and will remove the combofix file and folders)

Do NOT click on the window while the fix is running, because that will cause your system to hang and the fix to stall.

3. When finished, it shall produce a log for you. Post that log in your next reply

4. Reboot your PC and scan again with HijackThis to produce a fresh HijackThis as well, please.

Sorry to say, I'd already been down the combofix route, too. (I tried everything you'd suggested to anyone before asking for help.) Tried it again, this time with Spybot's SDHelper turned off, too, as well as Popup Killer and ZoneAlarm. No difference.

The Combofix window only says "bad command or file name" and then a popup tells me it's "wrong OS, incompatible with Windows 9x and NT" (I'm on W2K SP4, an NT variant as you know). In the midst of this I got a popup, so I know the ~!@#$%^&* thing is still there.

Regardless, here's a HijackThis log after trying this ...

thanks for your continued support!
Frank

PS Forgot to note that when I close the Combofix window, it deletes the Combofix file!

Logfile of HijackThis v1.99.1
Scan saved at 10:10:50 PM, on 6/14/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://antwrp.gsfc.nasa.gov/apod/astropix.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antwrp.gsfc.nasa.gov/apod/astropix.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\thewd.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,fckbnwe.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - Startup: HotSync Manager.lnk.disabled
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
O4 - Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &IE Toolbar search - res://C:\WINDOWS\Downloaded Program Files\CONFLICT.1\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124983387447
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} -
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} -
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} -
O16 - DPF: {CEBC955E-58AF-11D2-A30A-00A0C903492B} (CV3 Class) -
O16 - DPF: {E344ADA2-75B6-4E7E-B221-0A04FD5B0165} -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6BD9D42-73F8-46CF-8334-CA56627BFB24}: NameServer = 24.92.226.180,24.93.1.121,24.93.1.120
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Fix-It Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

I'm going to ask miekiemoes to peek in here and see if she can spot or recommend what is needed to get these tools working. It's from the infection, but I'm not sure what should be done to fix it and miekie is much better than I am in these special cases.

Let's try this next Frank:

Please download, install, and update the free version of Ewido AntiMalware:
http://www.ewido.net/en/download/

This is a good trojan scanner and will help to block any further trojan downloads of malware onto your system while we're trying to clean it all up. Should any nasties try to enter your system it should popup a warning and you can block anything new coming in. But first lets install it, update it, and we'll scan later in SAFE MODE.

[1]From the main ewido screen, click on update in the left menu, then click the Start update button.

[2]After the update finishes (the status bar at the bottom will display "Update successful")

Close the program after updating (don't scan with it yet, we'll do that in SAFE MODE)

Copy the following instructions to have handy as you will need to be offline, in SAFE MODE and with IE closed so you will not be able to view this page during the process.

Reboot your PC into SAFE MODE
You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.


How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Next, run a scan with Ewido.

[3]Click on the Scanner button in the left menu, then click on the Complete System Scan button. This scan can take quite a while to run, so please be patient

[4]If Ewido finds anything, it will pop up a notification. You can select "remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.

[5]When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Copy and paste the results from that scan back here please for review

*Note: Ewido is a free trial product for 14 days. After that you can purchase it for full features OR you can also keep the free version to use as an on-demand scanner (recommended).
You will still be able to manually update Ewido using the *update* button

Now we're getting somewhere. Downloaded Ewido, ran in Safe Mode, and again after rebooting with it set to check all files. It is not fast (~2 hours for the all files run) but it is finding things and removing nearly all ...

At least that's what I think the logs are saying, and a quick AdAware scan confirms the same two Critical Objects that I've had since the start. What's next?

Thanks,
Frank

First log, run in Safe Mode
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:26:53 PM, 6/15/2006
+ Report-Checksum: ADC0AD19

+ Scan result:

HKLM\SOFTWARE\SearchRelevancy -> Adware.SearchRelevancy : Cleaned with backup
[232] C:\WINDOWS\system32\jfmsuap.dll -> Downloader.Qoologic.bj : Cleaned with backup
C:\Documents and Settings\default\Cookies\dad@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned with backup
C:\Documents and Settings\default\Cookies\dad@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\default\Cookies\dad@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\default\Cookies\dad@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\default\Cookies\dad@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\amm06.ocx -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\fswinst.ocx -> Adware.FreeScratch : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaGatewayX.dll -> Adware.WinAD : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\fswinst.ocx -> Adware.FreeScratch : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\fswinst.ocx -> Adware.FreeScratch : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup
C:\WINDOWS\optimize.exe -> Downloader.Dyfuca.ey : Cleaned with backup
C:\WINDOWS\stubinstaller4292.exe -> Downloader.Small.asf : Cleaned with backup
C:\WINDOWS\stubinstaller6282.exe -> Downloader.Small.asf : Cleaned with backup
C:\WINDOWS\SYSTEM32\dmonwv.dll -> Downloader.Agent.agw : Cleaned with backup
C:\WINDOWS\SYSTEM32\httppost.exe -> Adware.Specofer : Cleaned with backup
C:\WINDOWS\SYSTEM32\jucvo.dat -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINDOWS\unstall.exe -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\unwn.exe -> Trojan.Qoologic : Cleaned with backup
C:\WINDOWS\up9.exe -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\webhdll.dll_tobedeleted -> Adware.WebHancer : Cleaned with backup


::Report End

Second log run after normal full boot and will all files selected
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:25:32 AM, 6/16/2006
+ Report-Checksum: 57C6E965

+ Scan result:

[988] C:\WINDOWS\system32\jfmsuap.dll -> Downloader.Qoologic.bj : Error during cleaning
[1168] C:\WINDOWS\system32\jfmsuap.dll -> Downloader.Qoologic.bj : Error during cleaning
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\vfytj.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINDOWS\SYSTEM32\fckbnwe.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINDOWS\SYSTEM32\jucvo.dat -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__jfmsuap.dll -> Downloader.Qoologic.bj : Cleaned with backup


::Report End
---------------------------------------------
And just for kicks, a HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 12:36:38 AM, on 6/16/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://antwrp.gsfc.nasa.gov/apod/astropix.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antwrp.gsfc.nasa.gov/apod/astropix.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\thewd.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,fckbnwe.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [ylxle] C:\WINDOWS\system32\dxnsdr.exe reg_run
O4 - Startup: HotSync Manager.lnk.disabled
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
O4 - Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &IE Toolbar search - res://C:\WINDOWS\Downloaded Program Files\CONFLICT.1\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124983387447
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} -
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} -
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} -
O16 - DPF: {CEBC955E-58AF-11D2-A30A-00A0C903492B} (CV3 Class) -
O16 - DPF: {E344ADA2-75B6-4E7E-B221-0A04FD5B0165} -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6BD9D42-73F8-46CF-8334-CA56627BFB24}: NameServer = 24.92.226.180,24.93.1.121,24.93.1.120
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Fix-It Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Given Downloader.Qoologic.bj was cleaned when Ewido was run in Safe Mode, but was still present after a normal boot and not cleaned, I decided to run Ewido again in Safe Mode:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:51:32 AM, 6/16/2006
+ Report-Checksum: 50B7B87A

+ Scan result:

No infected objects found.


::Report End

Gone in Safe Mode, yet still present and uncleanable after a normal boot ... Any thoughts? This is one persistent ~!@#$%^& bit of malware!

Thanks,
Frank

Success at last?

Since computers don't need sleep, I let Ewido run one more time in a normal boot, and this time it came up clean. I then ran Adaware, which found the two registry entries that had been there all along, cleaned them, and I now have a clean Adaware scan!! Haven't seen "0 Critical Objects" in a long time ...

Here's a detailed summary; did I get this right?

Scan with Adaware, find ABetterInternet.Nail (2 entries) that won't clean. Turns out to be Qoologic, not a VX2 variant.

Tried qoofix.bat with Brute Force Uninstaller and it returned "bad command or file name" and "unsupported version" error messages

Tried combofix.exe which returned an error message, "Wrong OS, incompatible with Windows 9x and NT" and then deleted itself.

Tried Ewido in safe mode, default settings, and it ran successfully, finding and removing 23 problems.

Ran Ewido in normal boot, scanning all files, and it ran successfully, finding 6 but only cleaning 4:
C:\WINDOWS\system32\jfmsuap.dll -> Downloader.Qoologic.bj : Error during cleaning
This was confirmed by Adaware, same 2 registry entries.

Ran Ewido again in Safe Mode, scanning all files, and it came up clean.

Ran Ewido a 4th time, back in a normal boot and it came up clean; log looks just like the previous run.

Ran Adaware and the 2 registry entries were still present. Cleaned them and ran Adaware again. I FINALLY FOR A GREEN CHECK MARK!! 0 Critical Objects

The sequence that (apparently) worked was
- Ewido Safe Mode
- Ewido normal boot, all files
- Ewido Safe Mode, all files
- Ewido normal boot, all files
- Adaware, clean criticals
- Adaware, confirm no critical objects

I think I'll run Ewido one more time, and surf the net a little to verify I'm no longer getting popups before declaring victory, but it sure looks a lot better than it has!

Thank you so very much for sticking with me through this and continuing to pull something new out of your bag of tricks as each of the initial fixes crashed.

Frank

Ok, good job.

Next, we're going to try this tool made for the Alcra/Alcan worm removal. Judging by the array of malware I see found on your system, that is typical for this worm. Alcra also makes changes to your system which can affect your file associations, preventing you from running certain processes needed to clean. This tool will fix those and look for any remnants of the malware typically downloaded by this worm (only one of which is the Qoologic trojan we have been fighting...there are many more).

1. {skipped..this instruction is for downloading and installing Ewido which you have already done}

2. Please download Brute Force Uninstaller to your desktop.

• Right click the BFU folder on your desktop, and choose Extract All
• Click "Next"
• In the box to choose where to extract the files to,
• Click "Browse"
• Click on the + sign next to "My Computer"
• Click on "Local Disk (C:) or whatever your primary drive is
• Click "Make New Folder"
• Type in BFU
• Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

4. Reboot into Safe Mode
You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

5. Once in safe mode, start Ewido AntiMalware

a. Click on scanner

b. Click on *complete system scan*

c. Let the program scan the machine.

d. While the scan is in progress you will be prompted to clean the first infected file it finds. Choose Remove, then put a check next to Perform action on all infections in the left corner of the box so you don't have to sit and watch Ewido the whole time.
Checkmark the box: *Create encrypted backup in the quarantine* (recommended)

Click OK.

When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

6. Then, please go to Start > My Computer and navigate to the C:\BFU folder.

• Start the Brute Force Uninstaller by doubleclicking BFU.exe
• Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
• Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
• Wait for the complete script execution box to pop up and press OK.
• click "save"
  IN "filename" enter log.txt
• click exit to exit the BFU program.

Please copy the contents of the log.txt back here in your next reply. The log.txt will be in the C:\BFU\ folder

Reboot back into normal mode

7. Now please scan with HijackThis to produce a log. Post that log into your topic along with the other requested logs named below.

Logs needed in your next post are:

log.txt will be in the C:\BFU\ folder

Ewido Scan log

Fresh HijackThis log

OK, here's what I got. I'd already run Ewido in Safe Mode and got a clean bill of health. I ran Alcanshorty script in BFU and had to save the log manually, cut and paste from BFU. Doesn't look like Alcanshorty did much ... And of course there's a HijackThis log.

Things look clean to me, but then I would never have gotten this far by myself, and HijackThis says I've got files loading in registry that don't show up in a search, so your wish is my command.

thanks,
Frank

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:51:32 AM, 6/16/2006
+ Report-Checksum: 50B7B87A

+ Scan result:

No infected objects found.


::Report End
----------------------------------------------
BFU v1.00.9
Windows 2000 SP4 (WinNT 5.00.2195 SP4)
Script started at 1:44:41 AM, on 6/17/2006

Option Unload Explorer: Yes
Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)
Failed: ServiceStop Network Monitor (service not found)
Failed: ServiceStop cmdService (service not found)
Failed: ServiceDisable Network Monitor (service not found)
Failed: ServiceDisable cmdService (service not found)
Failed: ServiceDelete Network Monitor (service not found)
Failed: ServiceDelete cmdService (service not found)
Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|winlog (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)
Failed: RegDelValue HKCU\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|WinUpdate.exe (key not found)
Option pause between commands: 300 ms
Option pause between commands: 50 ms
Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)
Failed: FolderDelete C:\Program Files\winupdates (folder not found)
Failed: FolderDelete C:\Program Files\winupdate (folder not found)
Failed: FolderDelete C:\Program Files\winsupdater (folder not found)
Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)
Failed: FolderDelete C:\Program Files\MsMovies (folder not found)
Failed: FolderDelete C:\Program Files\wmplayer (folder not found)
Failed: FolderDelete C:\Program Files\outlook (folder not found)
Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)
Failed: FileDelete C:\DOCUME~1\default\LOCALS~1\Temp\~DFC269.tmp (operation failed)
Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)
Failed: FolderDelete C:\Program Files\DNS (folder not found)
Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)
Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\svchostsys (folder not found)
Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)
Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)
Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)
Failed: FolderDelete C:\Program Files\Update06 (folder not found)
Failed: FolderDelete C:\Program Files\Update03 (folder not found)
Failed: FolderDelete C:\Program Files\Update04 (folder not found)
Failed: FolderDelete C:\Program Files\Update08 (folder not found)
Failed: FolderDelete C:\Program Files\W-Update (folder not found)
Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found)
Failed: FolderDelete C:\Program Files\Cas (folder not found)
Failed: FolderDelete C:\Program Files\CasStub (folder not found)
Failed: FolderDelete C:\Program Files\Cas2Stub (folder not found)
Failed: FolderDelete C:\Program Files\ipwins (folder not found)
Failed: FolderDelete C:\temp (folder not found)
Failed: FolderDelete C:\WINDOWS\mdrive (folder not found)
Failed: FolderCreate C:\bintheredunthat (folder already exists)
Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)
Script completed.
------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 2:03:54 AM, on 6/17/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://antwrp.gsfc.nasa.gov/apod/astropix.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antwrp.gsfc.nasa.gov/apod/astropix.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,fckbnwe.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [ylxle] C:\WINDOWS\system32\dxnsdr.exe reg_run
O4 - Startup: HotSync Manager.lnk.disabled
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
O4 - Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &IE Toolbar search - res://C:\WINDOWS\Downloaded Program Files\CONFLICT.1\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124983387447
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} -
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} -
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} -
O16 - DPF: {CEBC955E-58AF-11D2-A30A-00A0C903492B} (CV3 Class) -
O16 - DPF: {E344ADA2-75B6-4E7E-B221-0A04FD5B0165} -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6BD9D42-73F8-46CF-8334-CA56627BFB24}: NameServer = 24.92.226.180,24.93.1.121,24.93.1.120
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Fix-It Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Hello Frank,

The BFU script only shows what it didn't find, not what it does. It incorporates some registry fixes too that may mean we can now try the Combofix (should work now ~crosses fingers~). The Alcan/Alcra worm downloads a boatload of malware onto your system, in addition to damaging certain functions and processes needed to clean. So hopefully this will work now. (Delete the present combofix.exe you now have and download a fresh copy as it may have been updated since we last tried it, but procedure to run stays the same).

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe

2. Double click on combofix.exe & follow the prompts.

Note: If you receive a popup with a Disclaimer, read that and answer Y for yes (or N for no)
Y is recommended (if you put N, the tool will exit without fixing and will remove the combofix file and folders)

Do NOT click on the window while the fix is running, because that will cause your system to hang and the fix to stall.

3. When finished, it shall produce a log for you. Post that log in your next reply

Briefly, I'm rather new to all of this sort of thing, but wanted to say thank you to all parties concerned for both their inquiries and their responses.

I contracted the "Abetterinternet.nail", or Qoologic, whichever, whatever, a few weeks back, and have been unable to figure out how to relieve myself of its torturous processes and manifestations. Thankfully I found your postings. After reading, and then walking through the various informational and process postings, I was finally able to come up with a "No Critical Errors" report from Lavasoft.

Thank You, Thank You, Thank You. Something tells me I'm a fan for life!

Good for you rous. Glad it was a help to you too

Jane,
First off, I've been downloading an exe, not a zip, so there's no extraction needed. I ran it in both a normal boot and Safe Mode and there's no change - returns bad command or file name and not compatible with Windows 9x or NT, then deletes the file. I even saved a copy in another directory, and that's gone, too.

I did get Ewido to run, after several daily updates, and it found something that seems inocuous.
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:55:06 PM, 6/18/2006
+ Report-Checksum: AA689081

+ Scan result:

C:\Documents and Settings\default\Cookies\dad@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup


::Report End

Any more ideas?

Thanks,
Frank

I inadvertently posted the old ComboFix instructions instead of the newer one which is, indeed, an exe and not a zip to be extracted (had to go back and edit that in my prior post).

Let's try this please, in case this is the problem:

Download FIXPATH2.ZIP.
http://internet.cybermesa.com/~bstewart/files/fixpath2.zip

Extract the files to a folder in C:\, like C:\FIXPATH2.

RUNNING THE PROGRAM:

* Open a command prompt window by going to start > run and copy and type: cmd
In the command prompt, type: cd C:\ and press Enter

So you should get C:\>

Then type: cd FIXPATH2 and press Enter

So you should get: C:\>fixpath2

Then type: FIXPATH.EXE and press Enter
* It will display some preliminary information, and ask if it should continue and check for errors. Click Yes.
* If it successfully updates the Path value in the registry, you will need to
reboot for the change to take effect. !! This is really important !!

If the path is the correct one already it will tell you and you can ust type: Exit to close the window.
....................................................
Let me know how that goes, then we can try QooFix using BFU again (you already have BFU so you can ignore the install part for the main BFU program)...DO download the qoofix.bat script to put in the BFU folder. Don't confuse it with the Alcanshort script.

[1] {Skip - you already have this} Download Brute Force Uninstaller
http://www.merijn.org/files/bfu.zipBrute Force Uninstaller
Save it to your C:\

[2] {Skip - you already have this} Create a new folder called BFU on the C: drive ( C:\BFU)
Extract the files from the zip archive into that folder
So BFU should be on your root. In most cases this is C:\

[3]Rightclick on this link and choose "save as" or "save target as"
Save qooFix.bat to the C:\bfu folder
http://downloads.subratam.org/Lon/qooFix.bat

[4]Doubleclick qooFix.bat, Close all browsers and explorer folders.

[5]Choose option 1 (Qoolfix autofix) and follow the prompts.

[6]Please be patient, it will take about five minutes.

[7]After the PC has restarted please scan with HijackThis and post a fresh hijackthis log.

Jane,
Ran Pathfix successfully with no real report. Ran qoolfix again with no change, bad command or file name, Wrong OS ...

Then I looked at the file - it's a batch file - and realized I was getting an error message based on:
VER|find "Windows 2000">NUL
IF NOT ERRORLEVEL 1 GOTO NT

I removed this section and it only gave me 2 Bad Command messages before running as you describe. Rebooted and came right here to tell you. Here's a new HijackThis. Only thing I see is:
O4 - HKCU\..\Run: [ylxle] C:\WINDOWS\system32\dxnsdr.exe reg_run
This has been a regular request for internet access through Zome Alarm, denied, of course, and a file I can't find.

thanks,
Frank

Logfile of HijackThis v1.99.1
Scan saved at 12:00:18 AM, on 6/20/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Logitech\Video\AlbumDB2.exe
C:\PROGRA~1\Logitech\Video\FxSvr2.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://antwrp.gsfc.nasa.gov/apod/astropix.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antwrp.gsfc.nasa.gov/apod/astropix.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [ylxle] C:\WINDOWS\system32\dxnsdr.exe reg_run
O4 - Startup: HotSync Manager.lnk.disabled
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
O4 - Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &IE Toolbar search - res://C:\WINDOWS\Downloaded Program Files\CONFLICT.1\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124983387447
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} -
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} -
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} -
O16 - DPF: {CEBC955E-58AF-11D2-A30A-00A0C903492B} (CV3 Class) -
O16 - DPF: {E344ADA2-75B6-4E7E-B221-0A04FD5B0165} -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6BD9D42-73F8-46CF-8334-CA56627BFB24}: NameServer = 24.92.226.180,24.93.1.121,24.93.1.120
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Fix-It Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

So qoofix did finally run? Let's do the followiing Fix in HijackThis and then I'll ask you to run a bunch of diagostics tools to get more info

Make sure your PC is configured to show hidden files
How to Show Hidden Files
http://www.xtra.co.nz/help/0,,4155-1916458,00.html


Scan with HijackThis and checkmark these entries, then press *fix checked*

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - Default URLSearchHook is missing

O4 - HKCU\..\Run: [ylxle] C:\WINDOWS\system32\dxnsdr.exe reg_run

(These 2 are restritions you have set in Spybot which need to be undone as they will block efforts to run this fix)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -

O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} -

O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} -

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} -

O16 - DPF: {CEBC955E-58AF-11D2-A30A-00A0C903492B} (CV3 Class) -

O16 - DPF: {E344ADA2-75B6-4E7E-B221-0A04FD5B0165} -

Delete this file (if found)
C:\WINDOWS\system32\dxnsdr.exe

Update Ewido and scan with that again. Let me know if anything is found besides cookies.

Post a report from this tool

Download the free beta trial of this tool from F-Secure called Blacklight
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Doubleclick on bibeta.exe to run it.
Click the *I accept* button near the bottom of that page.
Download and run blacklite click > scan then > next, next again then exit
there will be a new text file near blacklite.Post it please. The text file is named:
fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
!!Do not rename any files yet
..........................
And this one too:

Please download Rootkit Revealer
http://www.sysinternals.com/utilities/rootkitrevealer.html
(link is at the very bottom of the page)

Unzip it to your desktop.
Open the rootkitrevealer folder and double-click rootkitrevealer.exe
Click the Scan button (bottom right)
It may take a while to scan (don't do anything while it's running - leave the PC idle during the scan!)
When it's done, go up to File > Save. Choose to save it to your desktop.
Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here
......................
Download Silent runners here (follow the instructions on that page)
http://www.silentrunners.org/sr_scriptuse.html

If you have antivirus script protection, please allow it (silentrunners.vbs) to run. While waiting, a box will say done.
Wait until there is a All Done message !!, Then open and post the log next to it.

....................................
* Download WinPFind http://www.bleepingcomputer.com/files/winpfind.php
* Right Click the Zip Folder and Select "Extract All"
* Extract it somewhere you will remember like the Desktop
* Dont do anything with it yet!


Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe

* Now Click "Start Scan"
* It will scan the entire System, so please be patient!
* Once the Scan is Complete
o Reboot back to Normal Mode!
o Go to the WinPFind folder
o Locate WinPFind.txt
o Place those results in the next post!.

Sorry, for the delay, Jane, but these things run slow!

Yes, Qoofix did run after I edited out the error trapping, but not without the "bad command or filename" a couple times.

I check fixed the items specified using HijackThis, and verified they were gone.

I have never been able to find dxnsdr.exe, even with hidden and system files showing.

Ewido found nothing, clean scan as it has the last several times.

Attached are the following logs in this order:
Blacklight
Rootkit Revealer
SilentRunners
WinPFind (run in Safe Mode; window doesn't fit in the screen, but then Ewido's window is illegible)

I trust you can make something of them as, beyond the two startup items SilentRunners found and marked "infection warning", I haven't a clue what's good or bad!

thanks,
Frank


Blacklight
----------------
06/21/06 08:37:56 [Info]: BlackLight Engine 1.0.37 initialized
06/21/06 08:37:56 [Info]: OS: 5.0 build 2195 (Service Pack 4)
06/21/06 08:37:56 [Note]: 7019 4
06/21/06 08:37:56 [Note]: 7005 0
06/21/06 08:38:03 [Note]: 7006 0
06/21/06 08:38:03 [Note]: 7011 1072
06/21/06 08:38:03 [Note]: 7026 0
06/21/06 08:38:04 [Note]: 7026 0
06/21/06 08:38:20 [Note]: FSRAW library version 1.7.1015
06/21/06 08:39:37 [Note]: 2000 1006
06/21/06 08:39:37 [Note]: 2000 1006
06/21/06 08:39:37 [Note]: 2000 1006
06/21/06 08:39:37 [Note]: 2000 1006
06/21/06 09:10:05 [Note]: 7007 0


Rootkit Revealer
---------------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VideoUpgradeDisplaySettings\Driver0 2/8/2005 3:04 AM 3 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VideoUpgradeDisplaySettings\Service0 2/8/2005 3:04 AM 7 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VideoUpgradeDisplaySettings\Service1 2/8/2005 3:04 AM 5 bytes Data mismatch between Windows API and raw hive data.


SilentRunner (long)
--------------------
"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"PopUpKiller" = "C:\Program Files\PopUp Killer\PopUpKiller.EXE" ["xFX JumpStart"]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"EPSON Stylus C42 Series" = "C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"" [file not found]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"LogitechImageStudioTray" = "C:\Program Files\Logitech\ImageStudio\LogiTray.exe" [file not found]
"LogitechVideoTray" = "C:\Program Files\Logitech\Video\LogiTray.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {HKCU...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office 2000\Office\" [file not found]
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\soa800.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Explode"
-> {HKLM...CLSID} = "Microsoft Office Binder Explode"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKCU...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\Office\OLKFSTUB.DLL" [MS]
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\olkfstub.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Exchange"
-> {HKCU...CLSID} = "Microsoft Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\Office\MLSHEXT.DLL" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "d:\Program Files\Real\RealOne Player\rpshellext.dll" [file not found]
"{B446400D-0030-457b-8F64-422A19605186}" = "Logitech Gallery"
-> {HKLM...CLSID} = "Logitech Gallery"
\InProcServer32\(Default) = "C:\Program Files\Logitech\ImageStudio\NameSpc.dll" ["Logitech Inc."]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"
-> {HKLM...CLSID} = "My Logitech Pictures"
\InProcServer32\(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Logitech Inc."]
"{57C51AF9-DEF7-11D3-A801-00C04F163490}" = "Ghost Shell Extension"
-> {HKLM...CLSID} = "PropPage Class"
\InProcServer32\(Default) = "C:\Program Files\Symantec\Norton Ghost 2003\GhoShExt.dll" ["Symantec Corporation"]
"{0561EC90-CE54-4f0c-9C55-E226110A740C}" = "Haali Column Provider"
-> {HKLM...CLSID} = "Haali Column Provider"
\InProcServer32\(Default) = "C:\Program Files\vcd_burn\Avi2Dvd\Programs\Filters\Haali media splitter\mmfinfo.dll" [null data]
"{4EC26602-4807-40FE-A40F-1A41E4D40C78}" = "Dell DJ Explorer"
-> {HKLM...CLSID} = "Dell DJ Explorer"
\InProcServer32\(Default) = "C:\Program Files\Dell\Dell DJ Explorer\CTOJBNS.DLL" ["Creative Technology Ltd"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{0561EC90-CE54-4f0c-9C55-E226110A740C}\(Default) = "Haali Column Provider"
-> {HKLM...CLSID} = "Haali Column Provider"
\InProcServer32\(Default) = "C:\Program Files\vcd_burn\Avi2Dvd\Programs\Filters\Haali media splitter\mmfinfo.dll" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {HKLM...CLSID} = "Ctest Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\wzshlext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {HKLM...CLSID} = "Ctest Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\wzshlext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\wzshlext.dll" [null data]

Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\default\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"

Startup items in "Dad" & "All Users" startup folders:
-----------------------------------------------------
C:\Documents and Settings\default\Start Menu\Programs\Startup
INFECTION WARNING! "HotSync Manager.lnk.disabled" [null data]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE -b -l" [MS]
INFECTION WARNING! "Microsoft Office.lnk.disabled" [null data]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"ZoneAlarm" -> shortcut to: "C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe" ["Zone Labs Inc."]

Enabled Scheduled Tasks:
------------------------
"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "MSN Messenger Service"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido anti-malware\ewidoguard.exe" ["ewido networks"]
HID Input Service, HidServ, "C:\WINDOWS\system32\hidserv.exe" [MS]
RIP Listener, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]}
Simple TCP/IP Services, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe -service" ["Zone Labs Inc."]


Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON V4 Monitor3SA\Driver = "EBPMON3.DLL" ["SEIKO EPSON CORPORATION"]
LPR Port\Driver = "lprmon.dll" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 53 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 24 seconds.
---------- (total run time: 126 seconds)




WinPFind
----------------------
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
PEC2 1/28/2006 7:35:40 PM 3077115 C:\Marj Med D.ps
UPX! 7/23/2002 8:42:28 PM R 3388563 C:\SETUP2K.EX_
PEC2 10/17/2005 7:52:08 PM 15116598 C:\untitled.bmp

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 6/5/2006 3:00:46 AM 266850304 C:\WINDOWS\MEMORY.DMP
PTech 6/5/2006 3:00:46 AM 266850304 C:\WINDOWS\MEMORY.DMP
SAHAgent 6/5/2006 3:00:46 AM 266850304 C:\WINDOWS\MEMORY.DMP
69.59.186.63 6/5/2006 3:00:46 AM 266850304 C:\WINDOWS\MEMORY.DMP
209.66.67.134 6/5/2006 3:00:46 AM 266850304 C:\WINDOWS\MEMORY.DMP
66.63.167.77 6/5/2006 3:00:46 AM 266850304 C:\WINDOWS\MEMORY.DMP
abetterinternet.com 6/5/2006 3:00:46 AM 266850304 C:\WINDOWS\MEMORY.DMP
web-nex 6/5/2006 3:00:46 AM 266850304 C:\WINDOWS\MEMORY.DMP
ad-w-a-r-e.com 6/5/2006 3:00:46 AM 266850304 C:\WINDOWS\MEMORY.DMP
UPX! 6/20/2006 10:12:00 PM 251126784 C:\WINDOWS\outlook.pst
PTech 12/14/2001 6:31:40 AM HS 66379776 C:\WINDOWS\VMMHIBER.W9X

Checking %System% folder...
UPX! 10/7/2005 1:14:52 PM 308224 C:\WINDOWS\SYSTEM32\avisynth.dll
PTech 7/12/2005 6:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
UPX! 9/12/2002 10:50:42 PM 115200 C:\WINDOWS\SYSTEM32\lw.dll
PECompact2 6/8/2006 9:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 6/8/2006 9:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 1/12/2005 12:39:46 PM 531216 C:\WINDOWS\SYSTEM32\RASDLG.DLL
winsync 6/19/2003 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
6/19/2006 11:26:22 PM H 54156 C:\WINDOWS\QTFont.qfn
6/21/2006 11:01:20 PM H 254034 C:\WINDOWS\ShellIconCache
5/28/2006 4:54:22 PM H 0 C:\WINDOWS\Application Data\Microsoft\Windows\UsrClass.DFG.LOG
6/21/2006 11:02:28 PM S 64 C:\WINDOWS\CSC\00000001
6/5/2006 2:59:30 AM S 64 C:\WINDOWS\CSC\00000002
6/5/2006 2:52:40 AM S 64 C:\WINDOWS\CSC\csc1.tmp
6/20/2006 2:48:44 PM H 237 C:\WINDOWS\SYSTEM32\vsconfig.xml
6/21/2006 10:55:06 PM H 1024 C:\WINDOWS\SYSTEM32\config\DEFAULT.LOG
6/21/2006 11:06:32 PM H 1024 C:\WINDOWS\SYSTEM32\config\SAM.LOG
6/21/2006 11:04:38 PM H 1024 C:\WINDOWS\SYSTEM32\config\SECURITY.LOG
6/21/2006 11:11:40 PM H 1024 C:\WINDOWS\SYSTEM32\config\SOFTWARE.LOG
6/21/2006 11:02:30 PM H 6 C:\WINDOWS\TASKS\SA.DAT
6/20/2006 2:48:04 PM H 67 C:\WINDOWS\TEMP\ffastlog.txt

Checking for CPL files...
5/25/2004 12:06:58 PM 417792 C:\WINDOWS\SYSTEM32\ac3filter.cpl
Microsoft Corporation 12/6/1999 5:00:00 PM 67344 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 6/19/2003 8:00:00 AM 301328 C:\WINDOWS\SYSTEM32\appwiz.cpl
4/30/2001 5:51:00 AM 98304 C:\WINDOWS\SYSTEM32\avsmcpa.cpl
Logitech Inc. 8/29/2003 3:19:16 PM 151552 C:\WINDOWS\SYSTEM32\CamCpl.cpl
Conexant 6/12/2000 2:14:12 PM 314368 C:\WINDOWS\SYSTEM32\CSACPL.CPL
Microsoft Corporation 6/19/2003 8:00:00 AM 237328 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 6/19/2003 8:00:00 AM 31504 C:\WINDOWS\SYSTEM32\fax.cpl
Microsoft Corporation 6/19/2003 8:00:00 AM 128272 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/29/2002 8:14:40 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 6/19/2003 8:00:00 AM 118032 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 6/19/2003 8:00:00 AM 36112 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 10/30/2001 9:10:00 AM 326144 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 6/19/2003 8:00:00 AM 122128 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 11/16/1996 8:00:00 PM 45984 C:\WINDOWS\SYSTEM32\mlcfg32.cpl
Microsoft Corporation 6/19/2003 8:00:00 AM 303888 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 1/12/2005 12:40:00 PM 64784 C:\WINDOWS\SYSTEM32\msmq.cpl
Microsoft Corporation 6/19/2003 8:00:00 AM 17168 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 6/19/2003 8:00:00 AM 41232 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/26/2002 11:11:40 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 6/19/2003 8:00:00 AM 90896 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 8/25/1996 10:12:00 PM R 341504 C:\WINDOWS\SYSTEM32\QTW32.CPL
Apple Computer, Inc. 9/23/2004 7:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 6/19/2003 8:00:00 AM 83216 C:\WINDOWS\SYSTEM32\sticpl.cpl
Microsoft Corporation 6/19/2003 8:00:00 AM 125712 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 6/19/2003 8:00:00 AM 5904 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 6/8/2000 1:00:00 PM 15360 C:\WINDOWS\SYSTEM32\THEMES.CPL
Microsoft Corporation 6/19/2003 8:00:00 AM 61200 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 8:14:40 AM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 1/12/2005 12:40:00 PM 64784 C:\WINDOWS\SYSTEM32\dllcache\msmq.cpl
IBM Corporation 9/23/1999 7:44:36 PM 94208 C:\WINDOWS\SYSTEM32\dllcache\mwcpa32.cpl
Microsoft Corporation 6/19/2003 8:00:00 AM 41232 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/26/2002 11:11:40 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
2/10/2004 3:41:18 AM 608 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ZoneAlarm.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
4/21/2002 6:54:14 PM 1397 C:\Documents and Settings\default\Start Menu\Programs\Startup\HotSync Manager.lnk.disabled
2/8/2005 3:20:02 AM 1701 C:\Documents and Settings\default\Start Menu\Programs\Startup\Microsoft Office.lnk
1/31/2003 11:57:54 PM 1692 C:\Documents and Settings\default\Start Menu\Programs\Startup\Microsoft Office.lnk.disabled

Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
T312461 =
Q312461 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{FEF10FA2-355E-4e06-9381-9B24D7F7CC88} = C:\WINDOWS\system32\SHELL32.DLL
{53C74826-AB99-4d33-ACA4-3117F51D3788} = C:\WINDOWS\system32\SHELL32.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\PROGRAM FILES\WINRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\PROGRAM FILES\WINRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\PROGRAM FILES\WINRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0561EC90-CE54-4f0c-9C55-E226110A740C}
= C:\Program Files\vcd_burn\Avi2Dvd\Programs\Filters\Haali media splitter\mmfinfo.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINDOWS\system32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7ab770c7-0e23-4d7a-8aa2-19bfad479829}
= C:\WINDOWS\system32\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINDOWS\system32\docprop2.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
MenuText = :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINDOWS\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\browseui.dll
{8E718888-423F-11D2-876E-00A0C9082467} = @msdxmLC.dll,-1@1033,&Radio : C:\WINDOWS\system32\msdxm.ocx
{B195B3B3-8A05-11D3-97A4-0004ACA6948E} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{8E718888-423F-11D2-876E-00A0C9082467} = @msdxmLC.dll,-1@1033,&Radio : C:\WINDOWS\system32\msdxm.ocx
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
PopUpKiller C:\Program Files\PopUp Killer\PopUpKiller.EXE
Synchronization Manager mobsync.exe /logon
EPSON Stylus C42 Series C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
NeroCheck C:\WINDOWS\system32\NeroCheck.exe
LogitechImageStudioTray C:\Program Files\Logitech\ImageStudio\LogiTray.exe
LogitechVideoTray C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HideSharePwds


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WinOldApp
NoRealMode 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 0
CDRAutoRun 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINDOWS\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\Userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/22/2006 1:05:02 AM

Can't believe I didn't have you do this yet:

Please download Look2Me-Destroyer.exe to your desktop.

• Close all windows before continuing.
• Double-click Look2Me-Destroyer.exe to run it.
• Put a check next to Run this program as a task.
• You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
• When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
• Once it's done scanning, click the Remove L2M button.
• You will receive a Done Scanning message, click OK.
• When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
• Your computer will then shutdown.
• Turn your computer back on.
• Please post the contents of Look2Me-Destroyer.txt (it can be found wherever you saved Look2Me-Destroyer.exe) and a new HiJackThis log.

If Look2Me-Destroyer does not reopen automatically, reboot and try again.

Frank, also....Ewido is now at v. 4.0 just released. You need to uninstall 3.5 and get a freshdownload and install Ewido 4.0.
http://www.ewido.net/en/

3.5 quit updating a number of days ago for me and it wasn't until I got 4.0 that I was able to get fresh updates.

Look2Me needed a reboot after loading as a task, then ran just as you said. My Ewido kept updating, but I've loaded and run V4.0 anyway.

The Look2Me, HijackThis and Ewido4 logs are below.

Any way I can learn to look at HijackThis logs to tell me when I've got another one of these things that normal AdAware can't clean?

thanks,
Frank

PS Forgot to mention that WinPFind blew through my virutal memory even in Safe Mode, and so took that much longer. Only have 256M of RAM ...

-------------------
Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 6/22/2006 9:39:05 PM

Attempting to delete infected files...

Making registry repairs.

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{FEF10FA2-355E-4e06-9381-9B24D7F7CC88}"
HKCR\Clsid\{FEF10FA2-355E-4e06-9381-9B24D7F7CC88}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{53C74826-AB99-4d33-ACA4-3117F51D3788}"
HKCR\Clsid\{53C74826-AB99-4d33-ACA4-3117F51D3788}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

--------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:45:19 PM, on 6/22/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\explorer.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://antwrp.gsfc.nasa.gov/apod/astropix.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antwrp.gsfc.nasa.gov/apod/astropix.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - Startup: HotSync Manager.lnk.disabled
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
O4 - Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &IE Toolbar search - res://C:\WINDOWS\Downloaded Program Files\CONFLICT.1\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124983387447
O16 - DPF: {E344ADA2-75B6-4E7E-B221-0A04FD5B0165} -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6BD9D42-73F8-46CF-8334-CA56627BFB24}: NameServer = 24.92.226.180,24.93.1.121,24.93.1.120
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Fix-It Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

-------------------
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:46:26 PM 6/22/2006

+ Scan result:



C:\Documents and Settings\default\Cookies\dad@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : No action taken.


::Report end

Looks good!

Scan with HijackThis and checkmark these entries, then press the *fix checked* button:

O8 - Extra context menu item: &IE Toolbar search - res://C:\WINDOWS\Downloaded Program Files\CONFLICT.1\toolbar.dll/SEARCH.HTML

O16 - DPF: {E344ADA2-75B6-4E7E-B221-0A04FD5B0165} -
........................................
Do you have an Antivius program running? If so what is it and what version?
........................................
I wonder if ComboFix will work now:

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe

2. Double click on combofix.exe & follow the prompts.

Note: If you receive a popup with a Disclaimer, read that and answer Y for yes (or N for no)
Y is recommended (if you put N, the tool will exit without fixing and will remove the combofix file and folders)

Do NOT click on the window while the fix is running, because that will cause your system to hang and the fix to stall.

3. When finished, it shall produce a log for you. Post that log in your next reply

"Looks good!" I'm honored; maybe I'm finally getting somewhere? Maybe not ...

Combofix operation hasn't changed a lick; I can't edit an EXE and the bleeping web site doesn't give me anything to go on.

You ask about virus protection; I should probably have opened with this.

I use McAfee VirusScan v4.5.1, scan engine 4.4.00, definitions 4.0.4776 (June 2, 06), provided by my employer with manual definitions updates via thumbdrive. Here is the interesting log. Note that it was my first scan since March, and it found some viruses that it couldn't remove although the screen said it had. Subsequent scans were clean ... perhaps.

Updated definitions to 4.0.4792 and it still scans clean ... perhaps.

You know, I do have a good ghost image I could restore; would get rid of the hidden files at least.

Just a thought,
Frank,how may look good but still feels ugly

PS Threw in a HijackThis just for kicks.

First scan since March
----------------------
6/10/2006 12:49 PM Scan Started FAMILY_ROOM\Dad On Demand Scan
6/10/2006 12:51 PM Trojan FAMILY_ROOM\Dad C:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\01UZGDYF\redo[1].htm JS/Noclose.gen (Removable)
6/10/2006 12:51 PM Clean Error FAMILY_ROOM\Dad C:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\01UZGDYF\redo[1].htm JS/Noclose.gen
6/10/2006 12:51 PM Trojan FAMILY_ROOM\Dad C:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\4BAXGFMD\redo2[1].htm JS/Noclose.gen (Removable)
6/10/2006 12:51 PM Clean Error FAMILY_ROOM\Dad C:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\4BAXGFMD\redo2[1].htm JS/Noclose.gen
6/10/2006 12:51 PM Trojan FAMILY_ROOM\Dad C:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\ELSH618L\redo4[1].htm Exploit-ByteVerify (Removable)
6/10/2006 12:51 PM Clean Error FAMILY_ROOM\Dad C:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\ELSH618L\redo4[1].htm Exploit-ByteVerify
6/10/2006 1:08 PM Trojan FAMILY_ROOM\Dad C:\WINDOWS\ac2_0009.exe Generic Downloader.ab (Removable)
6/10/2006 1:08 PM Clean Error FAMILY_ROOM\Dad C:\WINDOWS\ac2_0009.exe Generic Downloader.ab
6/10/2006 1:28 PM Scan Error FAMILY_ROOM\Dad Could not find a diskette in drive D:\.
6/10/2006 1:28 PM Scan Summary FAMILY_ROOM\Dad Scan Summary
6/10/2006 1:28 PM Scan Summary FAMILY_ROOM\Dad Memory scan : No Viruses Found
6/10/2006 1:28 PM Scan Summary FAMILY_ROOM\Dad Boot sectors scanned : 5
6/10/2006 1:28 PM Scan Summary FAMILY_ROOM\Dad Boot sectors infected : 0
6/10/2006 1:28 PM Scan Summary FAMILY_ROOM\Dad Boot sectors cleaned : 0
6/10/2006 1:28 PM Scan Summary FAMILY_ROOM\Dad Files scanned : 64090
6/10/2006 1:28 PM Scan Summary FAMILY_ROOM\Dad Files infected : 4
6/10/2006 1:28 PM Scan Summary FAMILY_ROOM\Dad Files cleaned : 0
6/10/2006 1:28 PM Scan Summary FAMILY_ROOM\Dad Files deleted : 0
6/10/2006 1:28 PM Scan Summary FAMILY_ROOM\Dad Files moved : 0
6/10/2006 1:28 PM Scan Complete FAMILY_ROOM\Dad On Demand Scan


Latest scan, new defs file, c: only.
------------------
6/24/2006 12:29 AM Scan Started FAMILY_ROOM\Dad On Demand Scan
6/24/2006 12:58 AM Scan Summary FAMILY_ROOM\Dad Scan Summary
6/24/2006 12:58 AM Scan Summary FAMILY_ROOM\Dad Memory scan : No Viruses Found
6/24/2006 12:58 AM Scan Summary FAMILY_ROOM\Dad Boot sectors scanned : 1
6/24/2006 12:58 AM Scan Summary FAMILY_ROOM\Dad Boot sectors infected : 0
6/24/2006 12:58 AM Scan Summary FAMILY_ROOM\Dad Boot sectors cleaned : 0
6/24/2006 12:58 AM Scan Summary FAMILY_ROOM\Dad Files scanned : 47047
6/24/2006 12:58 AM Scan Summary FAMILY_ROOM\Dad Files infected : 0
6/24/2006 12:58 AM Scan Summary FAMILY_ROOM\Dad Files cleaned : 0
6/24/2006 12:58 AM Scan Summary FAMILY_ROOM\Dad Files deleted : 0
6/24/2006 12:58 AM Scan Summary FAMILY_ROOM\Dad Files moved : 0
6/24/2006 12:58 AM Scan Complete FAMILY_ROOM\Dad On Demand Scan

HijackThis
-------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:37:25 PM, on 6/23/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://antwrp.gsfc.nasa.gov/apod/astropix.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antwrp.gsfc.nasa.gov/apod/astropix.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Startup: HotSync Manager.lnk.disabled
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
O4 - Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124983387447
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6BD9D42-73F8-46CF-8334-CA56627BFB24}: NameServer = 24.92.226.180,24.93.1.121,24.93.1.120
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Fix-It Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Are you getting any popups at this point?

Your McAfee looks to be a current version. All it found on that log you posted was files in the TIF folder, which isn't the live infection. I'm not sure how good McAfee is on spyware, or it may have been disabled? I'm not sure, but if you just clear the cache of web pages viewed that clears those types of items.

Sometimes, these are found in the webpages viewed cache or Temporary Internet Files. To explain why your AV detects it see this example writeup at Computer Associates regarding generic detection of exploits in webpages:

http://www3.ca.com/securityadvisor/virusin...s.aspx?ID=38853

Look closely at the location of the files found. When you see that they are in your Temporary internet files folder (or, in the case of Firefox, your profile cache folder) this means that your antivirus program has generic detection of web pages which attempt to exploit a vulnerability in your browser.


Similarly, in Firefox delete your cache to remove the offending files found.


I'm not sure why ComboFix isn't recognizing your operating system as Win2k, but the other tools we used should have cleared those multiple infections. Your HijackThis log looks clean so that's why I need to know i if you are seeing any further symptoms or popups

Jane,
I haven't had any pop-up issues since Ewido ran. Glad to hear my HijackThis is clear. Let me go for a week or so to see if pop-ups return, and perhaps running the scanners again, just to be sure.

And one more time, thank you for your help and persistence in addressing this issue. You are the BEST!

Thanks,
Frank

Good news to hear, Frank Glad we could help.

Some final cleanup and prevention recomendations follow.

You can delete any of the special tools we used. They won't be needed again, but if they should, it's best to download fresh copies as they are updated frequently for new variants of malware

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files.

• Quit Internet Explorer and quit any instances of Windows Explorer.
• Click Start, click Control Panel, and then double-click Internet Options.
• On the General tab, click Delete Files under Temporary Internet Files.
• In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  
• Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
• Click OK.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help .
How do I prevent Browser Hijacks and Spyware?
http://www.dslreports.com/faq/13620

I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/...s/mbsahome.mspx
Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.

Also visit this Free Online Scanner for PC Health and Safety
http://safety.live.com/site/en-US/default.htm
and Microsoft Security At Home
http://www.microsoft.com/athome/security/default.mspx
for tips to Protect your Pc, Protect yourself and Protect your Family.

You haven't steered me wrong yet ...

c:\windows\temp only had 4 files, 2 active and current
c:\document and settings\...\local files\temp deleted all but current. (Search is an easy way to find them)
Temporary internet files were deleted days ago, and again today.
Bookmarked the dslreports, safety.live and security at home sites.
Downloaded MBSA 2.0 and Defender from Microsoft and will run later (already do Windows Update)

Much of this advise is familiar, and part of my normal process for PC and privacy protection, but it's nice to a) have it all summarized and b) be able to point my kids to it and say "do this." (19 & 22 so old enough to take care of themselves, but young enough to think they don't need to ...)

Thanks again,
Frank

{{Hugs}} Mine are 22, 32 and 34. If they want to use MY computer they get a limited user account

Share Your PC
http://www.microsoft.com/windowsxp/using/s...hare/intro.mspx

Hope we were a help to you and yours!