
Removal Trojan Downloader Generic HGT etc.

Discussion in 'Malware and Virus Removal Archive' started by LarryB227, 2006/08/28.

Thread Status:
Not open for further replies.
  1. 2006/08/30
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, looks like we got most of it, just a couple more.

    Also go to Add\Remove and uninstall, if present:
    Search Assistant Toolbar

    Let's run Killbox again using the same instructions and insert the following files for deletion:
    winjvd32.dll
    w0275b41.dll
    C:\Program Files\Messenger\howyny.html
    C:\Program Files\Online Services\kyze.html


    Reboot, run ComboFix, then run HJT and post both logs.

    Thanks for being patient, I know it gets tedious at times running tool after tool and posting logs, but it's all in the name of being thorough.
     
  2. 2006/08/30
    LarryB227

    LarryB227 Inactive Thread Starter

    Joined:
    2006/08/28
    Messages:
    25
    Likes Received:
    0
    I had trouble with Killbox as it would not paste from the file menu. I finally had to paste them in one at a time and then finally say yes to reboot, but it did not reboot, so I had to reboot the old-fashioned way through Start.

    Here is the log from ComboFix
    Charly Brantley - 06-08-30 13:07:53.85
    ComboFix 06.08.27BT - Running from: C:\Documents and Settings\Charly Brantley\Desktop

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\Charly Brantley\My Documents\DOBE~1
    C:\QooBox\Purity\Documents and Settings\Charly Brantley\My Documents\DOBE~1\??pPatch
    C:\QooBox\Purity\Program Files\Common Files\SCURIT~1
    C:\QooBox\Purity\Program Files\Common Files\SCURIT~1\?ti2evxx.exe
    C:\QooBox\Purity\WINDOWS\system32\CROSOF~1
    C:\QooBox\Purity\WINDOWS\system32\CROSOF~1\w?crtupd.exe


    ((((((((((((((((((((((((((((((( Files Created from 2006-07-30 to 2006-08-30 ))))))))))))))))))))))))))))))))))


    2006-08-29 09:50 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
    2006-08-29 09:50 446,464 -ra------ C:\WINDOWS\system32\hhactivex.dll
    2006-08-29 09:50 176,128 --a------ C:\WINDOWS\system32\RcdScan.dll
    2006-08-20 16:22 8,464 --a------ C:\WINDOWS\system32\sporder.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-08-30 08:00 -------- d-------- C:\Documents and Settings\Charly Brantley\Application Data\AVG7
    2006-08-29 13:14 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-08-29 09:59 -------- d-------- C:\Program Files\TrojanHunter 4.2
    2006-08-29 09:54 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
    2006-08-29 09:54 28416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
    2006-08-29 09:50 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-08-28 13:56 -------- d-------- C:\Program Files\Common Files
    2006-08-27 17:21 -------- d-------- C:\Program Files\AIM
    2006-08-27 15:34 -------- d-------- C:\Program Files\Common Files\AOL
    2006-08-27 15:34 -------- d-------- C:\Program Files\AOL
    2006-08-27 09:27 -------- d-------- C:\Program Files\Messenger
    2006-08-27 08:03 4960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
    2006-08-27 08:03 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
    2006-08-27 08:03 23424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
    2006-08-27 08:02 -------- d-------- C:\Program Files\Grisoft
    2006-08-27 07:39 -------- d-------- C:\Program Files\XoftSpy
    2006-08-27 07:39 -------- d-------- C:\Program Files\Common Files\kwui
    2006-08-27 07:38 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-08-20 17:44 -------- d-------- C:\Program Files\MSN
    2006-08-20 16:32 -------- d-------- C:\Program Files\Online Services
    2006-08-18 03:01 -------- d-------- C:\Program Files\Internet Explorer
    2006-08-10 20:52 -------- d-------- C:\Program Files\Super DX-Ball
    2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-22 11:32 -------- d-------- C:\Documents and Settings\Charly Brantley\Application Data\Yahoo!
    2006-07-22 11:31 -------- d-------- C:\Program Files\Yahoo!
    2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint "= "C:\\Program Files\\Apoint\\Apoint.exe "
    "MMTray "= "\ "C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\" "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "xxo4a232 "= "RUNDLL32.EXE w0275b41.dll,n 0034a22f000000110275b41 "
    "AVG7_CC "= "C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "PSLister "= "\ "C:\\Program Files\\PSLister\\PSLister.exe\" "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source "= "C:\\Program Files\\Online Services\\kyze.html "
    "SubscribedURL "=" "
    "FriendlyName "=" "
    "Flags "=dword:00002000
    "Position "=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState "=hex:01,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo "=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source "= "C:\\Program Files\\Messenger\\howyny.html "
    "SubscribedURL "=" "
    "FriendlyName "=" "
    "Flags "=dword:00002000
    "Position "=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState "=hex:01,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo "=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,50,01,00,00,00,00,00,00,40,05,00,00,f8,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=hex:04,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo "=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run "= "C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE "

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run "= "C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE "

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} "=" "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "ewido anti-spyware 4.0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    "path "= "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Digital Line Detect.lnk "
    "backup "= "C:\\WINDOWS\\pss\\Digital Line Detect.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\DIGITA~1\\DLG.exe "
    "item "= "Digital Line Detect "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
    "path "= "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\MyWebSearch Email Plugin.lnk "
    "backup "= "C:\\WINDOWS\\pss\\MyWebSearch Email Plugin.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\MWSOEMON.EXE "
    "item "= "MyWebSearch Email Plugin "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    "path "= "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\QuickBooks Update Agent.lnk "
    "backup "= "C:\\WINDOWS\\pss\\QuickBooks Update Agent.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\COMMON~1\\Intuit\\QUICKB~1\\QBUpdate\\qbupdate.exe "
    "item "= "QuickBooks Update Agent "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Charly Brantley^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    "path "= "C:\\Documents and Settings\\Charly Brantley\\Start Menu\\Programs\\Startup\\LimeWire On Startup.lnk "
    "backup "= "C:\\WINDOWS\\pss\\LimeWire On Startup.lnkStartup "
    "location "= "Startup "
    "command "= "C:\\PROGRA~1\\LimeWire\\LimeWire.exe -startup "
    "item "= "LimeWire On Startup "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Charly Brantley^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
    "path "= "C:\\Documents and Settings\\Charly Brantley\\Start Menu\\Programs\\Startup\\MyWebSearch Email Plugin.lnk "
    "backup "= "C:\\WINDOWS\\pss\\MyWebSearch Email Plugin.lnkStartup "
    "location "= "Startup "
    "command "= "C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\MWSOEMON.EXE "
    "item "= "MyWebSearch Email Plugin "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AIM]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "aim "
    "hkey "= "HKCU "
    "command "= "C:\\Program Files\\AIM\\aim.exe -cnetwait.odl "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ATIPTA]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "atiptaxx "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ccApp]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "ccApp "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Dell QuickSet]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "quickset "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Dell\\QuickSet\\quickset.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DellSupport]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "DSAgnt "
    "hkey "= "HKCU "
    "command "= "\ "C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\dla]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "tfswctrl "
    "hkey "= "HKLM "
    "command "= "C:\\WINDOWS\\system32\\dla\\tfswctrl.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DVDLauncher]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "DVDLauncher "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HostManager]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "AOLHostManager "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Common Files\\AOL\\1125277778\\ee\\AOLHostManager.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\IntelWireless]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "ifrmewrk "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ISUSPM Startup]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "ISUSPM "
    "hkey "= "HKLM "
    "command "= "C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ISUSScheduler]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "issch "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MMTray]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "mm_tray "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "msmsgs "
    "hkey "= "HKCU "
    "command "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MyWebSearch Email Plugin]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "mwsoemon "
    "hkey "= "HKLM "
    "command "= "C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\mwsoemon.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PCMService]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "PCMService "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "qttask "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RealTray]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "RealPlay "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Spyware Begone]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "freescan "
    "hkey "= "HKCU "
    "command "= "C:\\freescan\\freescan.exe -FastScan "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Spyware Doctor]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "swdoctor "
    "hkey "= "HKCU "
    "command "= "\ "C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "jusched "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Symantec NetDriver Monitor]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "SNDMon "
    "hkey "= "HKLM "
    "command "= "C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\THGuard]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "THGuard "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\TrojanHunter 4.2\\THGuard.exe\" "
    "inimapping "= "0 "

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjvd32


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Symantec NetDetect.job

    Completion time: 06-08-30 13:08:42.10
    ComboFix.txt
    ComboFix2.txt
    ComboFix3.txt
    ComboFix4.txt
     


  4. 2006/08/30
    LarryB227

    LarryB227 Inactive Thread Starter

    Joined:
    2006/08/28
    Messages:
    25
    Likes Received:
    0
    That rundll is very tenacious as I have deleted it during this process but it comes back.

    Here is the HiJackThis log

    Logfile of HijackThis v1.99.1
    Scan saved at 13:15, on 06-08-30
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.opera.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [xxo4a232] RUNDLL32.EXE w0275b41.dll,n 0034a22f000000110275b41
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe "
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
     
  5. 2006/08/30
    LarryB227

    LarryB227 Inactive Thread Starter

    Joined:
    2006/08/28
    Messages:
    25
    Likes Received:
    0
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winjvd32 - winjvd32.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
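The HijackThis log above (split across the two posts) is what the helper reads for load points: the O4 Run entry that launches RUNDLL32 with a bare DLL name, the O20 Winlogon Notify package whose DLL is already missing, the O2 BHO with no file, and the O10 LSP entry. As an added illustration, not part of the original thread or of HijackThis itself, here is a small Python triage over constructed lines modelled on that log. The rules and the registry locations it reports are the editor's own mapping of each HijackThis section to the key an analyst would open to confirm it.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the HijackThis lines posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [xxo4a232] RUNDLL32.EXE w0275b41.dll,n 0034a22f000000110275b41
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: winjvd32 - winjvd32.dll (file missing)
"""


@dataclass
class Finding:
    item: str      # HijackThis section tag (O2, O4, O10, O20)
    name: str      # entry name: Run value, Notify subkey, BHO CLSID or DLL
    location: str  # registry location an analyst would open to confirm it
    reason: str


RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.+)$")
LSP_RE = re.compile(r"^O10 - .*LSP provider '(?P<dll>[^']+)' missing")

WINLOGON_NOTIFY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
WINSOCK_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters"


def bare_name(path: str) -> bool:
    """True when a module is named without any directory: Windows then resolves
    it through the DLL search path instead of a fixed, auditable location."""
    return "\\" not in path and "/" not in path


def triage_line(line: str):
    """Return a Finding for one suspicious HijackThis line, else None."""
    m = RUN_RE.match(line)
    if m:
        parts = m["cmd"].split()
        if len(parts) > 1 and parts[0].upper() in ("RUNDLL32", "RUNDLL32.EXE"):
            dll = parts[1].split(",")[0]
            if bare_name(dll):
                location = m["hive"] + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\" + m["key"]
                return Finding("O4", m["name"], location,
                               f"rundll32 loads '{dll}' by bare name from the search path")
        return None
    m = NOTIFY_RE.match(line)
    if m:
        location = WINLOGON_NOTIFY + "\\" + m["name"]
        if "(file missing)" in m["dll"]:
            return Finding("O20", m["name"], location,
                           "Winlogon Notify package whose DLL is gone (orphaned load point)")
        if bare_name(m["dll"]):
            return Finding("O20", m["name"], location, "Winlogon Notify DLL referenced by bare name")
        return None
    m = BHO_RE.match(line)
    if m and "(no file)" in m["file"]:
        return Finding("O2", m["clsid"], BHO_KEY + "\\" + m["clsid"],
                       "Browser Helper Object registered but its DLL is missing")
    m = LSP_RE.match(line)
    if m:
        return Finding("O10", m["dll"], WINSOCK_KEY,
                       "Winsock LSP chain references a missing DLL (repair the chain, do not just delete the entry)")
    return None


def triage(log_text: str):
    """Run triage_line over every line of a HijackThis log and collect findings."""
    findings = []
    for line in log_text.strip().splitlines():
        f = triage_line(line.strip())
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.item:<4} {f.name:<45} {f.reason}\n     {f.location}")
```

Known-good entries such as Apoint or the AVG tray produce no finding, which is the point of keying on how a module is referenced (bare name, missing file) rather than on the name itself; the random-looking value name xxo4a232 is only corroborating evidence.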
     
  6. 2006/08/30
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, those two primary files are gone; let's get the registry points removed manually.

    But let's first back up your registry.

    Now let's navigate to the points we need:

    Click the 'Start' button, select 'Run', hit 'Enter'.

    When the box appears, type 'regedit', hit 'Enter'.

    Navigate to the following key, by unticking the '+' next to each subkey:
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]

    In the right hand side of the window, look for:
    Source

    Highlight it, right-click, select 'Modify', delete 'kyze.html' and close the edit box.

    Then do the same for this registry point:
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]

    Look for Source and do as before to delete 'howyny.html', then close the edit box.

    Then navigate to the following section:
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjvd32

    Look in the left hand side of the window and delete 'winjvd32'.

    Close out the registry.

    Let's grab what I hope will be one last ComboFix log and post it.
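The steps above are manual regedit work: back up first, trim the two Desktop Components 'Source' values, delete the winjvd32 Notify subkey. As an added example that is not part of the thread, the Python below expresses the same procedure over a regedit-style export (constructed here to mirror the load points ComboFix listed, not a real export from the poster's machine). It writes a backup of exactly the keys it will touch and emits a .reg file with the changes, using the standard .reg conventions that `"Name"=-` deletes a value and `[-Key]` deletes a key. It never touches a live registry; applying or undoing the result is a separate, deliberate import.

```python
import re

# Constructed sample in regedit export format, modelled on the load points
# listed in this thread (not a real export from the poster's machine).
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"xxo4a232"="RUNDLL32.EXE w0275b41.dll,n 0034a22f000000110275b41"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Online Services\\kyze.html"
"Flags"=dword:00002000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Messenger\\howyny.html"
"Flags"=dword:00002000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"Flags"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjvd32]
"DllName"="winjvd32.dll"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
HEADER = "Windows Registry Editor Version 5.00"


def parse_export(text):
    """Parse regedit export text into {key: {value_name: raw_data}}.
    The right-hand side is kept verbatim ("..." for REG_SZ, dword:... etc.)
    so a backup writes back exactly what was read."""
    keys, current = {}, None
    for line in text.strip().splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m["key"]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m["name"]] = m["data"]
    return keys


def reg_string(data):
    """Unquote a REG_SZ right-hand side ("C:\\\\x") into a plain string (C:\\x)."""
    return data[1:-1].replace("\\\\", "\\")


def quote_string(s):
    return '"' + s.replace("\\", "\\\\") + '"'


def export_keys(keys, names):
    """Produce a .reg backup of the given keys: the 'back up first' step."""
    out = [HEADER, ""]
    for key in names:
        out.append(f"[{key}]")
        out.extend(f'"{n}"={d}' for n, d in keys[key].items())
        out.append("")
    return "\n".join(out)


def plan_remediation(keys, html_files, notify_subkeys, run_values):
    """Return (touched_keys, remediation_reg_text).

    html_files:     file names to strip from Desktop Components 'Source' values
                    (the folder is kept, as the helper's instructions do)
    notify_subkeys: Winlogon\\Notify subkeys to delete
    run_values:     Run value names to delete
    """
    touched, lines = [], [HEADER, ""]
    for key, values in keys.items():
        tail = key.rsplit("\\", 1)[-1]
        if "\\Desktop\\Components\\" in key and "Source" in values:
            folder, _, fname = reg_string(values["Source"]).rpartition("\\")
            if fname.lower() in html_files:
                touched.append(key)
                lines += [f"[{key}]", '"Source"=' + quote_string(folder + "\\"), ""]
        elif "\\Winlogon\\Notify\\" in key and tail in notify_subkeys:
            touched.append(key)
            lines += [f"[-{key}]", ""]          # [-Key] deletes the whole key
        elif key.endswith("\\CurrentVersion\\Run"):
            doomed = [n for n in values if n in run_values]
            if doomed:
                touched.append(key)
                lines += [f"[{key}]"] + [f'"{n}"=-' for n in doomed] + [""]  # "Name"=- deletes a value
    return touched, "\n".join(lines)


if __name__ == "__main__":
    keys = parse_export(SAMPLE_EXPORT)
    touched, fix = plan_remediation(keys, {"kyze.html", "howyny.html"}, {"winjvd32"}, {"xxo4a232"})
    print("--- backup.reg ---\n" + export_keys(keys, touched))
    print("--- remediation.reg ---\n" + fix)
```

The About:Home component is left alone because its Source has no file name to strip, and only the keys named in the plan land in the backup, so the undo file is small and reviewable before anything is imported.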
     
  7. 2006/08/30
    LarryB227

    LarryB227 Inactive Thread Starter

    Joined:
    2006/08/28
    Messages:
    25
    Likes Received:
    0
    Here it is

    Charly Brantley - 06-08-30 15:07:51.92
    ComboFix 06.08.27BT - Running from: C:\Documents and Settings\Charly Brantley\Desktop

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\Charly Brantley\My Documents\DOBE~1
    C:\QooBox\Purity\Documents and Settings\Charly Brantley\My Documents\DOBE~1\??pPatch
    C:\QooBox\Purity\Program Files\Common Files\SCURIT~1
    C:\QooBox\Purity\Program Files\Common Files\SCURIT~1\?ti2evxx.exe
    C:\QooBox\Purity\WINDOWS\system32\CROSOF~1
    C:\QooBox\Purity\WINDOWS\system32\CROSOF~1\w?crtupd.exe


    ((((((((((((((((((((((((((((((( Files Created from 2006-07-30 to 2006-08-30 ))))))))))))))))))))))))))))))))))


    2006-08-29 09:50 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
    2006-08-29 09:50 446,464 -ra------ C:\WINDOWS\system32\hhactivex.dll
    2006-08-29 09:50 176,128 --a------ C:\WINDOWS\system32\RcdScan.dll
    2006-08-20 16:22 8,464 --a------ C:\WINDOWS\system32\sporder.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-08-30 14:05 -------- d-------- C:\Documents and Settings\Charly Brantley\Application Data\AVG7
    2006-08-29 13:14 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-08-29 09:59 -------- d-------- C:\Program Files\TrojanHunter 4.2
    2006-08-29 09:54 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
    2006-08-29 09:54 28416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
    2006-08-29 09:50 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-08-28 13:56 -------- d-------- C:\Program Files\Common Files
    2006-08-27 17:21 -------- d-------- C:\Program Files\AIM
    2006-08-27 15:34 -------- d-------- C:\Program Files\Common Files\AOL
    2006-08-27 15:34 -------- d-------- C:\Program Files\AOL
    2006-08-27 09:27 -------- d-------- C:\Program Files\Messenger
    2006-08-27 08:03 4960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
    2006-08-27 08:03 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
    2006-08-27 08:03 23424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
    2006-08-27 08:02 -------- d-------- C:\Program Files\Grisoft
    2006-08-27 07:39 -------- d-------- C:\Program Files\XoftSpy
    2006-08-27 07:39 -------- d-------- C:\Program Files\Common Files\kwui
    2006-08-27 07:38 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-08-20 17:44 -------- d-------- C:\Program Files\MSN
    2006-08-20 16:32 -------- d-------- C:\Program Files\Online Services
    2006-08-18 03:01 -------- d-------- C:\Program Files\Internet Explorer
    2006-08-10 20:52 -------- d-------- C:\Program Files\Super DX-Ball
    2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-22 11:32 -------- d-------- C:\Documents and Settings\Charly Brantley\Application Data\Yahoo!
    2006-07-22 11:31 -------- d-------- C:\Program Files\Yahoo!
    2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint "= "C:\\Program Files\\Apoint\\Apoint.exe "
    "MMTray "= "\ "C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\" "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "xxo4a232 "= "RUNDLL32.EXE w0275b41.dll,n 0034a22f000000110275b41 "
    "AVG7_CC "= "C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "PSLister "= "\ "C:\\Program Files\\PSLister\\PSLister.exe\" "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000000

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source "= "C:\\Program Files\\Online Services\\ "
    "SubscribedURL "=" "
    "FriendlyName "=" "
    "Flags "=dword:00002000
    "Position "=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState "=dword:40000001
    "OriginalStateInfo "=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo "=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source "= "C:\\Program Files\\Messenger\\ "
    "SubscribedURL "=" "
    "FriendlyName "=" "
    "Flags "=dword:00002000
    "Position "=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState "=dword:40000001
    "OriginalStateInfo "=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo "=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,50,01,00,00,00,00,00,00,40,05,00,00,f8,03,00,00,ec,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=dword:40000004
    "OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo "=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run "= "C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE "

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run "= "C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE "

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} "=" "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "ewido anti-spyware 4.0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    "path "= "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Digital Line Detect.lnk "
    "backup "= "C:\\WINDOWS\\pss\\Digital Line Detect.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\DIGITA~1\\DLG.exe "
    "item "= "Digital Line Detect "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
    "path "= "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\MyWebSearch Email Plugin.lnk "
    "backup "= "C:\\WINDOWS\\pss\\MyWebSearch Email Plugin.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\MWSOEMON.EXE "
    "item "= "MyWebSearch Email Plugin "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    "path "= "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\QuickBooks Update Agent.lnk "
    "backup "= "C:\\WINDOWS\\pss\\QuickBooks Update Agent.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\COMMON~1\\Intuit\\QUICKB~1\\QBUpdate\\qbupdate.exe "
    "item "= "QuickBooks Update Agent "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Charly Brantley^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    "path "= "C:\\Documents and Settings\\Charly Brantley\\Start Menu\\Programs\\Startup\\LimeWire On Startup.lnk "
    "backup "= "C:\\WINDOWS\\pss\\LimeWire On Startup.lnkStartup "
    "location "= "Startup "
    "command "= "C:\\PROGRA~1\\LimeWire\\LimeWire.exe -startup "
    "item "= "LimeWire On Startup "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Charly Brantley^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
    "path "= "C:\\Documents and Settings\\Charly Brantley\\Start Menu\\Programs\\Startup\\MyWebSearch Email Plugin.lnk "
    "backup "= "C:\\WINDOWS\\pss\\MyWebSearch Email Plugin.lnkStartup "
    "location "= "Startup "
    "command "= "C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\MWSOEMON.EXE "
    "item "= "MyWebSearch Email Plugin "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AIM]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "aim "
    "hkey "= "HKCU "
    "command "= "C:\\Program Files\\AIM\\aim.exe -cnetwait.odl "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ATIPTA]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "atiptaxx "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ccApp]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "ccApp "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Dell QuickSet]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "quickset "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Dell\\QuickSet\\quickset.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DellSupport]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "DSAgnt "
    "hkey "= "HKCU "
    "command "= "\ "C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\dla]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "tfswctrl "
    "hkey "= "HKLM "
    "command "= "C:\\WINDOWS\\system32\\dla\\tfswctrl.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DVDLauncher]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "DVDLauncher "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HostManager]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "AOLHostManager "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Common Files\\AOL\\1125277778\\ee\\AOLHostManager.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\IntelWireless]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "ifrmewrk "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ISUSPM Startup]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "ISUSPM "
    "hkey "= "HKLM "
    "command "= "C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ISUSScheduler]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "issch "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MMTray]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "mm_tray "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "msmsgs "
    "hkey "= "HKCU "
    "command "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MyWebSearch Email Plugin]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "mwsoemon "
    "hkey "= "HKLM "
    "command "= "C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\mwsoemon.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PCMService]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "PCMService "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "qttask "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RealTray]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "RealPlay "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Spyware Begone]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "freescan "
    "hkey "= "HKCU "
    "command "= "C:\\freescan\\freescan.exe -FastScan "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Spyware Doctor]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "swdoctor "
    "hkey "= "HKCU "
    "command "= "\ "C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "jusched "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Symantec NetDriver Monitor]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "SNDMon "
    "hkey "= "HKLM "
    "command "= "C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\THGuard]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "THGuard "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\TrojanHunter 4.2\\THGuard.exe\" "
    "inimapping "= "0 "

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Symantec NetDetect.job

    Completion time: 06-08-30 15:08:30.63
    ComboFix.txt
    ComboFix2.txt
    ComboFix3.txt
    ComboFix4.txt
     
  8. 2006/08/30
    TeMerc Inactive Alumni
    OK, that all appears to be legit, no more unwanted entries. Is the machine now running better?

    Let me know of any unusual symptoms occurring.

    As I sit here typing this, I am nagged by that rootkit line in Combofix. Let's run two quick rootkit tools to ease my mind.

    Please download RootKitRevealer from here

    Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire log file back into this thread for me to view.


    Then:
    Download and run F-Secure Blacklight.
    Double-click on bibeta.exe to run it.
    Click the *I accept* button near the bottom of that page.
    Download and run Blacklight: click Scan, then Next, Next again, then Exit.
    There will be a new text file near Blacklight. Post it please. The text file is named
    fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).
    !!Do not rename any files yet

    Post both logs back here. Call me paranoid I guess, sorry.
     
  9. 2006/08/30
    LarryB227 Inactive Thread Starter
    Here is the first log from RootkitRevealer, and I am still getting that rundll error at startup, but when I click OK it goes away and does not come back until the next startup.

    Also, when I was running RootkitRevealer I had several pop-ups of Trojan Horses by AVG shield; they were discovered when RootkitRevealer was scanning the System Volume Information folder/restore. I just said to ignore them.

    I also have a generic error relating to the owner's email address and something about the POP3 server could not be found. I am sure she's using IM, as she is a college student neighbor of mine. This is the message:

    Generic error message
    EMAIL EDITED BY TEMERC
    POP3 server unavailable. Network problems? [Server response:-ERR AVG POP3 Proxy Server: Cannot connect to the mail server!]


    Otherwise it is running much better. Here is the log:

    C:\$VAULT$.AVG\02679312.FIL 06-08-30 18:39 72.46 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02689234.FIL 06-08-30 18:39 36.46 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02696125.FIL 06-08-30 18:40 48.46 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02702281.FIL 06-08-30 18:40 21.47 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02708937.FIL 06-08-30 18:40 29.47 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02713421.FIL 06-08-30 18:40 49.49 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02718906.FIL 06-08-30 18:40 2.97 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02723656.FIL 06-08-30 18:40 51.02 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02728921.FIL 06-08-30 18:40 51.02 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02734140.FIL 06-08-30 18:40 345.47 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02738609.FIL 06-08-30 18:40 2.97 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02743218.FIL 06-08-30 18:40 2.97 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02746656.FIL 06-08-30 18:40 5.47 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02750062.FIL 06-08-30 18:40 60.97 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02754625.FIL 06-08-30 18:41 7.47 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02759156.FIL 06-08-30 18:41 74.47 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02764671.FIL 06-08-30 18:41 56.47 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02768593.FIL 06-08-30 18:41 1.46 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02772359.FIL 06-08-30 18:41 62.97 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02777140.FIL 06-08-30 18:41 3.47 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02783859.FIL 06-08-30 18:41 1.47 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02790093.FIL 06-08-30 18:41 63.47 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02793437.FIL 06-08-30 18:41 77.02 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02813640.FIL 06-08-30 18:42 77.02 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02820250.FIL 06-08-30 18:42 76.97 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02824437.FIL 06-08-30 18:42 152.47 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02827843.FIL 06-08-30 18:42 152.47 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02831562.FIL 06-08-30 18:42 152.47 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02834625.FIL 06-08-30 18:42 156.46 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02853906.FIL 06-08-30 18:42 156.46 KB Hidden from Windows API.
    C:\$VAULT$.AVG\02860000.FIL 06-08-30 18:42 52.46 KB Hidden from Windows API.
    C:\Documents and Settings\Charly Brantley\Local Settings\Temporary Internet Files\Content.IE5\89S2U0NX\doc21001us[1] 06-08-30 18:41 1.75 KB Hidden from Windows API.
    C:\Documents and Settings\Charly Brantley\Local Settings\Temporary Internet Files\Content.IE5\FXVLQ5WB\layout[1].css 06-08-30 18:41 4.02 KB Hidden from Windows API.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000014.exe 06-08-20 16:20 72.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000038.exe 06-08-27 19:53 36.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000039.exe 06-08-21 16:50 48.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000041.dll 06-08-27 15:25 21.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000042.dll 06-08-27 19:56 29.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000060.dll 06-08-21 10:27 49.03 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000064.dll 06-07-05 04:44 2.50 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001211.dll 06-08-27 20:17 50.54 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001212.dll 06-08-21 10:25 50.54 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001213.exe 06-08-27 19:55 345.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001214.exe 06-08-20 16:20 2.50 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001215.exe 06-08-27 19:56 2.50 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001217.exe 06-08-28 08:06 5.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001218.dll 06-08-20 16:27 60.50 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001219.exe 06-08-20 16:15 7.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001220.exe 06-08-20 16:17 74.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001221.exe 06-08-27 19:52 56.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001224.exe 06-08-20 16:17 1.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001225.dll 06-08-20 16:17 62.50 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001226.exe 06-08-27 19:53 3.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001228.exe 06-08-27 19:54 1.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001229.dll 06-08-27 19:54 63.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001230.dll 06-08-27 23:01 76.54 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001231.dll 06-08-27 21:21 76.54 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001232.dll 06-08-27 16:28 76.50 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001233.exe 06-08-11 12:05 152.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001234.exe 06-08-11 12:05 152.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001235.exe 06-08-11 12:05 152.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001236.exe 06-08-21 18:41 156.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001237.exe 06-08-21 18:41 156.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001238.exe 06-08-21 16:48 52.00 KB Visible in Windows API, but not in MFT or directory index.
     
    Last edited: 2006/08/30
  10. 2006/08/30
    LarryB227 Inactive Thread Starter
    Boy, that program almost lost me, but I waded through it. Here is the report.

    08/30/06 19:10:11 [Info]: BlackLight Engine 1.0.46 initialized
    08/30/06 19:10:11 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    08/30/06 19:10:12 [Note]: 7019 4
    08/30/06 19:10:12 [Note]: 7005 0
    08/30/06 19:10:13 [Note]: 7006 0
    08/30/06 19:10:13 [Note]: 7011 3432
    08/30/06 19:10:13 [Note]: 7026 0
    08/30/06 19:10:13 [Note]: 7026 0
    08/30/06 19:10:30 [Note]: FSRAW library version 1.7.1019
    08/30/06 19:13:06 [Note]: 7007 0
     
  11. 2006/08/30
    TeMerc Inactive Alumni
    OK, all that stuff in the RKR log is ok, no threats; the items were found in the system restore folder and in the AVG vault.

    The Blacklight log is fine too.

    That rundll error is related to one of the malware files we removed and should be gone, so I'm not sure why it's still throwing that error.

    I'm going to consult with a friend of mine and see what she says; she does nothing but play with and analyse these infections 24/7. She'll know for sure.

    But you're ok as far as malware goes.

    As for the email message, that's probably something on the server side, and unrelated to any of the infections. It's not likely related to AIM IM either.

    I'll get back about the rundll error as soon as I can.
     
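    Triaging a RootkitRevealer log the way it was done by eye in the post above (AVG vault and System Restore entries are expected, anything else needs a look), as an added Python example that is not part of the thread or of RootkitRevealer itself; the benign-location rules and the sample log, which mixes lines from the post with two constructed HYPOTHETICAL entries, are assumptions.

```python
"""Triage helper for RootkitRevealer (RKR) output. Added example, not from the thread.

Each RKR line has the form:
    <path> <yy-mm-dd> <hh:mm> <size> <unit> <discrepancy text>.
The helper parses that shape, applies a small table of expected discrepancies
(an assumption based on the reviewer's verdict in the thread) and reports
everything else, including a known location with the wrong discrepancy type.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<date>\d{2}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>\d+(?:\.\d+)?)\s+(?P<unit>bytes|KB|MB|GB)\s+"
    r"(?P<reason>.+?)\.?\s*$"
)

UNIT_TO_KB = {"bytes": 1 / 1024, "KB": 1.0, "MB": 1024.0, "GB": 1024.0 * 1024}

# (path pattern, discrepancy text expected for that location, label).
# These rules are an assumption: they encode what the thread's reviewer
# treated as benign, not a rule shipped with RootkitRevealer.
BENIGN_RULES = [
    (re.compile(r"^[A-Z]:\\\$VAULT\$\.AVG\\", re.I),
     "hidden from windows api",
     "AVG virus vault (quarantined files are kept hidden on purpose)"),
    (re.compile(r"^[A-Z]:\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP\d+\\", re.I),
     "not in mft or directory index",
     "System Restore point copy of a removed file"),
    (re.compile(r"\\Local Settings\\Temporary Internet Files\\Content\.IE5\\", re.I),
     "hidden from windows api",
     "IE cache entry (commonly listed by RKR)"),
]


@dataclass
class Finding:
    path: str
    size_kb: float
    reason: str
    verdict: str  # "benign: <label>" or "review: <why>"


def classify(path: str, reason: str) -> str:
    """Return a verdict string for one discrepancy."""
    low = reason.lower()
    for pattern, expected, label in BENIGN_RULES:
        if pattern.search(path):
            if expected in low:
                return "benign: " + label
            # Known-benign location but a different discrepancy type:
            # do not auto-clear, a human should look at it.
            return "review: unexpected discrepancy for a known-benign location"
    return "review: unexplained discrepancy"


def parse_line(line: str) -> Optional[Finding]:
    """Parse one RKR line; return None for headers or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size_kb = round(float(m["size"]) * UNIT_TO_KB[m["unit"]], 2)
    return Finding(m["path"], size_kb, m["reason"], classify(m["path"], m["reason"]))


def triage(log_text: str) -> List[Finding]:
    return [f for f in (parse_line(l) for l in log_text.splitlines()) if f]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"benign": 0, "review": 0}
    for f in findings:
        counts[f.verdict.split(":")[0]] += 1
    return counts


def needs_review(findings: List[Finding]) -> List[str]:
    return [f.path for f in findings if f.verdict.startswith("review")]


# Constructed sample: three lines taken from the post plus two HYPOTHETICAL
# entries (not real files) to exercise the review paths.
SAMPLE_LOG = r"""
C:\$VAULT$.AVG\02679312.FIL 06-08-30 18:39 72.46 KB Hidden from Windows API.
C:\Documents and Settings\Charly Brantley\Local Settings\Temporary Internet Files\Content.IE5\FXVLQ5WB\layout[1].css 06-08-30 18:41 4.02 KB Hidden from Windows API.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000014.exe 06-08-20 16:20 72.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\HYPOTHETICAL.dll 06-08-30 18:40 2.50 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\HYPOTHETICAL.sys 06-08-30 18:40 12.00 KB Hidden from Windows API.
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.verdict:<60} {f.size_kb:>8} KB  {f.path}")
    print(summarize(results))
```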
  12. 2006/08/31
    LarryB227 Inactive Thread Starter
    I got it this time, as I ran HijackThis one more time and it showed up, so I checked and fixed it and it does not show up anymore at startup. I can only figure that when I did it before I must have missed that file. All is well and I thank you very much.

    LarryB
     
  13. 2006/08/31
    TeMerc Inactive Alumni
    Well, well, well............I guess it's about time we nailed that sucker eh? :p

    Let's have you do some reboots and some surfing, and maybe have you run a HJT log file and see if anything returns.

    I'll leave this thread open for a few days and if you don't find anything, we can conclude you are good to go.
     
  14. 2006/08/31
    LarryB227 Inactive Thread Starter
    OK, I did some surfing without incident and that dll is no longer a pest, so here is the log you requested.

    I am suggesting that she use Sygate, Spybot, Ad-Aware, and Ewido on a regular basis to avoid this in the future. If you have any other suggestions, they would be appreciated.

    Logfile of HijackThis v1.99.1
    Scan saved at 14:29, on 06-08-31
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.opera.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe "
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
     
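    An added Python helper, not from the thread or from HijackThis, that parses the O4 autostart lines of an HJT log like the one above, classifies where each autostart program lives and checks whether it appears in the 'Running processes' section; the sample log is an excerpt of the post's log plus one constructed HYPOTHETICAL entry, and the location classes are an assumption.

```python
"""Parse HijackThis O4 entries and cross-check them against 'Running processes'.

Added example, not from the thread or from HijackThis. An O4 line looks like:
    O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" /args
The helper extracts hive, key, name, executable and arguments, labels the
executable's location (assumed classes, not an HJT feature) and marks whether
a process with that file name is in the log's running-process list.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
QUOTED_RE = re.compile(r'^"(?P<exe>[^"]+)"\s*(?P<args>.*)$')
BARE_RE = re.compile(r"^(?P<exe>.+?\.exe)\b\s*(?P<args>.*)$", re.I)


@dataclass
class AutostartEntry:
    hive: str
    key: str
    name: str
    exe: str
    args: str
    location: str
    running: bool


def basename(path: str) -> str:
    """File name of a Windows path, lower-cased, independent of the host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run value into (executable, arguments), quoted or bare."""
    cmd = cmd.strip()
    m = QUOTED_RE.match(cmd) or BARE_RE.match(cmd)
    if not m:
        return cmd, ""
    return m["exe"].strip(), m["args"].strip()


def location_class(exe: str) -> str:
    """Assumed coarse classes: where an autostart binary normally lives."""
    low = exe.lower()
    if low.startswith(("c:\\program files\\", "c:\\progra~1\\")):
        return "program files"
    if low.startswith("c:\\windows\\"):
        return "windows"
    if "\\documents and settings\\" in low or "\\temp\\" in low:
        return "user profile or temp"
    return "other"


def parse_running(text: str) -> Set[str]:
    """File names listed under 'Running processes:' up to the next blank line."""
    names, inside = set(), False
    for line in text.splitlines():
        s = line.strip()
        if s.lower() == "running processes:":
            inside = True
            continue
        if inside:
            if not s:
                break
            names.add(basename(s))
    return names


def parse_autostarts(text: str) -> List[AutostartEntry]:
    running = parse_running(text)
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe, args = split_command(m["cmd"])
        # Match on file name only: HJT mixes 8.3 (PROGRA~1) and long path forms.
        entries.append(AutostartEntry(m["hive"], m["key"], m["name"], exe, args,
                                      location_class(exe), basename(exe) in running))
    return entries


def worth_a_look(entries: List[AutostartEntry]) -> List[str]:
    """Names of autostarts outside the usual program directories."""
    return [e.name for e in entries if e.location not in ("program files", "windows")]


# Constructed sample: an excerpt of the post's log plus one HYPOTHETICAL entry.
SAMPLE_HJT = r"""Logfile of HijackThis v1.99.1
Scan saved at 14:29, on 06-08-31

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HYPOTHETICAL] C:\Documents and Settings\Charly Brantley\Local Settings\Temp\hypothetical.exe
"""

if __name__ == "__main__":
    for e in parse_autostarts(SAMPLE_HJT):
        state = "running" if e.running else "not running"
        print(f"{e.hive} {e.key} [{e.name}] {e.location:<22} {state:<12} {e.exe} {e.args}")
```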
  15. 2006/08/31
    TeMerc Inactive Alumni
    It's all looking good.

    I would suggest some other countermeasures as well. They are simple to use, and updating is easy once they have done it a couple of times. I'll reference them below.

    And of course the best defense is smart and cautious surfing.

    We have 3 more things to do, to help ensure you have removed all the little 'leftovers' which may be hiding:

    Empty the TIF (Temporary Internet Files)
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.

    Here is a link which describes how security apps work with WIN XP machines.
    XP User Accts Security Apps Operation

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To avoid known malware infested sites from loading in IE install IESPY ADS.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.1.

    Another thing I would suggest, is to install SiteAdvisor. It gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps, proving how securely you can surf with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D
     
  16. 2006/09/01
    LarryB227 Inactive Thread Starter
    I really thank you Tom for all this help.
    This machine only has one user so that is all good.
    I have DL'd the software you suggested and I will teach Charly, the user, how to keep it up to date and how to scan on a weekly basis.

    I have another machine at home that is slow and I have done all I know on how to speed it up. Would a Hijackthis log be the first thing you would do to decide which way to go? It is also a Dell laptop. I think a 5150.

    Thanks again
    LarryB
     
  17. 2006/09/01
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Once Charly has updated a couple of those apps, it'll be a breeze.

    For your machine, the first thing I would do is check for unnecessary processes. This is usually the area which winds up reclaiming some CPU.

    Here is an excellent site for that:
    AnswersThatWork
    Just go to the appropriate letter and search for the process/exe; they will give good detailed info regarding it, and we use it quite often. If you can't find it there, then use Google.

    And once you have all that figured out, WinPatrol, which I mentioned above is a nice little start up manager with some other features as well.

    If you feel your laptop has some malware on it then post a log in a new thread and I'll have a look.
     
  18. 2006/09/01
    LarryB227

    LarryB227 Inactive Thread Starter

    Joined:
    2006/08/28
    Messages:
    25
    Likes Received:
    0
    Thanks again, Tom, for all your help, and I will check out the other computer in the way you suggested.
    Larry B
     
  19. 2006/09/01
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Glad we could be of assistance.

    Due to resolution, this topic is closed.

    If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.
     