
Windows cannot find vmmdiag32.exe

Discussion in 'Malware and Virus Removal Archive' started by gherb, 2006/10/20.

Thread Status:
Not open for further replies.
  1. 2006/10/20
    gherb

    gherb Inactive Thread Starter

    Joined:
    2006/10/20
    Messages:
    6
    Likes Received:
    0
    Hello,

    I am running Windows XP Professional and the AVG Virus Protection program I am using detected and "healed" a virus that it found (which is good). The virus name was "Sality.exe" I believe. However, now when I start up my computer, after getting to the desktop, the message "Windows cannot find vmmdiag32.exe" comes up and appears to slow down my computer a little. This message is very annoying and I would like to know what I should/can do to have this message go away.

    Has anyone had this happen to them and do you have a solution? My computer will still work after clicking "OK" on the dialog box, but I would like my computer to run properly and not have this message appear anymore. Such is life with Windows... I tried a system restore to a couple days prior but it was unable to do the system restore for reasons not given.

    I don't appear to have any viruses on my machine but this appears to be a side effect of the virus removal or maybe the message is simply a scam for me to put this bad file back in my Windows\System32 directory so that it will do more harm. Either way I would like to have this message gone. Maybe we can just delete the entry in the appropriate .ini file which prompts this message to come up.

    If you have a solution and/or recommendation, please respond to this post or email me at EMAIL EDITED BY TEMERC.

    I appreciate your help very much and hope that this can be solved with a minimal amount of pain.

    Thanks,
    Gary
     
  2. 2006/10/20
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to WindowsBBS Forums.

    Well it's good your AVG got that file, as it should have. Did it give you a file path where the virus was found?

    For us to better analyze your machine, could we please get a HijackThis! log file.

    With this log we can better determine what else may be present on your machine. In this day and age, it is quite common to have more than one nasty combined.

    Please do as instructed below and we'll offer help timely.

    HiJackThis v1.99.1 zip.
    DL the zip file to your desktop, then create a new folder on your C drive, called 'HJT' or 'HijackThis'. Then unzip the files to the new folder. When you run HijackThis.exe from the C:\HJT folder and have it "Fix checked", it will create a backup file of the modifications, easily accessible if a restore is necessary.

    Run the program, and press Scan. You will notice the Scan button will turn into a "Save Log" button. Save the log and Post that log onto this topic. DO NOT DELETE or modify anything yet, as some of it is needed to keep your system in proper working order.
     


  4. 2006/10/23
    jay077

    jay077 Inactive

    Joined:
    2006/10/23
    Messages:
    1
    Likes Received:
    0
    cannot find vmmdiag32.exe

    I have done a HijackThis scan and created a log file. Can someone please have a look and tell me how to fix my **** slow computer.
    Cheers Jay


    Logfile of HijackThis v1.99.1
    Scan saved at 11:50:44 PM, on 23/10/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Telstra\Cable Login\bpcable.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe vmmdiag32.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
    O4 - HKLM\..\Run: [Windows Automatical Updater] dcz.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [WINDO23] C:\WINDOWS\system32\c.exe
    O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY
    O4 - HKLM\..\RunServices: [Windows Automatical Updater] dcz.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Windows Automatical Updater] dcz.exe
    O4 - HKCU\..\Run: [WinMedia] C:\361101032253072.exe
    O4 - HKCU\..\Run: [Winsvr] C:\3611010322516384.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
    O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
    O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
    O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
    O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
    O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153867562017
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WLogon - srvc.dll (file missing)
    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Microsoft information dll service (msidll) - Unknown owner - C:\WINDOWS\system\msidll.exe (file missing)
    O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe (file missing)
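    As an added example (not part of this thread, and not HijackThis or any tool the helpers use), the script below does over a log excerpt the triage TeMerc does by eye: it flags an F2 Shell value that names an executable besides Explorer.exe (Winlogon launches every program listed in that value, so once AVG deleted vmmdiag32.exe the leftover reference is what produces the "Windows cannot find vmmdiag32.exe" dialog at every logon), O4 Run entries that name an executable with no path or a purely numeric executable in the drive root, and O20/O21/O23 entries whose file is already missing. The sample lines are excerpted from jay077's log above; the rule names and the `Finding` structure are my own constructions.

```python
"""Triage of HijackThis v1.99 log lines for leftover autostart references.

Added example, not a WindowsBBS or HijackThis tool: a small parser that flags
the kinds of entries the helpers in this thread act on.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt: lines taken from jay077's HijackThis log in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe vmmdiag32.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [Windows Automatical Updater] dcz.exe
O4 - HKLM\..\RunServices: [Windows Automatical Updater] dcz.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WinMedia] C:\361101032253072.exe
O4 - HKCU\..\Run: [Winsvr] C:\3611010322516384.exe
O20 - Winlogon Notify: WLogon - srvc.dll (file missing)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Microsoft information dll service (msidll) - Unknown owner - C:\WINDOWS\system\msidll.exe (file missing)
"""


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "F2" or "O4"
    rule: str    # hypothetical rule name chosen for this example
    detail: str  # the offending value
    line: str    # the original log line


LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
SHELL_RE = re.compile(r"^REG:system\.ini: Shell=(?P<value>.*)$", re.IGNORECASE)
# O4 body: HKLM\..\Run: [Name] command   (also RunServices, RunOnce, ...)
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.*)$")
# A purely numeric .exe sitting directly in the drive root, as in C:\36110103225.exe
ROOT_NUMERIC_RE = re.compile(r"^[A-Za-z]:\\\d+\.exe$", re.IGNORECASE)


def _image_path(cmd: str) -> str:
    """Return the program path from an O4 command line, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> List[Finding]:
    """Apply the three leftover-reference rules to every recognised log line."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "F2":
            sm = SHELL_RE.match(body)
            if sm:
                tokens = sm.group("value").split()
                # Anything after Explorer.exe is an extra program Winlogon will try to start.
                extras = tokens[1:] if tokens and tokens[0].lower() == "explorer.exe" else tokens
                if extras:
                    findings.append(Finding(code, "extra-shell-exe", " ".join(extras), line))
        elif code == "O4":
            rm = RUN_RE.match(body)
            if rm:
                path = _image_path(rm.group("cmd"))
                if path and "\\" not in path and ":" not in path:
                    # Bare filename: resolved through the search path, so it hides where it lives.
                    findings.append(Finding(code, "bare-filename", path, line))
                elif ROOT_NUMERIC_RE.match(path):
                    findings.append(Finding(code, "root-drive-exe", path, line))
        elif code in ("O20", "O21", "O23") and "(file missing)" in body:
            # The component is gone but its load point is still registered.
            findings.append(Finding(code, "file-missing", body, line))
    return findings


def rule_counts(findings: List[Finding]) -> Dict[str, int]:
    """Summarise how many times each rule fired."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.rule:<16} {f.detail}")
```

    The rules are deliberately narrow: a bare filename or a root-level numeric executable is a prompt to look the entry up, not proof of malware (ctfmon.exe and the AVG service pass untouched), and the F2 rule only states what the dialog at logon is complaining about; which entries to remove is still the helper's call, as in the thread.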
     
  5. 2006/10/23
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, you have a real nasty one there, but we have an automated fix for it, please do as instructed below.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
     
  6. 2006/10/23
    RangaRao

    RangaRao Inactive

    Joined:
    2006/10/23
    Messages:
    1
    Likes Received:
    0
    vmmdiag32.exe file is missing in Windows 98 OS

    Rangarao
     
  7. 2006/10/23
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, I need some clarification here before we proceed.

    I missed the fact that a different user posted the HJT log which required the SDFix.

    Is Jay actually gherb, and they logged in using a different name, or is Jay another user?

    And who is RangaRao and what is the purpose of your post?

    This thread needs to be sorted out before we continue.
     
  8. 2006/10/24
    gherb

    gherb Inactive Thread Starter

    Joined:
    2006/10/20
    Messages:
    6
    Likes Received:
    0
    HijackThis Log

    Hello TeMerc,

    Here is the Report.txt (log) file after running the SDFix.exe program that you supplied:


    SDFix: Version 1.31
    -------------------

    Scan run on:
    Tue 10/24/2006

    Time:
    12:07 PM


    Microsoft Windows XP [Version 5.1.2600]

    Running from: C:\Documents and Settings\Gary Herbelot\Desktop\SDFix

    Stage One...

    Checking Services...

    Name:
    -----


    Path:
    ----




    Repairing Registry...

    Restoring Default Hosts File...

    Stage One Complete

    Rebooting...

    Stage Two...

    Checking For Malware:
    --------------------


    Backing Up and Removing any Files Found...

    Final Check:

    Services:
    ---------




    Files:
    ------



    Any files removed are saved to the SDFix\backups Folder

    FINISHED


    Logfile of HijackThis v1.99.1
    Scan saved at 11:57:49 AM, on 10/24/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\kmw_run.exe
    C:\WINDOWS\system32\kkw_run.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\WINDOWS\system32\KMW_SHOW.EXE
    C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    C:\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F2 - REG:system.ini: Shell=Explorer.exe vmmdiag32.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
    O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
    O4 - HKLM\..\Run: [kkw_run.exe] kkw_run.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O20 - Winlogon Notify: pasksa - C:\WINDOWS\SYSTEM32\pasksa.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: xartcd5 - xartcd5.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


    I ran the program and the error message that I was getting on the Desktop when booting is now gone. Thanks TeMerc for the help. I couldn't have figured it out without your help. You rock dude!
    gherb
     
    Last edited: 2006/10/24
  9. 2006/10/24
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Not quite out of the woods just yet, you're still infected with a pretty nasty bug.

    We need to run another special tool.

    Download haxfix.exe
    and save it to your desktop.
    • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
    • Checkmark "Create a desktop icon "
    • Click "Next "
    • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
    • Click "Finish "

    A red "dos window" (dos box) will open with options:

    • 1. Make logfile
      2. Run auto fix
      3. Run manual fix
      E. Exit Haxfix

    • Select option 1. Make logfile by typing 1 and then pressing Enter
    • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt
    • Copy the contents of that logfile and paste it into this thread. (c:\haxfix.txt)
     
  10. 2006/10/26
    gherb

    gherb Inactive Thread Starter

    Joined:
    2006/10/20
    Messages:
    6
    Likes Received:
    0
    HaxFix logfile

    Hello again TeMerc,

    Here is the copy of the log file after running the HaxFix.exe program.

    Once again, thanks for the help and I will await further instructions from you.
    gherb

    HAXFIX logfile - by Marckie
    ______________
    version 4.28
    Thu 10/26/2006 16:26:09.95

    checking for haxdoor
    --------------------
    checking for a3d files....
    a3d files not found

    checking for matching notify keys....
    no matching notify keys found

    checking for matching services....
    matching services found
    Aspi32

    checking for matching safeboot services....
    no matching safeboot services found

    checking for other haxdoorfiles....


    Checking for goldun
    -------------------

    checking for SSODL keys....
    no ssodl keys found

    checking for notify keys....
    pasksa
    xartcd5

    checking for services....
    xartcd7

    checking for other goldunfiles....
    wmdconf32.dll found


    Finished
     
  11. 2006/10/26
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Nice, looks like we got some more stuff. Let's get a special search/removal tool which may help with some of the lesser remaining nasties first and then a new HJT log.

    Download combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    Then give me both ComboFix and a newly generated HJT log please.
     
  12. 2006/10/29
    gherb

    gherb Inactive Thread Starter

    Joined:
    2006/10/20
    Messages:
    6
    Likes Received:
    0
    TeMerc,

    Here is the ComboFix.txt log file contents:

    Gary Herbelot - 06-10-29 18:34:06.81 Service Pack 2
    ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Gary Herbelot\Desktop "

    ((((((((((((((((((((((((((((((( Files Created from 2006-09-29 to 2006-10-29 ))))))))))))))))))))))))))))))))))


    2006-10-26 15:26 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
    2006-10-26 15:26 7,483 --a------ C:\clean.bat
    2006-10-26 15:26 40,960 --a------ C:\WINDOWS\system32\swsc.exe
    2006-10-26 15:26 4,096 --a------ C:\WINDOWS\system32\reboot.exe
    2006-10-26 15:26 38,400 --a------ C:\WINDOWS\system32\moveex.exe
    2006-10-22 11:25 121,856 --------- C:\WINDOWS\system32\xmllite.dll
    2006-10-19 17:54 81,920 --a------ C:\WINDOWS\system32\wmdconf32.dll
    2006-10-19 17:53 2,560 --a------ C:\36110103225.exe
    2006-10-17 12:33 6,049,280 --------- C:\WINDOWS\system32\ieframe.dll
    2006-10-17 12:33 50,688 --------- C:\WINDOWS\system32\msfeedsbs.dll
    2006-10-17 12:33 458,752 --------- C:\WINDOWS\system32\msfeeds.dll
    2006-10-17 12:33 180,736 --------- C:\WINDOWS\system32\ieui.dll
    2006-10-17 12:05 206,336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
    2006-10-17 12:01 13,312 --a------ C:\WINDOWS\system32\ieudinit.exe
    2006-10-17 11:58 61,952 --------- C:\WINDOWS\system32\icardie.dll
    2006-10-17 11:58 12,288 --------- C:\WINDOWS\system32\msfeedssync.exe
    2006-10-17 11:57 266,752 --------- C:\WINDOWS\system32\iertutil.dll
    2006-10-17 11:27 380,928 --------- C:\WINDOWS\system32\ieapfltr.dll
    2006-10-09 19:59 6,688 --a------ C:\WINDOWS\system32a00xstemp.exe
    2006-10-09 19:24 6,688 --a------ C:\WINDOWS\system32_00xstemp.exe
    2006-10-09 12:44 6,688 --a------ C:\WINDOWS\system32]00xstemp.exe
    2006-10-09 12:44 3,056 --a------ C:\WINDOWS\system32\045454.sys
    2006-10-09 12:44 10,790 --a------ C:\WINDOWS\system32\pasksa.dll
    2006-10-09 08:52 0 --a------ C:\WINDOWS\system32\xartcd7.sys


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-10-26 15:26 -------- d-------- C:\Program Files\HaxFix
    2006-10-22 11:29 -------- d-------- C:\Program Files\Internet Explorer
    2006-10-21 14:22 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-10-19 11:23 -------- d-------- C:\Program Files\Apple Software Update
    2006-10-17 12:33 413696 --a------ C:\WINDOWS\system32\vbscript.dll
    2006-10-17 12:33 231424 --a------ C:\WINDOWS\system32\webcheck.dll
    2006-10-17 12:33 156160 --a------ C:\WINDOWS\system32\msls31.dll
    2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
    2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
    2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
    2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
    2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
    2006-10-17 12:01 71680 --a------ C:\WINDOWS\system32\admparse.dll
    2006-10-17 12:01 55296 --a------ C:\WINDOWS\system32\iesetup.dll
    2006-10-17 12:01 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
    2006-10-17 12:01 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
    2006-10-17 12:01 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
    2006-10-17 12:00 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
    2006-10-17 12:00 43008 --a------ C:\WINDOWS\system32\iernonce.dll
    2006-10-17 12:00 123904 --a------ C:\WINDOWS\system32\advpack.dll
    2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
    2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
    2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
    2006-10-17 11:23 161792 --a------ C:\WINDOWS\system32\ieakui.dll
    2006-10-16 18:11 16128 --a------ C:\WINDOWS\system32\drivers\RIOUNIV.SYS
    2006-10-16 18:11 1171456 --a------ C:\WINDOWS\system32\RIOWMSP.DLL
    2006-10-16 10:03 -------- d---s---- C:\Documents and Settings\Gary Herbelot\Application Data\Microsoft
    2006-10-13 10:39 -------- d-------- C:\Program Files\Google
    2006-10-10 12:07 -------- d-------- C:\Program Files\Windows Media Player
    2006-09-30 15:59 -------- d-------- C:\Program Files\Stellarium
    2006-09-28 08:18 -------- d-------- C:\Program Files\QuickTime
    2006-09-27 20:12 -------- d-------- C:\Program Files\iTunes
    2006-09-27 20:12 -------- d-------- C:\Program Files\iPod
    2006-09-27 20:12 -------- d-------- C:\Documents and Settings\Gary Herbelot\Application Data\Apple Computer
    2006-09-27 09:38 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
    2006-09-24 18:31 -------- d-------- C:\Documents and Settings\Gary Herbelot\Application Data\Sony Corporation
    2006-09-24 13:06 -------- d-------- C:\Program Files\Cakewalk Express Gold
    2006-09-21 05:37 5822 --a------ C:\Documents and Settings\Gary Herbelot\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log
    2006-09-21 05:36 -------- d-------- C:\Program Files\HP
    2006-09-21 05:36 -------- d-------- C:\Program Files\Hewlett-Packard
    2006-09-21 05:33 -------- d-------- C:\Program Files\Overland
    2006-09-20 16:53 -------- d-------- C:\Documents and Settings\Gary Herbelot\Application Data\AdobeUM
    2006-09-20 16:53 -------- d-------- C:\Documents and Settings\Gary Herbelot\Application Data\Adobe
    2006-09-20 16:52 -------- d-------- C:\Program Files\Common Files\Adobe
    2006-09-20 16:51 875 --a------ C:\Documents and Settings\Gary Herbelot\Application Data\AdobeDLM.log
    2006-09-20 16:51 0 --a------ C:\Documents and Settings\Gary Herbelot\Application Data\dm.ini
    2006-09-20 16:51 -------- d-------- C:\Program Files\Adobe
    2006-09-20 16:49 -------- d-------- C:\Program Files\Common Files
    2006-09-20 16:05 -------- d-------- C:\Documents and Settings\Gary Herbelot\Application Data\Macromedia
    2006-09-20 13:54 -------- d-------- C:\Documents and Settings\Gary Herbelot\Application Data\Google
    2006-09-20 10:51 -------- d-------- C:\Program Files\Messenger
    2006-09-20 10:48 -------- d-------- C:\Program Files\Outlook Express
    2006-09-20 10:48 -------- d-------- C:\Program Files\Common Files\System
    2006-09-20 08:59 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-09-20 08:59 -------- d-------- C:\Program Files\Analog Devices
    2006-09-20 07:47 -------- d-------- C:\Documents and Settings\Gary Herbelot\Application Data\Identities
    2006-09-20 07:23 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
    2006-09-20 07:22 4992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
    2006-09-20 07:22 4288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
    2006-09-20 07:22 23424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
    2006-09-20 07:22 -------- d-------- C:\Program Files\Grisoft
    2006-09-20 07:22 -------- d-------- C:\Documents and Settings\Gary Herbelot\Application Data\AVG7
    2006-09-20 07:11 -------- d-------- C:\Program Files\Microsoft Visual Studio
    2006-09-20 07:11 -------- d-------- C:\Program Files\Microsoft Office
    2006-09-20 07:11 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-09-20 07:11 -------- d-------- C:\Program Files\Common Files\Designer
    2006-09-20 07:10 -------- d-------- C:\Program Files\Snapshot Viewer
    2006-09-20 07:09 -------- d-------- C:\Program Files\microsoft frontpage
    2006-09-20 07:09 -------- d-------- C:\Documents and Settings\Gary Herbelot\Application Data\Microsoft Web Folders
    2006-09-20 06:24 -------- d-------- C:\Documents and Settings\Gary Herbelot\Application Data\Ahead
    2006-09-20 06:23 -------- d-------- C:\Program Files\Nero
    2006-09-20 06:23 -------- d-------- C:\Program Files\Common Files\Ahead
    2006-09-19 22:07 -------- d-------- C:\Documents and Settings\Gary Herbelot\Application Data\Smith Micro
    2006-09-19 22:06 -------- d-------- C:\Program Files\Verizon Wireless
    2006-09-19 22:06 -------- d-------- C:\Program Files\LG Drivers
    2006-09-19 22:06 -------- d-------- C:\Program Files\Common Files\InstallShield
    2006-09-19 22:03 -------- d-------- C:\Program Files\Sony
    2006-09-19 22:00 -------- d-------- C:\Program Files\Rio
    2006-09-19 21:56 -------- d-------- C:\Program Files\Kensington
    2006-09-19 21:56 -------- d-------- C:\Documents and Settings\Gary Herbelot\Application Data\Kensington
    2006-09-19 21:21 -------- d-------- C:\Program Files\Common Files\Hewlett-Packard
    2006-09-19 21:19 -------- d-------- C:\Program Files\Common Files\HP
    2006-09-19 21:01 -------- d--h----- C:\Program Files\Uninstall Information
    2006-09-19 20:52 -------- d-------- C:\Program Files\xerox
    2006-09-19 20:51 0 -rahs---- C:\MSDOS.SYS
    2006-09-19 20:51 0 -rahs---- C:\IO.SYS
    2006-09-19 20:51 0 --a------ C:\CONFIG.SYS
    2006-09-19 20:51 0 --a------ C:\AUTOEXEC.BAT
    2006-09-19 20:49 -------- d--h----- C:\Program Files\WindowsUpdate
    2006-09-19 20:48 -------- d-------- C:\Program Files\NetMeeting
    2006-09-19 20:48 -------- d-------- C:\Program Files\Movie Maker
    2006-09-19 20:48 -------- d-------- C:\Program Files\Common Files\Services
    2006-09-19 20:48 -------- d-------- C:\Program Files\Common Files\MSSoap
    2006-09-19 20:47 -------- d-------- C:\Program Files\Online Services
    2006-09-19 20:47 -------- d-------- C:\Program Files\ComPlus Applications
    2006-09-19 20:46 -------- d-------- C:\Program Files\Windows NT
    2006-09-19 20:46 -------- d-------- C:\Program Files\MSN Gaming Zone
    2006-09-19 20:46 -------- d-------- C:\Program Files\MSN
    2006-09-19 13:26 -------- d-------- C:\Program Files\Common Files\SpeechEngines
    2006-09-19 13:26 -------- d-------- C:\Program Files\Common Files\ODBC
    2006-09-19 13:25 62 --ahs---- C:\Documents and Settings\Gary Herbelot\Application Data\desktop.ini
    2006-09-12 21:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
    2006-09-06 16:43 22752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2006-08-25 07:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
    2006-08-21 04:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
    2006-08-21 01:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
    2006-08-16 03:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "\ "C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\" "
    "MSMSGS "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "swg "= "C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe "
    "ctfmon.exe "= "C:\\WINDOWS\\system32\\ctfmon.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "HP Component Manager "= "\ "C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\" "
    "DXDllRegExe "= "dxdllreg.exe "
    "kmw_run.exe "= "kmw_run.exe "
    "MSWheel "=" "
    "kkw_run.exe "= "kkw_run.exe "
    "NWEReboot "=" "
    "NeroFilterCheck "= "C:\\WINDOWS\\system32\\NeroCheck.exe "
    "AVG7_CC "= "C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP "
    "HP Software Update "= "C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "iTunesHelper "= "\ "C:\\Program Files\\iTunes\\iTunesHelper.exe\" "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "NoChange "= "1 "
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=hex:04,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo "=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "AVG7_Run "= "C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE "

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "AVG7_Run "= "C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Browseui preloader "
    "{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "ewido anti-spyware 4.0 "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
    "CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
    "WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
    "SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pasksa
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xartcd5

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    Completion time: 06-10-29 18:34:47.98
    C:\ComboFix.txt ... 06-10-29 18:34


    Here are the contents of HijackThislog.txt:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:46:25 PM, on 10/29/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\kmw_run.exe
    C:\WINDOWS\system32\kkw_run.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\KMW_SHOW.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
    O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
    O4 - HKLM\..\Run: [kkw_run.exe] kkw_run.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O20 - Winlogon Notify: pasksa - C:\WINDOWS\SYSTEM32\pasksa.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: xartcd5 - xartcd5.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    I await your next set of instructions.
     
  13. 2006/10/30
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, almost done. One more specialized tool to run and that should be it. And this isn't for any more infections, more just remnant removal at this point. But let me know what, if any, unwanted actions you're experiencing on the system.


    1) Please download the Killbox.
    Save it to the desktop and run it.

    2) Select "Delete on Reboot", and then select "All files".

    3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\system32\wmdconf32.dll
    C:\36110103225.exe
    C:\WINDOWS\system32a00xstemp.exe
    C:\WINDOWS\system32_00xstemp.exe
    C:\WINDOWS\system32]00xstemp.exe
    C:\WINDOWS\system32\045454.sys
    C:\WINDOWS\system32\pasksa.dll
    C:\WINDOWS\system32\xartcd7.sys
    xartcd5.dll


    4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.


    Do not reboot yet.

    Run Hijackthis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have No IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


    O20 - Winlogon Notify: xartcd5 - xartcd5.dll (file missing)



    Reboot and run ComboFix first, then HJT and post both logs back into this thread.
     
  14. 2006/10/30
    gherb

    gherb Inactive Thread Starter

    Joined:
    2006/10/20
    Messages:
    6
    Likes Received:
    0
    TeMerc,

    Here are the ComboFix.exe log file results:

    Gary Herbelot - 06-10-30 15:46:25.17 Service Pack 2
    ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Gary Herbelot\Desktop "

    ((((((((((((((((((((((((((((((( Files Created from 2006-09-30 to 2006-10-30 ))))))))))))))))))))))))))))))))))


    2006-10-26 15:26 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
    2006-10-26 15:26 7,483 --a------ C:\clean.bat
    2006-10-26 15:26 40,960 --a------ C:\WINDOWS\system32\swsc.exe
    2006-10-26 15:26 4,096 --a------ C:\WINDOWS\system32\reboot.exe
    2006-10-26 15:26 38,400 --a------ C:\WINDOWS\system32\moveex.exe
    2006-10-22 11:25 121,856 --------- C:\WINDOWS\system32\xmllite.dll
    2006-10-17 12:33 6,049,280 --------- C:\WINDOWS\system32\ieframe.dll
    2006-10-17 12:33 50,688 --------- C:\WINDOWS\system32\msfeedsbs.dll
    2006-10-17 12:33 458,752 --------- C:\WINDOWS\system32\msfeeds.dll
    2006-10-17 12:33 180,736 --------- C:\WINDOWS\system32\ieui.dll
    2006-10-17 12:05 206,336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
    2006-10-17 12:01 13,312 --a------ C:\WINDOWS\system32\ieudinit.exe
    2006-10-17 11:58 61,952 --------- C:\WINDOWS\system32\icardie.dll
    2006-10-17 11:58 12,288 --------- C:\WINDOWS\system32\msfeedssync.exe
    2006-10-17 11:57 266,752 --------- C:\WINDOWS\system32\iertutil.dll
    2006-10-17 11:27 380,928 --------- C:\WINDOWS\system32\ieapfltr.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-10-26 15:26 -------- d-------- C:\Program Files\HaxFix
    2006-10-22 11:29 -------- d-------- C:\Program Files\Internet Explorer
    2006-10-21 14:22 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-10-19 11:23 -------- d-------- C:\Program Files\Apple Software Update
    2006-10-17 12:33 413696 --a------ C:\WINDOWS\system32\vbscript.dll
    2006-10-17 12:33 231424 --a------ C:\WINDOWS\system32\webcheck.dll
    2006-10-17 12:33 156160 --a------ C:\WINDOWS\system32\msls31.dll
    2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
    2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
    2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
    2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
    2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
    2006-10-17 12:01 71680 --a------ C:\WINDOWS\system32\admparse.dll
    2006-10-17 12:01 55296 --a------ C:\WINDOWS\system32\iesetup.dll
    2006-10-17 12:01 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
    2006-10-17 12:01 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
    2006-10-17 12:01 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
    2006-10-17 12:00 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
    2006-10-17 12:00 43008 --a------ C:\WINDOWS\system32\iernonce.dll
    2006-10-17 12:00 123904 --a------ C:\WINDOWS\system32\advpack.dll
    2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
    2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
    2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
    2006-10-17 11:23 161792 --a------ C:\WINDOWS\system32\ieakui.dll
    2006-10-16 18:11 16128 --a------ C:\WINDOWS\system32\drivers\RIOUNIV.SYS
    2006-10-16 18:11 1171456 --a------ C:\WINDOWS\system32\RIOWMSP.DLL
    2006-10-16 10:03 -------- d---s---- C:\Documents and Settings\Gary Herbelot\Application Data\Microsoft
    2006-10-13 10:39 -------- d-------- C:\Program Files\Google
    2006-10-10 12:07 -------- d-------- C:\Program Files\Windows Media Player
    2006-09-30 15:59 -------- d-------- C:\Program Files\Stellarium
    2006-09-28 08:18 -------- d-------- C:\Program Files\QuickTime
    2006-09-27 20:12 -------- d-------- C:\Program Files\iTunes
    2006-09-27 20:12 -------- d-------- C:\Program Files\iPod
    2006-09-27 20:12 -------- d-------- C:\Documents and Settings\Gary Herbelot\Application Data\Apple Computer
    2006-09-27 09:38 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
    2006-09-24 18:31 -------- d-------- C:\Documents and Settings\Gary Herbelot\Application Data\Sony Corporation
    2006-09-24 13:06 -------- d-------- C:\Program Files\Cakewalk Express Gold
    2006-09-21 05:37 5822 --a------ C:\Documents and Settings\Gary Herbelot\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log
    2006-09-21 05:36 -------- d-------- C:\Program Files\HP
    2006-09-21 05:36 -------- d-------- C:\Program Files\Hewlett-Packard
    2006-09-21 05:33 -------- d-------- C:\Program Files\Overland
    2006-09-20 16:53 -------- d-------- C:\Documents and Settings\Gary Herbelot\Application Data\AdobeUM
    2006-09-20 16:53 -------- d-------- C:\Documents and Settings\Gary Herbelot\Application Data\Adobe
    2006-09-20 16:52 -------- d-------- C:\Program Files\Common Files\Adobe
    2006-09-20 16:51 875 --a------ C:\Documents and Settings\Gary Herbelot\Application Data\AdobeDLM.log
    2006-09-20 16:51 0 --a------ C:\Documents and Settings\Gary Herbelot\Application Data\dm.ini
    2006-09-20 16:51 -------- d-------- C:\Program Files\Adobe
    2006-09-20 16:49 -------- d-------- C:\Program Files\Common Files
    2006-09-20 16:05 -------- d-------- C:\Documents and Settings\Gary Herbelot\Application Data\Macromedia
    2006-09-20 13:54 -------- d-------- C:\Documents and Settings\Gary Herbelot\Application Data\Google
    2006-09-20 10:51 -------- d-------- C:\Program Files\Messenger
    2006-09-20 10:48 -------- d-------- C:\Program Files\Outlook Express
    2006-09-20 10:48 -------- d-------- C:\Program Files\Common Files\System
    2006-09-20 08:59 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-09-20 08:59 -------- d-------- C:\Program Files\Analog Devices
    2006-09-20 07:47 -------- d-------- C:\Documents and Settings\Gary Herbelot\Application Data\Identities
    2006-09-20 07:23 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
    2006-09-20 07:22 4992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
    2006-09-20 07:22 4288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
    2006-09-20 07:22 23424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
    2006-09-20 07:22 -------- d-------- C:\Program Files\Grisoft
    2006-09-20 07:22 -------- d-------- C:\Documents and Settings\Gary Herbelot\Application Data\AVG7
    2006-09-20 07:11 -------- d-------- C:\Program Files\Microsoft Visual Studio
    2006-09-20 07:11 -------- d-------- C:\Program Files\Microsoft Office
    2006-09-20 07:11 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-09-20 07:11 -------- d-------- C:\Program Files\Common Files\Designer
    2006-09-20 07:10 -------- d-------- C:\Program Files\Snapshot Viewer
    2006-09-20 07:09 -------- d-------- C:\Program Files\microsoft frontpage
    2006-09-20 07:09 -------- d-------- C:\Documents and Settings\Gary Herbelot\Application Data\Microsoft Web Folders
    2006-09-20 06:24 -------- d-------- C:\Documents and Settings\Gary Herbelot\Application Data\Ahead
    2006-09-20 06:23 -------- d-------- C:\Program Files\Nero
    2006-09-20 06:23 -------- d-------- C:\Program Files\Common Files\Ahead
    2006-09-19 22:07 -------- d-------- C:\Documents and Settings\Gary Herbelot\Application Data\Smith Micro
    2006-09-19 22:06 -------- d-------- C:\Program Files\Verizon Wireless
    2006-09-19 22:06 -------- d-------- C:\Program Files\LG Drivers
    2006-09-19 22:06 -------- d-------- C:\Program Files\Common Files\InstallShield
    2006-09-19 22:03 -------- d-------- C:\Program Files\Sony
    2006-09-19 22:00 -------- d-------- C:\Program Files\Rio
    2006-09-19 21:56 -------- d-------- C:\Program Files\Kensington
    2006-09-19 21:56 -------- d-------- C:\Documents and Settings\Gary Herbelot\Application Data\Kensington
    2006-09-19 21:21 -------- d-------- C:\Program Files\Common Files\Hewlett-Packard
    2006-09-19 21:19 -------- d-------- C:\Program Files\Common Files\HP
    2006-09-19 21:01 -------- d--h----- C:\Program Files\Uninstall Information
    2006-09-19 20:52 -------- d-------- C:\Program Files\xerox
    2006-09-19 20:51 0 -rahs---- C:\MSDOS.SYS
    2006-09-19 20:51 0 -rahs---- C:\IO.SYS
    2006-09-19 20:51 0 --a------ C:\CONFIG.SYS
    2006-09-19 20:51 0 --a------ C:\AUTOEXEC.BAT
    2006-09-19 20:49 -------- d--h----- C:\Program Files\WindowsUpdate
    2006-09-19 20:48 -------- d-------- C:\Program Files\NetMeeting
    2006-09-19 20:48 -------- d-------- C:\Program Files\Movie Maker
    2006-09-19 20:48 -------- d-------- C:\Program Files\Common Files\Services
    2006-09-19 20:48 -------- d-------- C:\Program Files\Common Files\MSSoap
    2006-09-19 20:47 -------- d-------- C:\Program Files\Online Services
    2006-09-19 20:47 -------- d-------- C:\Program Files\ComPlus Applications
    2006-09-19 20:46 -------- d-------- C:\Program Files\Windows NT
    2006-09-19 20:46 -------- d-------- C:\Program Files\MSN Gaming Zone
    2006-09-19 20:46 -------- d-------- C:\Program Files\MSN
    2006-09-19 13:26 -------- d-------- C:\Program Files\Common Files\SpeechEngines
    2006-09-19 13:26 -------- d-------- C:\Program Files\Common Files\ODBC
    2006-09-19 13:25 62 --ahs---- C:\Documents and Settings\Gary Herbelot\Application Data\desktop.ini
    2006-09-12 21:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
    2006-09-06 16:43 22752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2006-08-25 07:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
    2006-08-21 04:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
    2006-08-21 01:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
    2006-08-16 03:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "\ "C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\" "
    "MSMSGS "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "swg "= "C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe "
    "ctfmon.exe "= "C:\\WINDOWS\\system32\\ctfmon.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "HP Component Manager "= "\ "C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\" "
    "DXDllRegExe "= "dxdllreg.exe "
    "kmw_run.exe "= "kmw_run.exe "
    "MSWheel "=" "
    "kkw_run.exe "= "kkw_run.exe "
    "NWEReboot "=" "
    "NeroFilterCheck "= "C:\\WINDOWS\\system32\\NeroCheck.exe "
    "AVG7_CC "= "C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP "
    "HP Software Update "= "C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "iTunesHelper "= "\ "C:\\Program Files\\iTunes\\iTunesHelper.exe\" "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "NoChange "= "1 "
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=hex:04,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo "=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "AVG7_Run "= "C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE "

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "AVG7_Run "= "C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Browseui preloader "
    "{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "ewido anti-spyware 4.0 "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
    "CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
    "WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
    "SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pasksa
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xartcd5

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    Completion time: 06-10-30 15:47:25.23
    C:\ComboFix.txt ... 06-10-30 15:47
    C:\ComboFix2.txt ... 06-10-29 18:34

    Here are the HiJackThis.exe log file results:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:43:39 PM, on 10/30/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\kmw_run.exe
    C:\WINDOWS\system32\kkw_run.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\KMW_SHOW.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZENG09.exe
    C:\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
    O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
    O4 - HKLM\..\Run: [kkw_run.exe] kkw_run.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O20 - Winlogon Notify: pasksa - C:\WINDOWS\SYSTEM32\pasksa.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: xartcd5 - xartcd5.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    Let me know what needs to be done next. Thanks.
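An added example, not from this thread and not part of HijackThis: a small parser for the O4 (Run keys), O20 (Winlogon Notify) and O23 (service) lines of a log like the one above, flagging what a helper looks for before saying "Fix Checked": loading points whose file reports "(file missing)", as the xartcd5 O20 entry does, and Run entries that give a bare file name with no directory. The regexes, the Finding class and the sample lines are my own; the sample is constructed from the lines in this post.

```python
"""Triage helper for HijackThis v1.99.1 log lines (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Line shapes as HijackThis prints them. Startup ".lnk = path" O4 lines have
# no [name] bracket and are deliberately left alone here.
O4_RE = re.compile(r'^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$')
O23_RE = re.compile(
    r'^O23 - Service: (?P<name>.+?)(?: \((?P<short>[^)]*)\))? - (?P<vendor>.+?) - (?P<target>.*)$')

FILE_MISSING = "(file missing)"


@dataclass
class Finding:
    line_type: str   # "O4", "O20" or "O23"
    name: str        # entry name as HijackThis prints it
    target: str      # command line or module path from the log
    reason: str      # why the entry was flagged


def _strip_quotes(cmd: str) -> str:
    """Return just the executable part of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _is_bare_name(path: str) -> bool:
    """True when the command names a file with no directory at all, so the
    loader locates it through the search path rather than a fixed place."""
    return path != "" and "\\" not in path and "/" not in path and ":" not in path


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and collect the entries worth a second look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            if FILE_MISSING in m["target"]:
                findings.append(Finding("O20", m["name"], m["target"],
                                        "Winlogon Notify DLL is missing: orphaned loading point"))
            continue
        m = O4_RE.match(line)
        if m:
            exe = _strip_quotes(m["cmd"]).strip()
            if FILE_MISSING in m["cmd"]:
                findings.append(Finding("O4", m["name"], m["cmd"], "target file missing"))
            elif _is_bare_name(exe):
                findings.append(Finding("O4", m["name"], m["cmd"],
                                        "bare file name, found via search path: verify where it lives"))
            continue
        m = O23_RE.match(line)
        if m and FILE_MISSING in m["target"]:
            findings.append(Finding("O23", m["name"], m["target"], "service binary missing"))
    return findings


# Constructed sample, taken from the kinds of lines in the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
O20 - Winlogon Notify: pasksa - C:\WINDOWS\SYSTEM32\pasksa.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xartcd5 - xartcd5.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.line_type:4} {f.name:20} {f.reason}")
```

A bare-name hit is not a verdict by itself (kmw_run.exe here is the Kensington mouse software the O23 and process lists also show); it tells the helper which entries to confirm against the file system before fixing.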
     
  15. 2006/10/30
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, we have but only two minor items to delete from the registry.

    But let's first back up the registry. This is just a precautionary step, and you can delete the saved file once we are done.

    Click the 'Start' button, select 'Run', hit 'Enter'.

    When the box appears, type 'regedit', hit 'Enter'.

    Navigate to the following key, by unticking the '+' next to each subkey:
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify

    In the left hand side of the window, look for the following items:
    pasksa
    xartcd5


    Right-click one at a time, and select 'Delete'. Once both have been deleted, close the registry editor.

    We're done. Let me know what if any problems you're having at this point.

    We have 3 more things to do, to help ensure you have removed all the little 'leftovers' which may be hiding:

    Empty the TIF (Temporary Internet Files)
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.

    Here is a link which describes how security apps work with WIN XP machines.
    XP User Accts Security Apps Operation

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To stop known malware-infested sites from loading in IE, install IESPY ADS.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.5.

    Another thing I would suggest is to install SiteAdvisor. It gives sites a few different 'ratings' and, while not foolproof, is a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps, proving how safe you can be with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D
     
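The backup-then-delete registry procedure above, scripted as an added example (not TeMerc's instructions or any tool's own code). It assumes an elevated PowerShell prompt on the affected machine and picks a backup file under %TEMP%; the two subkey names come from the O20 lines in the HijackThis log posted above.

```powershell
# Added example: scripted version of the Winlogon\Notify backup-then-delete step.
# Run from an elevated PowerShell prompt; -DryRun previews removals without changing anything.
param([switch]$DryRun)

$notifyKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$notifyRegKey = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'  # reg.exe syntax
$toRemove     = @('pasksa', 'xartcd5')                    # the two O20 entries from the HJT log
$backupFile   = Join-Path $env:TEMP 'winlogon-notify-backup.reg'   # assumed backup location

# 1. Precautionary backup (the post's first step). The .reg file can be re-imported
#    with 'reg import' if anything goes wrong.
reg.exe export $notifyRegKey $backupFile /y | Out-Null
if (-not (Test-Path $backupFile)) { throw 'Backup failed; leaving the registry untouched.' }
Write-Host "Backup written to $backupFile"

# 2. Inventory every Winlogon Notify package before deleting anything. winlogon.exe loads
#    each subkey's DllName at logon, so a package whose DLL cannot be found (like xartcd5.dll
#    in the log) is exactly the kind of leftover an AV cleanup leaves behind.
Get-ChildItem $notifyKey | ForEach-Object {
    $dll = (Get-ItemProperty -Path $_.PSPath).DllName
    if ($dll) {
        # A bare file name is looked up in System32; a full path is checked as given.
        $candidate = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path "$env:SystemRoot\System32" $dll }
        $status = if (Test-Path $candidate) { 'present' } else { 'FILE MISSING' }
    } else {
        $status = 'no DllName value'
    }
    Write-Host ('{0,-12} DllName={1,-40} {2}' -f $_.PSChildName, $dll, $status)
}

# 3. Remove only the two named subkeys, never the whole Notify key (legitimate packages
#    such as WgaLogon live there too).
foreach ($name in $toRemove) {
    $path = Join-Path $notifyKey $name
    if (Test-Path $path) {
        Remove-Item -Path $path -Recurse -WhatIf:$DryRun
        if (-not $DryRun) { Write-Host "Removed $path" }
    } else {
        Write-Host "$path not present (nothing to do)"
    }
}
```

Reboot afterwards and confirm the "Windows cannot find" dialog no longer appears; if it does, re-import the backup and post a fresh HJT log.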
  16. 2006/10/31
    gherb

    gherb Inactive Thread Starter

    Joined:
    2006/10/20
    Messages:
    6
    Likes Received:
    0
    Thanks Tom for all the help. You are a wealth of knowledge!
     
  17. 2006/10/31
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Glad we could be of assistance.

    Due to resolution or the lack of feedback this topic is closed.

    If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.
     