Problematic Pop-ups or Bugs

I recently have been experiancing problems with pop ups on my computer. Even when i am not connected to the internet the computer wants to load IE 7 and load a pop up advert.

The adverts usually load up www.broadcaster.com or winantivirus. It is becoming more of a nuisance and lately even more annoying.

It acts as if my computer has had a bug or program secretly downloaded between pages off the net. I've tried to use my programs to get rid of such pests such as SpyBot, Ad-Aware and even microsofts attempt with windows defender, but to no avail, i even tried my anti-virus eTrust Anti-Virus with all the latest definitions on all the forementioned programs but with no results.

I did locate a suspicious file known as winsystems16.exe running in the processes and also another one has appeared called wowexec.exe. Is this anything?

Please if there is any way you could help me get rid of this nuisance i would b grateful.

Thanks

Paul

 

Hello and welcome to WindowsBBS Forums.

This could be a sign of a Vundo infection. So lets get HijackThis! installed and get a log posted so we can have a look.

I'll move the thread to Spyware & Virus Removal forum too.

Please do as instructed below in the order presented.


Please download HijackThis! SetUp from here. Save the file to your desktop.

Double-click the HijackThis! SetUp icon to begin the installation. Follow the prompts for the default install location of:'C:\Program Files\HijackThis'. Tick the 'Create a desktop' button when the option appears. Select next, then allow HijackThis! to start.

Close down HJT and I'd like you to rename the HijackThis executable, hijackthis.exe to <anything of your choice> .exe, as long you change it's name. by doing so, this may reveal more of the infection, if it's Vundo. Vundo has been coded to block HJT when it is detected.


Next open HJT again and press the [Scan] button. You will notice the [Scan] button will turn into a [Save Log] button. Click the [Save Log] button and notepad will open up with the contents of the scan. Right-click in the saved log, and select 'copy'. Then proceed to your original thread, unless otherwise instructed and click the '[Reply]' button and paste the saved contents to be reviewed. Do not make any modifications to the log or perform any 'fixes' until told to do so.

 

Thanks for your help.

Here is what i got from the HiJack This!

Logfile of HijackThis v1.99.1
Scan saved at 2:39:22 AM, on 07/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe "
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169411152375
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEE0B529-9EE5-4BED-9FC1-AA7EC706934F}: NameServer = 213.208.106.224 213.208.106.223
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Hope you can get some sort of knowledge from this, if any help is needed then let me know.

Thanks again!

Paul

 

Ok, I'm not seeing anything in that log. But I do need you to change the name of the HJT executable as I previously asked.

Do that then run the following file search tool.

Please download SilentRunners from here

Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run.
Silent Runners will ask if you want to skip the supplementary search.
Please select 'No' to include them.
Then select 'Yes' to confirm the search.
When the scan is finished, a message will pop up and a logfile will have been created on the desktop.

Please post the entire contents of this logfile created back into this thread for me to see.

 

Hi TeMarc,

Sorry about not renaming HJT, i have done this now and rescaned, this is what i found:

Logfile of HijackThis v1.99.1
Scan saved at 4:46:44 PM, on 07/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis\hpg.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {242165AE-A428-42A5-BB91-29A5EC7848BE} - C:\WINDOWS\system32\ljhhe.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\yxpwrpan.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B528C6CC-AA98-4753-8980-A6B97A220A63} - C:\WINDOWS\system32\yayayxu.dll
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe "
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169411152375
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEE0B529-9EE5-4BED-9FC1-AA7EC706934F}: NameServer = 213.208.106.223 213.208.106.224
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ljhhe - C:\WINDOWS\system32\ljhhe.dll
O20 - Winlogon Notify: yayayxu - C:\WINDOWS\SYSTEM32\yayayxu.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

See next post for results of silent runners scan

Thanks for the help

Paul

 

This is the results from the silent runners scan:

"Silent Runners.vbs ", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++} "


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ "Safer Networking Limited"]
"MSMSGS" = " "C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = " "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" " [ "Nero AG"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CnxDslTaskBar" = "C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe" [ "Conexant Systems Inc."]
"Windows Defender" = " "C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" [ "NVIDIA Corporation"]
"Realtime Monitor" = "C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s" [ "Computer Associates International, Inc."]
"QuickTime Task" = " "C:\Program Files\QuickTime\qttask.exe" -atboottime" [ "Apple Computer, Inc."]
"iTunesHelper" = " "C:\Program Files\iTunes\iTunesHelper.exe" " [ "Apple Computer, Inc."]
"TkBellExe" = " "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" [ "RealNetworks, Inc."]
"ZoneAlarm Client" = " "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" " [ "Zone Labs, LLC"]
"NeroFilterCheck" = "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [ "Nero AG"]
"PCSuiteTrayApplication" = "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup" [ "Nokia"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper "
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" [ "Adobe Systems Incorporated"]
{242165AE-A428-42A5-BB91-29A5EC7848BE}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\ljhhe.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" [ "Safer Networking Limited"]
{68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\yxpwrpan.dll" [null data]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper "
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{B528C6CC-AA98-4753-8980-A6B97A220A63}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\yayayxu.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension "
-> {HKLM...CLSID} = "Display Panning CPL Extension "
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext "
-> {HKLM...CLSID} = "HyperTerminal Icon Ext "
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" [ "Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer "
-> {HKLM...CLSID} = "Desktop Explorer "
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" [ "NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu "
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" [ "NVIDIA Corporation"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders "
-> {HKLM...CLSID} = "My Sharing Folders "
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]
"{DCED20BE-3645-11D4-BC95-00C04F0E0588}" = "InoShell "
-> {HKLM...CLSID} = "InoShell "
\InProcServer32\(Default) = "C:\Program Files\CA\eTrust Antivirus\InoShell.dll" [ "Computer Associates International, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler "
-> {HKLM...CLSID} = "Outlook File Icon Extension "
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler "
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes "
-> {HKLM...CLSID} = "iTunes "
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" [ "Apple Computer, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player "
-> {HKLM...CLSID} = "RealOne Player Context Menu Class "
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" [ "RealNetworks, Inc."]
"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons "
-> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class "
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" [ "Nero AG"]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 Context Menu Shell Extension "
-> {HKLM...CLSID} = "WinAceContext Menu Extension "
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" [ "e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 DragDrop Shell Extension "
-> {HKLM...CLSID} = "WinAceDrag-Drop Extension "
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" [ "e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 Context Menu Shell Extension "
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension "
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" [ "e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 Property Sheet Shell Extension "
-> {HKLM...CLSID} = "WinAceProperty Sheet Extension "
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" [ "e-merge GmbH"]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser "
-> {HKLM...CLSID} = "Nokia Phone Browser "
\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" [ "Nokia"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook "
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook "
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
<<!>> "{B528C6CC-AA98-4753-8980-A6B97A220A63}" = "*a" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\yayayxu.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5} "
-> {HKLM...CLSID} = "WPDShServiceObj Class "
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> ljhhe\DLLName = "C:\WINDOWS\system32\ljhhe.dll" [null data]
<<!>> yayayxu\DLLName = "yayayxu.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info "
-> {HKLM...CLSID} = "PDF Shell Extension "
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" [ "Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7} "
-> {HKLM...CLSID} = "NeroCoverEdContextMenu Class "
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" [ "Nero AG"]
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588} "
-> {HKLM...CLSID} = "InoShell "
\InProcServer32\(Default) = "C:\Program Files\CA\eTrust Antivirus\InoShell.dll" [ "Computer Associates International, Inc."]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} "
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension "
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" [ "e-merge GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588} "
-> {HKLM...CLSID} = "InoShell "
\InProcServer32\(Default) = "C:\Program Files\CA\eTrust Antivirus\InoShell.dll" [ "Computer Associates International, Inc."]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} "
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension "
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" [ "e-merge GmbH"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures\Wallpaper\DPCAST_wallpaperbig.bmp "

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Paul\My Documents\My Pictures\Wallpaper\DPCAST_wallpaperbig.bmp "


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\TOONSC~1.SCR" (ToonsChase.scr) [ "ScreenTime Media"]


Startup items in "Paul" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe" [ "Adobe Systems Incorporated"]
"Adobe Reader Synchronizer" -> shortcut to: "C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe" [null data]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" [ "Apple Computer, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001 "
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger "
"MenuText" = "Windows Messenger "
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" { "C:\WINDOWS\System32\bthserv.dll" [MS]}
eTrust Antivirus Job Server, InoTask, " "C:\Program Files\CA\eTrust Antivirus\InoTask.exe" " [ "Computer Associates International, Inc."]
eTrust Antivirus Realtime Server, InoRT, " "C:\Program Files\CA\eTrust Antivirus\InoRT.exe" " [ "Computer Associates International, Inc."]
eTrust Antivirus RPC Server, InoRPC, " "C:\Program Files\CA\eTrust Antivirus\InoRpc.exe" " [ "Computer Associates International, Inc."]
Event Log Watch, LogWatch, " "C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe" " [ "Computer Associates"]
iPod Service, iPod Service, " "C:\Program Files\iPod\bin\iPodService.exe" " [ "Apple Computer, Inc."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" [ "Lexmark International, Inc."]
Machine Debug Manager, MDM, " "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" " [MS]
NMIndexingService, NMIndexingService, " "C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe" " [ "Nero AG"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" [ "NVIDIA Corporation"]
ServiceLayer, ServiceLayer, " "C:\Program Files\PC Connectivity Solution\ServiceLayer.exe" " [ "Nokia."]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" [ "Zone Labs, LLC"]
Windows Defender, WinDefend, " "C:\Program Files\Windows Defender\MsMpEng.exe" " [MS]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" { "C:\WINDOWS\System32\WUDFSvc.dll" [MS]}


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" [ "Lexmark International, Inc."]
Lexmark Z600 Color Jetprinter LangMon\Driver = "LXBCSLM.DLL" [ "Lexmark"]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 109 seconds.
---------- (total run time: 225 seconds)

 

Ahaa!!

I knew that was lurking there, renaming HJT exposed the Vundo infection and the SR log confirmed it.

Lets run the Vundo tool.

Please download VundoFix.exe to your desktop.

• Double-click *VundoFix.exe* to run it.
• Click the *Scan for Vundo* button.
• Once it's done scanning, click the *Remove Vundo* button.
• You will receive a prompt asking if you want to remove the files, click *YES*
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click *OK*.
• Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the *Scan for Vundo* button." when
VundoFix appears at reboot.

After that has run and the log created, run Silent Runners again, and then also a fresh HJT log file and post all 3 for review please.

 

Ok, i will do that now but so i know for next time, could you highlight or bold or underline the command lines that show that there is a Vundo infection in there on the HJT file and Silent file?

Thanks

Will report back in a few mins

Paul

 

Here:

Do not deviate from any instructions please.

I'll await the logs as requested with steps performed

 

Hi there, sorry about the slow reply, the scan for the bug took a lot longer than i expected so i went out. When i come back it found quite a few entrie, so i followed the programs instructions and deleted them, the program then rebooted and cleared the rest before doing another reboot.

I have just completed a scan of both HJT and Silent Runners and here are the log files:

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 11:38:52 PM, on 07/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\AVerMedia\AVerQuick\AVerQuick.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\CA\SHARED~1\SCANEN~1\InoDist.exe
C:\HiJackThis\hpg.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\PROGRA~1\CA\SHARED~1\SCANEN~1\Incoming\iv_nt86.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {242165AE-A428-42A5-BB91-29A5EC7848BE} - C:\WINDOWS\system32\ljhhe.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\yxpwrpan.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B528C6CC-AA98-4753-8980-A6B97A220A63} - C:\WINDOWS\system32\yayayxu.dll (file missing)
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe "
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe "
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: AVerQuick.lnk = C:\Program Files\AVerMedia\AVerQuick\AVerQuick.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169411152375
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEE0B529-9EE5-4BED-9FC1-AA7EC706934F}: NameServer = 213.208.106.223 213.208.106.224
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Below is the Slient runners scan log:

"Silent Runners.vbs ", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++} "


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ "Safer Networking Limited"]
"MSMSGS" = " "C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = " "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" " [ "Nero AG"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CnxDslTaskBar" = "C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe" [ "Conexant Systems Inc."]
"Windows Defender" = " "C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" [ "NVIDIA Corporation"]
"Realtime Monitor" = "C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s" [ "Computer Associates International, Inc."]
"QuickTime Task" = " "C:\Program Files\QuickTime\qttask.exe" -atboottime" [ "Apple Computer, Inc."]
"iTunesHelper" = " "C:\Program Files\iTunes\iTunesHelper.exe" " [ "Apple Computer, Inc."]
"TkBellExe" = " "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" [ "RealNetworks, Inc."]
"ZoneAlarm Client" = " "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" " [ "Zone Labs, LLC"]
"NeroFilterCheck" = "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [ "Nero AG"]
"PCSuiteTrayApplication" = "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup" [ "Nokia"]
"SunJavaUpdateSched" = " "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" " [ "Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper "
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" [ "Adobe Systems Incorporated"]
{242165AE-A428-42A5-BB91-29A5EC7848BE}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\ljhhe.dll" [file not found]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" [ "Safer Networking Limited"]
{68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\yxpwrpan.dll" [file not found]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class "
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" [ "Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper "
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{B528C6CC-AA98-4753-8980-A6B97A220A63}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\yayayxu.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension "
-> {HKLM...CLSID} = "Display Panning CPL Extension "
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext "
-> {HKLM...CLSID} = "HyperTerminal Icon Ext "
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" [ "Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer "
-> {HKLM...CLSID} = "Desktop Explorer "
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" [ "NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu "
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" [ "NVIDIA Corporation"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders "
-> {HKLM...CLSID} = "My Sharing Folders "
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]
"{DCED20BE-3645-11D4-BC95-00C04F0E0588}" = "InoShell "
-> {HKLM...CLSID} = "InoShell "
\InProcServer32\(Default) = "C:\Program Files\CA\eTrust Antivirus\InoShell.dll" [ "Computer Associates International, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler "
-> {HKLM...CLSID} = "Outlook File Icon Extension "
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler "
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes "
-> {HKLM...CLSID} = "iTunes "
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" [ "Apple Computer, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player "
-> {HKLM...CLSID} = "RealOne Player Context Menu Class "
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" [ "RealNetworks, Inc."]
"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons "
-> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class "
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" [ "Nero AG"]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 Context Menu Shell Extension "
-> {HKLM...CLSID} = "WinAceContext Menu Extension "
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" [ "e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 DragDrop Shell Extension "
-> {HKLM...CLSID} = "WinAceDrag-Drop Extension "
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" [ "e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 Context Menu Shell Extension "
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension "
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" [ "e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 Property Sheet Shell Extension "
-> {HKLM...CLSID} = "WinAceProperty Sheet Extension "
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" [ "e-merge GmbH"]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser "
-> {HKLM...CLSID} = "Nokia Phone Browser "
\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" [ "Nokia"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook "
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook "
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
<<!>> "{B528C6CC-AA98-4753-8980-A6B97A220A63}" = "*b" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\yayayxu.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5} "
-> {HKLM...CLSID} = "WPDShServiceObj Class "
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info "
-> {HKLM...CLSID} = "PDF Shell Extension "
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" [ "Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7} "
-> {HKLM...CLSID} = "NeroCoverEdContextMenu Class "
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" [ "Nero AG"]
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588} "
-> {HKLM...CLSID} = "InoShell "
\InProcServer32\(Default) = "C:\Program Files\CA\eTrust Antivirus\InoShell.dll" [ "Computer Associates International, Inc."]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} "
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension "
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" [ "e-merge GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588} "
-> {HKLM...CLSID} = "InoShell "
\InProcServer32\(Default) = "C:\Program Files\CA\eTrust Antivirus\InoShell.dll" [ "Computer Associates International, Inc."]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} "
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension "
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" [ "e-merge GmbH"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures\Wallpaper\DPCAST_wallpaperbig.bmp "

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Paul\My Documents\My Pictures\Wallpaper\DPCAST_wallpaperbig.bmp "


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\TOONSC~1.SCR" (ToonsChase.scr) [ "ScreenTime Media"]


Startup items in "Paul" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe" [ "Adobe Systems Incorporated"]
"Adobe Reader Synchronizer" -> shortcut to: "C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe" [null data]
"AVerQuick" -> shortcut to: "C:\Program Files\AVerMedia\AVerQuick\AVerQuick.exe" [empty string]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" [ "Apple Computer, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console "
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} "
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_10 "
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" [ "Sun Microsystems, Inc."]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001 "
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger "
"MenuText" = "Windows Messenger "
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" { "C:\WINDOWS\System32\bthserv.dll" [MS]}
eTrust Antivirus Job Server, InoTask, " "C:\Program Files\CA\eTrust Antivirus\InoTask.exe" " [ "Computer Associates International, Inc."]
eTrust Antivirus Realtime Server, InoRT, " "C:\Program Files\CA\eTrust Antivirus\InoRT.exe" " [ "Computer Associates International, Inc."]
eTrust Antivirus RPC Server, InoRPC, " "C:\Program Files\CA\eTrust Antivirus\InoRpc.exe" " [ "Computer Associates International, Inc."]
Event Log Watch, LogWatch, " "C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe" " [ "Computer Associates"]
iPod Service, iPod Service, " "C:\Program Files\iPod\bin\iPodService.exe" " [ "Apple Computer, Inc."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" [ "Lexmark International, Inc."]
Machine Debug Manager, MDM, " "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" " [MS]
NMIndexingService, NMIndexingService, " "C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe" " [ "Nero AG"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" [ "NVIDIA Corporation"]
ServiceLayer, ServiceLayer, " "C:\Program Files\PC Connectivity Solution\ServiceLayer.exe" " [ "Nokia."]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" [ "Zone Labs, LLC"]
Windows Defender, WinDefend, " "C:\Program Files\Windows Defender\MsMpEng.exe" " [MS]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" { "C:\WINDOWS\System32\WUDFSvc.dll" [MS]}


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" [ "Lexmark International, Inc."]
Lexmark Z600 Color Jetprinter LangMon\Driver = "LXBCSLM.DLL" [ "Lexmark"]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 88 seconds, including 9 seconds for message boxes)


Hope that it has done its job.

Thanks very much for the help

Paul

 

I need this log please.

Looks like we have gotten everything, tho the Vundo log will confirm for me. We just have some remnant to fix with HJT.

Before we make any changes we'll need to disable Spybot's TeaTimer and Defender.

Spybot:

• Run Spybot-S&D
• Go to the Mode menu, and make sure Advanced Mode is selected
• On the left hand side, choose Tools -> Resident
• Uncheck Resident TeaTimer and OK any prompts

You can reenable TeaTimer once your system is clean.

Defender:

• Open Windows Defender.
• Click on Tools, General Settings.
• Scroll down and uncheck Turn on real-time protection (recommended).
• After you uncheck this, click on the Save button and close Windows Defender.

After all of the fixes are complete it is very important that you re-enable Real-time Protection again.


Open Hijackthis, select the [Do a system scan only] button and look over the following entries I have listed, check the boxes [] next to them and press the [Fix Checked] button. When you are doing this, make sure you have No IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


O2 - BHO: (no name) - {242165AE-A428-42A5-BB91-29A5EC7848BE} - C:\WINDOWS\system32\ljhhe.dll (file missing)

O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\yxpwrpan.dll (file missing)

O2 - BHO: (no name) - {B528C6CC-AA98-4753-8980-A6B97A220A63} - C:\WINDOWS\system32\yayayxu.dll (file missing)


Reboot post a new HJT log back into this thread please along with another SR log and the Vundo log from when you ran it.

 

As requested here is the HJT, SR's & Vundo Logs:

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 8:21:53 PM, on 08/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\AVerMedia\AVerQuick\AVerQuick.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Winamp\winamp.exe
C:\HiJackThis\hpg.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe "
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe "
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: AVerQuick.lnk = C:\Program Files\AVerMedia\AVerQuick\AVerQuick.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169411152375
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEE0B529-9EE5-4BED-9FC1-AA7EC706934F}: NameServer = 213.208.106.224 213.208.106.223
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

SR's:

"Silent Runners.vbs ", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++} "


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = " "C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = " "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" " [ "Nero AG"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CnxDslTaskBar" = "C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe" [ "Conexant Systems Inc."]
"Windows Defender" = " "C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" [ "NVIDIA Corporation"]
"Realtime Monitor" = "C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s" [ "Computer Associates International, Inc."]
"QuickTime Task" = " "C:\Program Files\QuickTime\qttask.exe" -atboottime" [ "Apple Computer, Inc."]
"iTunesHelper" = " "C:\Program Files\iTunes\iTunesHelper.exe" " [ "Apple Computer, Inc."]
"TkBellExe" = " "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" [ "RealNetworks, Inc."]
"ZoneAlarm Client" = " "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" " [ "Zone Labs, LLC"]
"NeroFilterCheck" = "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [ "Nero AG"]
"PCSuiteTrayApplication" = "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup" [ "Nokia"]
"SunJavaUpdateSched" = " "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" " [ "Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper "
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" [ "Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" [ "Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class "
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" [ "Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper "
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension "
-> {HKLM...CLSID} = "Display Panning CPL Extension "
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext "
-> {HKLM...CLSID} = "HyperTerminal Icon Ext "
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" [ "Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer "
-> {HKLM...CLSID} = "Desktop Explorer "
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" [ "NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu "
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" [ "NVIDIA Corporation"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders "
-> {HKLM...CLSID} = "My Sharing Folders "
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]
"{DCED20BE-3645-11D4-BC95-00C04F0E0588}" = "InoShell "
-> {HKLM...CLSID} = "InoShell "
\InProcServer32\(Default) = "C:\Program Files\CA\eTrust Antivirus\InoShell.dll" [ "Computer Associates International, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler "
-> {HKLM...CLSID} = "Outlook File Icon Extension "
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler "
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes "
-> {HKLM...CLSID} = "iTunes "
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" [ "Apple Computer, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player "
-> {HKLM...CLSID} = "RealOne Player Context Menu Class "
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" [ "RealNetworks, Inc."]
"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons "
-> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class "
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" [ "Nero AG"]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 Context Menu Shell Extension "
-> {HKLM...CLSID} = "WinAceContext Menu Extension "
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" [ "e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 DragDrop Shell Extension "
-> {HKLM...CLSID} = "WinAceDrag-Drop Extension "
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" [ "e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 Context Menu Shell Extension "
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension "
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" [ "e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 Property Sheet Shell Extension "
-> {HKLM...CLSID} = "WinAceProperty Sheet Extension "
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" [ "e-merge GmbH"]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser "
-> {HKLM...CLSID} = "Nokia Phone Browser "
\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" [ "Nokia"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook "
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook "
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5} "
-> {HKLM...CLSID} = "WPDShServiceObj Class "
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info "
-> {HKLM...CLSID} = "PDF Shell Extension "
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" [ "Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7} "
-> {HKLM...CLSID} = "NeroCoverEdContextMenu Class "
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" [ "Nero AG"]
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588} "
-> {HKLM...CLSID} = "InoShell "
\InProcServer32\(Default) = "C:\Program Files\CA\eTrust Antivirus\InoShell.dll" [ "Computer Associates International, Inc."]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} "
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension "
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" [ "e-merge GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588} "
-> {HKLM...CLSID} = "InoShell "
\InProcServer32\(Default) = "C:\Program Files\CA\eTrust Antivirus\InoShell.dll" [ "Computer Associates International, Inc."]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} "
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension "
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" [ "e-merge GmbH"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures\Wallpaper\DPCAST_wallpaperbig.bmp "

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Paul\My Documents\My Pictures\Wallpaper\DPCAST_wallpaperbig.bmp "


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\TOONSC~1.SCR" (ToonsChase.scr) [ "ScreenTime Media"]


Startup items in "Paul" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe" [ "Adobe Systems Incorporated"]
"Adobe Reader Synchronizer" -> shortcut to: "C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe" [null data]
"AVerQuick" -> shortcut to: "C:\Program Files\AVerMedia\AVerQuick\AVerQuick.exe" [empty string]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" [ "Apple Computer, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console "
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} "
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_10 "
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" [ "Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_10 "
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" [ "Sun Microsystems, Inc."]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001 "
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger "
"MenuText" = "Windows Messenger "
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" { "C:\WINDOWS\System32\bthserv.dll" [MS]}
eTrust Antivirus Job Server, InoTask, " "C:\Program Files\CA\eTrust Antivirus\InoTask.exe" " [ "Computer Associates International, Inc."]
eTrust Antivirus Realtime Server, InoRT, " "C:\Program Files\CA\eTrust Antivirus\InoRT.exe" " [ "Computer Associates International, Inc."]
eTrust Antivirus RPC Server, InoRPC, " "C:\Program Files\CA\eTrust Antivirus\InoRpc.exe" " [ "Computer Associates International, Inc."]
Event Log Watch, LogWatch, " "C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe" " [ "Computer Associates"]
iPod Service, iPod Service, " "C:\Program Files\iPod\bin\iPodService.exe" " [ "Apple Computer, Inc."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" [ "Lexmark International, Inc."]
Machine Debug Manager, MDM, " "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" " [MS]
NMIndexingService, NMIndexingService, " "C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe" " [ "Nero AG"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" [ "NVIDIA Corporation"]
ServiceLayer, ServiceLayer, " "C:\Program Files\PC Connectivity Solution\ServiceLayer.exe" " [ "Nokia."]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" [ "Zone Labs, LLC"]
Windows Defender, WinDefend, " "C:\Program Files\Windows Defender\MsMpEng.exe" " [MS]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" { "C:\WINDOWS\System32\WUDFSvc.dll" [MS]}


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" [ "Lexmark International, Inc."]
Lexmark Z600 Color Jetprinter LangMon\Driver = "LXBCSLM.DLL" [ "Lexmark"]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 65 seconds, including 3 seconds for message boxes)

VundoFix.txt Log:


VundoFix V6.3.5

Checking Java version...

Sun Java not detected
Scan started at 5:57:50 PM 07/02/2007

Listing files found while scanning....

C:\WINDOWS\system32\cbxvvwv.dll
C:\WINDOWS\system32\ehhjl.bak1
C:\WINDOWS\system32\ehhjl.bak2
C:\WINDOWS\system32\ehhjl.ini
C:\WINDOWS\system32\ljhhe.dll
C:\WINDOWS\system32\yayayxu.dll
C:\WINDOWS\system32\yxpwrpan.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cbxvvwv.dll
C:\WINDOWS\system32\cbxvvwv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ehhjl.bak1
C:\WINDOWS\system32\ehhjl.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ehhjl.bak2
C:\WINDOWS\system32\ehhjl.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ehhjl.ini
C:\WINDOWS\system32\ehhjl.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljhhe.dll
C:\WINDOWS\system32\ljhhe.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\yayayxu.dll
C:\WINDOWS\system32\yayayxu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yxpwrpan.dll
C:\WINDOWS\system32\yxpwrpan.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ehhjl.ini
C:\WINDOWS\system32\ehhjl.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljhhe.dll
C:\WINDOWS\system32\ljhhe.dll Has been deleted!

Performing Repairs to the registry.
Done!

 

OK, everything looks great, how is the machine performing at this point? Let us know.

 

Hi, The system seems to be running fine now, just needs a declutter with defrag as it has been restored since last time, but apart from the pop-up bugs there hasn't been a single one since i got rid of it with that vundo script program to clear it.

Thank you very much for your help!

Paul

 

Glad we could be of assistance. 8)

We have 3 more things to do, mostly maintenance and then our recommendations:

Empty the TIF (Temporary Internet Files)
Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
The app below will help with temp files.
Index.dat Suite

Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

This would also be a good time to set a new system restore point for your machine.
Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion. It is very rare that anything significant is ever found.

Here is a link which describes how security apps work with WIN XP machines.
XP User Accts Security Apps Operation

To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good the fight against ad/mal/spyware as AdAware & Spybot S&D:

SpywareBlaster
With SpywareBlaster v3.5.1 , just DL, install and check for updates, enable Internet Explorer protection, and your done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

To avoid known malware infested sites from loading in IE install IESPY ADS.
And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.5.

Another thing I would suggest, is to install SiteAdvisor. It gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites.

Links for tutorials for all the apps I mentioned can be found on my site as well.

Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
Calendar of Updates

Subscribe to update alerts for all the above security apps here.

You can also see my own ongoing security testing with all the above apps proving how securely you can safe with them installed.
TeMerc Test Box Forum

Happy surfing!!
Tom


Due to resolution this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.