
LOP Virus: Yet another HJT log! Please help.

Discussion in 'Malware and Virus Removal Archive' started by Dan Reicker, 2005/01/11.

Thread Status:
Not open for further replies.
  1. 2005/01/11
    Dan Reicker

    Dan Reicker Inactive Thread Starter

    Joined:
    2005/01/08
    Messages:
    4
    Likes Received:
    0
    I have the same problem as several other users who have messaged you. I believe that I have eliminated the virus/spyware that caused the problems, but cannot seem to cure the effects of the infection. Specific lingering problems include (a) an unwanted blue drop-down menu at the bottom of my internet browser (MS Internet Explorer) and permanent modifications to my "Favorites" folder to include the following menu items that I cannot delete:

    Folders:
    Cool Stuff
    Travel
    Shopping Gifts
    Internet
    Computers
    Online Gaming

    Links not in a Folder:
    Computers
    Movies
    Games
    Web Hosting
    Casino Online

    These menu items do not appear in the "Favorites" folder in my user folder in the Documents and Settings subdirectory. Nor do they appear when I attempt to organize the links.

    Also getting lots of pop-ups on my home page (Yahoo Finance) even though the Yahoo pop-up blocker is enabled.

    Here is my HJT log. Any help you can provide would be greatly appreciated.

    Logfile of HijackThis v1.99.0
    Scan saved at 11:25:39 AM, on 1/8/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Expertcity\GoToMyPC\g2pre.exe
    C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\CCHLOGIN\logexp.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Corel\Suite8\Programs\ps80.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\WISPTIS.EXE
    C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Downloaded Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.pchudwmmzdbwtsajfwmaktst...aMfMcWsgksLSGd4lakahK0FOqKllJPHKnqB8PYF1H.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AC3F9041-D4AB-0696-3DFA-A60257009FCC} - C:\PROGRA~1\COALIN~1\mathfast.exe (file missing)
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {F7FC65E7-4975-02CE-6BC3-BDE493D50700} - C:\DOCUME~1\DAR~1.RPP\APPLIC~1\COALIN~1\mathfast.exe
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe
    O4 - HKLM\..\Run: [mfetafcb] C:\WINDOWS\mfetafcb.exe
    O4 - HKLM\..\Run: [dupeonlineinfoflap] C:\Documents and Settings\All Users\Application Data\Keep Grey Dupe Online\2Default.exe
    O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
    O4 - HKLM\..\Run: [user win bits real] C:\Documents and Settings\All Users\Application Data\Okay love user win\Tray Bib.exe
    O4 - HKCU\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Htm license] C:\DOCUME~1\DAR~1.RPP\APPLIC~1\TIMEPL~1\Aim Open.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: admap.lnk = C:\admap.bat
    O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
    O4 - Global Startup: Login Express.lnk = C:\CCHLOGIN\logexp.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.westlaw.com
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tax.cchgroup.com/primesrc/apps/cfcom/iftwclix.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rppmhlaw.int
    O17 - HKLM\Software\..\Telephony: DomainName = rppmhlaw.int
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BBC33103-6215-4DB6-AA41-F8AE7FEE23DA}: NameServer = 192.168.1.129,192.168.1.130
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rppmhlaw.int
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rppmhlaw.int
    O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: GoToMyPC - Citrix Online - C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
    O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe


    PS I tried to send my log as an attachment (I am a subscriber) but do not find the "browser" button referred to in the FAQ as being the method to use to attach files. Where do I find that button?
     
  2. 2005/01/11
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Hi Dan and welcome to the forum.

    The Hijackthis log is better like this than as an attachment. But based on your user status showing as registered 'member', if you sent money to become a contributing member (subscriber) and so able to directly attach files & pictures, that fact has not been noticed yet.

    At any rate, give me a while (hour or two) to take a careful look and I'll post back with some things for you to do to get rid of your critters.
     
    Newt,
    #2


  4. 2005/01/11
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Sorry - stuff came up and I won't get a complete analysis of your HJT log for a while. Maybe even not tonight so if anyone else has time, feel free. There is some stuff that for sure needs to go but I don't want to give you a partial list.
     
    Newt,
    #3
  5. 2005/01/11
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Those links could be under the C:\Documents and Settings\All Users\Favorites folder, instead of under your user name.
    You should first disable System Restore, as you are going to delete some files, and you do not want SR putting them back.
    Have all browsers closed and remove these.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.pchudwmmzdbwtsajfwmaktst...HKnqB8PYF1H.htm
    O2 - BHO: (no name) - {AC3F9041-D4AB-0696-3DFA-A60257009FCC} - C:\PROGRA~1\COALIN~1\mathfast.exe (file missing)
    O2 - BHO: (no name) - {F7FC65E7-4975-02CE-6BC3-BDE493D50700} - C:\DOCUME~1\DAR~1.RPP\APPLIC~1\COALIN~1\mathfast.exe
    O4 - HKLM\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe
    O4 - HKLM\..\Run: [mfetafcb] C:\WINDOWS\mfetafcb.exe
    O4 - HKLM\..\Run: [dupeonlineinfoflap] C:\Documents and Settings\All Users\Application Data\Keep Grey Dupe Online\2Default.exe
    O4 - HKLM\..\Run: [user win bits real] C:\Documents and Settings\All Users\Application Data\Okay love user win\Tray Bib.exe
    O4 - HKCU\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe
    O4 - HKCU\..\Run: [Htm license] C:\DOCUME~1\DAR~1.RPP\APPLIC~1\TIMEPL~1\Aim Open.exe
    O4 - Global Startup: admap.lnk = C:\admap.bat

    Reboot, and delete these files and folders.
    C:\admap.bat
    C:\WINDOWS\System32\WINdirect.exe
    C:\WINDOWS\mfetafcb.exe
    C:\PROGRA~1\COALIN~1 or C:\Program Files\Coalin...
    C:\Documents and Settings\DAR~1.RPP\Application Data\COALIN~1
    C:\Documents and Settings\All Users\Application Data\Keep Grey Dupe Online
    C:\Documents and Settings\All Users\Application Data\Okay love user win
    C:\Documents and Settings\DAR~1.RPP\Application Data\TIMEPL~1

    You'll note that some of the folder names have a "~1"; this is a shorter and confusing way to show them (DOS 8.3 names) instead of the full name, but you have enough beginning letters to find them.
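The entries markp62 picked out above share a few tell-tale traits: a BHO whose file is already gone, auto-start programs living under a profile's Application Data, a Run value named after one executable that launches another, and folders named with strings of unrelated English words. The following is an added example, not code from this thread or from HijackThis, that parses O2/O4 lines in the HJT log format and flags those traits; the sample lines are constructed from the log posted here, and the heuristics (including the small KNOWN_WORDY allowlist) are the author's assumptions about what is worth a second look, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis O2/O4 format, modelled on the log posted in
# this thread: clean entries next to the kinds of entries markp62 told Dan to fix.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AC3F9041-D4AB-0696-3DFA-A60257009FCC} - C:\PROGRA~1\COALIN~1\mathfast.exe (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe
O4 - HKLM\..\Run: [dupeonlineinfoflap] C:\Documents and Settings\All Users\Application Data\Keep Grey Dupe Online\2Default.exe
O4 - HKCU\..\Run: [Htm license] C:\DOCUME~1\DAR~1.RPP\APPLIC~1\TIMEPL~1\Aim Open.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'"?(?P<path>[^"]+?\.(?:exe|dll))"?', re.I)  # first exe/dll in a command line
KNOWN_WORDY = {"documents and settings"}  # legitimate multi-word system folders (assumed allowlist)


def suspicious_reasons(line):
    """Return why one O2/O4 line deserves a closer look ([] means nothing odd)."""
    reasons, missing = [], False
    if m := O2_RE.match(line):
        name, path, missing = m["name"], m["path"], bool(m["missing"])
    elif m := O4_RE.match(line):
        name, e = m["name"], EXE_RE.match(m["cmd"])
        path = e["path"] if e else m["cmd"].split()[0]
    else:
        return reasons
    if missing:
        reasons.append("BHO is registered but its file no longer exists")
    low = path.lower()
    if "\\application data\\" in low or "\\applic~1\\" in low:
        reasons.append("auto-start target lives under a profile's Application Data")
    base = PureWindowsPath(path).name.lower()
    if name.lower().endswith(".exe") and name.lower() != base:
        reasons.append(f"value name {name!r} looks like an exe but launches {base!r}")
    for part in PureWindowsPath(path).parts[:-1]:  # folders only, not the file name
        if len(part.split()) >= 3 and part.replace(" ", "").isalpha() and part.lower() not in KNOWN_WORDY:
            reasons.append(f"folder {part!r} is a string of unrelated words (Lop-style naming)")
    return reasons


def triage(log_text):
    """Map each flagged log line to its reasons; unflagged lines are dropped."""
    lines = (l.strip() for l in log_text.splitlines())
    return {l: why for l in lines if (why := suspicious_reasons(l))}
```

Running `triage(SAMPLE_LOG)` on the constructed sample flags four of the seven lines and leaves the Adobe, Symantec and ctfmon entries alone; on a real log the flagged lines are the ones to verify by hand before fixing anything.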
     
  6. 2005/01/11
    Dan Reicker

    Dan Reicker Inactive Thread Starter

    Joined:
    2005/01/08
    Messages:
    4
    Likes Received:
    0
    I tried looking there too. No luck.


    Will these links go away when I edit the registry?
     
  7. 2005/01/12
    Dan Reicker

    Dan Reicker Inactive Thread Starter

    Joined:
    2005/01/08
    Messages:
    4
    Likes Received:
    0
    Thanks a lot.

    That seems to have fixed all the problems. I really appreciate the help (and your expertise).
     
  8. 2005/01/12
    Dan Reicker

    Dan Reicker Inactive Thread Starter

    Joined:
    2005/01/08
    Messages:
    4
    Likes Received:
    0
    Thanks for looking at this.

    MKP62 showed me how to fix it.

     
  9. 2005/01/12
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Glad to hear it is running. To help you find those links, do a Search for "*.URL" without the quotes, and be sure to search the entire drive. This will bring up all your favorites, including the ones you do not want.
     