Trojan Generic3.GII Problem(s)

Hi,
I have been spending a considerable amount of time on a friends computer (Windows Xp) cleaning out infections like "Smitfraud-C Toolbar888 and Virtumonde" etc...I have manage to win each and every battle except one. AVG keeps finding "Trojan Generic3.GII showing the path as C:\Windows\System32\bhkabhk.dll "...Located the BHO which is:2A904E40-731D-4881-83FB=04EFDEE88C3B...

I tried to delete the BHO and it will not delete, and when I try to delete the file in System32 it will not delete...Both attempts were made in Normal Mode as well as in Safe Mode with hidden files & folders and hide protected file system unchecked...System Restore has even been turned off...

I have downloaded Smitfruad fix and the Virtumonde fix along with AVG, Spybot, SpySweeper, XCleaner, Trojan remover, AdawareSE, Spyware Blaster, Spyware Guard and AVG Anti-Spyware along with a few others and have ran most of them in both modes still with no luck...

The computer is running excellent and I have absolutely no problems with the exception of this one...I have also done all the house cleaning on cookies, temps, etc as well as maintenance...I could live with just the AVG detection but a pop up keeps appearing on screen constantly from AVG...I uninstalled and reinstalled it incase it had become infected and so far it has not made a difference...Any assistance will be once again appreciated...Thank you.

 

Hi Master.

Lets get a HijackThis! log file and see what else is lurking.

Download HijackThis! SetUp from here. Save the file to your desktop.

Double-click the HijackThis! SetUp icon to begin the installation. Follow the prompts for the default install location of:'C:\Program Files\HijackThis'. Tick the 'Create a desktop' button when the option appears. Select next, then allow HijackThis! to start.

Then press the [Scan] button. You will notice the [Scan] button will turn into a [Save Log] button. Click the [Save Log] button and notepad will open up with the contents of the scan. Right-click in the saved log, and select 'copy'. Then proceed to your original thread, unless otherwise instructed and click the '[Reply]' button and paste the saved contents to be reviewed. Do not make any modifications to the log or perform any 'fixes' until told to do so.

 

Logfile of HijackThis v1.99.1
Scan saved at 7:46:27 PM, on 3/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\EarthLink 5.0\etoolbar.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O2 - BHO: (no name) - {2A904E40-731D-4881-83FB-04EFDEE88C3B} - C:\WINDOWS\system32\bhkabhk.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe "
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe "
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108584393156
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FA9669A-37D8-4C9E-B3CF-D6DFBC83A48A}: NameServer = 85.255.114.107,85.255.112.133
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: igmzfjhr - C:\WINDOWS\SYSTEM32\bhkabhk.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

 

Hi Master Green

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum.

Then please do this.

Please download FixWareout from here:
http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log

Please post the 3 logs here.

Thanks
Geri

 

SDFix: Version 1.70

Run by Owner - Sun 03/11/2007 / 0:21:54.51

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Service

Path:
C:\WINDOWS\System32\Service.exe

Service Deleted



Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\AEGLAAAA.EXE - Deleted
C:\WINDOWS\SYSTEM32\GLGHAAAA.EXE - Deleted
C:\WINDOWS\SYSTEM32\SDRXAAAA.EXE - Deleted
C:\WINDOWS\SYSTEM32\SMTAUAAA.EXE - Deleted
C:\WINDOWS\SYSTEM32\SYQAVFVW.EXE - Deleted
C:\WINDOWS\SYSTEM32\SYXJSIHY.EXE - Deleted
C:\WINDOWS\SYSTEM32\VJBFODFB.EXE - Deleted
C:\WINDOWS\system32\eraseme_37577.exe - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\kernel32.exe - Deleted
C:\WINDOWS\system32\MSIEHelper.dll - Deleted
C:\WINDOWS\system32\setup_16201.exe - Deleted
C:\WINDOWS\system32\TFTP1148 - Deleted
C:\WINDOWS\system32\TFTP1676 - Deleted
C:\WINDOWS\system32\TFTP1776 - Deleted
C:\WINDOWS\system32\TFTP208 - Deleted
C:\WINDOWS\system32\TFTP2432 - Deleted
C:\WINDOWS\system32\TFTP2488 - Deleted
C:\WINDOWS\system32\TFTP2528 - Deleted
C:\WINDOWS\system32\TFTP2604 - Deleted
C:\WINDOWS\system32\TFTP2780 - Deleted
C:\WINDOWS\system32\TFTP3512 - Deleted
C:\WINDOWS\system32\TFTP3676 - Deleted
C:\WINDOWS\system32\TFTP3732 - Deleted
C:\WINDOWS\system32\TFTP3824 - Deleted
C:\WINDOWS\system32\TFTP3952 - Deleted
C:\WINDOWS\system32\TFTP4004 - Deleted
C:\WINDOWS\system32\TFTP416 - Deleted
C:\WINDOWS\system32\TFTP660 - Deleted
C:\WINDOWS\Temp\win*.tmp - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\gah32.exe "= "C:\\WINDOWS\\gah32.exe:*:Enabled:Server "
"C:\\gah32.exe "= "C:\\gah32.exe:*:Enabled:Server "
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\win8.tmp.exe "= "C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\win8.tmp.exe:*:Enabled:win8.tmp "


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\gah32.exe "= "C:\\WINDOWS\\gah32.exe:*:Enabled:Server "
"C:\\gah32.exe "= "C:\\gah32.exe:*:Enabled:Server "


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\e71bf1e24fe2c6e94f08da7e8353e0de\BIT4.tmp
C:\WINDOWS\system32\uttss.tmp
C:\WINDOWS\system32\vtrlkdpq.tmp

Finished

 

Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "0mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "2mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}CDA4826A8440-BDFA-A914-CBAF-EF435262{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}28D71F2E689F-F248-2DC4-7CD0-72EA1777{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "hckmd" Deleted
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.

C:\WINDOWS\system32\dmkch.exe 57861 07/16/2003


Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray "= "C:\\WINDOWS\\System32\\igfxtray.exe "
"HotKeysCmds "= "C:\\WINDOWS\\System32\\hkcmd.exe "
"PCMService "= "\ "C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\" "
"ConMgr.exe "= "\ "C:\\Program Files\\EarthLink 5.0\\ConMgr.exe\" "
"AVG7_CC "= "\ "C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe\" /STARTUP "
"LXCFCATS "= "rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCFtime.dll,_RunDLLEntry@16 "
"!AVG Anti-Spyware "= "\ "C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized "
"WinPatrol "= "\ "C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe\" "
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

 

Logfile of HijackThis v1.99.1
Scan saved at 12:52:41 AM, on 3/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EarthLink 5.0\etoolbar.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O2 - BHO: (no name) - {2A904E40-731D-4881-83FB-04EFDEE88C3B} - C:\WINDOWS\system32\bhkabhk.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe "
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe "
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108584393156
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FA9669A-37D8-4C9E-B3CF-D6DFBC83A48A}: NameServer = 85.255.114.107,85.255.112.133
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: igmzfjhr - C:\WINDOWS\SYSTEM32\bhkabhk.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

 

Hi Master Green

OK, things are looking better.

Lets submit this file.

Jotti File Submission:

• Please go to Jotti's malware scan
  
• Copy and paste the following file path into the "File to upload & scan "box on the top of the page:
  
  • C:\WINDOWS\system32\dmkch.exe
• Click on the submit button
  
• Please post the results in your next reply.

Now lets run this,

Please download VundoFix.exe to your desktop

• Double-click VundoFix.exe to run it.
• Click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click OK.
• Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please post the Jotti log, vundo log and a new HJT log.

Geri

 

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File to upload & scan:
Service
Service load: 0% 100%

File: dmkch.exe
Status: INFECTED/MALWARE
MD5 6b59979f8edbffd6fb29e7214449a06a
Packers detected: PE-CRYPT.POLYCRYPTA

Scanner results
Scan taken on 11 Mar 2007 10:46:03 (GMT)
AntiVir Found TR/Dldr.DNSChanger.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Peed.Gen
ClamAV Found nothing
Dr.Web Found Trojan.DownLoader.18512
F-Prot Antivirus Found Possibly a new variant of W32/new-malware!Maximus
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan.Win32.Small.fb
NOD32 Found probably a variant of Win32/Small.FB (probable variant)
Norman Virus Control Found nothing
Panda Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Trojan.DownLoader.18512

Powered by

Disclaimer
This service is by no means 100% safe. If this scanner says 'OK', it does not necessarily mean the file is clean. There could be a whole new virus on the loose. NEVER EVER rely on one single product only, not even this service, even though it utilizes several products. Therefore, We cannot and will not be held responsible for any damage caused by results presented by this non-profit online service.

Also, we are aware of the implications of a setup like this. We are sure this whole thing is by no means scientifically correct, since this is a fully automated service (although manual correction is possible). We are aware, in spite of efforts to proactively counter these, false positives might occur, for example. We do not consider this a very big issue, so please do not e-mail us about it. This is a simple online scan service, not the university of Wichita.

Scanning can take a while, since several scanners are being used, plus the fact some scanners use very high levels of (time consuming) heuristics. Scanners used are Linux versions, differences with Windows scanners may or may not occur. Another note: some scanners will only report one virus when scanning archives with multiple pieces of malware.

Virus definitions are updated every hour. There is a 15Mb limit per file. Please refrain from uploading tons of hex-edited or repacked variants of the same sample.

Please do not ask for viruses uploaded here, unless you work for an anti-virus vendor. They are not for trade. This is a legitimate service, not a VX site. Viruses uploaded here will be distributed to antivirus vendors without exception. Read more about this in our privacy policy. If you do not want your files to be distributed, please do not send them at all.

Sponsored by donations (in random order) from: Stormbyte Technologies LLC, The ClamAV project, Steve S., Eric Johansen, Eric Schechter, Paul Bokel, Wilders Security, Wilfried Lilie, Prevx, SonicWALL, Lance Mueller, Ewido networks, HotelScraper.com, people who donated in the past, and some people who prefer to remain anonymous... many thanks to all!

Statistics
Last file scanned at least one scanner reported something about: Fun.exe (MD5: b08d5bcf9ad464b2591eaf135ac6e5f4, size: 671744 bytes), detected by:

Scanner Malware name
AntiVir X
ArcaVir Worm.Vb.G
Avast X
AVG Antivirus Worm/VB.ANG
BitDefender Win32.Worm.Codung.A
ClamAV X
Dr.Web Win32.HLLM.Generic.414
F-Prot Antivirus X
F-Secure Anti-Virus Email-Worm.Win32.generic
Fortinet X
Kaspersky Anti-Virus Email-Worm.Win32.generic
NOD32 probably unknown NewHeur_PE
Norman Virus Control W32/VBWorm.MSG
Panda Antivirus X
VirusBuster X
VBA32 X


You're free to (mis)interpret these automated, flawed statistics at your own discretion. For antivirus comparisons, visit AV comparatives
We are not affiliated with any third parties that conduct tests using this service.





Frequently asked questions - Feedback - Privacy policy



Page generated by JTPL

Copyright © 2004-2007 Jordi Bosveld <jotti@jotti.org>

 

VundoFix V6.3.15

Checking Java version...

Sun Java not detected
Scan started at 3:53:16 PM 3/8/2007

Listing files found while scanning....

C:\Program Files\VSAdd-in\VSAdd-in.dll
C:\WINDOWS\system32\anrofrda.exe
C:\WINDOWS\system32\asmwckdu.exe
C:\WINDOWS\System32\awvvu.dll
C:\WINDOWS\system32\bskwjbji.dll
C:\WINDOWS\system32\ddcywxx.dll
C:\WINDOWS\system32\dvwyfpsu.ini
C:\WINDOWS\system32\eeeoyctp.exe
C:\WINDOWS\system32\hktqsbvn.dll
C:\WINDOWS\system32\ijbjwksb.ini
C:\WINDOWS\System32\kjllm.bak1
C:\WINDOWS\System32\kjllm.bak2
C:\WINDOWS\System32\kjllm.ini
C:\WINDOWS\System32\kjllm.ini2
C:\WINDOWS\System32\kjllm.tmp
C:\WINDOWS\system32\kxbcfoqs.exe
C:\WINDOWS\System32\lmhqkftu.dll
C:\WINDOWS\System32\mlljk.dll
C:\WINDOWS\system32\nvbsqtkh.ini
C:\WINDOWS\System32\oiswbpgs.dll
C:\WINDOWS\system32\onuqeput.ini
C:\WINDOWS\system32\oybdovxe.exe
C:\WINDOWS\System32\ssttu.dll
C:\WINDOWS\system32\tupequno.dll
C:\WINDOWS\system32\uspfywvd.dll
C:\WINDOWS\System32\uvvwa.bak1
C:\WINDOWS\System32\uvvwa.bak2
C:\WINDOWS\System32\uvvwa.ini
C:\WINDOWS\system32\winhdn32.dll
C:\WINDOWS\system32\xqkcslrl.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\anrofrda.exe
C:\WINDOWS\system32\anrofrda.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\asmwckdu.exe
C:\WINDOWS\system32\asmwckdu.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\bskwjbji.dll
C:\WINDOWS\system32\bskwjbji.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcywxx.dll
C:\WINDOWS\system32\ddcywxx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dvwyfpsu.ini
C:\WINDOWS\system32\dvwyfpsu.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\eeeoyctp.exe
C:\WINDOWS\system32\eeeoyctp.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\hktqsbvn.dll
C:\WINDOWS\system32\hktqsbvn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ijbjwksb.ini
C:\WINDOWS\system32\ijbjwksb.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\kjllm.bak1
C:\WINDOWS\System32\kjllm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\kjllm.bak2
C:\WINDOWS\System32\kjllm.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\kjllm.ini
C:\WINDOWS\System32\kjllm.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\kjllm.ini2
C:\WINDOWS\System32\kjllm.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\kjllm.tmp
C:\WINDOWS\System32\kjllm.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\kxbcfoqs.exe
C:\WINDOWS\system32\kxbcfoqs.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\nvbsqtkh.ini
C:\WINDOWS\system32\nvbsqtkh.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\onuqeput.ini
C:\WINDOWS\system32\onuqeput.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\oybdovxe.exe
C:\WINDOWS\system32\oybdovxe.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\tupequno.dll
C:\WINDOWS\system32\tupequno.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uspfywvd.dll
C:\WINDOWS\system32\uspfywvd.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\uvvwa.bak1
C:\WINDOWS\System32\uvvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\uvvwa.bak2
C:\WINDOWS\System32\uvvwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\uvvwa.ini
C:\WINDOWS\System32\uvvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\winhdn32.dll
C:\WINDOWS\system32\winhdn32.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xqkcslrl.exe
C:\WINDOWS\system32\xqkcslrl.exe Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.15

Checking Java version...

Sun Java not detected
Scan started at 5:51:37 AM 3/11/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

 

Logfile of HijackThis v1.99.1
Scan saved at 6:11:31 AM, on 3/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EarthLink 5.0\etoolbar.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O2 - BHO: (no name) - {2A904E40-731D-4881-83FB-04EFDEE88C3B} - C:\WINDOWS\system32\bhkabhk.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe "
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe "
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108584393156
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FA9669A-37D8-4C9E-B3CF-D6DFBC83A48A}: NameServer = 85.255.114.107,85.255.112.133
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: igmzfjhr - C:\WINDOWS\SYSTEM32\bhkabhk.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

 

Hi

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

• Save it to your desktop.
• Please double-click Killbox.exe to run it.
• Select:
  • Delete on Reboot
  • then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
  
  C:\WINDOWS\system32\bhkabhk.dll
  
  
  
• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Please Post a new HJT log.

Geri

 

Logfile of HijackThis v1.99.1
Scan saved at 6:36:28 PM, on 3/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EarthLink 5.0\etoolbar.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O2 - BHO: (no name) - {2A904E40-731D-4881-83FB-04EFDEE88C3B} - C:\WINDOWS\system32\bhkabhk.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe "
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe "
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108584393156
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FA9669A-37D8-4C9E-B3CF-D6DFBC83A48A}: NameServer = 85.255.114.107,85.255.112.133
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: igmzfjhr - C:\WINDOWS\SYSTEM32\bhkabhk.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

 

HI,
I forgot to mention the "Pending file rename operation registry data has been renamed by external process" did pop up...

The AVG threat for "bhkabhk.dll" continues to pop up even after running Killbox three times (3x) which is why I ran it three times...

 

Hi

Please download Java It needs Java installed, Vundo targets computers that don't have it.
http://www.java.com/en/download/manual.jsp

Then after Java in installed run Vundo fix this way.

• Double-click VundoFix.exe to run it.
  Right click in the white box
  Click on add more files
  * Copy&Paste the 2 entries below into the top 2 boxes
  
  o C:\WINDOWS\system32\bhkabhk.dll
  
  * Click Add Files and Click Close Window
• Click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click OK.
• Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please rename Hijackthis.exe to Killer.exe

Then please post a new HJT log.

Geri

 

Hi,
I ran Vundofix.exe and it did not find any infections...Below is the new HijackLog and I don't think I renamed it correctly...I was wondering if I should uninstall AVG because all the scans you have requested and I have done are no longer finding anything we should worry about ???

Logfile of HijackThis v1.99.1
Scan saved at 8:45:44 PM, on 3/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EarthLink 5.0\etoolbar.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Killer.exe\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O2 - BHO: (no name) - {2A904E40-731D-4881-83FB-04EFDEE88C3B} - C:\WINDOWS\system32\bhkabhk.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe "
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe "
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108584393156
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FA9669A-37D8-4C9E-B3CF-D6DFBC83A48A}: NameServer = 85.255.114.107,85.255.112.133
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: igmzfjhr - C:\WINDOWS\SYSTEM32\bhkabhk.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

 

Hi,
I finally corrected the time on the computer...Also, when the threat is detected by AVG it says: C:\Windows\system32\bhkabhk.dll Trojan Horse Generic3.GGI...Wanted to add that as I don't recall bringing that to your attention in any of my previous posts...When I click on it to move it to the vault, it will say it has been succesfully removed and ask to reboot...After rebooting, it continues to pop-up continuously again and again...That is also why I am wondering if the AVG has this file some where and can't release it and maybe uninstalling it will be the answer ???

 

Hi

OK, I'll get TeMerc to come take a look here. You can try the uninstall but I don't think that will have any effect.

There are some things we heed to fix with HJT. So lets do that first. Then you can try the uninstall and I will get ahold of TeMerc to look in

Please post new HJT log after this is done.

Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {2A904E40-731D-4881-83FB-04EFDEE88C3B} - C:\WINDOWS\system32\bhkabhk.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FA9669A-37D8-4C9E-B3CF-D6DFBC83A48A}: NameServer = 85.255.114.107,85.255.112.133
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
O20 - Winlogon Notify: igmzfjhr - C:\WINDOWS\SYSTEM32\bhkabhk.dll

Now close all windows other than HiJackThis, then click Fix Checked.

Close HJT.

Reboot your computer then post the log.

Geri

 

Hi,
After the first scan it showed all the 017 entries gone...So I ran it again and despite the two attempts the 02 and 020 entries remain and the AVG threat detection pop-up continues....Below is a new and third Hijacklog...Please also keep in mind, that this computer has on three different occassions while submitting a HijackLog has rebooted on it's own, may or may not be attributed to what we have been fighting so hard to remove...Otherwise everything is running great...

Logfile of HijackThis v1.99.1
Scan saved at 6:18:11 AM, on 3/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EarthLink 5.0\etoolbar.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Killer.exe\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O2 - BHO: (no name) - {2A904E40-731D-4881-83FB-04EFDEE88C3B} - C:\WINDOWS\system32\bhkabhk.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe "
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe "
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108584393156
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: igmzfjhr - C:\WINDOWS\SYSTEM32\bhkabhk.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

 

Hi
OK. I was told to try this.
Lets disable Spysweeper

To disable SpySweeper:

Open it, click the Options tab, then the Program Options tab and uncheck load at windows startup.
Then click the shields tab and uncheck home page shield and automatically restore default without notification

Then run KillBox and copy and paste this file to Delete

C:\WINDOWS\system32\bhkabhk.dll

Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {2A904E40-731D-4881-83FB-04EFDEE88C3B} - C:\WINDOWS\system32\bhkabhk.dll
O20 - Winlogon Notify: igmzfjhr - C:\WINDOWS\SYSTEM32\bhkabhk.dll

Now close all windows other than HiJackThis, then click Fix Checked.

Close HJT.

Now reboot and post a new log.

Geri