Vx2, and SahAgent, and Recycle Bin oh my! (Resolved)
-
Hi there,
I'm hoping someone can help me out with this. I've been getting popups and redirects since Dec 1. I update and run Ad-Aware, Spybot, and McAfee daily. My firewall is up, why in the hell am I still getting this stuff!
I found several redirects, vx2 and sahagent on my computer, and there is a hidden file in my recycle bin that I can't delete. Help.
Cat
Here is my log:
Logfile of HijackThis v1.98.2
Scan saved at 11:43:38 AM, on 12/9/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 7.exe
C:\WINDOWS\System32\CTF\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\winsecure.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Cat\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwaprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SensKbd] C:\WINDOWS\SAMSUNG\SensKbd\SensKbd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 7.exe
O4 - HKLM\..\Run: [CTFMon] C:\WINDOWS\System32\CTF\ctfmon.exe
O4 - HKLM\..\Run: [InternetSpy] C:\WINDOWS\system32\1055\Internet Spy\InternetSpy.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsecure] C:\WINDOWS\System32\winsecure.exe
O4 - HKLM\..\Run: [7F7k36W] ssdtil.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [ipmontr] C:\WINDOWS\System32\ipmontr.exe
O4 - HKCU\..\Run: [MooqRWaqg] htulv1.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: nhuynt.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/18eca71ebc0b9013bd20/netzip/RdxIE601.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_2.ocx
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://mirror.worldwinner.com/games/v55/cubis/cubis.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
-
Hello,
Please download LSPFix from here. Unzip it and run LSPFix.exe.
1) When LSPFix has started, put a checkmark in "I know what I am doing"
2) In the Keep column, select all calsp.dll entries and click the arrow to move them into the remove column.
3) Click the Finish button to remove them.
Then Boot into Safe Mode
Delete the following files:
c:\windows\system32\calsp.dll
Reboot and post a fresh HijackThis log (if you made the odd spacing and formatting of the log, please don't do so next time; it makes it harder to read).
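As an added example (not part of this thread, and not HijackThis' or LSPFix's own code), the Python script below parses a HijackThis 1.98 log and pulls out the three entry types that mattered in the log above: the O1 hosts-file lines that point several search hostnames at one address, the O10 unknown-LSP lines that repeat once per protocol the DLL is chained into, and O4 Run entries whose executable is given as a bare filename. The sample log is a constructed excerpt assembled from lines of the log posted above; the function names and the bare-filename heuristic are the example's own.

```python
"""Triage a HijackThis 1.98 log for hosts hijacks, unknown LSPs and
unpathed Run entries. Added example; not HijackThis code."""
import re
from collections import defaultdict

# Constructed excerpt: entry lines taken from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [CTFMon] C:\WINDOWS\System32\CTF\ctfmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [7F7k36W] ssdtil.exe
O4 - HKCU\..\Run: [MooqRWaqg] htulv1.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+) (\S+)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
LSP_PREFIX = "Unknown file in Winsock LSP: "


def parse_entries(text):
    """Return (section, body) pairs for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def hosts_redirects(entries):
    """Map each IP in the O1 entries to the sorted hostnames sent to it.

    Several unrelated search hostnames resolving to one address is the
    search-hijack pattern in the log above (IE's auto-search targets)."""
    by_ip = defaultdict(set)
    for section, body in entries:
        if section == "O1":
            m = HOSTS_RE.match(body)
            if m:
                by_ip[m.group(1)].add(m.group(2))
    return {ip: sorted(names) for ip, names in by_ip.items()}


def unknown_lsps(entries):
    """Files HijackThis reports as unknown Winsock LSPs (O10), de-duplicated:
    one DLL is listed once per protocol entry it is chained into."""
    return {
        body[len(LSP_PREFIX):].strip()
        for section, body in entries
        if section == "O10" and body.startswith(LSP_PREFIX)
    }


def _executable(command):
    """First token of a Run-key command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def unpathed_run_entries(entries):
    """O4 Run entries whose executable carries no directory.

    Windows resolves such a name through the search path, so the log alone
    does not say which file runs. Legitimate helpers do this too (PCTVOICE
    here), so this is a list to verify on disk, not a list to delete."""
    flagged = []
    for section, body in entries:
        if section == "O4":
            m = RUN_RE.match(body)
            if m and "\\" not in _executable(m.group(3)):
                flagged.append((m.group(2), m.group(3)))
    return flagged


def triage(text):
    entries = parse_entries(text)
    return {
        "hosts": hosts_redirects(entries),
        "lsps": unknown_lsps(entries),
        "unpathed_run": unpathed_run_entries(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Run as-is it reports one address with three search hostnames behind it, a single LSP DLL despite the repeated O10 lines, and three unpathed Run entries. The hosts grouping is the thing to read first, since it explains the redirects the opening post complains about; the unpathed list mixes the two random-named entries with a vendor helper, which is why it is a verification list and not a deletion list.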
-
Ok, did that. Here's the log:
Logfile of HijackThis v1.98.2
Scan saved at 3:24:50 PM, on 12/9/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\kwiykr.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\SAMSUNG\SensKbd\SensKbd.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 7.exe
C:\WINDOWS\System32\CTF\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Network Associates\VirusScan\SCAN32.EXE
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\EarthLink TotalAccess\MailClnt.exe
C:\Documents and Settings\Cat\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwaprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SensKbd] C:\WINDOWS\SAMSUNG\SensKbd\SensKbd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 7.exe
O4 - HKLM\..\Run: [CTFMon] C:\WINDOWS\System32\CTF\ctfmon.exe
O4 - HKLM\..\Run: [InternetSpy] C:\WINDOWS\system32\1055\Internet Spy\InternetSpy.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsecure] C:\WINDOWS\System32\winsecure.exe
O4 - HKLM\..\Run: [7F7k36W] ssdtil.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [ipmontr] C:\WINDOWS\System32\ipmontr.exe
O4 - HKCU\..\Run: [MooqRWaqg] htulv1.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/18eca71e...p/RdxIE601.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_2.ocx
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/B...1/axofupld.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://mirror.worldwinner.com/games/v55/cubis/cubis.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/s...vest/gwCID.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
-
How to remove Wintools infections.
- Disable System restore as per the instructions here.
- Reboot into safe mode - How do I boot into "Safe" mode?
- Click on "Start" => "Control Panel" => "Administrative Tools" => "Services".
- Look for a service called "Wintools for IE Service" => Double-click it to open, then click on the Stop button and change the "Startup type" to Disabled. Do not worry if the service is not listed.
- Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for "WtoolsA.exe", "WToolsS.exe" and "WSup.exe". If you find the files, click on them, and then click End Process => Exit the Task Manager.
- Go into "Add/Remove Programs" in the "Control Panel" and look for any Wintools entry. Uninstall it.
- Open a command prompt by clicking on "Start" => "Run" and type in "cmd" and click on "OK". At the prompt, type regsvr32 /u /s "C:\Program Files\Toolbar\toolbar.dll" (quotation marks must be typed in on the preceding command) then <ENTER>.
- Type exit to close the command prompt window.
- Delete the following directories:
- C:\Program Files\Common Files\WinTools
- C:\Program Files\Toolbar
- Run HijackThis, click on "Scan" and then place a check mark in the following boxes, and click on "Fix Checked":
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
- Re-enable System restore as per the instructions here.
- Reboot and sign in as per normal and post a new HijackThis log for further review. We still have a bit more to do.
-
Logfile of HijackThis v1.98.2
Scan saved at 6:14:29 PM, on 12/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\SAMSUNG\SensKbd\SensKbd.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 7.exe
C:\WINDOWS\System32\CTF\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\winsecure.exe
C:\WINDOWS\system32\kwiykr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Network Associates\VirusScan\SCAN32.EXE
C:\Program Files\EarthLink TotalAccess\MailClnt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Cat\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwaprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SensKbd] C:\WINDOWS\SAMSUNG\SensKbd\SensKbd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 7.exe
O4 - HKLM\..\Run: [CTFMon] C:\WINDOWS\System32\CTF\ctfmon.exe
O4 - HKLM\..\Run: [InternetSpy] C:\WINDOWS\system32\1055\Internet Spy\InternetSpy.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsecure] C:\WINDOWS\System32\winsecure.exe
O4 - HKLM\..\Run: [7F7k36W] ssdtil.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe /auto
O4 - HKCU\..\Run: [ipmontr] C:\WINDOWS\System32\ipmontr.exe
O4 - HKCU\..\Run: [MooqRWaqg] htulv1.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/18eca71e...p/RdxIE601.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_2.ocx
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/B...1/axofupld.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://mirror.worldwinner.com/games/v55/cubis/cubis.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/s...vest/gwCID.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
-
Could you please download DLL Compare from here.
Click Run Locate.com.
When it says Completed scan, click Compare at the bottom. Let it do its thing.
Click Make a Log of what was found.
The logfile will be created and is called log.txt. It will be located in the same location as the DLLCompare file.
Paste the log back here. We are getting there.
-
Thank you for all the help Owen. It is greatly appreciated. Here is the Dll compare log:
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\axstream.dll Sun Dec 5 2004 6:12:50p ..S.R 225,723 220.43 K
C:\WINDOWS\SYSTEM32\cjyptui.dll Fri Dec 10 2004 3:59:18p ..S.R 225,033 219.76 K
C:\WINDOWS\SYSTEM32\dxrgres.dll Sun Dec 5 2004 9:55:48p ..S.R 225,723 220.43 K
C:\WINDOWS\SYSTEM32\fp4203~1.dll Fri Dec 10 2004 6:26:02p ..S.R 225,276 219.99 K
C:\WINDOWS\SYSTEM32\fsclient.dll Sat Dec 4 2004 10:13:08a ..S.R 225,459 220.17 K
C:\WINDOWS\SYSTEM32\i8420i~1.dll Fri Dec 10 2004 6:10:10p ..S.R 225,281 220.00 K
C:\WINDOWS\SYSTEM32\ir00l5~1.dll Sun Dec 5 2004 2:19:06p ..S.R 225,459 220.17 K
C:\WINDOWS\SYSTEM32\ir2ml5~1.dll Mon Dec 6 2004 9:28:54a ..S.R 225,723 220.43 K
C:\WINDOWS\SYSTEM32\ktn0l7~1.dll Thu Dec 9 2004 11:23:10p ..S.R 224,845 219.57 K
C:\WINDOWS\SYSTEM32\l6n4lg~1.dll Sat Dec 11 2004 3:12:44p ..S.R 225,033 219.76 K
C:\WINDOWS\SYSTEM32\lv8209~1.dll Thu Dec 2 2004 5:42:02p ..S.R 224,630 219.36 K
C:\WINDOWS\SYSTEM32\lvjo09~1.dll Tue Dec 7 2004 7:54:44p ..S.R 223,736 218.49 K
C:\WINDOWS\SYSTEM32\m8820i~1.dll Tue Dec 7 2004 4:17:42p ..S.R 224,010 218.76 K
C:\WINDOWS\SYSTEM32\malvm6.dll Tue Dec 7 2004 8:13:42a ..S.R 222,850 217.63 K
C:\WINDOWS\SYSTEM32\mlxmlr.dll Wed Dec 8 2004 7:39:22p ..S.R 224,845 219.57 K
C:\WINDOWS\SYSTEM32\mpmefilt.dll Tue Dec 7 2004 10:42:32p ..S.R 224,845 219.57 K
C:\WINDOWS\SYSTEM32\njhtml.dll Fri Dec 3 2004 8:31:50p ..S.R 224,339 219.08 K
C:\WINDOWS\SYSTEM32\rbschap.dll Thu Dec 2 2004 10:20:02p ..S.R 224,795 219.52 K
C:\WINDOWS\SYSTEM32\sjlwid.dll Wed Dec 8 2004 2:25:54p ..S.R 225,545 220.26 K
C:\WINDOWS\SYSTEM32\soclogon.dll Tue Dec 7 2004 2:09:42p ..S.R 224,010 218.76 K
C:\WINDOWS\SYSTEM32\szfrcdlg.dll Sat Dec 4 2004 5:48:34p ..S.R 225,993 220.70 K
C:\WINDOWS\SYSTEM32\u2rulc~1.dll Thu Dec 9 2004 9:40:44a ..S.R 223,121 217.89 K
C:\WINDOWS\SYSTEM32\vboy.dll Wed Dec 8 2004 8:01:08p ..S.R 225,545 220.26 K
C:\WINDOWS\SYSTEM32\wcpui.dll Fri Dec 10 2004 6:26:02p ..S.R 225,033 219.76 K
C:\WINDOWS\SYSTEM32\whaspi32.dll Fri Dec 10 2004 9:18:04a ..S.R 225,033 219.76 K
C:\WINDOWS\SYSTEM32\wphtcpip.dll Sat Dec 11 2004 8:17:32p ..S.R 225,276 219.99 K
________________________________________________
1,295 items found: 1,295 files (26 H/S), 0 directories.
Total of file sizes: 266,438,955 bytes 254.09 M
Administrator Account = True
--------------------End log---------------------
-
Download the Pocket Killbox from here.
Unzip it and run the program.
Put a check in the Delete on Reboot box.
Enter each of these lines into the white box one by one and then press the red X button. If it first asks to confirm the deletion after each entry is added and the red X is pressed, you need to click Yes, but it also asks if you want to reboot. Click No each time until the last entry has been entered.
C:\WINDOWS\SYSTEM32\axstream.dll
C:\WINDOWS\SYSTEM32\cjyptui.dll
C:\WINDOWS\SYSTEM32\dxrgres.dll
C:\WINDOWS\SYSTEM32\fp4203~1.dll
C:\WINDOWS\SYSTEM32\fsclient.dll
C:\WINDOWS\SYSTEM32\i8420i~1.dll
C:\WINDOWS\SYSTEM32\ir00l5~1.dll
C:\WINDOWS\SYSTEM32\ir2ml5~1.dll
C:\WINDOWS\SYSTEM32\ktn0l7~1.dll
C:\WINDOWS\SYSTEM32\l6n4lg~1.dll
C:\WINDOWS\SYSTEM32\lv8209~1.dll
C:\WINDOWS\SYSTEM32\lvjo09~1.dll
C:\WINDOWS\SYSTEM32\m8820i~1.dll
C:\WINDOWS\SYSTEM32\malvm6.dll
C:\WINDOWS\SYSTEM32\mlxmlr.dll
C:\WINDOWS\SYSTEM32\mpmefilt.dll
C:\WINDOWS\SYSTEM32\njhtml.dll
C:\WINDOWS\SYSTEM32\rbschap.dll
C:\WINDOWS\SYSTEM32\sjlwid.dll
C:\WINDOWS\SYSTEM32\soclogon.dll
C:\WINDOWS\SYSTEM32\szfrcdlg.dll
C:\WINDOWS\SYSTEM32\u2rulc~1.dll
C:\WINDOWS\SYSTEM32\vboy.dll
C:\WINDOWS\SYSTEM32\wcpui.dll
C:\WINDOWS\SYSTEM32\whaspi32.dll
C:\WINDOWS\SYSTEM32\wphtcpip.dll
When KillBox has rebooted your system, post a fresh log here (DLLCompare and Hijack This).
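Added example, not code from the thread, from DLLCompare or from Killbox: a Python parser for DLLCompare's "Files Found that Windows does not See" lines that applies the pattern visible in the log above (System plus Read-only attributes, everything under SYSTEM32, sizes within a couple of percent of each other, fresh files every day or so) and emits the path list in the one-per-line form pasted into Killbox. The first six sample lines are copied from the log above; the kernel32.dll line is a constructed benign control whose date, attribute token and size are hypothetical, and the two-percent size tolerance is the example's own choice.

```python
"""Parse DLLCompare 'Files Found that Windows does not See' lines and
flag the hidden-DLL pattern seen in this thread. Added example."""
import re
from datetime import datetime
from statistics import median

# Six lines copied from the DLLCompare log above, plus one constructed
# benign control line (kernel32.dll: hypothetical date, attribute token
# and size) so the filter has something to leave alone.
SAMPLE_DLLCOMPARE = r"""
C:\WINDOWS\SYSTEM32\axstream.dll Sun Dec 5 2004 6:12:50p ..S.R 225,723 220.43 K
C:\WINDOWS\SYSTEM32\fp4203~1.dll Fri Dec 10 2004 6:26:02p ..S.R 225,276 219.99 K
C:\WINDOWS\SYSTEM32\fsclient.dll Sat Dec 4 2004 10:13:08a ..S.R 225,459 220.17 K
C:\WINDOWS\SYSTEM32\malvm6.dll Tue Dec 7 2004 8:13:42a ..S.R 222,850 217.63 K
C:\WINDOWS\SYSTEM32\u2rulc~1.dll Thu Dec 9 2004 9:40:44a ..S.R 223,121 217.89 K
C:\WINDOWS\SYSTEM32\wphtcpip.dll Sat Dec 11 2004 8:17:32p ..S.R 225,276 219.99 K
C:\WINDOWS\SYSTEM32\kernel32.dll Wed Aug 4 2004 12:56:58a ....A 983,552 960.50 K
"""

# path, weekday, month, day, year, h:mm:ss followed by a/p, attribute
# flags, byte count with thousands separators, human-readable size.
LINE_RE = re.compile(
    r"^(?P<path>.+?) [A-Za-z]{3} (?P<mon>[A-Za-z]{3}) (?P<day>\d{1,2}) "
    r"(?P<year>\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2})(?P<ampm>[ap]) "
    r"(?P<attrs>\S+) (?P<size>[\d,]+) [\d.]+ [KMG]$"
)


def parse_dllcompare(text):
    """One dict per file line: path, mtime (datetime), attrs, size in bytes."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, separators and summary lines
        ampm = "AM" if m["ampm"] == "a" else "PM"
        stamp = f"{m['mon']} {m['day']} {m['year']} {m['time']}{ampm}"
        records.append({
            "path": m["path"],
            "mtime": datetime.strptime(stamp, "%b %d %Y %I:%M:%S%p"),
            "attrs": m["attrs"],
            "size": int(m["size"].replace(",", "")),
        })
    return records


def flag_hidden_sr(records):
    """Files under SYSTEM32 carrying both the System and Read-only flags.

    Every file in the thread's log has both, which is what kept them out of
    sight in Explorer; ordinary DLLs there are not marked that way."""
    return [
        r for r in records
        if "S" in r["attrs"] and "R" in r["attrs"]
        and "\\system32\\" in r["path"].lower()
    ]


def size_cluster(records, tolerance=0.02):
    """(smallest, largest, tight): tight is True when every size lies within
    `tolerance` of the median, i.e. the files are one payload under many names."""
    sizes = sorted(r["size"] for r in records)
    mid = median(sizes)
    tight = all(abs(s - mid) <= tolerance * mid for s in sizes)
    return sizes[0], sizes[-1], tight


def drop_window(records):
    """Earliest and latest modification time among the flagged files."""
    times = sorted(r["mtime"] for r in records)
    return times[0], times[-1]


def killbox_list(records):
    """Sorted full paths, one per line, as Killbox takes them. DLLCompare
    prints 8.3 aliases (the ~1 names); those still resolve on disk."""
    return sorted(r["path"] for r in records)


if __name__ == "__main__":
    flagged = flag_hidden_sr(parse_dllcompare(SAMPLE_DLLCOMPARE))
    lo, hi, tight = size_cluster(flagged)
    first, last = drop_window(flagged)
    print(f"{len(flagged)} hidden System+Read-only DLLs, {lo}-{hi} bytes, "
          f"tight={tight}, dropped {first:%b %d} to {last:%b %d}")
    print("\n".join(killbox_list(flagged)))
```

The drop window is the part worth keeping an eye on after a cleanup: the second DLLCompare log further down shows a fresh set of files dated after the Killbox pass, which is what you expect when the files were deleted but whatever writes them was not. A tight size cluster with modification dates newer than the last cleanup is the signal to go back to the process and Run-key list rather than delete the new files again.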
-
Hi Owen,
Here is the Dllcompare:
C:\WINDOWS\SYSTEM32\aza0l5~1.dll Sun Dec 12 2004 11:46:54p ..S.R 225,276 219.99 K
C:\WINDOWS\SYSTEM32\d4j0le~1.dll Thu Dec 16 2004 5:42:42p ..S.R 224,666 219.40 K
C:\WINDOWS\SYSTEM32\k8800i~1.dll Tue Dec 14 2004 6 36p ..S.R 225,901 220.61 K
C:\WINDOWS\SYSTEM32\khdhu.dll Mon Dec 13 2004 8:03:12p ..S.R 225,033 219.76 K
C:\WINDOWS\SYSTEM32\l42s0e~1.dll Mon Dec 13 2004 11:08:00p ..S.R 225,033 219.76 K
C:\WINDOWS\SYSTEM32\m0rm0a~1.dll Wed Dec 15 2004 11:02:22p ..S.R 223,107 217.88 K
C:\WINDOWS\SYSTEM32\m8820i~1.dll Tue Dec 7 2004 4:17:42p ..S.R 224,010 218.76 K
C:\WINDOWS\SYSTEM32\wuspdmod.dll Mon Dec 13 2004 8:24:54a ..S.R 225,033 219.76 K
Here is the HijackThis log:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SCAN32.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\kwiykr.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\SAMSUNG\SensKbd\SensKbd.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 7.exe
C:\WINDOWS\System32\CTF\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\winsecure.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Cat\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwaprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SensKbd] C:\WINDOWS\SAMSUNG\SensKbd\SensKbd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 7.exe
O4 - HKLM\..\Run: [CTFMon] C:\WINDOWS\System32\CTF\ctfmon.exe
O4 - HKLM\..\Run: [InternetSpy] C:\WINDOWS\system32\1055\Internet Spy\InternetSpy.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsecure] C:\WINDOWS\System32\winsecure.exe
O4 - HKLM\..\Run: [7F7k36W] ssdtil.exe
O4 - HKCU\..\Run: [ipmontr] C:\WINDOWS\System32\ipmontr.exe
O4 - HKCU\..\Run: [MooqRWaqg] htulv1.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/18eca71e...p/RdxIE601.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_2.ocx
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/B...1/axofupld.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://mirror.worldwinner.com/games/v55/cubis/cubis.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/s...vest/gwCID.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
Thank you.
-
Download the Pocket Killbox from here.
Unzip it and run the program.
Put a check in the Delete on Reboot box.
Enter each of these lines into the white box one by one and then press the red X button. If it first asks to confirm the deletion after each entry is added and the red X is pressed, you need to click Yes, but it also asks if you want to reboot. Click No each time until the last entry has been entered.
C:\WINDOWS\SYSTEM32\aza0l5~1.dll
C:\WINDOWS\SYSTEM32\d4j0le~1.dll
C:\WINDOWS\SYSTEM32\k8800i~1.dll
C:\WINDOWS\SYSTEM32\khdhu.dll
C:\WINDOWS\SYSTEM32\l42s0e~1.dll
C:\WINDOWS\SYSTEM32\m0rm0a~1.dll
C:\WINDOWS\SYSTEM32\m8820i~1.dll
C:\WINDOWS\SYSTEM32\wuspdmod.dll
C:\WINDOWS\SYSTEM32\guard.tmp
When KillBox has rebooted your system, post a fresh log here.
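The two things the helper is reacting to in the log above are the O1 lines (the hosts file sending search hostnames to 69.20.16.183 instead of loopback) and the O4 Run entries whose value is a bare filename with a random-looking name. The script below is an added example, not anything posted in this thread or part of HijackThis or Killbox: it parses lines in the HijackThis 1.98 format, collapses the duplicated O1 entries, reports any hosts mapping that does not point at loopback, and lists Run entries whose command has no path (so Windows resolves it through the search path rather than a fixed location). The sample log is constructed from a few lines of the log above, and the HKLM/HKCU pattern is the only Run-key shape it handles.

```python
import re
from collections import defaultdict

# Constructed sample: lines in HijackThis 1.98 format, modeled on the log posted above.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [CTFMon] C:\WINDOWS\System32\CTF\ctfmon.exe
O4 - HKLM\..\Run: [7F7k36W] ssdtil.exe
O4 - HKCU\..\Run: [MooqRWaqg] htulv1.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
# Only the HKLM\..\Run and HKCU\..\Run forms are parsed (assumption for this example).
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\]\s+(.*)$")

# Addresses a legitimate hosts-file block would point at; anything else is a redirect.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts_entries(log):
    """Map each IP in the O1 lines to the sorted set of hostnames bound to it.
    Duplicate O1 lines (the log above repeats ieautosearch) collapse into one."""
    entries = defaultdict(set)
    for line in log.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            entries[m.group(1)].add(m.group(2))
    return {ip: sorted(hosts) for ip, hosts in entries.items()}


def hosts_redirects(log):
    """O1 entries that send a hostname somewhere other than loopback.
    A search hostname mapped to a public IP is the classic browser-redirect hijack."""
    return {ip: hosts for ip, hosts in parse_hosts_entries(log).items()
            if ip not in LOOPBACK}


def parse_run_entries(log):
    """Return the O4 Run entries as dicts with hive, value name and command line."""
    out = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            out.append({"hive": m.group(1), "name": m.group(2), "command": m.group(3)})
    return out


def first_token(command):
    """Executable part of a Run command: the quoted path if quoted, else the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""


def unqualified_run_entries(log):
    """Run entries whose executable carries no directory, so it is found via the
    search path. Not proof of anything by itself (pctspk.exe is a real driver
    component), but every such entry is worth locating on disk before deciding."""
    flagged = []
    for entry in parse_run_entries(log):
        exe = first_token(entry["command"])
        if "\\" not in exe and ":" not in exe:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for ip, hosts in hosts_redirects(SAMPLE_LOG).items():
        print(f"hosts redirect -> {ip}: {', '.join(hosts)}")
    for entry in unqualified_run_entries(SAMPLE_LOG):
        print(f"bare Run entry in {entry['hive']}: [{entry['name']}] {entry['command']}")
```

Run it on a saved log with `python triage.py` after pointing `SAMPLE_LOG` at the file contents; the output is a short list for a human to check, in the same spirit as the helper's reply, not an automatic verdict.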