MSN Messenger message: imdownloads + my email address

  1. #1
    lurla (Valued Member)

    MSN Messenger message: imdownloads + my email address

    OK. I got this message from a friend on MSN that said 'is this you?' and it had a website, www imdownloads com/profile and my address, or something similar... I, like an idiot, clicked on it, because this person is someone I know, and didn't figure they were sending me viruses! It took me to a blank page, and saved to my desktop.. I STILL didn't think anything of it, until I got the SAME message from someone else on my list, with the EXACT same message... this person never msgs me... so I was suspicious. Then another person on my list msged me to ask me about the msg (he was getting the same one)...

    So AFTER I smacked myself a few times for being such a bonehead, I ran Ad-Aware (which picked up a registry violation) and Spybot... and nothing weird was going on... but now my main page keeps trying to change, and every time I try to get HijackThis to run, my monitor blinks as if I had just restarted!!

    Please help!



    Edited to remove potentially harmful URL link!
    Last edited by lurla; 20-11-2005 at 09:12 PM.


  2. #2
    Neal (Dedicated Member)
    Try running these online scans:

    http://www.pandasoftware.com/products/activescan.htm

    http://housecall60.trendmicro.com/en...rp.asp?id=scan

    Get the stinger here:
    http://vil.nai.com/vil/stinger/

    Download it to another computer if need be, and bring it to the affected computer on floppy disk.

    It will kill the top 53 virus files if any are found there.


    Please download, install, update and scan your system with the free version of Ewido trojan scanner: www.ewido.net/en/download/

    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

    2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.

    3. From the main ewido screen, click on UPDATE in the left menu, then click the Start update button.

    4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run.


    5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.


    6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread, along with a new HijackThis log.


    Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal.


    Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

    Now try a hijackthis log.

  3. #3
    lurla (Valued Member)
    OK. I have a problem. My computer is not letting me go to any of these sites... except the Housecall one, and it won't update.. says it can't overwrite files?... I get 'this page is not available' for the rest. I don't know where to get the Stinger because my sister has a laptop and there is no CD writer on it, and it won't send through MSN Messenger, and email won't work to send it either!

  4. #4
    Neal (Dedicated Member)
    Click on the Stinger link; you don't have to burn it if you don't need to.

    Can you post a hijackthis log?

    Create a new folder on your C: drive.
    Name it C:\HJT or HijackThis and move the HijackThis.exe file into it.
    It's best for this tool NOT to be located on your Desktop or in a TEMP folder.
    This way you can undo any changes if something goes wrong.

    Download the new version of hijackthis here:

    http://majorgeeks.com/download3155.html




    * Download finditnt2000xp.zip
    * Unzip the contents of finditnt2000xp.zip to a convenient location.
    * Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
    * A command prompt will open and it will search your computer for malicious files.
    * Once it has finished a Notepad window will pop up with output.txt.
    * Copy the entire contents of output.txt into your next post.
    * DON'T delete/modify any files yet


    Please download SilentRunners from here:
    http://www.silentrunners.org/Silent%20Runners.zip
    Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop. Please post the entire contents of this logfile for me to see.

    Thanks
    Last edited by Neal; 24-11-2005 at 06:06 AM.

  5. #5
    lurla (Valued Member)
    It still won't let me use HijackThis... I get as far as the menu screen and it closes and the screen blinks! Here is the other stuff..

    Stinger cleaned Qhosts.apd trojan

    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    Find.bat is running from: C:\Documents and Settings\Shyla\My Documents\downloaded\finditnt2000xp\Find It NT-2K-XP

    ------- System Files in System32 Directory -------

    Volume in drive C has no label.
    Volume Serial Number is FCA5-B813

    Directory of C:\WINDOWS\System32

    11/23/2005 04:53 PM <DIR> vtkkfvrnv
    11/19/2005 10:12 PM 2 netstat.com
    11/19/2005 10:12 PM 2 taskkill.com
    10/31/2005 01:50 PM <DIR> dllcache
    02/25/2005 04:53 PM 0 cpooe.log
    02/13/2005 07:10 AM 7,471 eliff.log
    01/30/2005 12:52 PM 7,471 eikes.dat
    01/27/2005 02:49 PM 3,547 diwrc.dat
    01/18/2005 12:05 PM 3,547 estsl.txt
    01/06/2005 10:50 PM 3,547 bidpx.log
    12/30/2004 01:53 PM 3,547 stxao.dat
    06/28/2004 10:38 PM 0 mcc.exe
    06/28/2004 10:38 PM 0 d2kpax.exe
    06/28/2004 10:38 PM 0 d2kpax.dll
    06/28/2004 10:38 PM 0 bridge.dll
    06/28/2004 10:38 PM 0 a.exe
    06/28/2004 10:38 PM 0 jac.dll
    06/28/2004 10:38 PM 0 msxslab.dll
    04/05/2004 11:42 PM <DIR> Microsoft
    16 File(s) 29,134 bytes
    3 Dir(s) 15,516,213,248 bytes free

    ------- Hidden Files in System32 Directory -------

    Volume in drive C has no label.
    Volume Serial Number is FCA5-B813

    Directory of C:\WINDOWS\System32

    11/23/2005 04:53 PM <DIR> vtkkfvrnv
    11/19/2005 10:12 PM 2 taskkill.com
    11/19/2005 10:12 PM 2 netstat.com
    10/31/2005 01:50 PM <DIR> dllcache
    07/21/2005 04:32 PM 8,628 CMMGR32.GID
    02/25/2005 04:53 PM 0 cpooe.log
    02/13/2005 07:10 AM 7,471 eliff.log
    01/30/2005 12:52 PM 7,471 eikes.dat
    01/27/2005 02:49 PM 3,547 diwrc.dat
    01/18/2005 12:05 PM 3,547 estsl.txt
    01/06/2005 10:50 PM 3,547 bidpx.log
    12/30/2004 01:53 PM 3,547 stxao.dat
    11/24/2004 12:31 AM 581 ws249832.ocx
    06/28/2004 10:38 PM 0 mcc.exe
    06/28/2004 10:38 PM 0 d2kpax.exe
    06/28/2004 10:38 PM 0 d2kpax.dll
    06/28/2004 10:38 PM 0 bridge.dll
    06/28/2004 10:38 PM 0 jac.dll
    06/28/2004 10:38 PM 0 a.exe
    06/28/2004 10:38 PM 0 msxslab.dll
    04/05/2004 08:06 PM 488 logonui.exe.manifest
    04/05/2004 08:06 PM 488 WindowsLogon.manifest
    04/05/2004 08:06 PM 749 wuaucpl.cpl.manifest
    04/05/2004 08:06 PM 749 sapi.cpl.manifest
    04/05/2004 08:06 PM 749 cdplayer.exe.manifest
    04/05/2004 08:06 PM 749 nwc.cpl.manifest
    04/05/2004 08:06 PM 749 ncpa.cpl.manifest
    25 File(s) 43,064 bytes
    2 Dir(s) 15,516,209,152 bytes free

    ------------ Files Named "Guard" ---------------

    Volume in drive C has no label.
    Volume Serial Number is FCA5-B813

    Directory of C:\WINDOWS\System32


    ------ Temp Files in System32 Directory ------

    Volume in drive C has no label.
    Volume Serial Number is FCA5-B813

    Directory of C:\WINDOWS\System32


    ------------------ User Agent ----------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "YPC 3.2.0"="Yahoo! Parental Controls"


    ------------- Keys Under Notify -------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    ------------- Locate.com Results -------------

    C:\WINDOWS\SYSTEM32\
    netstat.com Sat Nov 19 2005 10:12:28p ..SH. 2 0.00 K
    taskkill.com Sat Nov 19 2005 10:12:28p ..SH. 2 0.00 K

    2 items found: 2 files, 0 directories.
    Total of file sizes: 4 bytes 0.00 K

    -------- Strings.exe Qoologic Results --------


    --------- Strings.exe Aspack Results ---------

    C:\WINDOWS\system32\pav.sig: .aspack
    C:\WINDOWS\system32\pav.sig: :.aspackze
    C:\WINDOWS\system32\pav.sig: .aspack.text
    C:\WINDOWS\system32\pav.sig: H.aspack.text
    C:\WINDOWS\system32\pav.sig: .aspack.text
    C:\WINDOWS\system32\pav.sig: 4.aspack
    C:\WINDOWS\system32\pav.sig: F<SW.aspack
    C:\WINDOWS\system32\pav.sig: [.aspack
    C:\WINDOWS\system32\pav.sig: .aspack0
    C:\WINDOWS\system32\pav.sig: .aspack
    C:\WINDOWS\system32\pav.sig: .aspack
    C:\WINDOWS\system32\pav.sig: H@.aspack.text
    C:\WINDOWS\system32\pav.sig: AsPack

    -------------- HKLM Run Key ----------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "csrss"=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"
    "Installed"="1"


    

    "Silent Runners.vbs", revision 41, http://www.silentrunners.org/
    Operating System: Windows XP
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "SHS" = ""C:\Program Files\Rogers\SelfHealing\SHS.exe" /background" ["Rogers Cable"]
    "Update Manager" = ""C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background" ["Rogers Cable Communications Inc. "]
    "Yahoo! Pager" = ""C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet" ["Yahoo! Inc."]
    "ares" = ""C:\Program Files\Ares\Ares.exe" -h" ["Ares Development Group"]
    "csrss" = (empty string)

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
    "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
    "csrss" = (value not set)

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
    "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
    "{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Share-to-Web Upload Folder"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]
    "{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}" = "PhotoToys"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\phototoys.dll" [MS]
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
    "{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    INFECTION WARNING! "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
    INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
    INFECTION WARNING! "load" = "C:\WINDOWS\System32\vtkkfvrnv\csrss.exe" [null data]
    INFECTION WARNING! "run" = "C:\WINDOWS\System32\vtkkfvrnv\csrss.exe" [null data]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop is disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\Shyla\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


    Startup items in "Shyla" & "All Users" startup folders:
    -------------------------------------------------------

    C:\Documents and Settings\Shyla\Start Menu\Programs\Startup
    "csrss" -> shortcut to: "" [file not found]
    "SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "ninemsn" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll" [file not found]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Companion" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll" ["Yahoo! Inc."]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
    "ButtonText" = "Rogers Yahoo! Services"
    "CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo!"]


    Miscellaneous IE Hijack Points
    ------------------------------

    HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

    Missing lines (compared with English-language version):
    HIJACK WARNING! "blank" = "http://awebfind.biz/" [file not found]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe" ["America Online, Inc."]
    LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
    NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
    SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]


    ----------
    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
    use the -supp parameter or answer "No" at the first message box.
    ---------- (total run time: 26 seconds, including 6 seconds for message boxes)
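
A way to triage the two logs above automatically, as an added example that is not part of this thread and not code from the Find It or Silent Runners tools. It parses a dir-style listing like the Find It output and flags the patterns a helper looks for in it (a tiny .com file named after a system tool, which cmd.exe picks ahead of the real .exe when the command is typed without an extension; zero-byte files with executable extensions; a System32 directory with a machine-generated-looking name), and it pulls the INFECTION/HIJACK WARNING lines out of a Silent Runners report together with the registry key they sit under. The sample inputs are constructed from a subset of the entries posted above; the tool-name list, the size threshold and the no-vowels heuristic are my assumptions, and the flags are hints for a human to review, not verdicts (the Silent Runners warnings for SpywareGuard and ewido in the real log are legitimate).

```python
import re
from dataclasses import dataclass

# Constructed sample input, modelled on the Find It listing posted in this thread
# (a subset of its entries, in the same `dir` format).
FINDIT_LISTING = """
Directory of C:\\WINDOWS\\System32

11/23/2005 04:53 PM <DIR> vtkkfvrnv
11/19/2005 10:12 PM 2 netstat.com
11/19/2005 10:12 PM 2 taskkill.com
10/31/2005 01:50 PM <DIR> dllcache
02/13/2005 07:10 AM 7,471 eliff.log
06/28/2004 10:38 PM 0 mcc.exe
06/28/2004 10:38 PM 0 bridge.dll
04/05/2004 08:06 PM 488 logonui.exe.manifest
04/05/2004 11:42 PM <DIR> Microsoft
16 File(s) 29,134 bytes
"""

# Constructed sample input, modelled on the Silent Runners report posted above.
SILENTRUNNERS_SNIPPET = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"csrss" = (value not set)

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "load" = "C:\WINDOWS\System32\vtkkfvrnv\csrss.exe" [null data]
INFECTION WARNING! "run" = "C:\WINDOWS\System32\vtkkfvrnv\csrss.exe" [null data]

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "blank" = "http://awebfind.biz/" [file not found]
"""

DIR_LINE = re.compile(r"^(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2} [AP]M) (<DIR>|[\d,]+) (.+)$")
WARNING_LINE = re.compile(r'^(INFECTION|HIJACK) WARNING! "([^"]*)" = "(.*?)" \[([^\]]*)\]$')

# Assumption: command-line tools that a tiny .com file in System32 would shadow,
# because cmd.exe resolves an extension-less command to .COM before .EXE.
# Only netstat and taskkill appear in the thread; the rest generalise the idea.
SHADOWABLE_TOOLS = {"netstat", "taskkill", "tasklist", "regedit", "ipconfig", "cmd"}
EXECUTABLE_EXTS = {"exe", "dll", "com", "scr", "sys"}


@dataclass
class Entry:
    date: str
    name: str
    is_dir: bool
    size: int  # 0 for directories


@dataclass
class Finding:
    kind: str
    item: str
    detail: str


def parse_dir_listing(text):
    """Parse `dir`-style lines (as Find It prints them); skip header and summary lines."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m:
            continue
        date, _time, size, name = m.groups()
        is_dir = size == "<DIR>"
        entries.append(Entry(date, name, is_dir, 0 if is_dir else int(size.replace(",", ""))))
    return entries


def triage_listing(text):
    """Flag listing entries that match the three heuristics described in the lead-in."""
    findings = []
    for e in parse_dir_listing(text):
        lower = e.name.lower()
        base, dot, ext = lower.rpartition(".")
        if e.is_dir:
            if len(lower) >= 6 and not any(c in "aeiouy" for c in lower):
                findings.append(Finding("random_dirname", e.name, "no vowels; looks machine-generated"))
        elif dot and ext == "com" and base in SHADOWABLE_TOOLS and e.size <= 16:
            findings.append(Finding("tool_shadow", e.name,
                                    f"{e.size}-byte .com sits ahead of {base}.exe in command lookup"))
        elif dot and ext in EXECUTABLE_EXTS and e.size == 0:
            findings.append(Finding("zero_byte_executable", e.name, "empty file with an executable extension"))
    return findings


def extract_silentrunners_warnings(text):
    """Collect WARNING lines, prefixing each value name with the registry key above it."""
    findings = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(" {++}"):  # Silent Runners marks keys shown in full this way
            line = line[:-len(" {++}")]
        if line.startswith(("HKLM\\", "HKCU\\", "HKU\\")) and line.endswith("\\"):
            key = line
            continue
        m = WARNING_LINE.match(line)
        if m:
            level, value, data, note = m.groups()
            findings.append(Finding(level.lower() + "_warning", key + value, f"{data} [{note}]"))
    return findings


def format_report(findings):
    return [f"[{f.kind}] {f.item}: {f.detail}" for f in findings]


if __name__ == "__main__":
    for line in format_report(triage_listing(FINDIT_LISTING) + extract_silentrunners_warnings(SILENTRUNNERS_SNIPPET)):
        print(line)
```

Run it as a script to print one line per finding; on the constructed input it reports the vtkkfvrnv directory, the two 2-byte .com files, the two zero-byte executables and the three Silent Runners warnings, which is exactly the set the helper acts on in the next post.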

  6. #6
    Neal (Dedicated Member)
    Sure wish I could see a HijackThis log, maybe after the below. I found some bad guys running around in those logs.

    Print these instructions out, or make a new text document and save it to the desktop.


    Go into Add/Remove Programs and remove (IF FOUND):

    Ares
    awebfind


    Make sure you can see hidden files.
    In Windows XP
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Download and install these tools:
    Run the tools from safe mode, as explained below.

    Download the Intermute stand-alone version of CWShredder from here: cwshredder.net/bin/CWShredder.exe
    Install it and check for updates, then exit; we will use it later.



    Download CCleaner from here:
    http://www.majorgeeks.com/download4191.html
    or here:
    http://www.filehippo.com/download_ccleaner.html

    Don't run the tool just yet, please.
    Install it. The Windows tab should be open in the upper left of the program. Click Analyze and then click Run Cleaner. Just use the Windows tab that is up front by default.

    1. Uncheck "Cookies" under "Internet Explorer".

    2. If you are running Firefox, then click on the "Applications" tab and uncheck "Cookies" under "Firefox".


    Use from safe mode only
    Download the Killbox.
    Unzip it to the desktop

    Double-click Killbox.exe to run it.

    Select "Delete on Reboot".
    Place the following line C:\WINDOWS\System32\vtkkfvrnv\csrss.exe in the "Full Path of File to Delete" box in Killbox:

    Put a mark next to "Delete on Reboot"
    Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
    If your computer does not restart automatically, please restart it manually.


    How to reboot into safe mode to run the above tools:

    Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select Safe Mode and press Enter.

    Do the below after the above; if you have trouble with the above, then do the trojan scan first from safe mode if possible.


    Then try to install and run this trojan scanner.

    Please download, install, update and scan your system with the free version of Ewido trojan scanner: www.ewido.net/en/download/

    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

    2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.

    3. From the main ewido screen, click on UPDATE in the left menu, then click the Start update button.

    4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run.


    5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.


    6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread, along with a new HijackThis log.


    Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal.


    Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

    Try to post a hijackthis log now

  7. #7
    lurla (Valued Member)
    OK.. I managed to get HijackThis to work this time.. here's the ewido scan and HijackThis log!

    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 12:06:50 AM, 11/25/2005
    + Report-Checksum: A8BF9C8D

    + Scan result:

    HKLM\SOFTWARE\Classes\bustmo.ozlg\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\bustmo.ozlg.88\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\\ -> Spyware.AproposMedia : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{0B936818-A83D-004A-625A-757B4D758CC6} -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
    HKLM\SOFTWARE\Classes\eitte.yjhsvj\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\eitte.yjhsvj.89\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\fxrcor.hlwoe\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\fxrcor.hlwoe.99\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{8A94C367-815A-4D4F-A6B6-D4EB877A126C} -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{8A94C367-815A-4D4F-A6B6-D4EB877A126C}\TypeLib\\ -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\llape.oudkwr\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\llape.oudkwr.86\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\pusvl.njaiie\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\pusvl.njaiie.413\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\tvmgceg.bwhkn\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\tvmgceg.bwhkn.59\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{CED445E2-8C78-4F40-87D7-F7FB6F1B6791} -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\ugioo.nigy\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\ugioo.nigy.453\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\xkjuve.haugz\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\xkjuve.haugz.2\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\zmwljk.pukmbd\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\zmwljk.pukmbd.7\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDH -> Spyware.DealHelper : Cleaned with backup
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
    C:\custered.exe -> TrojanProxy.Ranky : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S5I1QXYN\54161268[1].exe -> TrojanProxy.Ranky : Cleaned with backup
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S5I1QXYN\optimize[1].exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@adopt.euroclick[1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@e-2dj6wfkoujc5ecp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@e-2dj6wfl4cjdzshp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@e-2dj6wfl4ojcpkco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@e-2dj6wfmisldjego.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@e-2dj6wjlisgd5chp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@e-2dj6wjloepczeco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Shyla\Cookies\shyla@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
    C:\msvidconf.exe -> TrojanProxy.Fireby.c : Cleaned with backup
    C:\WINDOWS\ALCHUNIN.EXE:detzxw -> TrojanDownloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\app.ico:aujbmy -> TrojanDownloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\app.ico:jolpir -> Spyware.OneMoreSearch : Cleaned with backup
    C:\WINDOWS\Ascd_tmp.ini:sruhsl -> Backdoor.Small.dc : Cleaned with backup
    C:\WINDOWS\aucfg.ini:lanmmh -> Backdoor.Small.dc : Cleaned with backup
    C:\WINDOWS\aucfg.ini:vltrlt -> Backdoor.Small.dc : Cleaned with backup
    C:\WINDOWS\AuHCcup1.ini:lkenvn -> TrojanDownloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\capwnwi.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\cdplayer.ini:llhzso -> Spyware.OneMoreSearch : Cleaned with backup
    C:\WINDOWS\clock.avi:mpnozn -> Spyware.OneMoreSearch : Cleaned with backup
    C:\WINDOWS\clock.avi:swokqr -> Trojan.Agent.bi : Cleaned with backup
    C:\WINDOWS\control.ini:kxzqsb -> TrojanDownloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\diug3002hd.dat:csioug -> TrojanDownloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
    C:\WINDOWS\eekha.txt:vjmehh -> Trojan.Agent.bi : Cleaned with backup
    C:\WINDOWS\eimhh.dat:fbmwwv -> Backdoor.Small.dc : Cleaned with backup
    C:\WINDOWS\explorer.scf:nyrvxp -> Spyware.OneMoreSearch : Cleaned with backup
    C:\WINDOWS\explorer.scfkfjjr -> TrojanDownloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\FeatherTexture.bmp:vfsgcj -> Spyware.OneMoreSearch : Cleaned with backup
    C:\WINDOWS\GetServer.ini:hvzhil -> Spyware.OneMoreSearch : Cleaned with backup
    C:\WINDOWS\hh.exe:kherzs -> Backdoor.Small.dc : Cleaned with backup
    C:\WINDOWS\jautoexp.dat:ikdbuk -> Backdoor.Small.dc : Cleaned with backup
    C:\WINDOWS\LEXSTAT.INI:mdiryp -> Trojan.Agent.bi : Cleaned with backup
    C:\WINDOWS\loadhttp.dll:ddakwy -> Spyware.OneMoreSearch : Cleaned with backup
    C:\WINDOWS\msdfmap.ini:cnrjhv -> Backdoor.Small.dc : Cleaned with backup
    C:\WINDOWS\n_inoohi.dat:mdjpv -> TrojanDownloader.Agent.bc : Cleaned with backup
    C:\WINDOWS\n_ovzdon.dat:iffnu -> TrojanDownloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\n_ovzdon.dat:kppauv -> Backdoor.Small.dc : Cleaned with backup
    C:\WINDOWS\ODBC.INI:bsrpyk -> Trojan.Agent.bi : Cleaned with backup
    C:\WINDOWS\oeuninst.exe:xsvupy -> Backdoor.Small.dc : Cleaned with backup
    C:\WINDOWS\omall.txt:utcvau -> TrojanDownloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\optimize.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
    C:\WINDOWS\qejez.dat:ycmrws -> Backdoor.Small.dc : Cleaned with backup
    C:\WINDOWS\runtsckl.exejbrrh -> Spyware.OneMoreSearch : Cleaned with backup
    C:\WINDOWS\runtsckl.exe:ybdacs -> Backdoor.Small.dc : Cleaned with backup
    C:\WINDOWS\SynCor.exe:qvwwyd -> TrojanDownloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\twunk_32.exe:eydfln -> Spyware.OneMoreSearch : Cleaned with backup
    C:\WINDOWS\vmmreg32.dll:yrflak -> Backdoor.Small.dc : Cleaned with backup
    C:\WINDOWS\vsapi32.dll:rsxqvv -> TrojanDownloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\win.ini:laocos -> Backdoor.Small.dc : Cleaned with backup
    C:\WINDOWS\winhlp32.exe:rusjx -> Trojan.Agent.bi : Cleaned with backup
    C:\WINDOWS\winnt256.bmp:elsxag -> Spyware.OneMoreSearch : Cleaned with backup
    C:\WINDOWS\Zapotec.bmp:rocvmp -> Backdoor.Small.dc : Cleaned with backup
    C:\WINDOWS\_default.pif:bjqrpk -> Trojan.Agent.bi : Cleaned with backup
    C:\WINDOWS\_default.pif:gookz -> TrojanDownloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\_default.pif:gtoxnd -> TrojanDownloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\_default.pif:itlvoy -> Spyware.OneMoreSearch : Cleaned with backup
    C:\WINDOWS\_default.pif:llaudt -> Backdoor.Small.dc : Cleaned with backup
    C:\WINDOWS\_default.pif:lpqgbd -> Spyware.SearchPage : Cleaned with backup
    C:\WINDOWS\_default.pif:mktklx -> TrojanDownloader.Agent.ap : Cleaned with backup
    C:\WINDOWS\_default.piftvsst -> Backdoor.Small.dc : Cleaned with backup
    C:\WINDOWS\_default.pif:ugcfpo -> Spyware.SearchPage : Cleaned with backup
    C:\WINDOWS\_default.pif:vgwaii -> Spyware.SearchPage : Cleaned with backup
    C:\WINDOWS\_default.pif:vsppk -> TrojanDownloader.Agent.bc : Cleaned with backup
    C:\WINDOWS\_default.pif:vvdrk -> TrojanDownloader.Agent.bc : Cleaned with backup
    C:\wm.exe -> Trojan.Crypt.d : Cleaned with backup


    ::Report End

    Logfile of HijackThis v1.99.1
    Scan saved at 12:43:28 AM, on 11/25/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Aliant\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Documents and Settings\Shyla\My Documents\Hijackthis\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/c.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    F3 - REG:win.ini: load=C:\WINDOWS\System32\vtkkfvrnv\csrss.exe
    F3 - REG:win.ini: run=C:\WINDOWS\System32\vtkkfvrnv\csrss.exe, C:\WINDOWS\inetdata\services.exe
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Aliant\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
    O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
    O4 - Startup: csrss.lnk = ?
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Net Assistant.lnk = C:\Program Files\Aliant\Net Assistant\bin\matcli.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/active...side_web18.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1124297154906
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124297245109
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/def...jolauncher.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://sympatico.zone.msn.com/binFra...o.cab34246.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v6.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
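
Most of the ewido hits above have the form `C:\WINDOWS\win.ini:laocos`: the part after the second colon is an NTFS alternate data stream (ADS) attached to a legitimate Windows file, which is where this dropper hid its payloads (win.ini, _default.pif, clock.avi and so on are the hosts, not the malware). Explorer and a plain `dir` do not show streams, which is why Ad-Aware and Spybot saw nothing. The following parser is an added example for this thread, not ewido's code; it splits the report lines into host file and stream, counts how many payloads were stashed per host, and tallies detection families. The sample lines are copied from the report posted above (constructed subset), and the function names are my own.

```python
"""Parse ewido-style report lines and separate NTFS alternate data streams
(ADS) from ordinary files. Added example; not part of ewido or of the thread.
"""
import re
from collections import Counter

# Constructed sample: a subset of the report lines posted in the thread.
SAMPLE_REPORT = r"""
C:\msvidconf.exe -> TrojanProxy.Fireby.c : Cleaned with backup
C:\WINDOWS\ALCHUNIN.EXE:detzxw -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINDOWS\win.ini:laocos -> Backdoor.Small.dc : Cleaned with backup
C:\WINDOWS\_default.pif:bjqrpk -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:gookz -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINDOWS\_default.pif:llaudt -> Backdoor.Small.dc : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\Documents and Settings\Shyla\Cookies\shyla@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\wm.exe -> Trojan.Crypt.d : Cleaned with backup
"""

# "<path> -> <detection> : <action>"; the path may contain spaces.
LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) : (?P<action>.+)$")
DRIVE_RE = re.compile(r"^([A-Za-z]:)?(.*)$")


def split_stream(path):
    """Split 'C:\\dir\\file.ext:stream' into (host, stream).

    Only a colon *after* the drive colon marks a stream; a path with no
    such colon is an ordinary file and returns (path, None).
    """
    drive, rest = DRIVE_RE.match(path).groups()
    drive = drive or ""
    if ":" in rest:
        host, stream = rest.split(":", 1)
        return drive + host, stream
    return path, None


def parse_report(text):
    """Yield one dict per report line: host, stream, detection, action."""
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host, stream = split_stream(m["path"])
        yield {"host": host, "stream": stream,
               "detection": m["detection"], "action": m["action"]}


def summarize(text):
    """Count ADS vs plain-file hits, payloads per host file, hits per
    detection family (first dotted component) and host file extensions."""
    records = list(parse_report(text))
    ads = [r for r in records if r["stream"] is not None]
    return {
        "ads": len(ads),
        "plain": len(records) - len(ads),
        "per_host": Counter(r["host"] for r in ads),
        "per_family": Counter(r["detection"].split(".")[0] for r in records),
        # Extensions of the files used as ADS hosts: shows the payloads were
        # parked on .ini/.pif/.bmp-type files, not on executables of their own.
        "host_ext": Counter(r["host"].rsplit(".", 1)[-1].lower() for r in ads),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{s['ads']} stream hits, {s['plain']} plain-file hits")
    for host, n in s["per_host"].most_common():
        print(f"  {n} stream(s) on {host}")
    print("families:", dict(s["per_family"]))
```

On a live box the same information comes from Sysinternals `streams.exe` (or `dir /R` on Vista and later); "Cleaned with backup" in this report means the stream was removed and the host file kept, which is the right outcome, since deleting win.ini or _default.pif themselves would break the system rather than the malware.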

  8. #8
    Neal is offline Dedicated Member
    Now that's what I'm talking about. Excellent work; more to do.

    Disable SpywareGuard by right-clicking the icon down by the clock and selecting "exit".
    This program can hinder HJT fixes.


    Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select safe mode and press Enter.


    Scan with HJT again and put a check next to these items, making sure all browser windows are closed, including this one. So print this, or create a new text document on the desktop by right-clicking an open area, selecting New > Text Document, and saving it as whatever you like. Now put a check next to these:

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/...//www.yahoo.com

    F3 - REG:win.ini: load=C:\WINDOWS\System32\vtkkfvrnv\csrss.exe
    F3 - REG:win.ini: run=C:\WINDOWS\System32\vtkkfvrnv\csrss.exe, C:\WINDOWS\inetdata\services.exe

    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - Startup: csrss.lnk = ?


    Make sure nothing is running but HijackThis and click "Fix checked".


    Hunt for and delete these folders, if found:


    C:\WINDOWS\System32\vtkkfvrnv < folder
    C:\Program Files\Ares < folder


    Reboot into normal mode, then try those virus scanners from my previous post. Post the Panda scan log.
    Last edited by Neal; 25-11-2005 at 06:43 PM.

  9. #9
    lurla is offline Valued Member
    OK, I did the HijackThis fix, but it wouldn't let me fix "O4 - Startup: csrss.lnk = ?". It said it was running and I needed to shut it down with Task Manager, but when I tried to shut down csrss.exe, it wouldn't let me because it is a critical system process.

    I am waiting for instructions before going on to the next scans.
    Thanks!

  10. #10
    Neal is offline Dedicated Member
    Just fix the other things and try to do the scans.
