serious malware/virus on my system (RESOLVED)

    #11 walterj (Full Member)

    Re: serious malware/virus on my system.

    Quote Originally Posted by Neal
    Well that turned up some things,


    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


    Also give me a new winpfind log please.
    Hi Neal
    Downloaded VundoFix. Tried to get the scan going in normal mode; no go.
    Went into safe mode (F8). Did run the scan; the scan came back with a "no infection" message.
    At that point I ran HijackThis. After it finished I looked at the posting and realized that my clock was set to 12312000 and the time to 2352.
    Copied both the HijackThis and test log to a different folder, and rebooted. The date that came out was 12312000 and the time 2348. Set the time to 348 AM. Did copy the HijackThis log to take to work, and since I had HijackThis in a different folder at that point, I tried to run it from there; it would not run. The HijackThis screen flashed and Explorer ended each time. Went into Programs and found that all programs are flagged as new installs. Also, every few minutes a message comes up that I am offline and to work offline. Sorry, I missed the end of your message and did not run WinPFind. Will get that done tonight.
    Here is the HijackThis log (date shows as 2000 and time almost midnight):
    Logfile of HijackThis v1.99.1
    Scan saved at 23:40, on 00-12-31
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnet.att.net/ie4/search/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.attwireless.att.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.attwireless.att.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.elderscrolls.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Worldnet Service
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [AVG7_CC] h:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!ewido] "H:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Propel Accelerator] "h:\Program Files\AT&T Worldnet Accelerator\trayctl.exe" /STARTUPLAUNCH
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] h:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [WrCtrl] "h:\Program Files\Kerio\WinRoute Firewall\WrCtrl.exe"
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = H:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = H:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - H:\Program Files\AT&T\WnClient\Programs\AnyWho.exe (file missing)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F34894FD-513A-4F60-A21C-15AF72553396}: NameServer = 204.127.129.3 12.102.244.1
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - h:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - h:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - h:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - h:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Mass Effect(TM) Xbox 360 - Unknown owner - C:\WINDOWS\System32\dllcache\mfxbox.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - h:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - h:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
    O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINDOWS\system\winlogon.exe
    O23 - Service: Kerio WinRoute Firewall (WinRoute) - Kerio Technologies - h:\Program Files\Kerio\WinRoute Firewall\winroute.exe

    thanks Walter
    Last edited by walterj; 27-10-2006 at 02:42 PM. Reason: missed part of posting from Neal


    #12 Neal (Dedicated Member)
    Here is what I need you to do next; there is a Vundo infection!



    Please download VundoFix to your desktop.

    * Double-click VundoFix.exe to run it.
    * Put a check next to "Run VundoFix as a task."
    * You will receive a message saying vundofix will close and re-open in a minute or less. Click "OK".
    * When VundoFix re-opens, click the "Scan for Vundo" button.
    * Once it's done scanning, click the "Remove Vundo" button.
    * If it says "No infected files were found", right-click the blank listbox (white box) in the main VundoFix window.
    * Select "Add More Files?" from the menu that comes up. This will open a new VundoFix window that says "Paste files into the boxes below:"


    * In the top/first field, copy and paste the path to the dll: C:\WINDOWS\system32\jkkli.dll

    * In the next/second field, copy and paste the path to the reversed file: C:\WINDOWS\system32\ilkkj.*



    * Click the "Add Files" button.
    * Click the "Close Window" button.
    * Click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click "YES".
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will shutdown your computer, click "OK".
    * Turn your computer back on.
    * Please post the contents of C:\vundofix.txt and a new HiJackThis log.


    New winpfind log when you get the chance.
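A small triage helper, added here as an example (it is not from the thread, HijackThis or VundoFix): it parses the O23 service lines from walterj's HijackThis log in #11 and flags the patterns a helper would single out (a core Windows binary name such as winlogon.exe running outside system32, and a service started from system32\dllcache), and it derives the reversed-name companion path that Neal's VundoFix step above uses (jkkli.dll to ilkkj.*). The heuristics and the sample lines, built from the posted log, are the editor's constructions.

```python
"""Triage helper for HijackThis O23 (service) lines.

Added example for this thread; it is not part of HijackThis, VundoFix or any
post here. The heuristics are the editor's assumptions, chosen to match what a
helper would flag in walterj's log in #11:
  - a service binary that carries a core Windows name (winlogon.exe, smss.exe,
    ...) but lives outside %WinDir%\\system32;
  - a service binary launched from system32\\dllcache.
It also derives the reversed-name companion path that Neal's VundoFix step
asks for (jkkli.dll -> ilkkj.*).
"""
import re
from typing import Dict, List, Optional, Tuple

# Core Windows binaries that legitimately live only in %WinDir%\system32.
CORE_BINARIES = {"winlogon.exe", "smss.exe", "services.exe", "lsass.exe",
                 "csrss.exe", "svchost.exe"}

# Display name optionally followed by the short service name in parentheses,
# e.g. "Windows NT Logon Application (WINLOGON)".
_DISPLAY_RE = re.compile(r"^(?P<display>.*?)(?: \((?P<short>[^()]+)\))?$")


def parse_o23(line: str) -> Optional[Dict[str, str]]:
    """Parse 'O23 - Service: <display> (<short>) - <owner> - <path>'.

    Returns None for any line that is not an O23 entry. The split is done from
    the left with at most two cuts so a path containing ' - ' survives intact.
    """
    prefix = "O23 - Service: "
    line = line.strip()
    if not line.startswith(prefix):
        return None
    parts = line[len(prefix):].split(" - ", 2)
    if len(parts) != 3:
        return None
    display_part, owner, path = parts
    m = _DISPLAY_RE.match(display_part)
    return {
        "display": m.group("display"),
        "short": m.group("short") or "",
        "owner": owner.strip(),
        "path": path.strip(),
    }


def suspicious_reasons(entry: Dict[str, str]) -> List[str]:
    """Return the reasons (possibly none) an O23 entry deserves a closer look."""
    path = entry["path"].strip('"').lower()
    fname = re.split(r"[\\/]", path)[-1]
    reasons = []
    if fname in CORE_BINARIES and "\\system32\\" not in path:
        # A second winlogon.exe under C:\WINDOWS\system is the pattern in #11.
        reasons.append("core Windows binary name outside system32")
    if "\\dllcache\\" in path:
        # dllcache holds protected-file backups; nothing should start from it.
        reasons.append("service binary launched from dllcache")
    if reasons and entry["owner"] == "Unknown owner":
        reasons.append("no publisher information")
    return reasons


def triage(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Run the O23 heuristics over raw log lines; non-O23 lines are skipped."""
    findings = []
    for line in lines:
        entry = parse_o23(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            findings.append((entry["display"], entry["path"], reasons))
    return findings


def reversed_companion(dll_path: str) -> str:
    """Build the wildcard path of the reversed-name file Vundo drops beside
    its DLL, as in Neal's step: C:\\WINDOWS\\system32\\jkkli.dll -> ...\\ilkkj.*"""
    directory, _, fname = dll_path.rpartition("\\")
    stem = fname.rsplit(".", 1)[0]
    return f"{directory}\\{stem[::-1]}.*"


# Sample lines constructed from the HijackThis log posted in #11.
SAMPLE_LOG = r"""
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - h:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Mass Effect(TM) Xbox 360 - Unknown owner - C:\WINDOWS\System32\dllcache\mfxbox.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINDOWS\system\winlogon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
""".strip().splitlines()

if __name__ == "__main__":
    for display, path, reasons in triage(SAMPLE_LOG):
        print(f"{display}: {path}\n    " + "; ".join(reasons))
    print("Reversed companion:", reversed_companion(r"C:\WINDOWS\system32\jkkli.dll"))
```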

    #13 walterj (Full Member)
    Quote Originally Posted by Neal
    Here is what I need you to do next; there is a Vundo infection!
    Hi Neal
    1. Booted to safe mode. All files are set to show.
    2. Ran VundoFix.
    3. Rebooted to normal. Still no go to any AV sites, and AVG would not run. Rebooted to safe mode.
    4. Ran AVG. One backdoor cleaned.
    5. Ran ewido. One infection.
    6. Went into Explorer and checked for ijk* and jk* in both system32 and on the entire system. None found.
    7. Ran WinPFind, HijackThis and VundoFix.
    8. Did go back to normal. Tried to run AVG and HijackThis, both no good. Tried to go on the web to some sites (BitDefender, Panda, McAfee, Kaspersky, Symantec, ZoneAlarm, AVG and a few more); each time the window would close.
    Here are the logs from VundoFix, WinPFind, ewido and HijackThis.
    What is the next step? Sorry that I am answering on the next day, but access to AV in DAL is blocked (I can get to any other forums on DAL). Did sign on this morning and ran AVG. No infections. Did not have time to run ewido.
    VUNDOFIX

    VundoFix V5.1.7

    Checking Java version...

    Scan started at 12:14:43 AM 10/26/2006

    Listing files found while scanning....

    No infected files were found.


    VundoFix V5.1.7

    Checking Java version...

    Scan started at 21:35:53 06-10-26

    Listing files found while scanning....

    No infected files were found.


    VundoFix V5.1.7

    Checking Java version...

    Scan started at 19:55:27 06-10-27

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    VundoFix V5.1.7

    Checking Java version...

    Scan started at 20:03:51 06-10-27

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    Beginning removal...

    Beginning removal...

    The process smss.exe was successfully stopped

    The process winlogon.exe was successfully stopped

    The process explorer.exe was successfully stopped

    The process iexplore.exe was successfully stopped

    The process rundll32.exe was successfully stopped

    Attempting to delete C:\WINDOWS\system32\jkkli.dll
    C:\WINDOWS\system32\jkkli.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Beginning removal...

    Beginning removal...

    VundoFix V5.1.7

    Checking Java version...

    Scan started at 20:31:40 06-10-27

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    VundoFix V5.1.7

    Checking Java version...

    Scan started at 20:46:34 06-10-27

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    Beginning removal...

    Beginning removal...

    VundoFix V5.1.7

    Checking Java version...

    Scan started at 22:08:57 06-10-27

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    VundoFix V5.1.7

    Checking Java version...

    Scan started at 8:45:54 AM 10/28/2006

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...
    WINPFIND
    WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

    If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

    »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
    Internet Explorer Version: 6.0.2800.1106

    »»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

    Checking %SystemDrive% folder...

    Checking %ProgramFilesDir% folder...

    Checking %WinDir% folder...

    Checking %System% folder...
    PEC2 8/29/2002 5:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
    Umonitor 8/29/2002 5:00:00 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
    winsync 8/29/2002 5:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

    Checking %System%\Drivers folder and sub-folders...
    UPX! 9/28/2006 5:06:52 AM 778656 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    FSG! 9/28/2006 5:06:52 AM 778656 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    PEC2 9/28/2006 5:06:52 AM 778656 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    aspack 9/28/2006 5:06:52 AM 778656 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

    Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


    Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
    10/25/2006 10:57:24 PM RHS 60593 C:\WINDOWS\system\winlogon.exe
    9/28/2006 1148 PM HS 40973 C:\WINDOWS\system32\qommnki.dll
    9/30/2006 12:13:10 PM H 46913 C:\WINDOWS\system32\Wnccdctl.log
    10/30/2006 5:23:20 AM H 1024 C:\WINDOWS\system32\config\software.LOG
    9/16/2006 1:02:58 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
    9/16/2006 1:02:58 AM H 262144 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    9/16/2006 1:02:58 AM H 1024 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
    10/21/2006 4:06:26 AM RHS 95232 C:\WINDOWS\system32\dllcache\mfxbox.exe
    9/16/2006 1:15:22 AM RHS 3934 C:\WINDOWS\system32\drivers\HP_DT170A-ABA A384X_YC_Pavi_QMXK343_E34NAheBLU2_4_IA7N8X-LA_SASUSTeK Computer INC._V1.xx_B3.12_T040831_WXH1_L409_M1024_J80_7AMD_ 8Athlon XP 2800+_92.08_110DE006E_N10DE0066_P_Z11C1044C_K90050 010_A10DE006A_U10DE0067_G10DE0181.MRK
    9/15/2006 10:05:34 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\1ec14b7b-5ce2-413c-bbda-0f0c68fb2d83
    10/27/2006 7:52:08 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\9d659556-d7fa-42b9-8975-502a9efdda2b
    9/16/2006 1:05:56 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\9e9da261-fd8d-4cd5-baa0-e4e1b6d142c1
    9/16/2006 1:05:56 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\bd89f925-c22a-4064-9c95-be5482897b46
    9/16/2006 1:05:56 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\e50a488c-09ab-46c4-bad8-134bdb55cfb9

    Checking for CPL files...
    Microsoft Corporation 8/29/2002 5:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
    Realtek Semiconductor Corp. 6/27/2003 10:40:32 PM 8606208 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
    Microsoft Corporation 8/29/2002 5:00:00 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
    Intel Corporation 4/7/2003 8:14:30 AM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
    Sun Microsystems 2/20/2003 3:42:34 PM 229487 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
    12/10/2005 2:06:00 AM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
    Apple Computer, Inc. 10/3/2003 2:14:30 PM 314880 C:\WINDOWS\SYSTEM32\QuickTime.cpl
    SiSoftware 1/29/2005 5:10:02 PM 53248 C:\WINDOWS\SYSTEM32\SanCpl.cpl
    Softex, Inc 2/21/2003 5:06:04 AM 32768 C:\WINDOWS\SYSTEM32\scurecpl.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
    Intel Corporation 4/7/2003 8:14:30 AM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\igfxcpl.cpl
    Realtek Semiconductor Corp. 6/27/2003 10:40:32 PM 8606208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0010\DriverFiles\ALSNDMGR.CPL
    NVIDIA Corporation 5/3/2003 12:19:00 AM 143360 C:\WINDOWS\SYSTEM32\ReinstallBackups\0012\DriverFiles\nvtuicpl.cpl

    »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

    Checking files in %ALLUSERSPROFILE%\Startup folder...
    9/23/2006 6:19:08 PM 901 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
    10/1/2006 8:31:16 PM 1615 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    8/23/2003 6:53:32 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
    8/23/2003 7:58:42 AM 1879 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    9/30/2006 12:54:08 PM 1595 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    10/15/2006 8:44:22 AM 1769 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk
    8/23/2003 8:25:14 AM 675 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
    9/30/2006 12:54:08 PM 780 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
    9/29/2006 7:34:32 PM 626 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

    Checking files in %ALLUSERSPROFILE%\Application Data folder...
    8/22/2003 11:46:38 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
    8/23/2003 8:02:04 AM 504 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

    Checking files in %USERPROFILE%\Startup folder...
    8/23/2003 6:53:32 AM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini
    8/28/2003 9:19:16 PM 844 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk

    Checking files in %USERPROFILE%\Application Data folder...
    8/22/2003 11:46:38 PM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini

    »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    AT&T CSM7.0 = AT&T CSM7.0
    AT&T CSM8.2 = AT&T CSM8.2

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
    {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = h:\Program Files\Grisoft\AVG Free\avgse.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
    {8934FCEF-F5B8-468f-951F-78A921CD3920} = h:\Program Files\ewido anti-spyware 4.0\context.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\OPShellE
    {CCFE56EE-C7DE-44EE-A160-4553A5A912C9} = C:\Program Files\Softex\OmniPass\opshelle.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = c:\Program Files\Norton AntiVirus\NavShExt.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
    {E0D79304-84BE-11CE-9641-444553540000} = H:\PROGRA~1\WINZIP\WZSHLSTB.DLL
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
    {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = h:\Program Files\Grisoft\AVG Free\avgse.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = c:\Program Files\Norton AntiVirus\NavShExt.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
    {E0D79304-84BE-11CE-9641-444553540000} = H:\PROGRA~1\WINZIP\WZSHLSTB.DLL

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
    {8934FCEF-F5B8-468f-951F-78A921CD3920} = h:\Program Files\ewido anti-spyware 4.0\context.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\OPShellE
    {CCFE56EE-C7DE-44EE-A160-4553A5A912C9} = C:\Program Files\Softex\OmniPass\opshelle.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
    {E0D79304-84BE-11CE-9641-444553540000} = H:\PROGRA~1\WINZIP\WZSHLSTB.DLL

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
    = H:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    Adobe PDF Reader Link Helper = H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0F660F64-F4C9-477F-8529-44181B717472}
    CSMHelperObj Class = H:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1D6A3F68-7D29-4A19-B5F9-095D232C46CD}
    = C:\WINDOWS\System32\jkkli.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}
    = C:\Program Files\Microsoft Money\System\mnyside.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
    = H:\PROGRA~1\SPYBOT~1\SDHelper.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{656EC4B7-072B-4698-B504-2A414C1F0037}
    IE_PopupBlocker Class = h:\Program Files\AT&T Worldnet Accelerator\prpl_IePopupBlocker.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68676EFE-9B30-4EBD-B842-7ED9B3460C53}
    = C:\WINDOWS\System32\qommnki.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
    CNavExtBho Class = c:\Program Files\Norton AntiVirus\NavShExt.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
    =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\System32\shdocvw.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{8F4902B6-6C04-4ade-8052-AA58578A21BD}
    hp view = C:\WINDOWS\System32\Shdocvw.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
    {8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
    = :
    {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = HP View : c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : c:\Program Files\Norton AntiVirus\NavShExt.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{0264505A-6793-44E0-AC75-9DCE3B13185C}
    ButtonText = AnyWho : H:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
    MenuText = Uninstall BitDefender Online Scanner v8 :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
    ButtonText = MoneySide :

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
    Media Band = %SystemRoot%\System32\browseui.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
    Explorer Band = %SystemRoot%\System32\shdocvw.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : c:\Program Files\Norton AntiVirus\NavShExt.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    hpsysdrv c:\windows\system\hpsysdrv.exe
    HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
    CamMonitor c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    HP Software Update "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    HPHUPD05 c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    HPHmon05 C:\WINDOWS\System32\hphmon05.exe
    StorageGuard "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    Recguard C:\WINDOWS\SMINST\RECGUARD.EXE
    AVG7_CC h:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    Adobe Photo Downloader "H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    Propel Accelerator "h:\Program Files\AT&T Worldnet Accelerator\trayctl.exe" /STARTUPLAUNCH
    KBD C:\HP\KBD\KBD.EXE
    PS2 C:\WINDOWS\system32\ps2.exe
    NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    nwiz nwiz.exe /install
    NvMediaCenter RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL Installed = 1
    MAPI Installed = 1
    MSFS Installed = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    SpybotSD TeaTimer h:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    WrCtrl "h:\Program Files\Kerio\WinRoute Firewall\WrCtrl.exe"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
    navapsvc 2


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk
    path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
    location Common Startup
    command C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE -h
    item Kodak EasyShare software
    path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
    location Common Startup
    command C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE -h
    item Kodak EasyShare software

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk
    path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
    backup C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup
    location Common Startup
    command C:\PROGRA~1\Kodak\KODAKS~1\7288971\Program\KODAKS~1.EXE
    item Kodak software updater
    path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
    backup C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup
    location Common Startup
    command C:\PROGRA~1\Kodak\KODAKS~1\7288971\Program\KODAKS~1.EXE
    item Kodak software updater

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus Organizer EasyClip.lnk
    path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus Organizer EasyClip.lnk
    backup C:\WINDOWS\pss\Lotus Organizer EasyClip.lnkCommon Startup
    location Common Startup
    command H:\Lotus\organize\easyclip.exe
    item Lotus Organizer EasyClip
    path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus Organizer EasyClip.lnk
    backup C:\WINDOWS\pss\Lotus Organizer EasyClip.lnkCommon Startup
    location Common Startup
    command H:\Lotus\organize\easyclip.exe
    item Lotus Organizer EasyClip

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus QuickStart.lnk
    path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus QuickStart.lnk
    backup C:\WINDOWS\pss\Lotus QuickStart.lnkCommon Startup
    location Common Startup
    command H:\Lotus\wordpro\ltsstart.exe
    item Lotus QuickStart
    path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus QuickStart.lnk
    backup C:\WINDOWS\pss\Lotus QuickStart.lnkCommon Startup
    location Common Startup
    command H:\Lotus\wordpro\ltsstart.exe
    item Lotus QuickStart

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus SmartCenter.lnk
    path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus SmartCenter.lnk
    backup C:\WINDOWS\pss\Lotus SmartCenter.lnkCommon Startup
    location Common Startup
    command H:\Lotus\smartctr\SMARTCTR.EXE
    item Lotus SmartCenter
    path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus SmartCenter.lnk
    backup C:\WINDOWS\pss\Lotus SmartCenter.lnkCommon Startup
    location Common Startup
    command H:\Lotus\smartctr\SMARTCTR.EXE
    item Lotus SmartCenter

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus SuiteStart.lnk
    path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus SuiteStart.lnk
    backup C:\WINDOWS\pss\Lotus SuiteStart.lnkCommon Startup
    location Common Startup
    command H:\Lotus\smartctr\SUITEST.EXE
    item Lotus SuiteStart
    path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus SuiteStart.lnk
    backup C:\WINDOWS\pss\Lotus SuiteStart.lnkCommon Startup
    location Common Startup
    command H:\Lotus\smartctr\SUITEST.EXE
    item Lotus SuiteStart

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk
    path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
    backup C:\WINDOWS\pss\Symantec Fax Starter Edition Port.lnkCommon Startup
    location Common Startup
    command H:\PROGRA~1\MICROS~1\Office\1033\OLFSNT40.EXE
    item Symantec Fax Starter Edition Port
    path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
    backup C:\WINDOWS\pss\Symantec Fax Starter Edition Port.lnkCommon Startup
    location Common Startup
    command H:\PROGRA~1\MICROS~1\Office\1033\OLFSNT40.EXE
    item Symantec Fax Starter Edition Port

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk
    path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
    backup C:\WINDOWS\pss\Updates from HP.lnkCommon Startup
    location Common Startup
    command C:\PROGRA~1\UPDATE~1\137903\Program\BACKWE~1.EXE -startup
    item Updates from HP
    path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
    backup C:\WINDOWS\pss\Updates from HP.lnkCommon Startup
    location Common Startup
    command C:\PROGRA~1\UPDATE~1\137903\Program\BACKWE~1.EXE -startup
    item Updates from HP

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HP Organize.lnk
    path C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HP Organize.lnk
    backup C:\WINDOWS\pss\HP Organize.lnkStartup
    location Startup
    command C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\DISPLA~1.EXE "-application" "core.hp.main/application.xml" "-appname" "eLife"
    item HP Organize
    path C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HP Organize.lnk
    backup C:\WINDOWS\pss\HP Organize.lnkStartup
    location Startup
    command C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\DISPLA~1.EXE "-application" "core.hp.main/application.xml" "-appname" "eLife"
    item HP Organize

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Lotus SmartSuite 9.6 - English Registration.lnk
    path C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Lotus SmartSuite 9.6 - English Registration.lnk
    backup C:\WINDOWS\pss\Lotus SmartSuite 9.6 - English Registration.lnkStartup
    location Startup
    command H:\LOTUS\REGISTER\remind32.exe
    item Lotus SmartSuite 9.6 - English Registration
    path C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Lotus SmartSuite 9.6 - English Registration.lnk
    backup C:\WINDOWS\pss\Lotus SmartSuite 9.6 - English Registration.lnkStartup
    location Startup
    command H:\LOTUS\REGISTER\remind32.exe
    item Lotus SmartSuite 9.6 - English Registration

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
    system.ini 0
    win.ini 0
    bootini 0
    services 0
    startup 2


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption
    legalnoticetext
    shutdownwithoutlogon 1
    undockwithoutlogon 1


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun 145

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
    DisableRegistryTools 0


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
    SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\System32\Userinit.exe,
    Shell = explorer.exe
    System =

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
    = igfxsrvc.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OPXPGina
    = C:\Program Files\Softex\OmniPass\opxpgina.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qommnki
    = qommnki.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs


    »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
    Scan completed on 10/30/2006 5:26:58 AM
    EWIDO

    C:\WINDOWS\system32\x.exe -> Backdoor.VanBot.w : Cleaned with backup (quarantined).
    C:\WINDOWS\system\winlogon.exe -> Backdoor.VanBot.w : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Cookies\owner@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Cookies\owner@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Cookies\owner@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).


    ::Report end


    HIJACK
    Logfile of HijackThis v1.99.1
    Scan saved at 5:39:23 AM, on 10/30/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.elderscrolls.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Worldnet Service
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - H:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll (file missing)
    O2 - BHO: (no name) - {1D6A3F68-7D29-4A19-B5F9-095D232C46CD} - C:\WINDOWS\System32\jkkli.dll (file missing)
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - h:\Program Files\AT&T Worldnet Accelerator\prpl_IePopupBlocker.dll
    O2 - BHO: (no name) - {68676EFE-9B30-4EBD-B842-7ED9B3460C53} - C:\WINDOWS\System32\qommnki.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [AVG7_CC] h:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Propel Accelerator] "h:\Program Files\AT&T Worldnet Accelerator\trayctl.exe" /STARTUPLAUNCH
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] h:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [WrCtrl] "h:\Program Files\Kerio\WinRoute Firewall\WrCtrl.exe"
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = H:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = H:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - H:\Program Files\AT&T\WnClient\Programs\AnyWho.exe (file missing)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
    O20 - Winlogon Notify: qommnki - C:\WINDOWS\SYSTEM32\qommnki.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - h:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - h:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - h:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - h:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Mass Effect(TM) Xbox 360 - Unknown owner - C:\WINDOWS\System32\dllcache\mfxbox.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - h:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - h:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
    O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINDOWS\system\winlogon.exe
    O23 - Service: Kerio WinRoute Firewall (WinRoute) - Kerio Technologies - h:\Program Files\Kerio\WinRoute Firewall\winroute.exe

    Thanks Walter

  4. #14
    Neal is offline Dedicated Member
    We need to do VundoFix again, it looks like for a different file now:


    * Double-click VundoFix.exe to run it.
    * Put a check next to "Run VundoFix as a task."
    * You will receive a message saying vundofix will close and re-open in a minute or less. Click "OK".
    * When VundoFix re-opens, click the "Scan for Vundo" button.
    * Once it's done scanning, click the "Remove Vundo" button.
    * If it says "No infected files were found", right-click the blank listbox (white box) in the main VundoFix window.
    * Select "Add More Files?" from the menu that comes up. This will open a new VundoFix window that says "Paste files into the boxes below:"
    * In the top/first field, copy and paste the path to the dll: C:\WINDOWS\system32\qommnki.dll
    * In the next/second field, copy and paste the path to the reversed file: C:\WINDOWS\system32\iknmmoq.*
    * Click the "Add Files" button.
    * Click the "Close Window" button.
    * Click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click "YES".
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will shutdown your computer, click "OK".
    * Turn your computer back on.
    * Please post the contents of C:\vundofix.txt and a new HiJackThis log.
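    The two checks that drive this exchange can be scripted rather than eyeballed: the ewido hit on C:\WINDOWS\system\winlogon.exe in the log above (a core Windows binary living outside System32), and the Vundo pattern Neal is now acting on, where one DLL is registered both as a nameless O2 BHO and as an O20 Winlogon Notify handler and a reversed-name companion file (qommnki.dll, iknmmoq.*) has to be fed to VundoFix. The script below is an added example for this thread, not a tool from the thread or from the HijackThis or VundoFix authors. The sample log is constructed from the lines posted above, and the function names and the two heuristics are my own assumptions.

```python
r"""Triage helper for HijackThis-style logs (added example, not a thread tool).

Two checks the thread does by hand:
  1. core Windows binaries (winlogon.exe, smss.exe, ...) appearing anywhere
     other than a System32 directory, e.g. C:\WINDOWS\system\winlogon.exe;
  2. the Vundo pattern of one DLL registered both as a nameless BHO (O2 line)
     and as a Winlogon Notify handler (O20 line), for which the reversed-stem
     companion path VundoFix asks for is derived (qommnki.dll -> iknmmoq.*).
"""
import re
from pathlib import PureWindowsPath

# Core OS binaries whose only legitimate home on Windows XP is %SystemRoot%\System32.
CORE_SYSTEM32_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
}

# Constructed sample, modelled on the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe

O2 - BHO: (no name) - {1D6A3F68-7D29-4A19-B5F9-095D232C46CD} - C:\WINDOWS\System32\jkkli.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {68676EFE-9B30-4EBD-B842-7ED9B3460C53} - C:\WINDOWS\System32\qommnki.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: qommnki - C:\WINDOWS\SYSTEM32\qommnki.dll
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINDOWS\system\winlogon.exe
"""

# A Windows path (drive letter onwards) that ends in one of the core binary names.
_CORE_RE = re.compile(
    r"[A-Za-z]:\\[^\r\n]*?\\(?:"
    + "|".join(re.escape(n) for n in sorted(CORE_SYSTEM32_BINARIES))
    + r")(?=\s|$)",
    re.IGNORECASE | re.MULTILINE,
)
_O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
_O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")


def misplaced_core_binaries(log_text):
    """Return every core-binary path in the log whose directory is not System32."""
    flagged = []
    for m in _CORE_RE.finditer(log_text):
        path = m.group(0)
        if PureWindowsPath(path).parent.name.lower() != "system32":
            flagged.append(path)
    return flagged


def reversed_companion(dll_path):
    r"""Derive the reversed-stem companion path that VundoFix asks for,
    e.g. C:\WINDOWS\system32\qommnki.dll -> C:\WINDOWS\system32\iknmmoq.*"""
    p = PureWindowsPath(dll_path)
    return str(p.parent / (p.stem[::-1] + ".*"))


def vundo_candidates(log_text):
    """Map each DLL that is both a nameless O2 BHO and an O20 Winlogon Notify
    handler to its reversed-name companion path. Legitimate nameless BHOs
    (Spybot's SDHelper.dll) and legitimate notify DLLs (igfxsrvc.dll) appear
    in only one of the two lists and so are not reported."""
    bho, notify = {}, {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _O2_RE.match(line)
        if m and m.group("name") == "(no name)" and m.group("path") != "(no file)":
            path = m.group("path").replace(" (file missing)", "")
            bho[path.lower()] = path  # key case-insensitively, keep original spelling
            continue
        m = _O20_RE.match(line)
        if m:
            notify[m.group("path").lower()] = m.group("path")
    return {bho[k]: reversed_companion(bho[k]) for k in sorted(bho.keys() & notify.keys())}


if __name__ == "__main__":
    for path in misplaced_core_binaries(SAMPLE_LOG):
        print("core binary outside System32:", path)
    for dll, companion in vundo_candidates(SAMPLE_LOG).items():
        print("nameless BHO also hooked into Winlogon Notify:", dll, "-> also look for", companion)
```

    On the sample this reports C:\WINDOWS\system\winlogon.exe (the service ewido later identified as Backdoor.VanBot.w) and C:\WINDOWS\System32\qommnki.dll with its companion C:\WINDOWS\System32\iknmmoq.*, which are exactly the two paths Neal pastes into VundoFix. The cross-reference between O2 and O20 is deliberately conservative: a DLL in only one list gets no verdict from this script and still needs a human look.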

  5. #15
    walterj is offline Full Member
    Quote Originally Posted by Neal
    We need to do VundoFix again, it looks like for a different file now:


    * Double-click VundoFix.exe to run it.
    * Put a check next to "Run VundoFix as a task."
    * You will receive a message saying vundofix will close and re-open in a minute or less. Click "OK".
    * When VundoFix re-opens, click the "Scan for Vundo" button.
    * Once it's done scanning, click the "Remove Vundo" button.
    * If it says "No infected files were found", right-click the blank listbox (white box) in the main VundoFix window.
    * Select "Add More Files?" from the menu that comes up. This will open a new VundoFix window that says "Paste files into the boxes below:"
    * In the top/first field, copy and paste the path to the dll: C:\WINDOWS\system32\qommnki.dll
    * In the next/second field, copy and paste the path to the reversed file: C:\WINDOWS\system32\iknmmoq.*
    * Click the "Add Files" button.
    * Click the "Close Window" button.
    * Click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click "YES".
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will shutdown your computer, click "OK".
    * Turn your computer back on.
    * Please post the contents of C:\vundofix.txt and a new HiJackThis log.
    Hi Neal
    Last night did search to find if I have any variant gomm*. Did 2 searches, one for gomm* and other for reverse iknmm*. Search did not find them on any of 3 drives. Also manually checked in system32. (All files are enabled.) At that point did run Vundo. Did paste both paths but nothing hit. Did run AV and ewido in safe mode. Few days ago did play with AVG. Set scheduler to run at 4:00 am. Still can not go into AVG in normal mode. But scheduler did start AVG. Did run in normal mode for over a hour and found about 20 infections. Last night and today at this point system started to be verrrry slowwwww. Click on anything and responds 5 seconds later. Today did go into task manager, it is going at 100% with only AV scan and task mgr as only jobs. Did go into a running process and there is showing opxpapp.exe running and using 3.5m and numbers changing constantly.
    This morning using explorer in C:\programs found folder called backweb. Do not recall loading anything like this. It is not showing in programs. Going to control panel it is not listed in add/delete. Forgot to take flash pen to work so do not have any logs.
    Thanks for your patience, Walter
    Last edited by walterj; 01-11-2006 at 03:51 PM.

  6. #16
    Neal is offline Dedicated Member
    Do me a favor please.


    Right click hijackthis.exe, select rename, rename it to bunny.exe and post a log from the newly named hijackthis.exe. Sometimes malware will hide, and renaming hijackthis.exe will show some infections not showing.


    Go here to learn how to show hidden files/folders:

    http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5

    Re-hide after we are done


    As far as that file you searched for I believe that letter is a q instead of a g. Hunt for that and delete from safe mode if needed.


    opxpapp.exe has to do with OmniPass a legit program.



    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

  7. #17
    walterj is offline Full Member
    Quote Originally Posted by Neal
    Do me a favor please.


    Right click hijackthis.exe, select rename, rename it to bunny.exe and post a log from the newly named hijackthis.exe. Sometimes malware will hide, and renaming hijackthis.exe will show some infections not showing.


    Go here to learn how to show hidden files/folders:

    http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5

    Re-hide after we are done


    As far as that file you searched for I believe that letter is a q instead of a g. Hunt for that and delete from safe mode if needed.


    opxpapp.exe has to do with OmniPass a legit program.



    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    Hi Neal
    Sorry about Vundo. Did rerun using Q not G and did get hit on qomm*. It is gone now. Still can not get into any AV folders or sites.
    Downloaded ComboFix. Will run it tonight and post tomorrow,
    since I can not get into dal av forum also (can get to any other). All postings are done at work and then any changes same day or next.
    Here are Vundo and hijack logs.

    Vundo log

    VundoFix V5.1.7

    Checking Java version...

    Scan started at 12:14:43 AM 10/26/2006

    Listing files found while scanning....

    No infected files were found.


    VundoFix V5.1.7

    Checking Java version...

    Scan started at 21:35:53 06-10-26

    Listing files found while scanning....

    No infected files were found.


    VundoFix V5.1.7

    Checking Java version...

    Scan started at 19:55:27 06-10-27

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    VundoFix V5.1.7

    Checking Java version...

    Scan started at 20:03:51 06-10-27

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    Beginning removal...

    Beginning removal...

    The process smss.exe was successfully stopped

    The process winlogon.exe was successfully stopped

    The process explorer.exe was successfully stopped

    The process iexplore.exe was successfully stopped

    The process rundll32.exe was successfully stopped

    Attempting to delete C:\WINDOWS\system32\jkkli.dll
    C:\WINDOWS\system32\jkkli.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Beginning removal...

    Beginning removal...

    VundoFix V5.1.7

    Checking Java version...

    Scan started at 20:31:40 06-10-27

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    VundoFix V5.1.7

    Checking Java version...

    Scan started at 20:46:34 06-10-27

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    Beginning removal...

    Beginning removal...

    VundoFix V5.1.7

    Checking Java version...

    Scan started at 22:08:57 06-10-27

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    VundoFix V5.1.7

    Checking Java version...

    Scan started at 8:45:54 AM 10/28/2006

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    VundoFix V5.1.7

    Checking Java version...

    Scan started at 6:05:31 AM 11/11/2006

    Listing files found while scanning....


    VundoFix V5.1.7

    Checking Java version...

    Scan started at 3:58:03 AM 11/2/2006

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    Beginning removal...

    Beginning removal...

    The process smss.exe was successfully stopped

    The process winlogon.exe was successfully stopped

    The process explorer.exe was successfully stopped

    The process iexplore.exe was successfully stopped

    The process rundll32.exe was successfully stopped

    Attempting to delete C:\WINDOWS\System32\qommnki.dll
    C:\WINDOWS\System32\qommnki.dll Has been deleted!

    Performing Repairs to the registry.
    Done!
    HijackThis log:
    Logfile of HijackThis v1.99.1
    Scan saved at 5:37:09 AM, on 11/2/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.elderscrolls.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Worldnet Service
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - H:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll (file missing)
    O2 - BHO: (no name) - {1D6A3F68-7D29-4A19-B5F9-095D232C46CD} - C:\WINDOWS\System32\jkkli.dll (file missing)
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - h:\Program Files\AT&T Worldnet Accelerator\prpl_IePopupBlocker.dll
    O2 - BHO: (no name) - {68676EFE-9B30-4EBD-B842-7ED9B3460C53} - C:\WINDOWS\System32\qommnki.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [AVG7_CC] h:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Propel Accelerator] "h:\Program Files\AT&T Worldnet Accelerator\trayctl.exe" /STARTUPLAUNCH
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] h:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [WrCtrl] "h:\Program Files\Kerio\WinRoute Firewall\WrCtrl.exe"
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = H:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = H:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - H:\Program Files\AT&T\WnClient\Programs\AnyWho.exe (file missing)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - h:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - h:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - h:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - h:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Mass Effect(TM) Xbox 360 - Unknown owner - C:\WINDOWS\System32\dllcache\mfxbox.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - h:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - h:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
    O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINDOWS\system\winlogon.exe
    O23 - Service: Kerio WinRoute Firewall (WinRoute) - Kerio Technologies - h:\Program Files\Kerio\WinRoute Firewall\winroute.exe

    Thanks Walter
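An added example, not part of this thread or of HijackThis, ComboFix or VundoFix: a small Python triage script that applies the checks a responder makes by eye when reading logs like the ones posted above. It runs over a constructed subset of the HijackThis O2/O23 lines in this post and of the Run values from the ComboFix "Reg Loading Points" section later in the thread, and flags nameless BHOs whose DLL is gone (the CLSIDs left behind after VundoFix deleted jkkli.dll and qommnki.dll), services whose binary carries a core system binary name outside System32 or sits in the dllcache folder, and Run values that are bare filenames or near-misses of svchost.exe. The system-binary list, the C:\WINDOWS path, the cutoff and the severity labels are the example's own assumptions; its output is a list of candidates for manual review, not a verdict.

```python
"""Triage heuristics for HijackThis O2/O23 lines and ComboFix Run values.
Added example for this thread; not part of HijackThis, ComboFix or VundoFix.
"""
import difflib
import re

# Core XP binaries that belong only in %SystemRoot%\System32. A file with one of
# these names elsewhere, or a near-miss of one, is a classic masquerade.
# This list is the example's own assumption, not something the logs state.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "explorer.exe", "userinit.exe"}
SYSTEM32 = r"c:\windows\system32"   # assumes the C:\WINDOWS install seen in the logs

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
RUN_RE = re.compile(r'^"(?P<value>.+?)"="(?P<data>.*)"$')

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D6A3F68-7D29-4A19-B5F9-095D232C46CD} - C:\WINDOWS\System32\jkkli.dll (file missing)
O2 - BHO: (no name) - {68676EFE-9B30-4EBD-B842-7ED9B3460C53} - C:\WINDOWS\System32\qommnki.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Mass Effect(TM) Xbox 360 - Unknown owner - C:\WINDOWS\System32\dllcache\mfxbox.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINDOWS\system\winlogon.exe
""".strip().splitlines()

# Constructed sample: Run values in the .reg-style form ComboFix prints
# (backslashes and quotes escaped), taken from the ComboFix log in this thread.
SAMPLE_COMBOFIX_RUN = r"""
"AVG7_Run"="h:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"SVC Hosts"="svchosts.exe"
"nwiz"="nwiz.exe /install"
"WrCtrl"="\"h:\\Program Files\\Kerio\\WinRoute Firewall\\WrCtrl.exe\""
""".strip().splitlines()


def exe_from_command(cmd):
    """Executable path of a command line: the quoted part, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def lookalike(filename):
    """Known system binary that `filename` closely resembles but is not."""
    fn = filename.lower()
    if fn in SYSTEM_BINARIES:
        return None
    hits = difflib.get_close_matches(fn, sorted(SYSTEM_BINARIES), n=1, cutoff=0.85)
    return hits[0] if hits else None


def triage_hjt(lines):
    """(severity, identifier, reason) triples for suspicious O2/O23 lines."""
    findings = []
    for line in lines:
        m = O2_RE.match(line)
        if m:
            gone = "(file missing)" in m["target"] or "(no file)" in m["target"]
            if m["name"] == "(no name)" and gone:
                findings.append(("HIGH", m["clsid"],
                                 "nameless BHO whose DLL is gone: dangling CLSID, fix with HijackThis"))
            continue
        m = O23_RE.match(line)
        if not m:
            continue
        path = m["path"].strip()
        folder, _, exe = path.rpartition("\\")
        folder, exe = folder.lower(), exe.lower()
        if exe in SYSTEM_BINARIES and folder != SYSTEM32:
            findings.append(("HIGH", m["svc"],
                             f"{exe} running as a service from {folder} instead of System32"))
        elif "\\dllcache\\" in path.lower():
            findings.append(("HIGH", m["svc"], "service binary lives in the WFP dllcache folder"))
        elif m["owner"] == "Unknown owner":
            findings.append(("MEDIUM", m["svc"], "service has no vendor string; verify by hand"))
    return findings


def triage_run(lines):
    """(severity, value name, reason) triples for suspicious Run values."""
    findings = []
    for line in lines:
        m = RUN_RE.match(line)
        if not m:
            continue
        data = m["data"].replace('\\"', '"').replace("\\\\", "\\")   # undo .reg escaping
        exe_path = exe_from_command(data)
        if "\\" in exe_path:
            continue                      # full path given; not covered by this heuristic
        exe = exe_path.lower()
        if exe in SYSTEM_BINARIES:
            findings.append(("HIGH", m["value"], f"bare {exe}: core binary name used as an autorun"))
        elif lookalike(exe):
            findings.append(("HIGH", m["value"],
                             f"bare {exe}: near-miss of {lookalike(exe)}, resolved by PATH search"))
        else:
            findings.append(("MEDIUM", m["value"],
                             f"bare {exe}: resolved by PATH search, confirm its on-disk location"))
    return findings


if __name__ == "__main__":
    for sev, ident, why in triage_hjt(SAMPLE_HJT) + triage_run(SAMPLE_COMBOFIX_RUN):
        print(f"{sev:6} {ident:45} {why}")
```

The MEDIUM hits are deliberately noisy: nwiz.exe is NVIDIA's and OmniPass is the legitimate Softex program, as Neal notes later, but both fail a check that a responder has to clear by looking at the file on disk. The two HIGH service hits are the ones worth a second look in the log above: a service named after winlogon.exe but loaded from C:\WINDOWS\system rather than System32, and a service binary in the dllcache folder, which is the Windows File Protection cache and not a place services normally run from.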

  8. #18
    walterj is offline Full Member
    Quote Originally Posted by Neal
    Do me a favor please.


    Right-click hijackthis.exe, select Rename, rename it to bunny.exe and post a log from the newly named hijackthis.exe. Sometimes malware will hide, and renaming hijackthis.exe will show some infections that are not showing.


    Go here to learn how to show hidden files/folders:

    http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5

    Re-hide after we are done


    As far as that file you searched for, I believe that letter is a q instead of a g. Hunt for that and delete from safe mode if needed.


    opxpapp.exe has to do with OmniPass a legit program.



    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
    Hi Neal,
    Reran VundoFix and the log is in the other post.
    ComboFix log:
    Owner - 06-11-03 5:14:23.00 Service Pack 1
    ComboFix 06.10.19 - Running from: "H:\TEMP"

    ((((((((((((((((((((((((((((((( Files Created from 2006-10-03 to 2006-11-03 ))))))))))))))))))))))))))))))))))


    2006-10-30 05:59 688,180 --a------ C:\WINDOWS\system32\ssqrp.dll
    2006-10-26 04:32 2,944 --a------ C:\WINDOWS\system32\mbmiodrvr.sys
    2006-10-25 23:33 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
    2006-10-25 23:33 7,483 --a------ C:\clean.bat
    2006-10-25 23:33 4,096 --a------ C:\WINDOWS\system32\reboot.exe
    2006-10-25 23:33 38,400 --a------ C:\WINDOWS\system32\moveex.exe
    2006-10-15 08:44 98,304 --a------ C:\WINDOWS\system32\MSMD8w.dll
    2006-10-15 08:44 73,601 --a------ C:\WINDOWS\system32\MSMD4W.dll
    2006-10-15 08:44 72,584 --a------ C:\WINDOWS\system32\MSMCFw.dll
    2006-10-15 08:44 67,522 --a------ C:\WINDOWS\system32\MSMD9W.dll
    2006-10-15 08:44 62,947 --a------ C:\WINDOWS\system32\MSMC1W.dll
    2006-10-15 08:44 62,462 --a------ C:\WINDOWS\system32\MSMCEw.dll
    2006-10-15 08:44 41,733 --a------ C:\WINDOWS\system32\MSMB1W.dll
    2006-10-15 08:44 38,215 --a------ C:\WINDOWS\system32\MSM8BW.dll
    2006-10-15 08:44 35,906 --a------ C:\WINDOWS\system32\MSMC9W.dll
    2006-10-15 08:44 35,906 --a------ C:\WINDOWS\system32\MSMA7W.dll
    2006-10-15 08:44 35,589 --a------ C:\WINDOWS\system32\MSMWUD12.dll
    2006-10-15 08:44 35,589 --a------ C:\WINDOWS\system32\MSMWUD10.dll
    2006-10-15 08:44 35,563 --a------ C:\WINDOWS\system32\MSMWUD.dll
    2006-10-15 08:44 35,246 --a------ C:\WINDOWS\system32\MSMBDW.dll
    2006-10-15 08:44 34,720 --a------ C:\WINDOWS\system32\MSMB0W.dll
    2006-10-15 08:44 30,565 --a------ C:\WINDOWS\system32\MSMWUD15.dll
    2006-10-15 08:44 30,565 --a------ C:\WINDOWS\system32\MSMWUD13.dll
    2006-10-15 08:44 30,053 --a------ C:\WINDOWS\system32\MSMWUD11.dll
    2006-10-15 08:44 30,030 --a------ C:\WINDOWS\system32\MSMWUD7.dll
    2006-10-15 08:44 30,013 --a------ C:\WINDOWS\system32\MSMWUD9.dll
    2006-10-15 08:44 208,896 --a------ C:\WINDOWS\system32\MSME5w.dll
    2006-10-15 08:44 208,896 --a------ C:\WINDOWS\system32\MSM08w.dll
    2006-10-15 08:44 204,800 --a------ C:\WINDOWS\system32\MSME6w.dll
    2006-10-15 08:44 192,512 --a------ C:\WINDOWS\system32\MSME4W.dll
    2006-10-15 08:44 184,320 --a------ C:\WINDOWS\system32\MSM0CW.dll
    2006-10-15 08:44 176,128 --a------ C:\WINDOWS\system32\MSM0Bw.dll
    2006-10-15 08:44 176,128 --a------ C:\WINDOWS\system32\MSM0Aw.dll
    2006-10-15 08:44 126,976 --a------ C:\WINDOWS\system32\MSM13w.dll
    2006-10-15 08:44 118,784 --a------ C:\WINDOWS\system32\MiiRTS8822.dll
    2006-10-15 08:44 114,688 --a------ C:\WINDOWS\system32\MSM17W.dll
    2006-10-15 08:44 106,496 --a------ C:\WINDOWS\system32\MSM1CW.dll
    2006-10-15 08:43 7,680 --a------ C:\WINDOWS\system32\drivers\Onsreged.sys
    2006-10-15 08:43 60,928 --a------ C:\WINDOWS\system32\drivers\Smplscsi.sys
    2006-10-15 08:43 285,216 --a------ C:\WINDOWS\system32\drivers\Onsio.sys
    2006-10-15 08:43 15,396 --a------ C:\WINDOWS\system32\Msmusd5.dll
    2006-10-15 08:43 13,962 --a------ C:\WINDOWS\system32\Msmusd6.dll
    2006-10-15 08:41 14,208 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
    2006-10-15 08:37 344,064 --a------ C:\WINDOWS\system32\mpg_hvd.dll
    2006-10-15 08:37 24,576 C:\WINDOWS\system32Ulead Photo Explorer.scr
    2006-10-15 08:35 22,528 --a------ C:\WINDOWS\system32\WNASPI32.DLL
    2006-10-15 08:35 12,499 --a------ C:\WINDOWS\system32\Msmusd7.dll
    2006-10-08 04:51 967 --a------ C:\WINDOWS\ScUnin.pif
    2006-10-08 04:51 94,208 --a------ C:\WINDOWS\ScUnin.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-11-11 06:08 -------- d-------- C:\Program Files\a-squared Free
    2006-11-02 05:36 -------- d-------- C:\Program Files\Hijackthis
    2006-10-31 22:24 -------- d-------- C:\Program Files\ESET
    2006-10-31 22:11 -------- d-------- C:\Program Files\Belarc
    2006-10-26 20:39 -------- d-------- C:\Program Files\Motherboard Monitor 5
    2006-10-25 23:35 -------- d-------- C:\Program Files\HaxFix
    2006-10-21 19:20 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
    2006-10-16 19:15 -------- d-------- C:\Documents and Settings\Owner\Application Data\AVG7
    2006-10-16 02:46 -------- d-------- C:\Program Files\Easy Internet signup
    2006-10-15 08:43 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-10-15 08:43 -------- d-------- C:\Program Files\Microtek
    2006-10-15 08:40 -------- d--h----- C:\Program Files\WindowsUpdate
    2006-10-14 23:44 -------- d-------- C:\Documents and Settings\Owner\Application Data\Help
    2006-10-08 04:42 -------- d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
    2006-10-02 04:34 -------- d-------- C:\Program Files\Google
    2006-10-02 04:34 -------- d-------- C:\Documents and Settings\Owner\Application Data\Google
    2006-09-30 20:51 325632 --a------ C:\WINDOWS\system32\EAREMOVE.EXE
    2006-09-30 20:51 132608 --a------ C:\WINDOWS\system32\EAEXEC.EXE
    2006-09-30 20:49 -------- d--h----- C:\Program Files\Uninstall Information
    2006-09-30 16:32 -------- d-------- C:\Program Files\Common Files\InstallShield
    2006-09-30 16:04 12800 --a------ C:\WINDOWS\system32\wing32.dll
    2006-09-30 14:01 -------- d-------- C:\Documents and Settings\Owner\Application Data\Real
    2006-09-30 14:00 -------- d-------- C:\Program Files\Media Player Classic
    2006-09-30 13:58 -------- d-------- C:\Program Files\Common Files\Real
    2006-09-30 13:58 -------- d-------- C:\Program Files\Common Files
    2006-09-30 13:57 -------- d-------- C:\Program Files\Adobe
    2006-09-30 13:51 -------- d-------- C:\Documents and Settings\Owner\Application Data\Kerio
    2006-09-30 13:47 -------- d-------- C:\Program Files\Common Files\Adobe
    2006-09-30 13:40 -------- d-------- C:\Documents and Settings\Owner\Application Data\Adobe
    2006-09-30 13:15 -------- d-------- C:\Program Files\Snapshot Viewer
    2006-09-30 13:15 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-09-30 12:53 -------- d-------- C:\Program Files\Common Files\System
    2006-09-30 12:21 -------- d-------- C:\Documents and Settings\Owner\Application Data\Microsoft Web Folders
    2006-09-29 23:40 143380 --a------ C:\WINDOWS\system32\pnujrmfg.exe
    2006-09-29 20:21 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-09-29 20:17 -------- d-------- C:\Program Files\Norton AntiVirus
    2006-09-29 20:12 3603 --a------ C:\WINDOWS\viassary-hp.reg
    2006-09-28 22:54 -------- d-------- C:\Program Files\Kodak
    2006-09-28 22:54 -------- d-------- C:\Program Files\Common Files\Kodak
    2006-09-28 05:06 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
    2006-09-23 18:36 -------- d-------- C:\Program Files\Borland
    2006-09-23 18:31 -------- d-------- C:\Program Files\Windows Media Components
    2006-09-23 18:30 -------- d-------- C:\Program Files\directx
    2006-09-23 17:42 -------- d-------- C:\Program Files\Common Files\Visio Shared
    2006-09-23 17:41 -------- d-------- C:\Program Files\Common Files\WexTech Shared
    2006-09-23 17:41 -------- d-------- C:\Program Files\Common Files\Lhspf
    2006-09-23 17:40 -------- d-------- C:\Documents and Settings\Owner\Application Data\Visio
    2006-09-23 17:14 -------- d-------- C:\Program Files\Microsoft Office
    2006-09-23 17:03 -------- d-------- C:\Program Files\microsoft frontpage
    2006-09-23 16:47 -------- d-------- C:\Program Files\Microsoft Visual Studio
    2006-09-23 16:47 -------- d-------- C:\Program Files\Common Files\Designer
    2006-09-18 03:52 -------- d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
    2006-09-17 19:53 -------- d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
    2006-09-17 19:47 4992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
    2006-09-17 19:47 4288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
    2006-09-17 19:47 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
    2006-09-17 19:47 23424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
    2006-09-17 19:47 -------- d-------- C:\Program Files\Grisoft
    2006-09-16 05:14 -------- d-------- C:\Program Files\Web Publish
    2006-09-16 05:07 -------- d-------- C:\Program Files\Canon Creative
    2006-09-16 01:13 -------- d-------- C:\Program Files\Java Web Start
    2006-09-16 01:13 -------- d-------- C:\Program Files\Java
    2006-09-16 01:11 -------- d-------- C:\Program Files\Encarta Online
    2006-09-16 01:11 -------- d-------- C:\Program Files\ArcSoft
    2006-09-16 00:57 -------- d-------- C:\Program Files\Windows NT
    2006-09-16 00:57 -------- d-------- C:\Program Files\Windows Media Player
    2006-09-16 00:57 -------- d-------- C:\Program Files\Outlook Express
    2006-09-16 00:57 -------- d-------- C:\Program Files\NetMeeting
    2006-09-16 00:57 -------- d-------- C:\Program Files\Movie Maker
    2006-09-16 00:57 -------- d-------- C:\Program Files\Messenger
    2006-09-16 00:57 -------- d-------- C:\Program Files\Internet Explorer
    2006-09-16 00:57 -------- d-------- C:\Program Files\Common Files\Services


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "SpybotSD TeaTimer"="h:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
    "WrCtrl"="\"h:\\Program Files\\Kerio\\WinRoute Firewall\\WrCtrl.exe\""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
    "HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
    "CamMonitor"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\\\Unload\\hpqcmon.exe"
    "HP Software Update"="\"c:\\Program Files\\HP\\HP Software Update\\HPWuSchd.exe\""
    "HPHUPD05"="c:\\Program Files\\Hewlett-Packard\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
    "HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe"
    "StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
    "Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
    "AVG7_CC"="h:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "Adobe Photo Downloader"="\"H:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
    "Propel Accelerator"="\"h:\\Program Files\\AT&T Worldnet Accelerator\\trayctl.exe\" /STARTUPLAUNCH"
    "KBD"="C:\\HP\\KBD\\KBD.EXE"
    "PS2"="C:\\WINDOWS\\system32\\ps2.exe"
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
    "nwiz"="nwiz.exe /install"
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
    @=""

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "AVG7_Run"="h:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
    "SVC Hosts"="svchosts.exe"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "AVG7_Run"="h:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
    "SVC Hosts"="svchosts.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{68676EFE-9B30-4EBD-B842-7ED9B3460C53}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak EasyShare software.lnk"
    "backup"="C:\\WINDOWS\\pss\\Kodak EasyShare software.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\Kodak\\KODAKE~1\\bin\\EASYSH~1.EXE -h"
    "item"="Kodak EasyShare software"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak software updater.lnk"
    "backup"="C:\\WINDOWS\\pss\\Kodak software updater.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\Kodak\\KODAKS~1\\7288971\\Program\\KODAKS~1.EXE "
    "item"="Kodak software updater"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus Organizer EasyClip.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Lotus Organizer EasyClip.lnk"
    "backup"="C:\\WINDOWS\\pss\\Lotus Organizer EasyClip.lnkCommon Startup"
    "location"="Common Startup"
    "command"="H:\\Lotus\\organize\\easyclip.exe "
    "item"="Lotus Organizer EasyClip"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus QuickStart.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Lotus QuickStart.lnk"
    "backup"="C:\\WINDOWS\\pss\\Lotus QuickStart.lnkCommon Startup"
    "location"="Common Startup"
    "command"="H:\\Lotus\\wordpro\\ltsstart.exe "
    "item"="Lotus QuickStart"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus SmartCenter.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Lotus SmartCenter.lnk"
    "backup"="C:\\WINDOWS\\pss\\Lotus SmartCenter.lnkCommon Startup"
    "location"="Common Startup"
    "command"="H:\\Lotus\\smartctr\\SMARTCTR.EXE "
    "item"="Lotus SmartCenter"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus SuiteStart.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Lotus SuiteStart.lnk"
    "backup"="C:\\WINDOWS\\pss\\Lotus SuiteStart.lnkCommon Startup"
    "location"="Common Startup"
    "command"="H:\\Lotus\\smartctr\\SUITEST.EXE "
    "item"="Lotus SuiteStart"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Symantec Fax Starter Edition Port.lnk"
    "backup"="C:\\WINDOWS\\pss\\Symantec Fax Starter Edition Port.lnkCommon Startup"
    "location"="Common Startup"
    "command"="H:\\PROGRA~1\\MICROS~1\\Office\\1033\\OLFSNT40.EXE "
    "item"="Symantec Fax Starter Edition Port"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Updates from HP.lnk"
    "backup"="C:\\WINDOWS\\pss\\Updates from HP.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\UPDATE~1\\137903\\Program\\BACKWE~1.EXE -startup"
    "item"="Updates from HP"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HP Organize.lnk]
    "path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\HP Organize.lnk"
    "backup"="C:\\WINDOWS\\pss\\HP Organize.lnkStartup"
    "location"="Startup"
    "command"="C:\\PROGRA~1\\HEWLET~1\\HPORGA~1\\bin\\DISPLA~1.EXE \"-application\" \"core.hp.main/application.xml\" \"-appname\" \"eLife\""
    "item"="HP Organize"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Lotus SmartSuite 9.6 - English Registration.lnk]
    "path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\Lotus SmartSuite 9.6 - English Registration.lnk"
    "backup"="C:\\WINDOWS\\pss\\Lotus SmartSuite 9.6 - English Registration.lnkStartup"
    "location"="Startup"
    "command"="H:\\LOTUS\\REGISTER\\remind32.exe "
    "item"="Lotus SmartSuite 9.6 - English Registration"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "navapsvc"=dword:00000002

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job

    Completion time: 06-11-03 5:14:55.29
    C:\ComboFix.txt ... 06-11-03 05:14
    C:\ComboFix2.txt ... 06-10-27 21:23
    C:\ComboFix3.txt ... 06-10-25 23:38
    HijackThis log:
    Logfile of HijackThis v1.99.1
    Scan saved at 5:20:50 AM, on 11/3/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\System32\Userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.elderscrolls.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Worldnet Service
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - H:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll (file missing)
    O2 - BHO: (no name) - {1D6A3F68-7D29-4A19-B5F9-095D232C46CD} - C:\WINDOWS\System32\jkkli.dll (file missing)
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - h:\Program Files\AT&T Worldnet Accelerator\prpl_IePopupBlocker.dll
    O2 - BHO: (no name) - {68676EFE-9B30-4EBD-B842-7ED9B3460C53} - C:\WINDOWS\System32\qommnki.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [AVG7_CC] h:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Propel Accelerator] "h:\Program Files\AT&T Worldnet Accelerator\trayctl.exe" /STARTUPLAUNCH
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] h:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [WrCtrl] "h:\Program Files\Kerio\WinRoute Firewall\WrCtrl.exe"
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = H:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = H:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - H:\Program Files\AT&T\WnClient\Programs\AnyWho.exe (file missing)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - h:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - h:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - h:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - h:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Mass Effect(TM) Xbox 360 - Unknown owner - C:\WINDOWS\System32\dllcache\mfxbox.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - h:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - h:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
    O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINDOWS\system\winlogon.exe
    O23 - Service: Kerio WinRoute Firewall (WinRoute) - Kerio Technologies - h:\Program Files\Kerio\WinRoute Firewall\winroute.exe

    Thanks Walter

  9. #19
    walterj is offline Full Member
    Quote Originally Posted by Neal
    Do me a favor please.


    Right click hijackthis.exe, select rename, rename it to bunny.exe and post a log from the newly named hijackthis.exe. Sometimes malware will hide, and renaming hijackthis.exe will show some infections not showing.


    Go here to learn how to show hidden files/folders:

    http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5

    Re-hide after we are done

    As far as that file you searched for I believe that letter is a q instead of a g. Hunt for that and delete from safe mode if needed.


    opxpapp.exe has to do with OmniPass a legit program.



    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
    Hi Neal
    Over the weekend did copy and rename Hijack. Renamed hijack works fine in safe mode. In "normal" mode renamed hijack screen flashes for a second and is gone. Unable to run renamed hijack in regular mode.
    Question: I have a full set of disks that were cut when I bought the box (8 CDs). Over the weekend did copy all my data (or 90% of it) to SD cards, flash sticks and some CDs (total 8G).
    If I boot using the 8 CDs, the system will go back to the original condition when I purchased it. I do have all CDs for all programs and most fixes to them.
    Performing a destructive reload, will it cure/get rid of the virus? Since I will be booting from CD and as a first step both C and Drives are deleted and the reload from CDs starts.
    I realize that I will have lotsa fun reloading all CDs and then dumping all my files back.
    Also for the hell of it did uninstall AVG and tried to reinstall it in safe mode. Goes thru all motions of installing AV but when I go into explorer I have an empty folder. Deliberately put it on a different drive and only the folder did show up.
    Thanks Walter
    Last edited by walterj; 06-11-2006 at 08:30 PM. Reason: clarify

  10. #20
    walterj is offline Full Member
    HI Neal
    Welcome back
