MSN virus

  #41 - HereFishie (Junior Member)

    Re: MSN virus

    ((((((((((((((((((((((((((((((( Files Created from 2007-03-16 to 2007-04-16 ))))))))))))))))))))))))))))))))))


    2007-04-16 20:02 774,543 ---hs---- C:\WINDOWS\system32\oqtwa.bak2
    2007-04-16 20:02 123,972 --a------ C:\WINDOWS\system32\hnomejfq.dll
    2007-04-16 20:01 123,972 --a------ C:\WINDOWS\system32\smfiulhf.dll
    2007-04-15 22:18 <DIR> d-------- C:\DOCUME~1\Owner\DoctorWeb
    2007-04-15 18:58 772,124 ---hs---- C:\WINDOWS\system32\oqtwa.bak1
    2007-04-15 00:11 <DIR> d-------- C:\Program Files\Common Files\Java
    2007-04-14 20:47 <DIR> d-------- C:\VundoFix Backups
    2007-04-14 15:07 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
    2007-04-14 02:07 3,310 --a------ C:\WINDOWS\system32\tmp.reg
    2007-04-13 00:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
    2007-04-12 01:17 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-04-11 23:45 <DIR> d-------- C:\Program Files\CCleaner
    2007-04-11 20:01 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Uniblue
    2007-04-11 07:54 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Opera
    2007-04-10 23:32 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-04-10 23:31 <DIR> d--hs---- C:\WINDOWS\Q2hlcnlsIE1hc3NleQ
    2007-04-09 19:27 26,694 --------- C:\WINDOWS\system32\qomnnnk.dll
    2007-04-09 19:26 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
    2007-03-23 15:11 127,034 -r------- C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
    2007-03-16 23:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
    2007-03-16 23:36 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
    2007-03-16 23:36 <DIR> d-------- C:\Program Files\Common Files\Kodak


  #42 - VopThis (Senior Member, Canada)
    Sorry for my delayed response.


    Please investigate what files may be present in the following DIRECTORY:
    C:\WINDOWS\Q2hlcnlsIE1hc3NleQ

    Go to a command window - START>RUN>type CMD and then enter.
    Cut & Paste each of the following lines individually:
    • DIR C:\WINDOWS\Q2hlcnlsIE1hc3NleQ /B>showfiles.txt
    • NOTEPAD showfiles.txt

    Report those NOTEPAD results in your next post.


    Try deleting the FILES, in SAFE MODE, if necessary:
    C:\WINDOWS\system32\oqtwa.bak2
    C:\WINDOWS\system32\oqtwa.bak1



    Submit the following FILES to VirusTotal and report back their analysis:
    C:\WINDOWS\system32\hnomejfq.dll
    C:\WINDOWS\system32\smfiulhf.dll







    You have a new resistant file that we need to upload to the maker of the Vundofix. This could help others and us greatly. After you do this we will safely remove this infection.
    This will only take a few minutes of your time.

    • Please go to this Site.
    • Fill out the form
    • Where it says Topic where file was requested paste this link in:

      http://www.d-a-l.com/help/showthread.php?t=50761
    • Where it says browse paste these in the spaces provided.



      C:\WINDOWS\system32\qomnnnk.dll
      anything else that VirusTotal reports as vundo/virtumod

    • Then click send


    Thanks - now let's get rid of it.
    -------------------------------

    Use this tool for Vundo if you don't already have it. You can delete any others you have tried.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once the scan is complete, Right Click inside the listbox (white box) and click add more files
    • Copy & Paste the 2 entries below into the top 2 boxes
      • C:\WINDOWS\system32\qomnnnk.dll
      • optional second entry, if identified
    • Click Add Files and Click Close Window
    • Click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.


    Also, run combofix again and post the revised portion for the segment last reported.
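The triage VopThis applies to the ComboFix "Files Created" listing in #41 (hidden+system objects, freshly dropped DLLs with random-looking names in system32) and the reversed-stem naming that links Vundo's companion files to their DLLs in the VundoFix output later in the thread, written out as an added example; it is not part of the original thread, the file names are those posted here, and both embedded lists are constructed subsets.

```python
import re
from typing import Dict, List, Tuple

# ComboFix "Files Created" lines copied from the listing in #41 (a constructed subset).
COMBOFIX_LISTING = r"""
2007-04-16 20:02 774,543 ---hs---- C:\WINDOWS\system32\oqtwa.bak2
2007-04-16 20:02 123,972 --a------ C:\WINDOWS\system32\hnomejfq.dll
2007-04-16 20:01 123,972 --a------ C:\WINDOWS\system32\smfiulhf.dll
2007-04-15 22:18 <DIR> d-------- C:\DOCUME~1\Owner\DoctorWeb
2007-04-15 18:58 772,124 ---hs---- C:\WINDOWS\system32\oqtwa.bak1
2007-04-14 15:07 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-04-10 23:31 <DIR> d--hs---- C:\WINDOWS\Q2hlcnlsIE1hc3NleQ
2007-04-09 19:27 26,694 --------- C:\WINDOWS\system32\qomnnnk.dll
2007-03-16 23:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
"""

# File names from the VundoFix scan posted later in the thread (a constructed subset).
VUNDOFIX_FOUND = ["awtqo.dll", "cfhkj.bak1", "cfhkj.ini", "jkhfc.dll", "oqtwa.ini"]

# date time size|<DIR> attrs(d r a h s ...) path
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>[\d,]+|<DIR>) "
    r"(?P<attrs>[d-][r-][a-][h-][s-][-\w]{4}) (?P<path>.+)$"
)
# Stems of 5 to 8 lowercase letters, the naming seen on the Vundo files in this thread.
RANDOM_STEM = re.compile(r"^[a-z]{5,8}$")


def parse_listing(text: str) -> List[Dict[str, str]]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def hidden_system(entries: List[Dict[str, str]]) -> List[str]:
    """Hidden+system objects created in the window: the .bak files and the
    odd directory VopThis asked about all carry the 'hs' attribute bits."""
    return [e["path"] for e in entries if "h" in e["attrs"] and "s" in e["attrs"]]


def new_system32_dlls(entries: List[Dict[str, str]]) -> List[str]:
    """DLLs dropped in system32 with a random-looking stem. This is a review list
    for hashing and VirusTotal, not a delete list: ptpusb.dll, created in the same
    minute as the Kodak directory, matches the shape just as the Vundo DLLs do."""
    hits = []
    for e in entries:
        if e["size"] == "<DIR>" or "\\system32\\" not in e["path"].lower():
            continue
        stem, _, ext = basename(e["path"]).rpartition(".")
        if ext.lower() == "dll" and RANDOM_STEM.match(stem):
            hits.append(basename(e["path"]))
    return hits


def reversed_pairs(names: List[str]) -> List[Tuple[str, str]]:
    """Vundo's companion .ini/.bak files use the DLL stem spelled backwards
    (awtqo.dll <-> oqtwa.ini), so a reversed-stem match links the pieces."""
    stems = {n.rsplit(".", 1)[0].lower() for n in names}
    return sorted((s, s[::-1]) for s in stems if s[::-1] in stems and s < s[::-1])


if __name__ == "__main__":
    entries = parse_listing(COMBOFIX_LISTING)
    print("hidden+system:", hidden_system(entries))
    print("review these DLLs:", new_system32_dlls(entries))
    names = [basename(e["path"]) for e in entries] + VUNDOFIX_FOUND
    print("reversed-stem pairs:", reversed_pairs(names))
```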

  #43 - HereFishie (Junior Member)
    Quote Originally Posted by VopThis
    Sorry for my delayed response.


    Please investigate what files may be present in the following DIRECTORY:
    C:\WINDOWS\Q2hlcnlsIE1hc3NleQ

    Go to a command window - START>RUN>type CMD and then enter.
    Cut & Paste each of the following lines individually:
    • DIR C:\WINDOWS\Q2hlcnlsIE1hc3NleQ /B>showfiles.txt
    • NOTEPAD showfiles.txt

    Report those NOTEPAD results in your next post.
    No problem... we all have lives, I know that.
    Since that post, I should mention that I have uninstalled AVG and installed my ISP provider's antivirus software, which is provided through F-Secure.

    As for the instructions provided above... it said no files found, so on to the next set of directions.

  #44 - HereFishie (Junior Member)
    Quote Originally Posted by VopThis

    Try deleting the FILES, in SAFE MODE, if necessary:
    C:\WINDOWS\system32\oqtwa.bak2
    C:\WINDOWS\system32\oqtwa.bak1




    Submit the following FILES to VirusTotal and report back their analysis:
    C:\WINDOWS\system32\hnomejfq.dll
    C:\WINDOWS\system32\smfiulhf.dll

    Files with oqtwa are gone



    VirusTotal reply for hnomejfq.dll

    AhnLab-V3 2007.4.19.0 04.18.2007 no virus found
    AntiVir 7.3.1.53 04.18.2007 TR/Agent.123952
    Authentium 4.93.8 04.18.2007 no virus found
    Avast 4.7.981.0 04.18.2007 no virus found
    AVG 7.5.0.447 04.18.2007 Adware Generic2.DO
    BitDefender 7.2 04.19.2007 no virus found
    CAT-QuickHeal 9.00 04.18.2007 Adware.Virtumonde.gen (Not a Virus)
    ClamAV devel-20070416 04.18.2007 Trojan.Packed-7
    DrWeb 4.33 04.19.2007 Trojan.Virtumod
    eSafe 7.0.15.0 04.18.2007 no virus found
    eTrust-Vet 30.7.3578 04.19.2007 no virus found
    Ewido 4.0 04.18.2007 no virus found
    FileAdvisor 1 04.19.2007 no virus found
    Fortinet 2.85.0.0 04.19.2007 suspicious
    F-Prot 4.3.2.48 04.18.2007 no virus found
    F-Secure 6.70.13030.0 04.19.2007 no virus found
    Ikarus T3.1.1.5 04.19.2007 no virus found
    Kaspersky 4.0.2.24 04.19.2007 no virus found
    McAfee 5012 04.18.2007 no virus found
    Microsoft 1.2405 04.19.2007 no virus found
    NOD32v2 2202 04.18.2007 no virus found
    Norman 5.80.02 04.18.2007 Vundo.gen18
    Panda 9.0.0.4 04.18.2007 Spyware/Virtumonde
    Prevx1 V2 04.19.2007 no virus found
    Sophos 4.16.0 04.17.2007 no virus found
    Sunbelt 2.2.907.0 04.07.2007 VIPRE.Suspicious
    Symantec 10 04.19.2007 no virus found
    TheHacker 6.1.6.088 04.09.2007 no virus found
    VBA32 3.11.3 04.18.2007 no virus found
    VirusBuster 4.3.7:9 04.18.2007 Adware.Vundo.Gen!Pac.8
    Webwasher-Gateway 6.0.1 04.19.2007 Trojan.Agent.123952

    Aditional Information
    File size: 123972 bytes
    MD5: 819588fb81bd6c358d08fb678c75186e
    SHA1: 21ec4734738db439a21c12076dd9c90a31b5fdf2
    Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

    and for smfiulhf.dll

    AhnLab-V3 2007.4.19.0 04.18.2007 no virus found
    AntiVir 7.3.1.53 04.19.2007 TR/Agent.123952
    Authentium 4.93.8 04.18.2007 no virus found
    Avast 4.7.981.0 04.18.2007 no virus found
    AVG 7.5.0.447 04.18.2007 Adware Generic2.DO
    BitDefender 7.2 04.19.2007 no virus found
    CAT-QuickHeal 9.00 04.18.2007 Adware.Virtumonde.gen (Not a Virus)
    ClamAV devel-20070416 04.18.2007 Trojan.Packed-7
    DrWeb 4.33 04.19.2007 Trojan.Virtumod
    eSafe 7.0.15.0 04.18.2007 no virus found
    eTrust-Vet 30.7.3578 04.19.2007 no virus found
    Ewido 4.0 04.18.2007 no virus found
    FileAdvisor 1 04.19.2007 no virus found
    Fortinet 2.85.0.0 04.19.2007 suspicious
    F-Prot 4.3.2.48 04.18.2007 no virus found
    F-Secure 6.70.13030.0 04.19.2007 no virus found
    Ikarus T3.1.1.5 04.19.2007 no virus found
    Kaspersky 4.0.2.24 04.19.2007 no virus found
    McAfee 5012 04.18.2007 no virus found
    Microsoft 1.2405 04.19.2007 no virus found
    NOD32v2 2202 04.18.2007 no virus found
    Norman 5.80.02 04.18.2007 Vundo.gen18
    Panda 9.0.0.4 04.18.2007 Spyware/Virtumonde
    Prevx1 V2 04.19.2007 no virus found
    Sophos 4.16.0 04.17.2007 no virus found
    Sunbelt 2.2.907.0 04.14.2007 VIPRE.Suspicious
    Symantec 10 04.19.2007 no virus found
    TheHacker 6.1.6.095 04.15.2007 no virus found
    VBA32 3.11.3 04.18.2007 no virus found
    VirusBuster 4.3.7:9 04.18.2007 Adware.Vundo.Gen!Pac.8
    Webwasher-Gateway 6.0.1 04.19.2007 Trojan.Agent.123952

    Aditional Information
    File size: 123972 bytes
    MD5: 819588fb81bd6c358d08fb678c75186e
    SHA1: 21ec4734738db439a21c12076dd9c90a31b5fdf2
    Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.


    VUNDO fix log



    VundoFix V6.3.19

    Checking Java version...

    Scan started at 12:46:48 AM 4/19/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\awtqo.dll
    C:\WINDOWS\system32\awxosukb.dll
    C:\WINDOWS\system32\cfhkj.bak1
    C:\WINDOWS\system32\cfhkj.bak2
    C:\WINDOWS\system32\cfhkj.ini
    C:\WINDOWS\system32\gpnlqocj.dll
    C:\WINDOWS\system32\hnomejfq.dll
    C:\WINDOWS\system32\jkhfc.dll
    C:\WINDOWS\system32\jpkampja.dll
    C:\WINDOWS\system32\ltiqudca.dll
    C:\WINDOWS\system32\oqtwa.ini
    C:\WINDOWS\system32\oqtwa.tmp
    C:\WINDOWS\system32\smfiulhf.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\awxosukb.dll
    C:\WINDOWS\system32\awxosukb.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\cfhkj.bak1
    C:\WINDOWS\system32\cfhkj.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\cfhkj.bak2
    C:\WINDOWS\system32\cfhkj.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\cfhkj.ini
    C:\WINDOWS\system32\cfhkj.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\gpnlqocj.dll
    C:\WINDOWS\system32\gpnlqocj.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\hnomejfq.dll
    C:\WINDOWS\system32\hnomejfq.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\jkhfc.dll
    C:\WINDOWS\system32\jkhfc.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\jpkampja.dll
    C:\WINDOWS\system32\jpkampja.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ltiqudca.dll
    C:\WINDOWS\system32\ltiqudca.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\oqtwa.ini
    C:\WINDOWS\system32\oqtwa.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\oqtwa.tmp
    C:\WINDOWS\system32\oqtwa.tmp Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qomnnnk.dll
    C:\WINDOWS\system32\qomnnnk.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\smfiulhf.dll
    C:\WINDOWS\system32\smfiulhf.dll Has been deleted!

    Performing Repairs to the registry.
    Done!


    HJT log
    Logfile of HijackThis v1.99.1
    Scan saved at 1:14:28 AM, on 4/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Shaw Secure\Common\FSM32.EXE
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe
    C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\Shaw Secure\Common\FSMA32.EXE
    C:\Program Files\Shaw Secure\Common\FSMB32.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
    C:\Program Files\Shaw Secure\Common\FCH32.EXE
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
    C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsrw.exe
    C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
    C:\PROGRA~1\SHAWSE~1\ANTI-S~1\fsaw.exe
    C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
    C:\Program Files\Opera\Opera.exe
    C:\Program Files\Hijack This\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\rddwoceu.dll (file missing)
    O2 - BHO: (no name) - {3DDEF0DA-9D2A-4C68-A8AA-AED0E0AA4B0F} - C:\WINDOWS\system32\awtqo.dll (file missing)
    O2 - BHO: (no name) - {4047A18D-0D17-4E0B-80A8-0EC9CA8CEDEc} - C:\WINDOWS\system32\gedqqupd.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5A00B303-4F83-4106-8233-EEB1E3E5FA43} - C:\WINDOWS\system32\ssqpp.dll (file missing)
    O2 - BHO: (no name) - {6809233B-E31B-4D69-8B1B-8E6A03A39702} - C:\WINDOWS\system32\awvtq.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {970D022E-A884-4D2A-BB4A-EBC22D2FEBD2} - C:\WINDOWS\system32\qomnnnk.dll (file missing)
    O2 - BHO: (no name) - {9BA86DBF-1322-4755-948E-6A1261B0162D} - C:\WINDOWS\system32\jkhfc.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Shaw Secure\FSGUI\FSSW.EXE" /reboot
    O4 - HKLM\..\Run: [News Service] "C:\Program Files\Shaw Secure\FSGUI\ispnews.exe"
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Shaw Secure.lnk = C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Block this popup - C:\Program Files\Shaw Secure\Anti-Spyware\blockpopups.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control version 3) - https://intuitcanada.ehosts.net/neta.../custappx3.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://fishiemusings.spaces.msn.com/...d/MsnPUpld.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8300.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1160458773095
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/B...1/axofupld.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
    O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
    O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/...er/MotUtil.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} - http://www2.incredimail.com/contents...r/imloader.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://atwnt333.external.hp.com/bus-...r/SysQuery.cab
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Shaw Secure (BackWeb Plug-in - 3875767) - BackWeb Technologies Inc. - C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
    O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe (file missing)
    O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    Last edited by HereFishie; 19-04-2007 at 08:18 AM.
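A parser for the VirusTotal text reports posted above, added here as an example that is not part of the original thread: it separates family-specific names (Vundo/Virtumonde/Virtumod) from generic and heuristic verdicts, and checks that the two differently named DLLs are in fact the same bytes, which the matching size, MD5 and SHA1 in both reports already show. The embedded report is a constructed 13-engine excerpt of the 31-engine result for hnomejfq.dll, with the metadata block of the smfiulhf.dll report alongside it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Excerpt (13 of 31 engines) of the VirusTotal report posted above for hnomejfq.dll,
# followed by its metadata block; a constructed subset of the values on the page.
REPORT_HNOMEJFQ = """\
AhnLab-V3 2007.4.19.0 04.18.2007 no virus found
AntiVir 7.3.1.53 04.18.2007 TR/Agent.123952
AVG 7.5.0.447 04.18.2007 Adware Generic2.DO
CAT-QuickHeal 9.00 04.18.2007 Adware.Virtumonde.gen (Not a Virus)
ClamAV devel-20070416 04.18.2007 Trojan.Packed-7
DrWeb 4.33 04.19.2007 Trojan.Virtumod
F-Secure 6.70.13030.0 04.19.2007 no virus found
Kaspersky 4.0.2.24 04.19.2007 no virus found
Norman 5.80.02 04.18.2007 Vundo.gen18
Panda 9.0.0.4 04.18.2007 Spyware/Virtumonde
Sunbelt 2.2.907.0 04.07.2007 VIPRE.Suspicious
Symantec 10 04.19.2007 no virus found
VirusBuster 4.3.7:9 04.18.2007 Adware.Vundo.Gen!Pac.8

File size: 123972 bytes
MD5: 819588fb81bd6c358d08fb678c75186e
SHA1: 21ec4734738db439a21c12076dd9c90a31b5fdf2
"""

# Metadata block of the smfiulhf.dll report as posted above.
REPORT_SMFIULHF = """\
File size: 123972 bytes
MD5: 819588fb81bd6c358d08fb678c75186e
SHA1: 21ec4734738db439a21c12076dd9c90a31b5fdf2
"""

# engine  version  signature-date(MM.DD.YYYY)  result
RESULT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")
CLEAN = "no virus found"
# Detection names that tie the sample to the family this thread is chasing.
FAMILY_RE = re.compile(r"vundo|virtumond|virtumod", re.IGNORECASE)


@dataclass
class VtReport:
    results: Dict[str, str] = field(default_factory=dict)  # engine -> result text
    size: Optional[int] = None
    md5: Optional[str] = None
    sha1: Optional[str] = None


def parse_vt_report(text: str) -> VtReport:
    rep = VtReport()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("File size:"):
            rep.size = int(re.search(r"\d+", line).group())
        elif line.startswith("MD5:"):
            rep.md5 = line.split(":", 1)[1].strip().lower()
        elif line.startswith("SHA1:"):
            rep.sha1 = line.split(":", 1)[1].strip().lower()
        else:
            m = RESULT_RE.match(line)
            if m:
                rep.results[m.group(1)] = m.group(4).strip()
    return rep


def summarize(rep: VtReport) -> dict:
    """Split detections into family-specific names and generic/heuristic ones:
    a lone 'suspicious' or 'Packed' verdict says little, several engines naming
    Vundo/Virtumonde independently says a lot."""
    detected = {e: r for e, r in rep.results.items() if r.lower() != CLEAN}
    family = sorted(e for e, r in detected.items() if FAMILY_RE.search(r))
    generic = sorted(e for e in detected if e not in family)
    return {"engines": len(rep.results), "detections": len(detected),
            "family_engines": family, "generic_engines": generic}


def same_file(a: VtReport, b: VtReport) -> bool:
    """Equal size, MD5 and SHA1 under two names means the two names hold the same bytes."""
    return a.md5 is not None and (a.size, a.md5, a.sha1) == (b.size, b.md5, b.sha1)


if __name__ == "__main__":
    a = parse_vt_report(REPORT_HNOMEJFQ)
    b = parse_vt_report(REPORT_SMFIULHF)
    print(summarize(a))
    print("hnomejfq.dll and smfiulhf.dll are byte-identical:", same_file(a, b))
```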

  #45 - VopThis (Senior Member, Canada)
    Delete DIRECTORY:
    C:\WINDOWS\Q2hlcnlsIE1hc3NleQ



    Run combofix again and post the revised portion for this segment:

    ((((((((((((((((((((((((((((((( Files Created from 2007-03-15 to 2007-04-15 ))))))))))))))))))))))))))))))))))




    SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

    O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\rddwoceu.dll (file missing)
    O2 - BHO: (no name) - {3DDEF0DA-9D2A-4C68-A8AA-AED0E0AA4B0F} - C:\WINDOWS\system32\awtqo.dll (file missing)
    O2 - BHO: (no name) - {4047A18D-0D17-4E0B-80A8-0EC9CA8CEDEc} - C:\WINDOWS\system32\gedqqupd.dll (file missing)
    O2 - BHO: (no name) - {5A00B303-4F83-4106-8233-EEB1E3E5FA43} - C:\WINDOWS\system32\ssqpp.dll (file missing)
    O2 - BHO: (no name) - {6809233B-E31B-4D69-8B1B-8E6A03A39702} - C:\WINDOWS\system32\awvtq.dll (file missing)
    O2 - BHO: (no name) - {970D022E-A884-4D2A-BB4A-EBC22D2FEBD2} - C:\WINDOWS\system32\qomnnnk.dll (file missing)
    O2 - BHO: (no name) - {9BA86DBF-1322-4755-948E-6A1261B0162D} - C:\WINDOWS\system32\jkhfc.dll (file missing)

    O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll (file missing)

    [OPTIONAL 'FIX' - undesired startup]
    Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe

    Make sure that all browser windows and internet links are closed, even this one!
    CLICK 'FIX CHECKED' with HijackThis.



    POST A REVISED HIJACKTHIS LOG for review:
    Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
    Last edited by VopThis; 19-04-2007 at 02:33 PM.
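The selection rule behind the HijackThis fix list above, as an added example that is not part of the original thread: unnamed O2 BHO entries and O20 Winlogon Notify entries whose registered DLL under system32 is already gone are the leftovers to fix, while named entries with a present file and unnamed ones whose file still exists are left alone. The embedded log lines are a constructed subset of the HijackThis log posted in #44.

```python
import re
from typing import Dict, List

# Lines copied from the HijackThis v1.99.1 log posted in #44 (a constructed subset).
HJT_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\rddwoceu.dll (file missing)
O2 - BHO: (no name) - {3DDEF0DA-9D2A-4C68-A8AA-AED0E0AA4B0F} - C:\WINDOWS\system32\awtqo.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {970D022E-A884-4D2A-BB4A-EBC22D2FEBD2} - C:\WINDOWS\system32\qomnnnk.dll (file missing)
O2 - BHO: (no name) - {9BA86DBF-1322-4755-948E-6A1261B0162D} - C:\WINDOWS\system32\jkhfc.dll (file missing)
O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
MISSING = "(file missing)"


def _orphaned_in_system32(target: str) -> bool:
    """True when HijackThis could not find the DLL and it was registered under system32."""
    if not target.endswith(MISSING):
        return False
    path = target[: -len(MISSING)].strip()
    return "\\system32\\" in path.lower()


def triage_hjt(text: str) -> List[Dict[str, str]]:
    """Return the O2/O20 entries to put a check next to: unnamed BHOs and
    Winlogon Notify hooks whose system32 DLL is gone but whose registration
    remains. A named BHO with a present file (Yahoo, Java) or an unnamed one
    with a present file (Spybot's SDHelper) is left alone; a '(no file)' entry
    carries no path at all and needs a manual look rather than an automatic flag."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if m["name"] == "(no name)" and _orphaned_in_system32(m["target"]):
                findings.append({"line": line, "clsid": m["clsid"],
                                 "reason": "unnamed BHO, registered DLL missing from system32"})
            continue
        m = O20_RE.match(line)
        if m and _orphaned_in_system32(m["target"]):
            findings.append({"line": line, "clsid": "",
                             "reason": "Winlogon Notify hook pointing at a deleted DLL"})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(HJT_LOG):
        print(f["reason"], "->", f["line"])
```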

  #46 - HereFishie (Junior Member)
    OK, this was the ComboFix log... sorry I didn't wait for it to finish last night... it was already 1:30 am!

    ((((((((((((((((((((((((((((((( Files Created from 2007-03-19 to 2007-04-19 ))))))))))))))))))))))))))))))))))


    2007-04-18 20:20 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\F-Secure
    2007-04-18 20:13 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\ispnews
    2007-04-18 20:08 70,896 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
    2007-04-18 20:08 33,584 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
    2007-04-18 20:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\F-Secure
    2007-04-18 19:59 118,842 -r------- C:\WINDOWS\bwUnin-6.3.2.123-3875767L.exe
    2007-04-18 19:59 <DIR> d-------- C:\Program Files\Shaw Secure
    2007-04-15 22:18 <DIR> d-------- C:\DOCUME~1\Owner\DoctorWeb
    2007-04-15 00:11 <DIR> d-------- C:\Program Files\Common Files\Java
    2007-04-14 20:47 <DIR> d-------- C:\VundoFix Backups
    2007-04-14 15:07 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
    2007-04-14 02:07 3,310 --a------ C:\WINDOWS\system32\tmp.reg
    2007-04-13 00:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
    2007-04-12 01:17 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-04-11 23:45 <DIR> d-------- C:\Program Files\CCleaner
    2007-04-11 20:01 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Uniblue
    2007-04-11 07:54 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Opera
    2007-04-10 23:32 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-04-10 23:31 <DIR> d--hs---- C:\WINDOWS\Q2hlcnlsIE1hc3NleQ
    2007-04-09 19:26 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
    2007-03-23 15:11 127,034 -r------- C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe


    That directory is not there to delete.
    I will do the rest of the actions when I get home from work.
    Last edited by HereFishie; 19-04-2007 at 03:07 PM.

  #47 - HereFishie (Junior Member)
    I found that file when I ran it in safe mode, so it's been deleted now.


    "Owner" - 07-04-19 20:44:42 Service Pack 2
    ComboFix 07-04-05.Rev3 - Running from: "C:\Documents and Settings\Owner\Desktop\downloads"


    ((((((((((((((((((((((((((((((( Files Created from 2007-03-19 to 2007-04-19 ))))))))))))))))))))))))))))))))))


    2007-04-18 20:20 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\F-Secure
    2007-04-18 20:13 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\ispnews
    2007-04-18 20:08 70,896 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
    2007-04-18 20:08 33,584 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
    2007-04-18 20:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\F-Secure
    2007-04-18 19:59 118,842 -r------- C:\WINDOWS\bwUnin-6.3.2.123-3875767L.exe
    2007-04-18 19:59 <DIR> d-------- C:\Program Files\Shaw Secure
    2007-04-15 22:18 <DIR> d-------- C:\DOCUME~1\Owner\DoctorWeb
    2007-04-15 00:11 <DIR> d-------- C:\Program Files\Common Files\Java
    2007-04-14 20:47 <DIR> d-------- C:\VundoFix Backups
    2007-04-14 15:07 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
    2007-04-14 02:07 3,310 --a------ C:\WINDOWS\system32\tmp.reg
    2007-04-13 00:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
    2007-04-12 01:17 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-04-11 23:45 <DIR> d-------- C:\Program Files\CCleaner
    2007-04-11 20:01 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Uniblue
    2007-04-11 07:54 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Opera
    2007-04-10 23:32 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-04-09 19:26 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
    2007-03-23 15:11 127,034 -r------- C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe

  #48 - HereFishie (Junior Member)
    new HJT log

    Logfile of HijackThis v1.99.1
    Scan saved at 9:26:12 PM, on 4/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Shaw Secure\Common\FSM32.EXE
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe
    C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\Shaw Secure\Common\FSMA32.EXE
    C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
    C:\Program Files\Shaw Secure\Common\FSMB32.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
    C:\Program Files\Shaw Secure\Common\FCH32.EXE
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
    C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsrw.exe
    C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
    C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
    C:\PROGRA~1\SHAWSE~1\ANTI-S~1\fsaw.exe
    C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
    C:\Program Files\Opera\Opera.exe
    C:\Program Files\Hijack This\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Shaw Secure\FSGUI\FSSW.EXE" /reboot
    O4 - HKLM\..\Run: [News Service] "C:\Program Files\Shaw Secure\FSGUI\ispnews.exe"
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Shaw Secure.lnk = C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Block this popup - C:\Program Files\Shaw Secure\Anti-Spyware\blockpopups.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control version 3) - https://intuitcanada.ehosts.net/neta.../custappx3.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://fishiemusings.spaces.msn.com/...d/MsnPUpld.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8300.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1160458773095
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/B...1/axofupld.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
    O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
    O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/...er/MotUtil.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} - http://www2.incredimail.com/contents...r/imloader.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://atwnt333.external.hp.com/bus-...r/SysQuery.cab
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Shaw Secure (BackWeb Plug-in - 3875767) - BackWeb Technologies Inc. - C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
    O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe (file missing)
    O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

  9. #49
    VopThis is offline Senior Member (Canada)
    It would appear that your issues are now resolved. Please advise if anything is still at issue.

  10. #50
    HereFishie is offline Junior Member
    I think you're right. My computer is running faster now and no more popups!

    Thank you, thank you, thank you!


    Can I now delete all those programs I had to d/l?
