Hope this isn't posted twice

  1. #1

    Hope this isn't posted twice

    I posted a hijackthis log earlier but do not see it on this forum so I guess I botched it somehow. Trying again now - please excuse me (newbie) if I did it wrong. These popups virus warnings and slowdowns are driving us crazy! Thanks in advance for your help.
    I never use Internet Explorer; always Firefox. If I could, I'd take IE totally off of my computer.

    -----------------------------------------------------------------------------------------------------
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:41:57 PM, on 4/21/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\csrcs.exe
    C:\WINDOWS\system32\csrcs.exe
    C:\WINDOWS\system\smscg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\winmgr.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\drivers\spools.exe
    C:\Program Files\NetProject\scit.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\windows\system\temp2.exe
    C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
    C:\svchost.exe
    C:\Noey's Programs\SpySweeper 2.2 folderWebroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\mprui.exe
    C:\WINDOWS\System32\mdm.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\Program Files\NetProject\scm.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    c:\delextra.exe
    c:\delextra.exe
    c:\delextra.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    c:\delextra.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <none>
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\MSDXM.OCX
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
    O4 - HKLM\..\Run: [nlysfunc.exe] C:\WINDOWS\System32\nlysfunc.exe
    O4 - HKLM\..\Run: [AKVCMIS] C:\WINDOWS\AKVCMIS.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Windows Networking Monitoring] C:\WINDOWS\System32\mdm.exe
    O4 - HKLM\..\Run: [temp2] C:\windows\system\temp2.exe
    O4 - HKLM\..\Run: [WPlayer] C:\windows\WPlayer.exe
    O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\windows\system\nadlocop.exe
    O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Moose\cftmon.exe
    O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
    O4 - HKLM\..\Run: [svchost] C:\\svchost.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpySweeper] C:\Noey's Programs\SpySweeper 2.2 folderWebroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [mprui] C:\WINDOWS\System32\mprui.exe
    O4 - HKCU\..\Run: [Windows Networking Monitoring] C:\WINDOWS\System32\mdm.exe
    O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Moose\cftmon.exe
    O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
    O4 - HKUS\S-1-5-18\..\Run: [Windows Networking Monitoring] C:\WINDOWS\System32\mdm.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Windows Networking Monitoring] C:\WINDOWS\System32\mdm.exe (User 'Default user')
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://cmmonline.emc.uq.edu.au/activex/AxisCamControl.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{171D1AD4-AFF6-4F6E-9367-1068D55CD372}: NameServer = 69.19.189.116 69.19.189.118
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D06E1EE0-A96B-4B54-BEA6-EDB2A7716F35}: NameServer = 204.189.12.26,204.189.12.22
    O17 - HKLM\System\CS1\Services\Tcpip\..\{171D1AD4-AFF6-4F6E-9367-1068D55CD372}: NameServer = 69.19.189.116 69.19.189.118
    O23 - Service: acw0q72kp1eikfukiwcfhrig - Unknown owner - C:\WINDOWS\system32\csrcs.exe
    O23 - Service: kplduo7y77oz5nzpagscrcbkblb - Unknown owner - C:\WINDOWS\system32\csrcs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
    O23 - Service: ServiceHost32 - Unknown owner - C:\WINDOWS\System32\ServiceHost32.exe
    O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    O23 - Service: Windows Security Center - Unknown owner - C:\WINDOWS\system32\winmgr.exe

    --
    End of file - 6326 bytes
    Last edited by Moose-like person; 22-04-2008 at 02:54 AM. Reason: forgot


  2. #2
    VopThis, Senior Member (Canada)
    Please ensure that you do not use word wrap while posting any logs - it makes the listings highly unreadable.


    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
    • Open the extracted folder and double click RunThis.bat to start the script.
    • Type Y to begin the script.
    • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • Your system will take longer than normal to restart as the fixtool will be running and removing files.
    • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
    • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

      Please also provide any new current observations.

  3. #3
    Here is the latest in the ongoing battle to reclaim my computer. Thanks for your help. I appreciate it. I didn't realize word wrap was checked. I have no idea what it reads like when checked, but it is now UN-checked.
    Went to a friend's computer with cable modem (would have taken 5 hrs. with the infection raging on this one to get it on this one) and put the software on a little flash drive.

    *******************

    SDFix report:

    SDFix: Version 1.173
    Run by Moose on Wed 04/23/2008 at 08:17 PM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\DOCUME~1\Moose\Desktop\SDFix

    Checking Services :

    Name :
    acw0q72kp1eikfukiwcfhrig
    kplduo7y77oz5nzpagscrcbkblb

    Path :
    "C:\WINDOWS\system32\csrcs.exe"
    "C:\WINDOWS\system32\csrcs.exe"

    acw0q72kp1eikfukiwcfhrig - Deleted
    kplduo7y77oz5nzpagscrcbkblb - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File
    Restoring Default Desktop Wallpaper
    Restoring Default Schedule Service Path

    Rebooting


    Checking Files :

    Trojan Files Found:

    C:\WINDOWS\SYSTEM32\ADKRID~1.BMP - Deleted
    C:\WINDOWS\SYSTEM32\ATSBEL~1.BMP - Deleted
    C:\WINDOWS\SYSTEM32\BIPCNMH.BMP - Deleted
    C:\WINDOWS\SYSTEM32\DKRMLSJ.BMP - Deleted
    C:\WINDOWS\SYSTEM32\EDKJIT.BMP - Deleted
    C:\WINDOWS\SYSTEM32\EHONMP~1.BMP - Deleted
    C:\WINDOWS\SYSTEM32\EPCFQH~1.BMP - Deleted
    C:\WINDOWS\SYSTEM32\FMTOJE~1.BMP - Deleted
    C:\WINDOWS\SYSTEM32\GFADSN~1.BMP - Deleted
    C:\WINDOWS\SYSTEM32\HORAT.BMP - Deleted
    C:\WINDOWS\SYSTEM32\JIDKN.BMP - Deleted
    C:\WINDOWS\SYSTEM32\JQDKRM~1.BMP - Deleted
    C:\WINDOWS\SYSTEM32\LGNMPO~1.BMP - Deleted
    C:\WINDOWS\SYSTEM32\PCJAHC~1.BMP - Deleted
    C:\WINDOWS\SYSTEM32\QTORQT~1.BMP - Deleted
    C:\WINDOWS\SYSTEM32\SFELON~1.BMP - Deleted
    C:\WINDOWS\SYSTEM32\TOBEDC~1.BMP - Deleted
    C:\WINDOWS\SYSTEM32\MDM.EXE - Deleted
    C:\Program Files\NetProject\scit.exe - Deleted
    C:\Program Files\NetProject\scm.exe - Deleted
    C:\Program Files\NetProject\scu.exe - Deleted
    C:\DOCUME~1\Moose\LOCALS~1\Temp\zfe2.exe - Deleted
    C:\delextra.exe - Deleted
    C:\mstn.exe - Deleted
    C:\s32.exe - Deleted
    C:\svchost.exe - Deleted
    C:\winlogon.exe - Deleted
    C:\WINDOWS\hosts - Deleted
    C:\WINDOWS\system\delnew.exe - Deleted
    C:\WINDOWS\system\helper.exe - Deleted
    C:\WINDOWS\system\nadlocop.exe - Deleted
    C:\WINDOWS\system\run.exe - Deleted
    C:\WINDOWS\system\smscg.exe - Deleted
    C:\WINDOWS\system\temp2.exe - Deleted
    C:\WINDOWS\system32\csrcs.exe - Deleted
    C:\WINDOWS\system32\drivers\etc\hosts.bho - Deleted
    C:\WINDOWS\system32\drivers\hosts - Deleted
    C:\WINDOWS\system32\winmgr.exe - Deleted
    C:\WINDOWS\WPlayer.exe - Deleted
    C:\WINDOWS\system32\drivers\spools.exe - Deleted



    Folder C:\Program Files\NetProject - Removed


    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-23 20:33:47
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    Remaining Files :


    File Backups: - C:\DOCUME~1\Moose\Desktop\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Thu 29 Aug 2002 91,136 A.SH. --- "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    Mon 31 Mar 2008 56,323 ..SH. --- "C:\WINDOWS\SYSTEM32\a.exe"
    Fri 22 Sep 2006 33,792 ..SHR --- "C:\WINDOWS\SYSTEM32\ServiceHost32.exe"
    Tue 8 Apr 2008 84,116 ..SHR --- "C:\WINDOWS\SYSTEM32\usnscv.exe"
    Tue 13 Mar 2007 74 A..H. --- "C:\******** ***********\C******* ***********\Cute ftp\cuteftp.sys" <-----(web site name deleted for security purposes)
    Wed 10 Dec 2003 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Tue 25 Mar 2008 56,323 A.SH. --- "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP919\A0413610.exe"
    Wed 4 Oct 2006 3,072,000 A..H. --- "C:\Documents and Settings\Moose\Application Data\U3\temp\Launchpad Removal.exe"
    Thu 16 Jan 2003 357 A..H. --- "C:\Documents and Settings\Moose\Local Settings\Application Data\BVRP Software\Modem On Hold\MoHlog.bak"

    Finished!

    **********************

    It went smoothly. Then, I ran Hijackthis again and got this new log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:28:30 PM, on 4/23/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Noey's Programs\SpySweeper 2.2 folderWebroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <none>
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\MSDXM.OCX
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
    O4 - HKLM\..\Run: [nlysfunc.exe] C:\WINDOWS\System32\nlysfunc.exe
    O4 - HKLM\..\Run: [AKVCMIS] C:\WINDOWS\AKVCMIS.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [temp2] C:\windows\system\temp2.exe
    O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpySweeper] C:\Noey's Programs\SpySweeper 2.2 folderWebroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [mprui] C:\WINDOWS\System32\mprui.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://cmmonline.emc.uq.edu.au/activ...CamControl.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{171D1AD4-AFF6-4F6E-9367-1068D55CD372}: NameServer = 69.19.189.116 69.19.189.118
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D06E1EE0-A96B-4B54-BEA6-EDB2A7716F35}: NameServer = 204.189.12.26,204.189.12.22
    O17 - HKLM\System\CS1\Services\Tcpip\..\{171D1AD4-AFF6-4F6E-9367-1068D55CD372}: NameServer = 69.19.189.116 69.19.189.118
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: ServiceHost32 - Unknown owner - C:\WINDOWS\System32\ServiceHost32.exe
    O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    O23 - Service: Windows Security Center - Unknown owner - C:\WINDOWS\system32\winmgr.exe (file missing)

    --
    End of file - 4854 bytes

    **************************
    Before I got online tonight I downloaded AVG 7.5 and ran it, finding 10 problems, one of which is now quarantined. The quarantined item reads as follows: C:WINDOWS/system32/imprui/.exe
    Infected with downloader.small.us
    The rest were tracking cookies and adware stuff.
    The computer's performance is now nearly normal again.
    The remaining thing is this large yellow square that is on the desktop reading,
    " Warning! Spyware detected on your computer. Install an antivirus or spyware remover to clean your computer."
    Irritating, but not affecting performance, as far as I can tell.

  4. #4
    VopThis, Senior Member (Canada)
    * Please download Malwarebytes' Anti-Malware from HERE or HERE

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart (See Extra Note).
    • A run log is automatically saved by MBAM and can be viewed by clicking the Logs TAB in MBAM.
    • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

  5. #5
    I did as you instructed and everything worked well.

    *******************************************
    Malwarebytes' Anti-Malware 1.11
    Database version: 599

    Scan type: Quick Scan
    Objects scanned: 34274
    Time elapsed: 5 minute(s), 24 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 3
    Files Infected: 25

    Memory Processes Infected:
    C:\WINDOWS\SYSTEM32\BluetoothAuthorizationAgent.exe (Trojan.Downloader) -> No action taken.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\multimediaControls.chl (Trojan.Zlob) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BluetoothAuthorizationAgent (Trojan.Downloader) -> No action taken.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Program Files\dynamic toolbar (Adware.2020search) -> No action taken.
    C:\Program Files\dynamic toolbar\PWRSWMDA (Adware.2020search) -> No action taken.
    C:\Program Files\dynamic toolbar\PWRSWMDA\Cache (Adware.2020search) -> No action taken.

    Files Infected:
    C:\WINDOWS\SYSTEM32\fqpkrepgjmh.bmp (Malware.Trace) -> No action taken.
    C:\WINDOWS\SYSTEM32\lojqd.bmp (Malware.Trace) -> No action taken.
    C:\WINDOWS\SYSTEM32\ralsnipsn.bmp (Malware.Trace) -> No action taken.
    C:\WINDOWS\SYSTEM32\tsbepcjahgf.bmp (Malware.Trace) -> No action taken.
    C:\Program Files\dynamic toolbar\PWRSWMDA\Cache\PWRSWMDAauctions.bmp (Adware.2020search) -> No action taken.
    C:\Program Files\dynamic toolbar\PWRSWMDA\Cache\PWRSWMDAcoupons.bmp (Adware.2020search) -> No action taken.
    C:\Program Files\dynamic toolbar\PWRSWMDA\Cache\PWRSWMDAdvds.bmp (Adware.2020search) -> No action taken.
    C:\Program Files\dynamic toolbar\PWRSWMDA\Cache\PWRSWMDAgames.bmp (Adware.2020search) -> No action taken.
    C:\Program Files\dynamic toolbar\PWRSWMDA\Cache\PWRSWMDAheart.bmp (Adware.2020search) -> No action taken.
    C:\Program Files\dynamic toolbar\PWRSWMDA\Cache\PWRSWMDAlogo.bmp (Adware.2020search) -> No action taken.
    C:\Program Files\dynamic toolbar\PWRSWMDA\Cache\PWRSWMDAsearch.bmp (Adware.2020search) -> No action taken.
    C:\Program Files\dynamic toolbar\PWRSWMDA\Cache\PWRSWMDAskin.bmp (Adware.2020search) -> No action taken.
    C:\Program Files\dynamic toolbar\PWRSWMDA\Cache\PWRSWMDAspacer.bmp (Adware.2020search) -> No action taken.
    C:\Program Files\dynamic toolbar\PWRSWMDA\Cache\T10562.tmp (Adware.2020search) -> No action taken.
    C:\Program Files\dynamic toolbar\PWRSWMDA\Cache\T12484.tmp (Adware.2020search) -> No action taken.
    C:\Program Files\dynamic toolbar\PWRSWMDA\Cache\T12531.tmp (Adware.2020search) -> No action taken.
    C:\Program Files\dynamic toolbar\PWRSWMDA\Cache\T13140.tmp (Adware.2020search) -> No action taken.
    C:\Program Files\dynamic toolbar\PWRSWMDA\Cache\T15359.tmp (Adware.2020search) -> No action taken.
    C:\Program Files\dynamic toolbar\PWRSWMDA\Cache\T18000.tmp (Adware.2020search) -> No action taken.
    C:\sysrem.exe (Trojan.Downloader) -> No action taken.
    C:\WINDOWS\SYSTEM32\BluetoothAuthorizationAgent.exe (Trojan.Downloader) -> No action taken.
    C:\Documents and Settings\Moose\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> No action taken.
    C:\Documents and Settings\Moose\cftmon.exe (Trojan.Agent) -> No action taken.
    C:\Documents and Settings\LocalService\cftmon.exe (Trojan.Agent) -> No action taken.
    C:\Documents and Settings\Bear\cftmon.exe (Trojan.Agent) -> No action taken.

    ******************************************************************
    (Reboot )
    But THEN..... I realized it hadn't gone to update, as I asked it, so I updated, ran it again, and, Voila`..... another batch of bad guys.

    Malwarebytes' Anti-Malware 1.11
    Database version: 676

    Scan type: Quick Scan
    Objects scanned: 39729
    Time elapsed: 6 minute(s), 50 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\dssic.exe (Trojan.Agent) -> No action taken.
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\M8FF6UT8\xwabow[1].html (Trojan.Agent) -> No action taken.
    C:\Documents and Settings\Bear\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> No action taken.

    ******************************
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:14:27 AM, on 4/24/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Noey's Programs\SpySweeper 2.2 folderWebroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <none>
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\MSDXM.OCX
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
    O4 - HKLM\..\Run: [nlysfunc.exe] C:\WINDOWS\System32\nlysfunc.exe
    O4 - HKLM\..\Run: [AKVCMIS] C:\WINDOWS\AKVCMIS.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [temp2] C:\windows\system\temp2.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpySweeper] C:\Noey's Programs\SpySweeper 2.2 folderWebroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [mprui] C:\WINDOWS\System32\mprui.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://cmmonline.emc.uq.edu.au/activ...CamControl.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{171D1AD4-AFF6-4F6E-9367-1068D55CD372}: NameServer = 69.19.189.116 69.19.189.118
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D06E1EE0-A96B-4B54-BEA6-EDB2A7716F35}: NameServer = 204.189.12.26,204.189.12.22
    O17 - HKLM\System\CS1\Services\Tcpip\..\{171D1AD4-AFF6-4F6E-9367-1068D55CD372}: NameServer = 69.19.189.116 69.19.189.118
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: ServiceHost32 - Unknown owner - C:\WINDOWS\System32\ServiceHost32.exe
    O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    O23 - Service: Windows Security Center - Unknown owner - C:\WINDOWS\system32\winmgr.exe (file missing)

    --
    End of file - 4733 bytes

    I rebooted and the yellow screen is gone!
    YES!
    Now, I can go on with the business of life. Thank you a thousand times, until you are better paid, as they say. I plan to make a generous donation to D-A-L just as soon as it is possible.

  6. #6
    VopThis, Senior Member (Canada)
    Sorry for the delays - there is more to do.

    O23 - Service: ServiceHost32 - Unknown owner - C:\WINDOWS\System32\ServiceHost32.exe
    O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe (file missing)
    O23 - Service: Windows Security Center - Unknown owner - C:\WINDOWS\system32\winmgr.exe (file missing)
    Stop, Disable, and Remove a Service
    • Go to Start » Run » type: Services.msc » OK.
    • Scroll down and find this service: (each bracketed or TEXT service name listed above)
    • Double-click on it.
    • Under the General tab, click the Stop button.
    • Then change the Startup Type to Disabled.
    • Click Apply and then OK.

    Next:
    • Run HijackThis.
    • Click on ’Open the Misc Tools section’.
    • Click on ’Delete an NT Service’.
    • Enter (each service name TEXT LABEL without the brackets) into the input BOX (make sure there are NO spaces before or after the name).
    • Click OK and select NO when asked to reboot.




    Read over the following directions. Ask if anything appears unclear to you.



    Clean out TEMPORARY FILES procedures:
    To clean your temp folder, recycle bin, etc..please download this free tool:

    CCleaner http://www.ccleaner.com/downloadbuilds.asp

    Install Options:
    • Don't install any Toolbars, or other programs, should it ask you!
    • Just uncheck the option of installing the Yahoo toolbar.

    It will put a shortcut on your Desktop.

    Do not run CCleaner until requested later.




    We will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.

    SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

    O4 - HKLM\..\Run: [NLYSFUNC.EXE] C:\WINDOWS\System32\nlysfunc.exe
    O4 - HKLM\..\Run: [AKVCMIS] C:\WINDOWS\AKVCMIS.exe
    O4 - HKLM\..\Run: [TEMP2] C:\windows\system\temp2.exe
    O4 - HKCU\..\Run: [MPRUI] C:\WINDOWS\System32\mprui.exe

    Make sure that all browser windows and internet links are closed, even this one!
    CLICK ’FIX CHECKED’ with HijackThis.



    HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

    SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).



    Delete TEMPORARY FILES: Now, use CCleaner to hunt down the most common temporary file locations and the temporary file clutter contained therein (and of possible malware hiding places):

    Run CCleaner.

    FIRST-TIME USE:
    Select the "Options" BUTTON option (top LEFT), "Advanced" BUTTON, and then UNCHECK the "Only delete files in Windows Temp Folders older than 48 hours". Set back to default afterwards.

    Select the "Cleaner" BUTTON option (top LEFT), if not already selected. Use the "Windows" TAB up front by default.
    • Uncheck "Cookies" option (advisable)
    • Optionally, Uncheck "Recently Typed URLs" option (potentially still useful)
    • Click the "Analyse" button.
    • Thereafter, click "Run Cleaner" after you have reviewed what it proposes to clean.

    ***** Clean out the Recycle Bin for items removed below, ONLY once you have regained the full functional use of your PC.




    Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):
    -- OR --
    Use <Windows+F KEYS> and paste each FULL FILENAME Search PATH line (where available).
    -NOTE-----> Windows KEY is located between the <Ctrl and Alt KEYS>.



    DELETE FILES:

    C:\WINDOWS\System32\nlysfunc.exe
    C:\WINDOWS\AKVCMIS.exe
    C:\windows\system\temp2.exe
    C:\WINDOWS\System32\mprui.exe




    POST A REVISED HIJACKTHIS LOG for review:
    • Reboot.
    • Post a new HijackThis log.
    • Provide any feedback commentary as appropriate - how things are now behaving: any new or remaining apparent issues.
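    The instructions above act on three kinds of HijackThis lines: O23 entries need the service name (the bracketed short name, or the plain text label when there is no bracket) rather than the exe path, O4 entries give the file to hunt down afterwards, and O17 entries carry the DNS servers the PC is using. The following script is an added example, not part of this thread or of HijackThis itself; it parses those three line formats and pulls out exactly those fields. The sample lines are copied from the logs quoted in this thread; the helper names (`exe_path`, `unverified_services`, etc.) are my own.

```python
"""Pull the actionable fields out of HijackThis O4 / O17 / O23 lines.

Constructed sample input: lines in the format HijackThis v2.0.2 prints,
taken from the logs quoted in this thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"',
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"O4 - HKLM\..\Run: [temp2] C:\windows\system\temp2.exe",
    r'O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized',
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{D06E1EE0-A96B-4B54-BEA6-EDB2A7716F35}: NameServer = 204.189.12.26,204.189.12.22",
    r"O17 - HKLM\System\CS1\Services\Tcpip\..\{171D1AD4-AFF6-4F6E-9367-1068D55CD372}: NameServer = 69.19.189.116 69.19.189.118",
    r"O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE",
    r"O23 - Service: ServiceHost32 - Unknown owner - C:\WINDOWS\System32\ServiceHost32.exe",
    r"O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe (file missing)",
]

# O4: registry hive, the [label] HijackThis shows, and the raw command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")
# O17: interface key and its NameServer value
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
# O23: "Display name (ShortName) - Owner - Path (file missing)"; both the
# short name and the "(file missing)" suffix are optional
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Service:
    display: str
    short: Optional[str]
    owner: str
    path: str
    file_missing: bool

    @property
    def hijackthis_name(self) -> str:
        """Name to type into 'Delete an NT Service': the bracketed short name
        when HijackThis printed one, otherwise the display text itself."""
        return self.short or self.display

    @property
    def unverified(self) -> bool:
        """No identifiable publisher, or the binary is already gone: the two
        traits shared by the O23 entries singled out for removal above."""
        return self.owner == "Unknown owner" or self.file_missing


def exe_path(cmd: str) -> str:
    """Return just the executable from a Run-key command line: a quoted path
    keeps its spaces, an unquoted one ends at the first space, so switches
    such as '/minimized' or '0 -k' are dropped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse(lines: List[str]):
    run: Dict[str, str] = {}      # label -> executable path
    dns: List[List[str]] = []     # one server list per O17 line
    services: List[Service] = []
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            run[m.group("label")] = exe_path(m.group("cmd"))
            continue
        m = O17_RE.match(line)
        if m:
            # HijackThis prints the servers space- or comma-separated
            dns.append([s for s in re.split(r"[,\s]+", m.group("servers")) if s])
            continue
        m = O23_RE.match(line)
        if m:
            services.append(Service(
                display=m.group("display"), short=m.group("short"),
                owner=m.group("owner"), path=m.group("path"),
                file_missing=m.group("missing") is not None,
            ))
    return run, dns, services


def run_entry_paths(lines: List[str]) -> Dict[str, str]:
    """[label] -> file on disk, i.e. the DELETE FILES list for any O4 entries you fix."""
    return parse(lines)[0]


def name_server_sets(lines: List[str]) -> List[List[str]]:
    """Every DNS server list found in O17 lines, to compare with what your ISP issues."""
    return parse(lines)[1]


def unverified_services(lines: List[str]) -> List[str]:
    """Service names, as 'Delete an NT Service' expects them, for O23 entries
    with an unknown owner or a missing binary."""
    return [s.hijackthis_name for s in parse(lines)[2] if s.unverified]


if __name__ == "__main__":
    for label, path in run_entry_paths(SAMPLE_LINES).items():
        print(f"O4  [{label}] -> {path}")
    for servers in name_server_sets(SAMPLE_LINES):
        print("O17 NameServer:", ", ".join(servers))
    for name in unverified_services(SAMPLE_LINES):
        print("O23 service to stop/disable/delete:", name)
```

    Run it against a saved log (one line per list entry) and the O23 output is the list of names to type into the Misc Tools box; note that it prints `SMSCGISVC`, not `smscg.exe`, because the service name and the file it points at are two different things.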

  7. #7
    Hello VOP:
    I did as instructed in Services.msc, disabling all three.
    These are the three I disabled:
    C:\WINDOWS\System32\ServiceHost32.exe
    C:\WINDOWS\system\smscg.exe
    C:\WINDOWS\system32\winmgr.exe
    When I ran HijackThis and tried to enter each of the exe files above in 'delete an NT service', I got an error message stating that 'this file does not exist in the registry'.
    Therefore I could go no further. I did try different permutations, just to see if I was perhaps entering something wrong, but no dice; the files are not there, and I was not given the option to click, nor was I asked to reboot.
    Thanks for your time on this; I really do appreciate it. It has been SO enjoyable, having a fast ( well, as fast as dialup CAN be) computer again. I look forward to these further fixes.
    Moose-like person

  8. #8
    VopThis, Senior Member (Canada)
    Post a new HijackThis LOG and we can go from there.

  9. #9
    HijackThis log of 4/29/08:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:57:14 AM, on 4/29/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Noey's Programs\SpySweeper 2.2 folderWebroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <none>
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
    O4 - HKLM\..\Run: [nlysfunc.exe] C:\WINDOWS\System32\nlysfunc.exe
    O4 - HKLM\..\Run: [AKVCMIS] C:\WINDOWS\AKVCMIS.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [temp2] C:\windows\system\temp2.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpySweeper] C:\Noey's Programs\SpySweeper 2.2 folderWebroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [mprui] C:\WINDOWS\System32\mprui.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://cmmonline.emc.uq.edu.au/activ...CamControl.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{171D1AD4-AFF6-4F6E-9367-1068D55CD372}: NameServer = 69.19.189.116 69.19.189.118
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D06E1EE0-A96B-4B54-BEA6-EDB2A7716F35}: NameServer = 204.189.12.26,204.189.12.22
    O17 - HKLM\System\CS1\Services\Tcpip\..\{171D1AD4-AFF6-4F6E-9367-1068D55CD372}: NameServer = 69.19.189.116 69.19.189.118
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

    --
    End of file - 4345 bytes

  10. #10
    VopThis, Senior Member (Canada)
    The first part of the fix seems to have been completed. Please complete the second half of my previous instructions to fix the following items:

    O4 - HKLM\..\Run: [NLYSFUNC.EXE] C:\WINDOWS\System32\nlysfunc.exe
    O4 - HKLM\..\Run: [AKVCMIS] C:\WINDOWS\AKVCMIS.exe
    O4 - HKLM\..\Run: [TEMP2] C:\windows\system\temp2.exe
    O4 - HKCU\..\Run: [MPRUI] C:\WINDOWS\System32\mprui.exe




    Post a revised HijackThis LOG and any current observations.
