browser redirect and sluggish startup; HT log added in Security Cleanup

browser redirect and sluggish startup; HT log added in Security Cleanup http://www.dslreports.com/forum/r20389409 en Fri, 25 Jul 2008 20:36:41 EDT Fri, 25 Jul 2008 20:36:41 EDT Re: browser redirect and sluggish startup; HT log added http://www.dslreports.com/forum/remark,20438270 bcastner : Look again. You want the JRE, Type SE, not any other type. (It is the fifth choice on the site). Click the "Download" button. Set the scroll box choices to "Windows" and "Multi-Language." The "Offline Installation" download choice you will then see as an offering is a complete download of the update, requiring no communication during its installation with Sun. Do not check the box, just click the light blue link below the description of the Offline choice to start the download. The download is 15.21 MB in size.

When finished, follow my earlier instructions on running this, and deleting older versions.
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,20438270 Tue, 06 May 2008 03:32:12 EDT Re: browser redirect and sluggish startup; HT log added http://www.dslreports.com/forum/remark,20438175 RandallW : I downloaded the first file ( the JNLP type ), which then tries download the large executable; the download attempt barfs at %5, then retries 20 times ( by default setup ).]]> http://www.dslreports.com/forum/remark,20438175 Tue, 06 May 2008 02:34:12 EDT Re: browser redirect and sluggish startup; HT log added http://www.dslreports.com/forum/remark,20422129 bcastner : Go to »java.sun.com/javase/downloads/index.jsp

Locate: Download Java Runtime Environment (JRE) 6 Update 6

Without checking the box, click on jre-6u6-windows-i586-p.exe directly underneath Windows Offline Installation
SAVE it to your desktop, do not RUN it.

When the download is complete, close all browser windows and double-click on the saved file (jre-6u6-windows-i586-p.exe) to install the update. Be patient: It may take five (5) minutes or more for the installation to complete.
UNCHECK the option to install Google Toolbar if you don't want it. Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

Open Control Panel > Add/Remove Programs:
Uninstall anything that says Sun Java, Java JRE, or similar except Java TM 6 Update 6 which you just installed.
Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java. Delete any subfolders except the subfolder jre1.6.0_06 which was just created by the installation above.

Do NOT delete C:\Program Files\JavaVM --
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,20422129 Fri, 02 May 2008 16:01:33 EDT Re: browser redirect and sluggish startup; HT log added http://www.dslreports.com/forum/remark,20421290 RandallW : The Sun website is not user intuitive, so I wasn't able to find an update for Java. I do not have a full version of Acrobat; just free Adobe Reader. Everything else was done.]]> http://www.dslreports.com/forum/remark,20421290 Fri, 02 May 2008 13:06:34 EDT Re: browser redirect and sluggish startup; HT log added http://www.dslreports.com/forum/remark,20412003 bcastner : 1. Run MBAM once again, just as we did previously.
I will not need a log file from this session.
Uninstall MBAM when done using Add or Remove Programs.

2. Open a new Notepad session - (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from below into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

• Disconnect from the Internet.
• Disable your Antivirus. If the Antivirus software you use has any Script Blocking features, be certain to disable these as well.
Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any Disclaimers to start the fix.
Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown in this little picture:

I will not need a log from this Combofix session.

Open Acrobat if you have the Full Version installed Click Help and run the Upgrade applet found there. If no update is offered: Use the Preferences, Internet submenu of Acrobat and uncheck to integrate with your Browser. Close Acrobat.
Whether you had the Full Version of Acrobat or not, download and install Adobe Reader 8.1.1 and use this as the integrated PDF Reader insider your browser: »www.adobe.com/products/acrobat/r···ep2.html

Clean-up & Prevention:

• Right click "My Computer", Properties, and then click the System Restore tab. Checkmark the box at the top to stop System Restore on all drives. Click the "Apply" button. Agree to the deletion of old Restore Points. Then uncheck the box at the top and again click the "Apply" button. Finally, click the "OK" button. This will create a new Restore Point reflecting your clean system state.

• Click Start, then click Run.
Enter into the command box that opens: combofix /u and then click OK.
(If we have renamed this file, please use the current name for the program in this instruction.)

• Run ATF Cleaner

, and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.

• Use Control Panel, Add or Remove Programs, and Uninstall any entry related to an On-Line scanner we may have used.
If you find any files or folders created during this cleanup operation remaining, please feel free to delete them.

• Please update your Version of Adobe Reader to the current release of 8.1.12
• Consider updating your Sun Java version at the Sun web site to the current version of 1.06.5

• Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.

• If I asked you to Disable something like TeaTimer or another malware blocker, please go ahead an re-enable them if you wish.

• Download and install Comodo BOClean (free):

• Download, install, and keep updated Spyware Blaster (free):

• Download, install, and keep updated SpyBot S&D (free) if you have not yet done so:
Tutorial:

• Download, install, and keep updated AdAware 2007 by Lavasoft (free), if you have not done so:
Tutorial:

• Refer to my first set of instructions above, and reconfigure Hidden Files and Folders to your choosing.

Best wishes.
Bill Castner

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,20412003 Wed, 30 Apr 2008 16:39:25 EDT Re: browser redirect and sluggish startup; HT log added http://www.dslreports.com/forum/remark,20410746 RandallW : Combofix log:

ComboFix 08-04-26.5 - RandallW 2008-04-29 17:21:08.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.80 [GMT -7:00]
Running from: C:\Documents and Settings\RandallW\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\RandallW\Desktop\CFscript.txt
* Created a new restore point

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]

FILE ::
c:\docume~1\randallw\applic~1\intern~1\Bike Team Anti.exe
C:\Documents and Settings\RandallW\Application Data\internaldb41.dat
C:\Documents and Settings\RandallW\Start Menu\Programs\StartupKERclink.lnk
C:\jfsADi.exe
C:\QqBMmT.exe
C:\WINDOWS\6459SFL2.ocx
C:\WINDOWS\BM2bfe5c27.xml
C:\WINDOWS\fetchuserid.exe
C:\WINDOWS\hcwemMON.exe
C:\WINDOWS\O498NP3Q.ocx
C:\WINDOWS\QR40374O.ocx
C:\WINDOWS\system32\bliixwbb.ini
C:\WINDOWS\system32\JIPE1H35.ocx
C:\WINDOWS\system32\onnmp.bak
C:\WINDOWS\system32\prdyak.exe
C:\WINDOWS\Tasks\AA66FD7B91857723.job
C:\WINDOWS\unins000.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\RandallW\Application Data\internaldb41.dat
C:\jfsADi.exe
C:\PROGRA~1\Coupons
C:\PROGRA~1\Coupons\Coupons.com.url
C:\PROGRA~1\Coupons\uninstall.exe
C:\PROGRA~1\Coupons\Uninstall\IRIMG1.JPG
C:\PROGRA~1\Coupons\Uninstall\IRIMG2.JPG
C:\PROGRA~1\Coupons\Uninstall\IRIMG3.JPG
C:\PROGRA~1\Coupons\Uninstall\IRIMG4.JPG
C:\PROGRA~1\Coupons\Uninstall\IRIMG5.JPG
C:\PROGRA~1\Coupons\Uninstall\IRIMG6.JPG
C:\PROGRA~1\Coupons\Uninstall\IRIMG7.JPG
C:\PROGRA~1\Coupons\Uninstall\IRIMG8.JPG
C:\PROGRA~1\Coupons\Uninstall\uninstall.dat
C:\PROGRA~1\Coupons\Uninstall\uninstall.xml
C:\QqBMmT.exe
C:\WINDOWS\6459SFL2.ocx
C:\WINDOWS\BM2bfe5c27.xml
C:\WINDOWS\fetchuserid.exe
C:\WINDOWS\hcwemMON.exe
C:\WINDOWS\O498NP3Q.ocx
C:\WINDOWS\QR40374O.ocx
C:\WINDOWS\system32\bliixwbb.ini
C:\WINDOWS\system32\JIPE1H35.ocx
C:\WINDOWS\system32\prdyak.exe
C:\WINDOWS\Tasks\AA66FD7B91857723.job
C:\WINDOWS\unins000.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.

2008-04-26 16:02 . 2008-04-26 16:02 d-------- C:\Documents and Settings\RandallW\Application Data\Malwarebytes
2008-04-26 15:58 . 2008-04-26 15:59 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 15:58 . 2008-04-26 15:58 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-26 02:07 . 2008-04-26 16:51 d-------- C:\Program Files\EsetOnlineScanner
2008-04-24 23:48 . 2008-04-24 23:48 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-22 22:08 . 2008-04-22 22:08 d-------- C:\Documents and Settings\RandallW\Application Data\Grisoft
2008-04-22 21:34 . 2008-04-22 21:34 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-22 21:34 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-22 21:10 . 2008-04-22 21:10 d-------- C:\Program Files\Windows Defender
2008-04-22 15:59 . 2008-04-22 15:59 d-------- C:\Program Files\Trend Micro
2008-04-20 16:11 . 2008-04-27 20:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-20 16:11 . 2008-04-20 16:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-15 13:27 . 2001-08-17 22:36 94,720 --a------ C:\WINDOWS\system32\umaxud32.dll
2008-04-15 13:27 . 2001-08-17 22:36 94,720 --a--c--- C:\WINDOWS\system32\dllcache\umaxud32.dll
2008-04-15 13:27 . 2001-08-17 22:36 69,632 --a------ C:\WINDOWS\system32\umaxu12.dll
2008-04-15 13:27 . 2001-08-17 22:36 69,632 --a--c--- C:\WINDOWS\system32\dllcache\umaxu12.dll
2008-04-15 13:27 . 2001-08-17 22:36 50,688 --a------ C:\WINDOWS\system32\umaxscan.dll
2008-04-15 13:27 . 2001-08-17 22:36 50,688 --a--c--- C:\WINDOWS\system32\dllcache\umaxscan.dll
2008-04-15 13:27 . 2008-04-15 13:31 136 --a------ C:\WINDOWS\ppdrv.ini
2008-04-13 00:56 . 2008-04-13 01:02 d-------- C:\Program Files\Norton AntiVirus
2008-04-13 00:55 . 2008-04-13 00:57 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-13 00:55 . 2008-04-13 00:57 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-04-13 00:54 . 2008-04-21 10:03 d-------- C:\Program Files\Symantec
2008-04-11 15:30 . 2008-04-11 15:30 d--h----- C:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-04-11 15:30 . 2008-04-11 15:30 d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-04-11 15:30 . 2007-04-15 22:00 215,040 --a------ C:\WINDOWS\system32\CNMLM8V.DLL
2008-04-11 15:29 . 2008-04-11 15:29 d--h----- C:\Program Files\CanonBJ
2008-03-30 17:17 . 2008-03-24 09:58 920,304 --a------ C:\WINDOWS\system32\WindowsXP-KB905519-x86-ENU.exe
2008-03-29 00:27 . 2008-03-24 09:58 920,304 --a------ C:\WINDOWS\WindowsXP-KB905519-x86-ENU.exe
2008-03-22 01:45 . 2001-08-23 12:06 36,864 --a------ C:\WINDOWS\system32\CNMCP0W.EXE
2008-03-20 00:32 . 2008-04-29 14:13 d-------- C:\Program Files\yEnc32
2008-03-19 22:53 . 2001-08-28 16:00 94,720 --a------ C:\WINDOWS\system32\CNMLM0W.DLL
2008-03-19 22:53 . 2001-08-28 16:00 5,632 --a------ C:\WINDOWS\system32\CNMVS0W.DLL
2008-03-15 17:50 . 2008-03-15 17:50 d-------- C:\Program Files\SystemRequirementsLab
2008-03-04 14:39 . 2004-08-04 01:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-03-04 14:39 . 2001-08-17 23:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-03-04 14:39 . 2001-08-17 23:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-03-04 14:39 . 2001-08-17 23:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-03-04 14:39 . 2001-08-17 23:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-03-04 14:39 . 2001-08-17 13:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-03-04 14:39 . 2004-08-04 01:56 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2008-03-04 14:39 . 2001-08-17 23:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-03-04 14:37 . 2001-08-17 14:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-03-04 14:36 . 2001-08-17 13:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-03-04 14:35 . 2001-08-17 15:56 147,200 --a--c--- C:\WINDOWS\system32\dllcache\smidispb.dll
2008-03-04 14:34 . 2001-08-17 23:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-03-04 14:33 . 2001-08-17 14:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-03-04 14:32 . 2004-08-04 01:56 259,328 --a--c--- C:\WINDOWS\system32\dllcache\perm3dd.dll
2008-03-04 14:31 . 2001-08-17 15:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-03-04 14:30 . 2004-08-03 23:31 132,695 --a--c--- C:\WINDOWS\system32\dllcache\netwlan5.sys
2008-03-04 14:29 . 2001-08-17 13:50 320,384 --a--c--- C:\WINDOWS\system32\dllcache\mgaum.sys
2008-03-04 14:28 . 2001-08-17 14:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-03-04 14:27 . 2004-08-04 01:56 152,576 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
2008-03-04 14:26 . 2001-08-17 14:28 542,879 --a--c--- C:\WINDOWS\system32\dllcache\hsf_msft.sys
2008-03-04 14:25 . 2001-08-17 15:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-03-04 14:24 . 2001-08-17 13:17 629,952 --a--c--- C:\WINDOWS\system32\dllcache\eqn.sys
2008-03-04 14:23 . 2001-08-17 13:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-03-04 14:22 . 2001-08-17 23:36 614,429 --a--c--- C:\WINDOWS\system32\dllcache\digiview.exe
2008-03-04 14:21 . 2001-08-17 13:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-03-04 14:20 . 2001-08-17 15:05 314,752 --a--c--- C:\WINDOWS\system32\dllcache\camdro21.sys
2008-03-04 14:19 . 2001-08-17 14:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-03-04 14:18 . 2001-08-17 15:55 382,592 --a--c--- C:\WINDOWS\system32\dllcache\atidrab.dll
2008-03-04 14:17 . 2001-08-17 14:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-03-04 14:16 . 2001-08-17 15:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 22:45 4,741 ----a-w C:\WINDOWS\compaq.reg
2008-04-27 21:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-27 03:55 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-25 06:51 --------- d-----w C:\Program Files\Lavasoft
2008-04-23 04:43 --------- d-----w C:\Program Files\DivX
2008-04-14 01:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-13 07:57 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-04-13 07:57 10,563 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-04-11 22:38 --------- d-----w C:\Program Files\Canon
2008-03-22 02:49 --------- d-----w C:\Program Files\Replay Music
2008-03-22 02:45 --------- d-----w C:\Program Files\Math ActivityMaker-Primary
2008-03-22 02:43 --------- d-----w C:\Program Files\Math ActivityMaker- Skills
2008-03-22 02:43 --------- d-----w C:\Program Files\Math ActivityMaker- Fractions
2008-03-21 16:53 --------- d-----w C:\Program Files\Java
2008-03-07 04:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 04:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 04:32 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2004-05-09 06:55 4,571,136 ------w C:\Documents and Settings\GameSpot DLX Secure Delivery\chordtrainersetup.exe
2004-02-11 18:52 2,989,381 ------w C:\Documents and Settings\GameSpot DLX Secure Delivery\oaw2102.zip
2003-07-31 17:03 3,188 ----a-w C:\Program Files\dvdxcopy301.nfo
2003-01-12 01:52 457 ----a-w C:\Program Files\INSTALL.LOG
2004-06-17 03:58 56 --sha-r C:\WINDOWS\system32\5A50D87783.sys
2004-10-12 06:42 11,270 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-21 16:53 1,592,642 --sha-w C:\WINDOWS\system32\onnmp.bak1
2003-08-05 05:25 220 --sha-w C:\WINDOWS\system32\ss.drv
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C1CE040-5D65-422E-84C6-EFD6EEFCFA93}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{259274E6-3FEB-5341-BD13-A1A07A9AD77A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B76EB42-6211-417E-9A5D-EA8233C749EB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2CB8C4B2-9DAF-4263-818E-835A955224D1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-C1EA-F165BB85A330}]
2007-10-13 19:48 1909248 --a------ C:\PROGRA~1\mypoints\mypoints.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-04-13 01:00 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-CEC4-75A487FD6484}]
2007-10-13 19:48 1909248 --a------ C:\PROGRA~1\mypoints\mypoints.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF27A651-36B9-4264-848E-87911D600D4B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6C97034-AD95-4205-8055-CAED72E7282A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4E7BD74F-2B8D-469E-C1EA-F165BB85A330}"= "C:\PROGRA~1\mypoints\mypoints.dll" [2007-10-13 19:48 1909248]
"{A057A204-BACC-4D26-CEC4-75A487FD6484}"= "C:\PROGRA~1\mypoints\mypoints.dll" [2007-10-13 19:48 1909248]

[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-c1ea-f165bb85a330}]
[HKEY_CLASSES_ROOT\mypoints.MYPOINTS]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-cec4-75a487fd6484}]
[HKEY_CLASSES_ROOT\mypoints.MYPOINTS]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4E7BD74F-2B8D-469E-C1EA-F165BB85A330}"= C:\PROGRA~1\mypoints\mypoints.dll [2007-10-13 19:48 1909248]
"{A057A204-BACC-4D26-CEC4-75A487FD6484}"= C:\PROGRA~1\mypoints\mypoints.dll [2007-10-13 19:48 1909248]

[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-c1ea-f165bb85a330}]
[HKEY_CLASSES_ROOT\mypoints.MYPOINTS]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-cec4-75a487fd6484}]
[HKEY_CLASSES_ROOT\mypoints.MYPOINTS]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 17:25 94208]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"@"="C:\Program Files\Internet Explorer\iexplore.exe" [2004-08-04 00:56 93184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPQEASYACC"="C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 15:01 32768]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2004-07-26 05:21 705808]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-10 15:36 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-02-20 21:20 77824]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-11-13 15:43 98304]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 07:51 442455]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 18:01 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 18:50 1603152]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 18:47 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2008-02-06 23:49 718704]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25 6731312]
"BM2bfe5c27"="C:\WINDOWS\system32\jwhhvurp.dll" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUmJDuS]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.PIXL"= pclepixl.dll
"VIDC.NTN1"= Nuvision.ax
"VIDC.YV12"= vvlcodec.dll
"mixer"= APTRRNTm.dll
"wave"= APTRRNTm.dll
"VIDC.PIM1"= pclepim1.dll
"vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax
"MSVideo"= lvfwwdmt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccPxySvc"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys [2002-11-28 03:43]
R1 bpfinder;BACKPACK Finder;C:\WINDOWS\system32\DRIVERS\bpfinder.sys [2003-09-29 09:36]
R1 tvtool;tvtool;C:\Program Files\TVTool 8 base\tvtool.sys [1996-04-03 11:33]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 PGPsdkDriver;PGPsdkDriver;C:\WINDOWS\System32\drivers\PGPsdk.sys [2005-07-27 14:23]
R3 bpflt;BACKPACK Filter;C:\WINDOWS\system32\DRIVERS\bpflt.sys [2003-09-29 09:37]
R3 bpusbflt;BACKPACK USB Filter;C:\WINDOWS\system32\DRIVERS\bpusbflt.sys [2004-06-23 13:13]
S3 bppccard;BACKPACK PC Card;C:\WINDOWS\system32\DRIVERS\bppccard.sys [2003-09-29 09:40]
S3 bppnpdrv;BACKPACK Driver;C:\WINDOWS\system32\DRIVERS\bppnpdrv.sys [2003-09-29 09:57]
S3 bpusbdrv;BACKPACK USB 1 Cable;C:\WINDOWS\system32\DRIVERS\bpusbdrv.sys [2003-09-29 09:59]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 JumpShot;Lexar Media USB Compact Flash Driver;C:\WINDOWS\system32\DRIVERS\LEXAR2K.SYS [2001-10-19 14:57]
S3 NUVision;Pinnacle LINX;C:\WINDOWS\system32\DRIVERS\NUVision.sys [2000-07-16 11:52]
S3 SUNPLUS;SightCAM PC-100p;C:\WINDOWS\system32\Drivers\SPIXNEW.SYS []
S3 USB28xxBGA;WinTV HVR-900;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2007-01-29 22:20]
S3 USB28xxOEM;WinTV OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2007-01-29 22:19]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - "E:\Toaw-CW\opart CW.exe" autorun

.
Contents of the 'Scheduled Tasks' folder
"2008-04-27 23:27:22 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-13 08:11:39 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - RandallW.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-04-29 17:38:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-29 17:51:56
ComboFix-quarantined-files.txt 2008-04-30 00:51:42
ComboFix2.txt 2008-04-28 00:43:22

Pre-Run: 14,708,826,112 bytes free
Post-Run: 14,797,406,208 bytes free

283

==========================================

ESET scan log:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3064 (20080429)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=ab020ffaac84eb4ca2845adea54587e8
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-04-30 12:44:56
# local_time=2008-04-30 05:44:56 (-0800, Pacific Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=690404
# found=0
# scan_time=13633]]> http://www.dslreports.com/forum/remark,20410746 Wed, 30 Apr 2008 12:57:10 EDT Re: browser redirect and sluggish startup; HT log added http://www.dslreports.com/forum/remark,20403866 bcastner : 1. Right-click on the header of the Code box below, where on the right side it says: "Copy to clipboard":

Folder::C:\PROGRA~1\CASHSU~1C:\PROGRA~1\Coupons File::C:\WINDOWS\system32\JIPE1H35.ocxC:\WINDOWS\QR40374O.ocxC:\WINDOWS\O498NP3Q.ocxC:\WINDOWS\6459SFL2.ocxC:\WINDOWS\system32\bliixwbb.iniC:\WINDOWS\BM2bfe5c27.xmlC:\jfsADi.exeC:\QqBMmT.exeC:\WINDOWS\fetchuserid.exeC:\WINDOWS\unins000.exeC:\Documents and Settings\RandallW\Application Data\internaldb41.datC:\WINDOWS\system32\onnmp.bakC:\WINDOWS\Tasks\AA66FD7B91857723.jobc:\docume~1\randallw\applic~1\intern~1\Bike Team Anti.exeC:\Documents and Settings\RandallW\Start Menu\Programs\StartupKERclink.lnkC:\WINDOWS\hcwemMON.exeC:\WINDOWS\system32\prdyak.exe Registry::[-HKLM\~\startupfolder\C:^Documents and Settings^RandallW^Start Menu^Programs^Startup^KERclink.lnk][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CashSurfers CashBar Navigator][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hcwemMON][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lforb][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]

Open a new Notepad session - (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

• Disconnect from the Internet.
• Disable your Antivirus. If the Antivirus software you use has any Script Blocking features, be certain to disable these as well.
Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any Disclaimers to start the fix.
Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown in this little picture:

When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.
•!• A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

2. Eset NOD32 scanner
Go here to run an online scannner from ESET: »www.eset.eu/online-scanner
Note: You will need to use Internet Explorer for this scan.

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Disable your Antivirus software. You can usually do this with its Notfication Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Checked, and the option "Scan unwanted applications" is also Checked.
• Click Scan.
• Wait for the scan to finish.
• :!: Re-enable your Anvirisus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. We will need this later.

Post back the contents of C:\Combofix.txt, and the ESET scan results -- C:\Program Files\EsetOnlineScanner\log.txt.

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,20403866 Tue, 29 Apr 2008 07:24:14 EDT Re: browser redirect and sluggish startup; HT log added http://www.dslreports.com/forum/remark,20397100 randyw01 : Combofix log:

ComboFix 08-04-26.5 - RandallW 2008-04-27 16:04:47.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.123 [GMT -7:00]
Running from: C:\Documents and Settings\RandallW\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\RandallW\Desktop\CFscript.txt
* Created a new restore point

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\dllcache\spoolsv.exe
.
---- Previous Run -------
.
C:\Program Files\download plugin
C:\Temp\fse
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\command.pif
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\uninsticn.exe
C:\WINDOWS\system32\update.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GDIW2K
-------\Legacy_NPF
-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

28980-04-03 02:41 . 28980-04-03 02:41 3,120 --a------ C:\WINDOWS\system32\JIPE1H35.ocx
28980-04-03 02:41 . 28980-04-03 02:41 3,120 --a------ C:\WINDOWS\QR40374O.ocx
28980-04-03 02:41 . 28980-04-03 02:41 3,120 --a------ C:\WINDOWS\O498NP3Q.ocx
28980-04-03 02:41 . 28980-04-03 02:41 3,120 --a------ C:\WINDOWS\6459SFL2.ocx
2008-04-26 16:02 . 2008-04-26 16:02 d-------- C:\Documents and Settings\RandallW\Application Data\Malwarebytes
2008-04-26 15:58 . 2008-04-26 15:59 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 15:58 . 2008-04-26 15:58 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-26 02:07 . 2008-04-26 16:51 d-------- C:\Program Files\EsetOnlineScanner
2008-04-24 23:48 . 2008-04-24 23:48 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-24 22:03 . 2008-04-24 22:04 1,509,099 --ahs---- C:\WINDOWS\system32\bliixwbb.ini
2008-04-24 21:59 . 2008-04-26 15:57 109,756 --a------ C:\WINDOWS\BM2bfe5c27.xml
2008-04-22 22:08 . 2008-04-22 22:08 d-------- C:\Documents and Settings\RandallW\Application Data\Grisoft
2008-04-22 21:34 . 2008-04-22 21:34 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-22 21:34 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-22 21:10 . 2008-04-22 21:10 d-------- C:\Program Files\Windows Defender
2008-04-22 15:59 . 2008-04-22 15:59 d-------- C:\Program Files\Trend Micro
2008-04-20 16:11 . 2008-04-20 16:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-20 16:11 . 2008-04-20 16:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-15 13:27 . 2001-08-17 22:36 94,720 --a------ C:\WINDOWS\system32\umaxud32.dll
2008-04-15 13:27 . 2001-08-17 22:36 94,720 --a--c--- C:\WINDOWS\system32\dllcache\umaxud32.dll
2008-04-15 13:27 . 2001-08-17 22:36 69,632 --a------ C:\WINDOWS\system32\umaxu12.dll
2008-04-15 13:27 . 2001-08-17 22:36 69,632 --a--c--- C:\WINDOWS\system32\dllcache\umaxu12.dll
2008-04-15 13:27 . 2001-08-17 22:36 50,688 --a------ C:\WINDOWS\system32\umaxscan.dll
2008-04-15 13:27 . 2001-08-17 22:36 50,688 --a--c--- C:\WINDOWS\system32\dllcache\umaxscan.dll
2008-04-15 13:27 . 2008-04-15 13:31 136 --a------ C:\WINDOWS\ppdrv.ini
2008-04-13 00:56 . 2008-04-13 01:02 d-------- C:\Program Files\Norton AntiVirus
2008-04-13 00:55 . 2008-04-13 00:57 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-13 00:55 . 2008-04-13 00:57 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-04-13 00:54 . 2008-04-21 10:03 d-------- C:\Program Files\Symantec
2008-04-11 15:30 . 2008-04-11 15:30 d--h----- C:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-04-11 15:30 . 2008-04-11 15:30 d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-04-11 15:30 . 2007-04-15 22:00 215,040 --a------ C:\WINDOWS\system32\CNMLM8V.DLL
2008-04-11 15:29 . 2008-04-11 15:29 d--h----- C:\Program Files\CanonBJ
2008-03-30 17:17 . 2008-03-24 09:58 920,304 --a------ C:\WINDOWS\system32\WindowsXP-KB905519-x86-ENU.exe
2008-03-29 00:27 . 2008-03-24 09:58 920,304 --a------ C:\WINDOWS\WindowsXP-KB905519-x86-ENU.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 00:24 4,741 ----a-w C:\WINDOWS\compaq.reg
2008-04-27 21:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-27 04:48 --------- d-----w C:\Program Files\yEnc32
2008-04-27 03:55 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-25 06:51 --------- d-----w C:\Program Files\Lavasoft
2008-04-23 04:43 --------- d-----w C:\Program Files\DivX
2008-04-14 01:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-13 07:57 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-04-13 07:57 10,563 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-04-11 22:38 --------- d-----w C:\Program Files\Canon
2008-04-02 19:45 --------- d-----w C:\Program Files\Coupons
2008-03-22 02:49 --------- d-----w C:\Program Files\Replay Music
2008-03-22 02:45 --------- d-----w C:\Program Files\Math ActivityMaker-Primary
2008-03-22 02:43 --------- d-----w C:\Program Files\Math ActivityMaker- Skills
2008-03-22 02:43 --------- d-----w C:\Program Files\Math ActivityMaker- Fractions
2008-03-21 16:53 --------- d-----w C:\Program Files\Java
2008-03-16 00:50 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-03-10 03:14 635 ----a-w C:\jfsADi.exe
2008-03-07 04:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 04:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 04:32 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-03-06 08:36 635 ----a-w C:\QqBMmT.exe
2008-02-13 05:30 7,680 ----a-w C:\WINDOWS\fetchuserid.exe
2008-02-11 23:26 691,545 ----a-w C:\WINDOWS\unins000.exe
2006-07-10 02:09 0 ----a-w C:\Documents and Settings\RandallW\Application Data\internaldb41.dat
2004-05-09 06:55 4,571,136 ------w C:\Documents and Settings\GameSpot DLX Secure Delivery\chordtrainersetup.exe
2004-02-11 18:52 2,989,381 ------w C:\Documents and Settings\GameSpot DLX Secure Delivery\oaw2102.zip
2003-07-31 17:03 3,188 ----a-w C:\Program Files\dvdxcopy301.nfo
2003-01-12 01:52 457 ----a-w C:\Program Files\INSTALL.LOG
2004-06-17 03:58 56 --sha-r C:\WINDOWS\system32\5A50D87783.sys
2004-10-12 06:42 11,270 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-21 16:53 1,592,642 --sha-w C:\WINDOWS\system32\onnmp.bak1
2003-08-05 05:25 220 --sha-w C:\WINDOWS\system32\ss.drv
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-C1EA-F165BB85A330}]
2007-10-13 19:48 1909248 --a------ C:\PROGRA~1\mypoints\mypoints.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-04-13 01:00 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-CEC4-75A487FD6484}]
2007-10-13 19:48 1909248 --a------ C:\PROGRA~1\mypoints\mypoints.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4E7BD74F-2B8D-469E-C1EA-F165BB85A330}"= C:\PROGRA~1\mypoints\mypoints.dll [2007-10-13 19:48 1909248]
"{A057A204-BACC-4D26-CEC4-75A487FD6484}"= C:\PROGRA~1\mypoints\mypoints.dll [2007-10-13 19:48 1909248]

[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-c1ea-f165bb85a330}]
[HKEY_CLASSES_ROOT\mypoints.MYPOINTS]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-cec4-75a487fd6484}]
[HKEY_CLASSES_ROOT\mypoints.MYPOINTS]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 17:25 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPQEASYACC"="C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 15:01 32768]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2004-07-26 05:21 705808]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-10 15:36 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-02-20 21:20 77824]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-11-13 15:43 98304]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 07:51 442455]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 18:01 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 18:50 1603152]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 18:47 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2008-02-06 23:49 718704]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25 6731312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.PIXL"= pclepixl.dll
"VIDC.NTN1"= Nuvision.ax
"VIDC.YV12"= vvlcodec.dll
"mixer"= APTRRNTm.dll
"wave"= APTRRNTm.dll
"VIDC.PIM1"= pclepim1.dll
"vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax
"MSVideo"= lvfwwdmt.dll

[HKLM\~\startupfolder\C:^Documents and Settings^RandallW^Start Menu^Programs^Startup^KERclink.lnk]
backup=C:\WINDOWS\pss\KERclink.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CashSurfers CashBar Navigator]
C:\PROGRA~1\CASHSU~1\Cashbar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hcwemMON]
--a------ 2007-03-29 18:22 61440 C:\WINDOWS\hcwemMON.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lforb]
--a------ 2006-07-09 19:06 127488 C:\WINDOWS\system32\prdyak.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccPxySvc"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys [2002-11-28 03:43]
R1 bpfinder;BACKPACK Finder;C:\WINDOWS\system32\DRIVERS\bpfinder.sys [2003-09-29 09:36]
R1 tvtool;tvtool;C:\Program Files\TVTool 8 base\tvtool.sys [1996-04-03 11:33]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 PGPsdkDriver;PGPsdkDriver;C:\WINDOWS\System32\drivers\PGPsdk.sys [2005-07-27 14:23]
R3 bpflt;BACKPACK Filter;C:\WINDOWS\system32\DRIVERS\bpflt.sys [2003-09-29 09:37]
R3 bpusbflt;BACKPACK USB Filter;C:\WINDOWS\system32\DRIVERS\bpusbflt.sys [2004-06-23 13:13]
S3 bppccard;BACKPACK PC Card;C:\WINDOWS\system32\DRIVERS\bppccard.sys [2003-09-29 09:40]
S3 bppnpdrv;BACKPACK Driver;C:\WINDOWS\system32\DRIVERS\bppnpdrv.sys [2003-09-29 09:57]
S3 bpusbdrv;BACKPACK USB 1 Cable;C:\WINDOWS\system32\DRIVERS\bpusbdrv.sys [2003-09-29 09:59]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 JumpShot;Lexar Media USB Compact Flash Driver;C:\WINDOWS\system32\DRIVERS\LEXAR2K.SYS [2001-10-19 14:57]
S3 NUVision;Pinnacle LINX;C:\WINDOWS\system32\DRIVERS\NUVision.sys [2000-07-16 11:52]
S3 SUNPLUS;SightCAM PC-100p;C:\WINDOWS\system32\Drivers\SPIXNEW.SYS []
S3 USB28xxBGA;WinTV HVR-900;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2007-01-29 22:20]
S3 USB28xxOEM;WinTV OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2007-01-29 22:19]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - "E:\Toaw-CW\opart CW.exe" autorun

.
Contents of the 'Scheduled Tasks' folder
"2008-04-28 00:00:00 C:\WINDOWS\Tasks\AA66FD7B91857723.job"
- c:\docume~1\randallw\applic~1\intern~1\Bike Team Anti.exe
"2008-04-27 23:27:22 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-13 08:11:39 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - RandallW.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-04-27 17:25:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\compaq\Easy Access Button Support\CPQEADM.exe
C:\Compaq\EAKDRV\EAUSBKBD.exe
C:\PROGRA~1\compaq\EASYAC~1\BttnServ.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
.
**************************************************************************
.
Completion time: 2008-04-27 17:43:14 - machine was rebooted [RandallW]
ComboFix-quarantined-files.txt 2008-04-28 00:42:22

Pre-Run: 14,642,917,376 bytes free
Post-Run: 14,996,099,072 bytes free

242

=============================================

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:24:31 PM, on 4/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MyPoints Toolbar - {4E7BD74F-2B8D-469E-C1EA-F165BB85A330} - C:\PROGRA~1\mypoints\mypoints.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: PrintMe - {97387E2B-B2FA-4E4A-A607-F3B5C134F71C} - C:\Program Files\EFI\PrintMeToolbar\htpmcap.dll
O2 - BHO: MYPOINTS - {A057A204-BACC-4D26-CEC4-75A487FD6484} - C:\PROGRA~1\mypoints\mypoints.dll
O3 - Toolbar: PrintMe - {97387E2B-B2FA-4E4A-A607-F3B5C134F71C} - C:\Program Files\EFI\PrintMeToolbar\htpmcap.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted IP range: 192.168.1.81
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - »www.worldwinner.com/games/v46/sc···ubes.cab
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} (Mines Control) - »www.worldwinner.com/games/v41/mi···ines.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - »support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - »www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - »www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam Control) - »www.worldwinner.com/games/v47/sk···lgam.cab
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - »https://www.peoplepc.com/ppcos/ISP60/Dow···webi.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - »www.worldwinner.com/games/v46/sh···ader.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - »www.rovion.com/Controls/Rovion.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - »us.chat1.yimg.com/us.yimg.com/i/···scom.cab
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - »www.worldwinner.com/games/v48/br···kout.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - »www.worldwinner.com/games/v50/pool/pool.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - »www.worldwinner.com/games/v43/ji···gsaw.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - »www.symantec.com/techsupp/asa/ss···tlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - »www.symantec.com/techsupp/asa/ss···tlsr.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} (WWHearts Control) - »www.worldwinner.com/games/v52/ww···arts.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - »www.worldwinner.com/games/v63/bj···/bja.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - »www.worldwinner.com/games/v46/be···eled.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - »www.worldwinner.com/games/v49/bl···werx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »www.update.microsoft.com/microso···79311687
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - »www.worldwinner.com/games/v41/fr···cell.cab
O16 - DPF: {6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89} - »ip.135mp3.com/135mp3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - »www.update.microsoft.com/microso···79299890
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - »chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - »www.worldwinner.com/games/shared···unch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - »www.worldwinner.com/games/v46/wo···mojo.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - »www.worldwinner.com/games/v57/cu···ubis.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - »www.worldwinner.com/games/v46/sol/sol.cab
O16 - DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} (WwLuxor Control) - »www.worldwinner.com/games/v49/lu···uxor.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - »www.worldwinner.com/games/v67/sw···apit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - »www.worldwinner.com/games/v41/ha···gman.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - »www.worldwinner.com/games/v42/ti···city.cab
O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} (Royal Control) - »www.worldwinner.com/games/v45/ro···oyal.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - »download.mcafee.com/molbin/share···dmgr.cab
O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - »www.worldwinner.com/games/v50/di···dash.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - »www.worldwinner.com/games/v43/pa···aint.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - »www.live365.com/players/play365.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - »www.worldwinner.com/games/v47/fa···feud.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - »www.worldwinner.com/games/v44/go···fsol.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - »www.worldwinner.com/games/v47/ww···ades.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - »tools.ebayimg.com/eps/activex/EP···1-32.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 14042 bytes]]> http://www.dslreports.com/forum/remark,20397100 Sun, 27 Apr 2008 21:34:37 EDT Re: browser redirect and sluggish startup; HT log added http://www.dslreports.com/forum/remark,20394071 bcastner : Delete Combofix.exe from your Desktop.

1. Open HijackThis again, System scan only. Checkmark these items:

O2 - BHO: (no name) - {1C1CE040-5D65-422E-84C6-EFD6EEFCFA93} - C:\WINDOWS\system32\ssqRjkjI.dll (file missing)
O2 - BHO: (no name) - {259274E6-3FEB-5341-BD13-A1A07A9AD77A} - (no file)
O2 - BHO: (no name) - {2B76EB42-6211-417E-9A5D-EA8233C749EB} - (no file)
O2 - BHO: (no name) - {2CB8C4B2-9DAF-4263-818E-835A955224D1} - C:\WINDOWS\system32\qoMfghIY.dll (file missing)
O2 - BHO: {3041db1d-901b-ee6a-2004-aeb134d85913} - {31958d43-1bea-4002-a6ee-b109d1bd1403} - C:\WINDOWS\system32\dkebwlpm.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: (no name) - {F6C97034-AD95-4205-8055-CAED72E7282A} - (no file)
O4 - HKLM\..\Run: [28cd6fbb] rundll32.exe "C:\WINDOWS\system32\antpboyd.dll",b
O20 - Winlogon Notify: gdiwxp - gdiwxp.dll (file missing)
O20 - Winlogon Notify: c - vtUmJDuS.dll (file missing)

Click "Fix checked" and when the log panel clears exit HijackThis.

2. Download -- but do not yet run -- ComboFix©

Download this file -- to your Desktop -- [/b]from any of these sources:

Right-click on the header of the Code box below, where on the right side it says: "Copy to clipboard":

File::C:\WINDOWS\system32\antpboyd.dllC:\WINDOWS\system32\dkebwlpm.dll Registry::[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gdiwxp] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gdiwxp] [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3041db1d-901b-ee6a-2004-aeb134d85913}] [-HKEY_CLASSES_ROOT\AppID\dkebwlpm.dll] [-HKEY_CLASSES_ROOT\AppID\{3041db1d-901b-ee6a-2004-aeb134d85913}] [-HKEY_CLASSES_ROOT\CLSID\{3041db1d-901b-ee6a-2004-aeb134d85913}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3041db1d-901b-ee6a-2004-aeb134d85913}] [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C1CE040-5D65-422E-84C6-EFD6EEFCFA93][-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{259274E6-3FEB-5341-BD13-A1A07A9AD77A}] [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B76EB42-6211-417E-9A5D-EA8233C749EB}] [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2CB8C4B2-9DAF-4263-818E-835A955224D1}] [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB] [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}] [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6C97034-AD95-4205-8055-CAED72E7282A}]

When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.
•!• A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
• Let Combofix run to completion. Do not assume at any point it has locked or frozen. It should take between twenty minutes to one hour to complete. You can reboot if it has not finished after one hour.

3. Run HijackThis again, and save the log file.

Submit to the Forum:
• The contents of C:\Combofix.txt;
• The new HijackThis log.

Note: There is no purpose served in running the ESET online scan repeatedly. The results you returned above are all Quarantined items, including from the Combofix qauarantine.

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,20394071 Sun, 27 Apr 2008 06:27:06 EDT Re: browser redirect and sluggish startup; HT log added http://www.dslreports.com/forum/remark,20393593 randyw01 : I performed an ESET cleaning before I went to bed last night, which was before I read your cleaning instructions ( which I got to around noon ).

ATF Cleaner was installed and ran without problem.

I used HijackThis to fix all the entries you listed, even though some of them were there from voluntary installation.

Combofix ran for about 20 minutes, then became stuck trying to eliminate a file in system32; I had to restart the computer. Since the instructions said to not run Combofix more than once I moved to the next step. Since it didn't seem to finish correctly there is no log file saved.

MalwareBytes was installed and ran without problem.

ESET online scanner was run again.

======================================

MalwareBytes log:
Malwarebytes' Anti-Malware 1.11
Database version: 687

Scan type: Quick Scan
Objects scanned: 50944
Time elapsed: 27 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 23
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 7
Files Infected: 32

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\antpboyd.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\wvUoLeBR.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e6d9f1de-0d9c-4286-8779-37c51068eae9} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e6d9f1de-0d9c-4286-8779-37c51068eae9} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a6c54318-5ac7-477d-b0a7-49af5189300c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a6c54318-5ac7-477d-b0a7-49af5189300c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{70522fa0-4656-11d5-b0e9-0050dac24e8f} (Adware.iWon) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{70522fa1-4656-11d5-b0e9-0050dac24e8f} (Adware.iWon) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{70522fa2-4656-11d5-b0e9-0050dac24e8f} (Adware.iWon) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a6c54318-5ac7-477d-b0a7-49af5189300c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM2bfe5c27 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\wvuolebr -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\wvuolebr -> Delete on reboot.

Folders Infected:
C:\Program Files\iWon (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonBar (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonBar\History (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonBar\Settings (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\1.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache (Adware.iWon) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\antpboyd.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dyobptna.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUoLeBR.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\RBeLoUvw.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\RBeLoUvw.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonBar\History\search (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\PM3.ico (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\1.bin\IWONSLOT.DLL (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\1.bin\PM3.ICO (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\1.bin\UNINSTALL.INF (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0CAD8EEA (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0CAD963D.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0CAD9840.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0CAD9A44.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0CAD9C19.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0CAD9DDE.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0CAD9FA3.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0CADA168.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0CADA34D.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0CADA59E.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0CADA80F.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0CADA9E4.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0CADAC55.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0CADAE1A.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0CADAFEF.wav (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0CADB202.wav (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0CADB483.wav (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0CADB648.wav (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\268E043E (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\files.ini (Adware.iWon) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\htuqswwx.dll (Trojan.Agent) -> Delete on reboot.
C:\U.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

================================================

ESET log:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3057 (20080426)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=ab020ffaac84eb4ca2845adea54587e8
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-04-27 03:51:07
# local_time=2008-04-26 08:51:07 (-0800, Pacific Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=697440
# found=2
# scan_time=14336
C:\QooBox\Quarantine\C\WINDOWS\system32\vtUmJDuS.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP2\A0000013.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000

===========================================

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:31, on 2008-04-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C1CE040-5D65-422E-84C6-EFD6EEFCFA93} - C:\WINDOWS\system32\ssqRjkjI.dll (file missing)
O2 - BHO: (no name) - {259274E6-3FEB-5341-BD13-A1A07A9AD77A} - (no file)
O2 - BHO: (no name) - {2B76EB42-6211-417E-9A5D-EA8233C749EB} - (no file)
O2 - BHO: (no name) - {2CB8C4B2-9DAF-4263-818E-835A955224D1} - C:\WINDOWS\system32\qoMfghIY.dll (file missing)
O2 - BHO: {3041db1d-901b-ee6a-2004-aeb134d85913} - {31958d43-1bea-4002-a6ee-b109d1bd1403} - C:\WINDOWS\system32\dkebwlpm.dll
O2 - BHO: MyPoints Toolbar - {4E7BD74F-2B8D-469E-C1EA-F165BB85A330} - C:\PROGRA~1\mypoints\mypoints.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: PrintMe - {97387E2B-B2FA-4E4A-A607-F3B5C134F71C} - C:\Program Files\EFI\PrintMeToolbar\htpmcap.dll
O2 - BHO: MYPOINTS - {A057A204-BACC-4D26-CEC4-75A487FD6484} - C:\PROGRA~1\mypoints\mypoints.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: (no name) - {F6C97034-AD95-4205-8055-CAED72E7282A} - (no file)
O3 - Toolbar: PrintMe - {97387E2B-B2FA-4E4A-A607-F3B5C134F71C} - C:\Program Files\EFI\PrintMeToolbar\htpmcap.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [28cd6fbb] rundll32.exe "C:\WINDOWS\system32\antpboyd.dll",b
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted IP range: 192.168.1.81
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - »www.worldwinner.com/games/v46/sc···ubes.cab
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} (Mines Control) - »www.worldwinner.com/games/v41/mi···ines.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - »support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - »www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - »www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam Control) - »www.worldwinner.com/games/v47/sk···lgam.cab
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - »https://www.peoplepc.com/ppcos/ISP60/Dow···webi.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - »www.worldwinner.com/games/v46/sh···ader.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - »www.rovion.com/Controls/Rovion.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - »us.chat1.yimg.com/us.yimg.com/i/···scom.cab
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - »www.worldwinner.com/games/v48/br···kout.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - »www.worldwinner.com/games/v50/pool/pool.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - »www.worldwinner.com/games/v43/ji···gsaw.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - »www.symantec.com/techsupp/asa/ss···tlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - »www.symantec.com/techsupp/asa/ss···tlsr.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} (WWHearts Control) - »www.worldwinner.com/games/v52/ww···arts.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - »www.worldwinner.com/games/v63/bj···/bja.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - »www.worldwinner.com/games/v46/be···eled.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - »www.worldwinner.com/games/v49/bl···werx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »www.update.microsoft.com/microso···79311687
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - »www.worldwinner.com/games/v41/fr···cell.cab
O16 - DPF: {6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89} - »ip.135mp3.com/135mp3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - »www.update.microsoft.com/microso···79299890
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - »chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - »www.worldwinner.com/games/shared···unch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - »www.worldwinner.com/games/v46/wo···mojo.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - »www.worldwinner.com/games/v57/cu···ubis.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - »www.worldwinner.com/games/v46/sol/sol.cab
O16 - DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} (WwLuxor Control) - »www.worldwinner.com/games/v49/lu···uxor.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - »www.worldwinner.com/games/v67/sw···apit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - »www.worldwinner.com/games/v41/ha···gman.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - »www.worldwinner.com/games/v42/ti···city.cab
O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} (Royal Control) - »www.worldwinner.com/games/v45/ro···oyal.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - »download.mcafee.com/molbin/share···dmgr.cab
O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - »www.worldwinner.com/games/v50/di···dash.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - »www.worldwinner.com/games/v43/pa···aint.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - »www.live365.com/players/play365.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - »www.worldwinner.com/games/v47/fa···feud.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - »www.worldwinner.com/games/v44/go···fsol.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - »www.worldwinner.com/games/v47/ww···ades.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - »tools.ebayimg.com/eps/activex/EP···1-32.cab
O20 - Winlogon Notify: gdiwxp - gdiwxp.dll (file missing)
O20 - Winlogon Notify: vtUmJDuS - vtUmJDuS.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 14733 bytes]]> http://www.dslreports.com/forum/remark,20393593 Sun, 27 Apr 2008 00:42:02 EDT Re: browser redirect and sluggish startup; HT log added http://www.dslreports.com/forum/remark,20390075 bcastner : Open any .TXT document. This will open in Notepad. Click "Format", and uncheck Word Wrap. Be absolutely certain in all that follows that you never post a log to the Forum in which Word Wrap was active.

First Steps
:!: The following instructions are only for this Forum member. Please do not use these instructions on another computer system. You can seriously damage your system by following the instructions below without guided assistance. You assuredly will make a cleanup of your system more difficult.

TeaTimer is an excellent tool for the prevention of spyware but it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
• Open Spybot Search & Destroy.
• In the Mode menu click "Advanced mode" if not already selected.
• Choose Yes at the Warning prompt.
• Expand the Tools menu.
• Click Resident.
• Uncheck the Resident "TeaTimer" (Protection of overall system settings) active. box.
• In the File menu click Exit to exit Spybot Search & Destroy.
• Download and Unzip to your Desktop: »www.techsupportforum.com/sectool···imer.zip
• Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Please download ATF Cleaner
It does not require any installation.. It is set up to clean Windows TEMP folders, as well as IE, FireFox and Opera, Temporary Internet Files and Cookies.
• Double-click ATF-Cleaner.exe to run the program.

First Step:
• Under Main choose: Select All
• Click the Empty Selected button.
Next, if you use Firefox (and some Mozilla-based browsers)
• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
Next, if you use the Opera browser
• Click Opera at the top and choose: Select All
• Click the Empty Selected button. :!: Click Exit on the Main menu to close the program.

Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:
• Close all programs so that you are at your desktop.
• Double-click on the My Computer icon.
• Select the Tools menu and click Folder Options.
• After the new window appears select the View tab.
• Put a checkmark in the checkbox labeled Display the contents of system folders.
• Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
• Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
• Remove the checkmark from the checkbox labeled Hide protected operating system files.
• Press the Apply button and then the OK button and exit My Computer.
• Now your computer is configured to show all hidden files.

Malware Removal Steps
1. Open HijackThis again, System scan only. Checkmark these items:

R0 - HKLM\Software\Microsoft\InternetExplorer\Search,SearchAssistant = »www.wsou.cn/band.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\InternetSettings,ProxyOverride = 127.0.0.1
O3 - Toolbar: MyPoints Toolbar - {4E7BD74F-2B8D-469E-C1EA-F165BB85A330} - C:\PROGRA~1\mypoints\mypoints.dll
O3 - Toolbar: MYPOINTS - {A057A204-BACC-4D26-CEC4-75A487FD6484} -C:\PROGRA~1\mypoints\mypoints.dll
O4 - HKLM\..\Run: [BM2bfe5c27] Rundll32.exe "C:\WINDOWS\system32\jwhhvurp.dll",s
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe
O4 - Global Startup: Local Area Connection.lnk = ?
O14 - IERESET.INF:START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O15 - Trusted Zone: www.cashsurfers.com
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) -»coupons.smartsource.com/download/cscmv5X.cab
O16 - DPF: {7AA32FC7-133B-4AE7-998E-CED0D9829B12} (luna Class) -»static.waverevenue.com/website.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -»a19.g.akamai.net/7/19/7125/1452/···302/cpbrkpie.cab
O16 - DPF: {A305FBA3-4A87-483D-A53B-138F9F635357}(PCInfo.CMClass) -»ciscdb.sel.sony.com/support/pops···Info.CAB
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrintClass) - »offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {AF697529-9D41-4647-8D80-9E2D74696D5E} (Divx Control)- »192.168.1.81/userform/divx.cab
O16 - DPF: {BE153019-DCDB-479E-827B-C2AAB8CDCA64} (OSDetectControl) - »»https://www.msisurvey.com/share/osdetect.ocx
O21 - SSODL: NetCheck - {F5B7DDBE-5f02-4244-96DB-386DFA24496B} -(no file)

Click "Fix checked" and when the log panel clears exit HijackThis.

2. Download and Run -- ComboFix©
Download this file -- to your Desktop -- from any of these sources:

• Disconnect from the Internet.
• Disable your Antivirus software -- this includes any Script Blocking Feature it may have.

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any disclaimers to start the fix. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

3. Please download MalwareBytes Anti-malware (MBAM) from one of the following links:

Once downloaded, close all programs and Windows on your computer (including this one.)

Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.

When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.

MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program.

On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer.

MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan.

When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click Show Results. Make sure all entries have a checkmark at their far left. You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine.

When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window. Remember where you saved the log file, as we will want to see it later.

4. Eset NOD32 scanner
Go here to run an online scannner from ESET: »www.eset.eu/online-scanner
Note: You will need to use Internet Explorer for this scan.

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Disable your Antivirus software. You can usually do this with its Notfication Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Checked, and the option "Scan unwanted applications" is also Checked.
• Click Scan.
• Wait for the scan to finish.
• :!: Re-enable your Anvirisus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. We will need this later.

5. Run HijackThis again, and save the log file.

Submit to the Forum:
• The contents of C:\Combofix.txt;
• The MBAM log file;
• The ESET online scan results, C:\Program Files\EsetOnlineScanner\log.txt;
• The new HijackThis log.

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,20390075 Sat, 26 Apr 2008 06:07:17 EDT browser redirect and sluggish startup; HT log added http://www.dslreports.com/forum/remark,20389409 randyw01 : My latest problem is something causing both IE and Firefox to open a second window after I open a first one, with sex-dating, casino, or other some other unwanted site appearing in the 2nd window. I'm also experiencing a few slow computer startup, having to wait over 5 minutes after the desktop begins to load.

Spybot, Windows Defender and AVG Antispyware were run at night in safe mode ( Adaware crashing in safe mode ). Spybot detected Virtumonde, couldn't fully clean it. Forgot to save logfiles of Defender and AVG. Spybot allowed to run on next normal restart and claimed to finish off Virtumonde cleaning, but may have failed.

I've spent most of the past day working on this; don't really want to run an online scan at the moment since it'll be running during waking hours and I won't be able to anything with the results until I wake hours after it's done.

System has 384 MB memory, Celeron 1.8 Ghz processor, Win XP Home SP 2, Spybot, Adaware ( free ), Windows Defender, AVG, ZoneAlarm ( free ), Norton Antivirus 2008.

Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:16 PM, on 4/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet

Explorer\Search,SearchAssistant = »www.wsou.cn/band.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title

= Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: PrintMe - {97387E2B-B2FA-4E4A-A607-F3B5C134F71C} -

C:\Program Files\EFI\PrintMeToolbar\htpmcap.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-

0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: MyPoints Toolbar - {4E7BD74F-2B8D-469E-C1EA-

F165BB85A330} - C:\PROGRA~1\mypoints\mypoints.dll
O3 - Toolbar: MYPOINTS - {A057A204-BACC-4D26-CEC4-75A487FD6484} -

C:\PROGRA~1\mypoints\mypoints.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy

Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone

Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32

\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common

Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1

\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program

Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program

Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program

Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program

Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec

Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton

AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows

Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program

Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BM2bfe5c27] Rundll32.exe "C:\WINDOWS\system32

\jwhhvurp.dll",s
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-

88D8A56B10AA}] "C:\Program Files\Common

Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot -

Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet

Explorer\iexplore.exe

»www.symantec.com/techsupp/servle···essages?

module=2007&error=0&language=en&product=SymNRT&version=2008.0.2.1

7&build=Symantec&a=00000082.00000097.000001cd&b=00000082.00000097

.000001cf&c=00000083.00000018.000000a8
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program

Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Local Area Connection.lnk = ?
O8 - Extra context menu item: Download All by FlashGet -

C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet -

C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-

00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-

11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05

\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-

000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-

BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-

47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-

47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-

0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-

8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-

58CAB36FD2A2} - C:\Program Files\Spybot - Search &

Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy

Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-

00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-

11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32

\nwprovau.dll
O14 - IERESET.INF:

START_PAGE_URL=http://store.presario.net/scripts/redirectors/pres

ario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O15 - Trusted Zone: www.cashsurfers.com
O15 - Trusted IP range: 192.168.1.81
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes

Control) -

»www.worldwinner.com/games/v46/sc···blecubes.

cab
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} (Mines Control)

- »www.worldwinner.com/games/v41/mi···ines.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9}

(asusTek_sysctrl Class) -

»support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop

Utility) - »www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) -

»www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam

Control) -

»www.worldwinner.com/games/v47/sk···lgam.cab
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web

Installer) -

»https://www.peoplepc.com/ppcos/ISP60/Dow···webi.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader

Object) -

»www.worldwinner.com/games/v46/sh···ader.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7}

(BlueStream_Flash Class) -

»www.rovion.com/Controls/Rovion.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio

Conferencing) -

»us.chat1.yimg.com/us.yimg.com/i/···cscom.ca

b
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout

Control) -

»www.worldwinner.com/games/v48/br···kout.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control)

- »www.worldwinner.com/games/v50/pool/pool.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius

Control) - »www.worldwinner.com/games/v43/ji···gsaw.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec

SmartIssue) -

»www.symantec.com/techsupp/asa/ss···tlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec

Script Runner Class) -

»www.symantec.com/techsupp/asa/ss···tlsr.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

»download.mcafee.com/molbin/share···01/mcins

ctl.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) -

»coupons.smartsource.com/download/cscmv5X.cab
O16 - DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} (WWHearts

Control) -

»www.worldwinner.com/games/v52/ww···arts.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) -

»www.worldwinner.com/games/v63/bj···/bja.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled

Control) -

»www.worldwinner.com/games/v46/be···eled.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx

Control) -

»www.worldwinner.com/games/v49/bl···werx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl

Class) -

»www.update.microsoft.com/microso···rols/en/

x86/client/wuweb_site.cab?1202179311687
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell

Control) -

»