Internet problems

Discussion in 'Windows - Virus and spyware problems' started by Zaxious, May 25, 2007.

  1. Zaxious

    Zaxious Member

    Oct 24, 2006
    I have a computer in my network that is unable to access the internet. I can ping myself, my router, and websites like Google and Yahoo but that's about it. I can connect to the Internet normally on my other computers except this one computer. They didn't have virus protection before and I recently installed Avast! and Ad-Aware SE. Anyone got any ideas?
  2. Fredil

    Fredil Regular member

    Jul 19, 2006
    To start your fix, I will need a HijackThis logfile. You can get HijackThis at this link: link

    Then, extract HijackThis from its archive and place it in its own folder - NOT on the Desktop! This is important. A good location for HijackThis would be the following path:


    The program (HijackThis_v_1.99.1.exe) would go in the folder "HijackThis".

    Follow the instructions above, run HijackThis, and make a logfile. Post that logfile in a reply.
  3. Zaxious

    Zaxious Member

    Oct 24, 2006
    Here is the HijackThis log report!

    Logfile of HijackThis v1.99.1
    Scan saved at 6:08:23 PM, on 5/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2900.2180)

    Running processes:
    c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\bywtro.dll",realset
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [A00F63F0F.exe] C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\_A00F63F0F.exe
    O4 - HKCU\..\Run: [A00F63F1F.exe] C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\_A00F63F1F.exe
    O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\tmp4.tmp.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O11 - Options group: [INTERNATIONAL] International*
    O17 - HKLM\System\CCS\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer =,,
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C948F181-5F7D-4541-9548-ADDBAFABDDD5}: NameServer =,,
    O17 - HKLM\System\CS1\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer =,,
    O20 - AppInit_DLLs:
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: winlogin - Unknown owner - C:\WINDOWS\lsass.exe

  4. Fredil

    Fredil Regular member

    Jul 19, 2006
    You have quite a few problems there.

    Make sure to read all of my post because you will not be able to access the Internet in Safe Mode.

    Since you can't access the Internet, I will need you to download these programs to another computer. Then, using a USB Drive or a CD, you will have to copy them to the infected comp.

    These are the programs to download:

    * Ad-Aware SE Personal
    * Spybot Search & Destroy
    * LSPFix

    Do not transfer them yet. You will have to install Ad-Aware on the computer you have Internet access on. When the setup finishes, don't open the readme or run a scan, but update the definitions file. Make sure it finishes updating. Do the same with Spybot. LSPFix does not need to be updated.

    Next, copy this folder C:\Program Files\Lavasoft to a USB Drive (it is about 3 megabytes). Do the same with C:\Program Files\Spybot - Search & Destroy. You can just copy the zipped LSPFix file to the drive.

    Transfer the contents of the drive to the computer without Internet access. Put the folders called Lavasoft and Spybot - Search & Destroy into C:\Program Files. Then, unzip the LSPFix folder to your desktop, where it makes a folder called LSPFix.

    Next, reboot your computer into Safe Mode:

    - Restart your computer.
    - When the computer beeps, but before the Windows loading screen appears, repeatedly press F8. If your computer has function keys, disable them.
    - If you get a message on a blue screen about boot drivers, press ESC and keep tapping F8.
    - A black screen with grey text should appear. Using the arrow keys, select "Safe Mode" and press Enter. Like normal Windows loading, it will take a few moments.

    In Safe Mode, open My Computer. Then, open this path: C:\Program Files\Lavasoft. There should be a folder inside it; just open it. There is a program called Ad-Aware; double-click on it to run a scan. If it gives you a message about definition files, ignore it. Instead of performing a smart scan, change the settings to a full scan. Do the scan. Remove any baddies that appear.

    After the scan is done open the folder C:\Program Files\Spybot - Search & Destroy. Open the program called SpybotSd, and do a scan. Don't bother with the Immunize function; you need Internet access for that. Remove anything that is found.

    When both the scans are finished, reboot your computer into Safe Mode again. Do the two scans separately again. Keep rebooting and scanning until nothing can be found. Then, when nothing can be found, reboot into Normal Mode.

    Open up HijackThis and go to the Misc. Tools section. Click on the Misc Tools tab, and click "Delete an NT Service". Copy and paste the following in the box that appears:

    O23 - Service: winlogin - Unknown owner - C:\WINDOWS\lsass.exe

    Press OK. It may reboot your computer; let it.

    Next, open HijackThis and do a scan. Place checkmarks beside the following lines:

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\bywtro.dll",realset
    O4 - HKCU\..\Run: [A00F63F0F.exe] C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\_A00F63F0F.exe
    O4 - HKCU\..\Run: [A00F63F1F.exe] C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\_A00F63F1F.exe
    O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\tmp4.tmp.exe"
    O17 - HKLM\System\CCS\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer =,,
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C948F181-5F7D-4541-9548-ADDBAFABDDD5}: NameServer =,,
    O17 - HKLM\System\CS1\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer =,,
    O20 - AppInit_DLLs:

    Press "Fix Checked".

    Run Avast! Antivirus and perform a full system scan.

    Reboot and post another HijackThis logfile.
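
Added example, not part of the original posts and not HijackThis's own logic: a small Python triage pass over HijackThis entries of the kind this thread deals with (autoruns started from Temp, a rundll32 autorun loading a DLL from the Windows root, unrecognised Winsock LSP providers, and a service named like a system process outside system32). The heuristics, the function names and the SYSTEM_NAMES list are assumptions for illustration; the sample lines are excerpted from the log posted earlier in the thread.

```python
import re
from collections import Counter
from ntpath import basename, dirname  # Windows path rules on any OS

# Lines excerpted from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\bywtro.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\tmp4.tmp.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: winlogin - Unknown owner - C:\WINDOWS\lsass.exe
"""

# Assumption: core Windows process names that normally live in system32.
SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "winlogon.exe",
                "services.exe", "csrss.exe", "smss.exe"}

LINE = re.compile(r"^\s*(O\d+)\s+-\s+(.*\S)\s*$")
RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (.+)$")
SERVICE = re.compile(r"^Service: .*? - .*? - ([A-Za-z]:\\.+)$")
LSP = re.compile(r"^Unknown file in Winsock LSP: (.+)$")
DLL = re.compile(r'([A-Za-z]:\\[^",]+\.dll)', re.I)


def check_entry(code, body):
    """Return (reason, target) for a suspicious entry, else None."""
    if code == "O4" and (m := RUN.match(body)):
        cmd = m.group(1)
        # Autorun whose executable sits in a Temp directory.
        if re.search(r"\\temp\\", cmd, re.I):
            return "autorun starts a file from a Temp directory", cmd.strip('"')
        # rundll32 autorun whose DLL sits directly in C:\WINDOWS.
        dll = DLL.search(cmd)
        if (cmd.lower().startswith("rundll32") and dll
                and dirname(dll.group(1)).lower() == r"c:\windows"):
            return "rundll32 autorun loads a DLL from the Windows root", dll.group(1)
    elif code == "O10" and (m := LSP.match(body)):
        # HijackThis itself could not identify this layered service provider.
        return "unrecognised Winsock LSP provider", m.group(1)
    elif code == "O23" and (m := SERVICE.match(body)):
        path = re.sub(r"\s*\(file missing\)$", "", m.group(1))
        # A system process name registered as a service from the wrong folder.
        if (basename(path).lower() in SYSTEM_NAMES
                and not dirname(path).lower().endswith(r"\system32")):
            return "service uses a system process name outside system32", path
    return None


def triage(log_text):
    """Return [(code, reason, target, count)], repeated lines collapsed."""
    hits = Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        finding = check_entry(m.group(1), m.group(2))
        if finding:
            hits[(m.group(1), *finding)] += 1
    return [(code, reason, target, n)
            for (code, reason, target), n in hits.items()]


if __name__ == "__main__":
    for code, reason, target, n in triage(SAMPLE_LOG):
        print(f"{code:<4} x{n:<3} {reason}: {target}")
```

An O10 hit names a provider in the Winsock chain; deleting that DLL without repairing the chain, which is what a tool such as LSPFix is for, leaves networking broken.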
  5. Zaxious

    Zaxious Member

    Oct 24, 2006
    I don't know... I think I put myself into an even worse situation :( Letting you know the symptoms now: periodic reboots, no network functionality <I was able to transfer files via network.> I had absolutely no Internet connection. IE ping router, websites like before.> Apparently my network drivers are all screwy now.. :( When I tried to get rid of the NT service, that 023, it said the file was missing after the barrage of scans I completed with Ad-Aware and Spybot. Here is a HJT log, I hope I didn't break it some more :) Oh, and this popup keeps popping up; every time it does, my computer reboots...
    The heading is Services and Controller app, and it has encountered a problem and must be shut down, then gives me a minute, then it reboots.

    Logfile of HijackThis v1.99.1
    Scan saved at 7:40:18 AM, on 5/28/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2900.2180)

    Running processes:
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [A00F63F0F.exe] C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\_A00F63F0F.exe
    O4 - HKCU\..\Run: [A00F63F1F.exe] C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\_A00F63F1F.exe
    O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\tmp4.tmp.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O11 - Options group: [INTERNATIONAL] International*
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: winlogin - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
  6. Fredil

    Fredil Regular member

    Jul 19, 2006
    Hmm... no network. That can be fixed.

    Can I get you to open up HijackThis again? Go to the Misc. Tools section, and click on the Backups tab. Check all instances of

    O17 - HKLM\System\CS1\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer =,,

    and press "Restore". Your network should work again.

    You also have a very obvious Vundo infection, which I somehow missed the first time around. Please right-click on HijackThis_v_1.99.1 and rename it to asdf.

    Please download VundoFix.exe to your desktop.

    Double-click VundoFix.exe to run it.

    * When VundoFix re-opens, click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will reboot your computer, click OK.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Please download FindAWF: link

    Save the file to the Desktop
    Double-click FindAWF.exe

    If a Security Alert shows, allow the program to run.

    When done, a text file awf.txt is produced.

    Please post it in your reply.

    Can I get you to copy the following files into a Notepad document? You will be rebooting into Safe Mode again.


    Enable viewing of Hidden Files. Open the Control Panel, then Folder Options. Click on the "View" tab, and check "Show hidden files and folders". Press OK.

    Reboot into Safe Mode and look for and delete the files above.

    VundoFix should have created a log in whatever directory it was run from, post VundoFix's log in your reply. Post a fresh HijackThis log as well as a FindAWF log.
  7. Zaxious

    Zaxious Member

    Oct 24, 2006
    I did everything you asked for and I still do not have networking function after I restored the 017 keys. I uninstalled Avast!, thinking that it would help, no luck... umm, the Services and Controller app error popup still pops up, giving me a minute, then reboots if I click don't send, send error report or debug. Here are the three reports you asked for. I couldn't delete the lsass.exe file due to it being a critical Windows file that was in use in Safe Mode. Here they are:

    Find AWF report by noahdfear ©2006

    bak folders found

    Directory of C:\WINDOWS\BAK

    05/04/2007 03:21 PM 96,768 svchost.exe
    1 File(s) 96,768 bytes

    Directory of C:\HP\KBD\BAK

    02/11/2003 11:02 PM 61,440 KBD.EXE
    1 File(s) 61,440 bytes

    Directory of C:\PROGRA~1\AIM\BAK

    08/05/2005 03:08 PM 67,160 aim.exe
    1 File(s) 67,160 bytes

    Directory of C:\PROGRA~1\AIM6\BAK

    11/07/2006 11:29 AM 50,736 aim6.exe
    1 File(s) 50,736 bytes

    Directory of C:\PROGRA~1\ITUNES\BAK

    04/21/2004 09:28 PM 286,720 iTunesHelper.exe
    1 File(s) 286,720 bytes

    Directory of C:\PROGRA~1\MESSEN~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    08/07/2004 05:20 PM 98,304 qttask.exe
    1 File(s) 98,304 bytes

    Directory of C:\WINDOWS\CREATOR\BAK

    12/18/2003 02:31 AM 118,784 Remind_XP.exe
    1 File(s) 118,784 bytes

    Directory of C:\WINDOWS\SMINST\BAK

    04/14/2004 11:43 PM 233,472 RECGUARD.EXE
    1 File(s) 233,472 bytes

    Directory of C:\WINDOWS\SYSTEM\BAK

    05/07/1998 07:04 PM 52,736 hpsysdrv.exe
    1 File(s) 52,736 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/04/2004 03:00 PM 15,360 ctfmon.exe
    08/03/2004 09:43 PM 118,784 hkcmd.exe
    06/07/2004 09:42 PM 659,456 hphmon06.exe
    10/16/2002 07:57 PM 81,920 ps2.exe
    4 File(s) 875,520 bytes

    Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

    12/09/2003 02:18 AM 70,776 ccApp.exe
    01/20/2004 08:25 PM 124,056 CfgWiz.exe
    2 File(s) 194,832 bytes

    Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\BAK

    03/08/2006 09:56 AM 278,528 MtdAcqu.exe
    1 File(s) 278,528 bytes

    Directory of C:\PROGRA~1\HP\{AAC4F~1\BAK

    06/07/2004 09:53 PM 49,152 hphupd06.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    08/07/2004 05:03 PM 180,269 realsched.exe
    1 File(s) 180,269 bytes

    Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK

    08/06/2004 03:23 AM 218,240 UsrPrmpt.exe
    1 File(s) 218,240 bytes

    Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

    04/16/2007 07:05 PM 171,448 GoogleToolbarNotifier.exe
    1 File(s) 171,448 bytes

    Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

    08/07/2004 03:36 PM 32,881 jusched.exe
    1 File(s) 32,881 bytes

    Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

    06/07/2005 12:46 AM 57,344 apdproxy.exe
    1 File(s) 57,344 bytes

    Duplicate files of bak directory contents

    96768 May 4 2007 "C:\WINDOWS\bak\svchost.exe"
    14336 Aug 4 2004 "C:\WINDOWS\system32\svchost.exe"
    12800 Aug 17 2001 "D:\MiniNT\system32\svchost.exe"
    61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
    67160 Aug 5 2005 "C:\Program Files\AIM\bak\aim.exe"
    50736 Nov 7 2006 "C:\Program Files\AIM6\bak\aim6.exe"
    286720 Apr 21 2004 "C:\Program Files\iTunes\iTunesHelper.exe1176153038"
    286720 Apr 21 2004 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
    98304 Aug 7 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
    118784 Dec 18 2003 "C:\WINDOWS\CREATOR\bak\Remind_XP.exe"
    233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
    52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
    118784 Aug 3 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
    118784 Aug 3 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
    118784 Aug 3 2004 "C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\hkcmd.exe"
    659456 Jun 7 2004 "C:\WINDOWS\system32\bak\hphmon06.exe"
    81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
    81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
    70776 Dec 9 2003 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
    120464 Sep 30 2005 "C:\Program Files\Norton SystemWorks\CfgWiz.exe"
    120464 Sep 23 2005 "C:\Program Files\Norton SystemWorks\Norton AntiVirus\CfgWiz.exe"
    124056 Jan 20 2004 "C:\Program Files\Common Files\Symantec Shared\bak\CfgWiz.exe"
    104568 Feb 26 2001 "C:\Program Files\Common Files\Microsoft Shared\web server extensions\50\bin\CFGWIZ.EXE"
    278528 Mar 8 2006 "C:\Program Files\Creative\MediaSource5\bak\MtdAcqu.exe"
    49152 Jun 7 2004 "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe"
    180269 Aug 7 2004 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe1178124425"
    180269 Aug 7 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
    218240 Aug 6 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
    52272 Apr 16 2007 "C:\Program Files\Google\googletoolbar2user.exe"
    138168 Apr 16 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
    171448 Apr 16 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
    32881 Jun 3 2004 "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe"
    49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    32881 Aug 7 2004 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"
    57344 Jun 7 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"

    end of report

    VundoFix file (I think I got the right file!)


    and Finally the HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:20:00 PM, on 5/28/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2900.2180)

    Running processes:
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {149d0e5c-7c28-4d06-a1d5-0d21d3405c1b} - C:\WINDOWS\system32\dcomqic.dll (file missing)
    O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\fjcglosl.dll
    O2 - BHO: (no name) - {4D3D0406-08B9-455A-8B83-0C1E626ED4B4} - C:\WINDOWS\system32\xkaflnuu.dll
    O2 - BHO: msdn_lib.msdn_hlp - {7C2F2C76-1489-450D-B8FB-0B9692D788F9} - C:\WINDOWS\system32\msdn_lib.dll
    O2 - BHO: (no name) - {805550A5-DAB4-4F24-90AA-BC32EB28264f} - C:\WINDOWS\system32\xkaflnuu.dll
    O2 - BHO: (no name) - {817288D8-6989-49D6-B6CC-9EFBC0446737} - C:\WINDOWS\system32\vtstu.dll (file missing)
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmp2.tmp.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O11 - Options group: [INTERNATIONAL] International*
    O17 - HKLM\System\CCS\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer =,,
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C948F181-5F7D-4541-9548-ADDBAFABDDD5}: NameServer =,,
    O17 - HKLM\System\CS1\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer =,,
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: __c00B99B2 - C:\WINDOWS\system32\__c00B99B2.dat
    O20 - Winlogon Notify: __c00F1A08 - C:\WINDOWS\system32\__c00F1A08.dat
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: winlogin - Unknown owner - C:\WINDOWS\lsass.exe (file missing)

    Nice and long... Thank you so much for taking the time with this problem! I know you do this hundreds of times! We really appreciate it! I learn more and more and am able to repair others' computers with the actions we do.
  8. Zaxious

    Zaxious Member

    Oct 24, 2006
    Fredil! Where you at, man! You left meh, still working on da problem... wondering if it's fixable or do I just need to format XP again...? Save meh
  9. Fredil

    Fredil Regular member

    Jul 19, 2006
    I'm sorry I left you... it's been a busy few days.

    Give me another day, and I'll report back.

    Once again, sorry for the delay :-(
  10. Zaxious

    Zaxious Member

    Oct 24, 2006
    Hey Fredil,
    Dude, don't sweat it. I know you're doing this voluntarily, so I greatly appreciate even an inkling of your time! I hope your knowledge will germinate to me and I can help fix others' computers as well!

    You da Man!

  11. Fredil

    Fredil Regular member

    Jul 19, 2006
    Sorry... I had a lot of take-home final exams and my exit exams are next week. It's not easy being thirteen...

    I'm having a friend of mine (KotaGuy) interpret the FindAWF logfile. He will write me up a fix for you to use. (Batch files aren't my specialty.)

    Let's see what we can do for your network. Since I'm not wholly used to System Restore, you will have to do quite a few things again, or at least check.

    Open the Start Menu. Go to All Programs > Accessories > System Tools > System Restore. When the window opens, click "Next", and turn the month back to May (there are arrows on the top of the calendar). See if you have a restore point for May 27; if you don't, check for May 28. If you have more than one, revert to the earliest one. I apologize for not doing this earlier as a revert to May 27 would have guaranteed the network fix, I believe.

    After you restore, open HijackThis and place checkmarks next to the following lines (they may not be there; I am not familiar with the mechanics of System Restore):

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\bywtro.dll",realset
    O4 - HKCU\..\Run: [A00F63F0F.exe] C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\_A00F63F0F.exe
    O4 - HKCU\..\Run: [A00F63F1F.exe] C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\_A00F63F1F.exe
    O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\tmp4.tmp.exe"

    You should also run Spybot S & D, Ad-Aware, and VundoFix again (remember to run SB and AAW in Safe Mode multiple times; VundoFix can be run twice for better results sometimes).

    I need you to completely clear your Temporary Internet Files. Open up the Control Panel, and go to Folder Options. Click on the View tab, and enable the viewing of hidden files. Hit "Apply" and close Folder Options. Afterwards, open My Computer and the C: drive. Open Documents and Settings; you should see a bunch of usernames. Double-click on Allen (there may be something after it). You will see a folder called "Cookies"; right-click on the folder and select "Delete". You will see an error that index.dat cannot be deleted; this is okay. You will see another folder called Local Settings (it is faded out). Right-click on the folder called "Temp" and press Delete. You may or may not get an unable to delete message; if you do, tell me what file it is. Do the same thing with Temporary Internet Files.

    Can I get you to grab me an Uninstall Log from HijackThis? Open it up, and open the Misc. Tools tab. Click on the button labelled "Open Uninstall Manager". There should be a button called "Save List"; save the list and post it in your reply.

    Are you getting BSOD (Blue Screen of Death)? If you are, tell me. It *may* be the source of your Internet problem.

    In your reply:
    * A new VundoFix log
    * A log of the HijackThis Uninstall Manager
    * A HijackThis logfile
    * A lot of good luck :)
    Last edited: Jun 1, 2007
  12. Zaxious

    Zaxious Member

    Oct 24, 2006
    Thirteen? You're not thirteen! Anyway... nothing new happened... still got the same network down, the services and controller app error popup still shows no internet function... I can't even ping... Here are the requested items.

    HijackThis Uninstall Log

    Ad-Aware SE Personal
    Adobe Acrobat - Reader 6.0.2 Update
    Adobe Download Manager 2.2 (Remove Only)
    Adobe Reader 6.0.1
    Adobe® Photoshop® Album Starter Edition 3.0
    Agere Systems PCI Soft Modem
    Easy Internet Sign-up
    Google Toolbar for Internet Explorer
    Help and Support Additions
    High Definition Audio Driver Package - KB835221
    HijackThis 1.99.1
    Hotfix for Windows XP (KB915865)
    HP Deskjet Preloaded Printer Drivers
    HP Image Zone 4.2
    HP Image Zone Plus 4.2
    HP Organize
    HP Photo & Imaging 3.5 - HP Devices
    HP PSC & OfficeJet 4.0
    HP Software Update
    Intel(R) Extreme Graphics Driver
    IntelliMover Data Transfer Demo
    InterVideo WinDVD Creator 2
    InterVideo WinDVD Player
    Java 2 Runtime Environment, SE v1.4.2_03
    LiveReg (Symantec Corporation)
    LiveUpdate 1.90 (Symantec Corporation)
    Microsoft .NET Framework 1.1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Standard Edition 2003
    Microsoft Office XP Professional with FrontPage
    Microsoft Plus! Dancer LE
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft Works 7.0
    muvee autoProducer 3.5 magicMoments - HPD
    Norton AntiVirus 2004
    Norton AntiVirus 2004 (Symantec Corporation)
    Norton AntiVirus Parent MSI
    Norton Internet Security
    Norton Internet Security
    Norton Internet Security
    Norton Internet Security
    Norton Internet Security
    Norton Internet Security
    Norton Internet Security
    Norton Personal Firewall
    Norton Personal Firewall (Symantec Corporation)
    Norton Security Center
    Norton WMI Update
    NVIDIA GART Driver
    PC-Doctor for Windows
    Photosmart 320,370,7400,8100,8400 Series
    Python 2.2 combined Win32 extensions
    Python 2.2.1
    Sonic RecordNow!
    Updates from HP
    Windows Internet Explorer 7
    Windows XP Hotfix - KB883667

    Logfile of HijackThis v1.99.1
    Scan saved at 9:15:28 PM, on 6/1/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2900.2180)

    Running processes:
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {149d0e5c-7c28-4d06-a1d5-0d21d3405c1b} - C:\WINDOWS\system32\dcomqic.dll (file missing)
    O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\fjcglosl.dll
    O2 - BHO: (no name) - {4D3D0406-08B9-455A-8B83-0C1E626ED4B4} - C:\WINDOWS\system32\xkaflnuu.dll
    O2 - BHO: msdn_lib.msdn_hlp - {7C2F2C76-1489-450D-B8FB-0B9692D788F9} - C:\WINDOWS\system32\msdn_lib.dll
    O2 - BHO: (no name) - {805550A5-DAB4-4F24-90AA-BC32EB28264f} - C:\WINDOWS\system32\xkaflnuu.dll
    O2 - BHO: (no name) - {817288D8-6989-49D6-B6CC-9EFBC0446737} - C:\WINDOWS\system32\vtstu.dll (file missing)
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmp2.tmp.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O11 - Options group: [INTERNATIONAL] International*
    O17 - HKLM\System\CCS\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer =,,
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C948F181-5F7D-4541-9548-ADDBAFABDDD5}: NameServer =,,
    O17 - HKLM\System\CS1\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer =,,
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: __c00B99B2 - C:\WINDOWS\system32\__c00B99B2.dat
    O20 - Winlogon Notify: __c00F1A08 - C:\WINDOWS\system32\__c00F1A08.dat
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: winlogin - Unknown owner - C:\WINDOWS\lsass.exe (file missing)

    VundoFix V6.4.1

    Checking Java version...

    Java version is
    Old versions of java are exploitable and should be removed.

    Java version is
    Old versions of java are exploitable and should be removed.

    Java version is
    Old versions of java are exploitable and should be removed.

    Java version is

    Scan started at 8:41:07 PM 5/28/2007

    Listing files found while scanning....


    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\dcomqic.dll
    C:\WINDOWS\system32\dcomqic.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\opnmkki.dll
    C:\WINDOWS\system32\opnmkki.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\utstv.bak1
    C:\WINDOWS\system32\utstv.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\utstv.bak2
    C:\WINDOWS\system32\utstv.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\utstv.ini
    C:\WINDOWS\system32\utstv.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\utstv.ini2
    C:\WINDOWS\system32\utstv.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\utstv.tmp
    C:\WINDOWS\system32\utstv.tmp Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vtstu.dll
    C:\WINDOWS\system32\vtstu.dll Has been deleted!

    Performing Repairs to the registry.

    VundoFix V6.4.1

    Checking Java version...

    Java version is
    Old versions of java are exploitable and should be removed.

    Java version is
    Old versions of java are exploitable and should be removed.

    Java version is
    Old versions of java are exploitable and should be removed.

    Java version is

    Scan started at 6:44:19 PM 6/1/2007

    Listing files found while scanning....


    Beginning removal...

    Attempting to delete C:\WINDOWS\ortwyb.ini
    C:\WINDOWS\ortwyb.ini Has been deleted!

    Performing Repairs to the registry.

    VundoFix V6.4.1

    Checking Java version...

    Java version is
    Old versions of java are exploitable and should be removed.

    Java version is
    Old versions of java are exploitable and should be removed.

    Java version is
    Old versions of java are exploitable and should be removed.

    Java version is

    Scan started at 7:22:52 PM 6/1/2007

    Listing files found while scanning....

    No infected files were found.
  13. Fredil

    Fredil Regular member

    Jul 19, 2006
    Oh, I so am thirteen :D

    Nothing wrong with uninstall log.

    For some reason, VundoFix isn't working as well as it should; there is still active Vundo in your HijackThis log.

    We should fix this. Open HijackThis and re-scan. Place checkmarks beside the following:

    O2 - BHO: (no name) - {149d0e5c-7c28-4d06-a1d5-0d21d3405c1b} - C:\WINDOWS\system32\dcomqic.dll (file missing)
    O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\fjcglosl.dll
    O2 - BHO: (no name) - {4D3D0406-08B9-455A-8B83-0C1E626ED4B4} - C:\WINDOWS\system32\xkaflnuu.dll
    O2 - BHO: msdn_lib.msdn_hlp - {7C2F2C76-1489-450D-B8FB-0B9692D788F9} - C:\WINDOWS\system32\msdn_lib.dll
    O2 - BHO: (no name) - {805550A5-DAB4-4F24-90AA-BC32EB28264f} - C:\WINDOWS\system32\xkaflnuu.dll
    O2 - BHO: (no name) - {817288D8-6989-49D6-B6CC-9EFBC0446737} - C:\WINDOWS\system32\vtstu.dll (file missing)
    O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmp2.tmp.dll
    (all of these except one are Vundo, the other is malware)
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE (Realtek spyware, not malicious but monitors your computer habits)
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe (spyware crap from Zeno Search)
    O23 - Service: winlogin - Unknown owner - C:\WINDOWS\lsass.exe (file missing)

    Press "Fix Checked".

    Please download SmitFraudFix.exe to your Desktop. Double-click it; it should produce a Command Prompt window. A credits screen will come up; press any key to get past it.

    Note: Do Not Perform Any Other Options Unless Asked!!

    Please select option No. 1 - Search. Press Enter, and it will perform a scan. After the scan, a log called rapport.txt will be made; it will look something like this (minus Chinese characters; my Notepad has a display issue):

    Copy and paste the contents of that log into your reply. Please note that I use a custom Hosts file, and my Hosts file isn't actually corrupted :D If SmitFraudFix.exe won't work on the Desktop, please copy the file into C:. Then it should work.

    Next, I want to see what we're dealing with. Please go to VirusTotal. In the top right, you should see a button labelled "Browse"; there should be a text box beside it. Paste the following into that text box:

    C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

    Click the big "Send" button. You may have to wait a while, as there are a few people using VirusTotal to scan suspicious files. When the scan is done, there should be a table. Don't worry about the smaller one below it with random characters; just copy the whole table on top and paste it into your reply. It should look something like this (I don't really have a virus; I scanned a VBS file that would open your CD-Tray if opened):

    Do the same thing for the following (all of the files should not take more than twenty minutes):




    (this may be the file that is the source of your Internet problem)





    Paste the results of all the files in your reply (if all the scans for one file say "No virus found", you do not need to paste the log, just tell me). Separate them so I know what file was scanned.

    If you get an error saying something about 0 bytes file size, then I probably did something wrong, not you :D

    In your next reply:
    * A SmitFraudFix log
    * VirusTotal logs for all the files you scanned
    * A fresh HijackThis logfile
    Last edited: Jun 2, 2007
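
The first-pass reading of a HijackThis log that the post above does by eye can be scripted for triage. This is an added example, not part of any post in the thread and not HijackThis's own code; the function names and the triage rules are assumptions chosen to mirror the kinds of entries picked out above, and the sample log is constructed from a few lines of the logs posted here.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines taken from the HijackThis logs posted in
# this thread (the posted log repeats the O10 line 16 times; three copies suffice).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {149d0e5c-7c28-4d06-a1d5-0d21d3405c1b} - C:\WINDOWS\system32\dcomqic.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\fjcglosl.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\tmp4.tmp.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: winlogin - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
"""

# A log entry is "<section code> - <body>", e.g. "O2 - BHO: ...". Header lines and
# the bare paths under "Running processes:" do not match and are skipped.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")


def parse_entries(log_text):
    """Return [(code, body, count)], collapsing verbatim repeats and keeping order."""
    counts = Counter()
    order = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line)
        if not match:
            continue
        key = (match.group(1), match.group(2))
        if key not in counts:
            order.append(key)
        counts[key] += 1
    return [(code, body, counts[(code, body)]) for code, body in order]


def triage(code, body):
    """Return the reasons an entry deserves a manual look (heuristics, not verdicts)."""
    reasons = []
    if code == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object registered without a name")
    if code == "O4" and "\\temp\\" in body.lower():
        reasons.append("autostart entry launches from a Temp directory")
    if code == "O10" and body.startswith("Unknown file in Winsock LSP"):
        reasons.append("unrecognised DLL in the Winsock LSP chain")
    if code == "O23" and " - Unknown owner - " in body:
        reasons.append("service binary carries no company name")
    if body.endswith("(file missing)"):
        reasons.append("registry entry points at a file that no longer exists")
    return reasons


def review(log_text):
    """Parse a log and return only the entries that matched a triage rule."""
    findings = []
    for code, body, count in parse_entries(log_text):
        reasons = triage(code, body)
        if reasons:
            findings.append(
                {"code": code, "entry": body, "count": count, "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for item in review(SAMPLE_LOG):
        repeat = f" (x{item['count']})" if item["count"] > 1 else ""
        print(f"{item['code']}{repeat}: {item['entry']}")
        for reason in item["reasons"]:
            print(f"    - {reason}")
```

The rules only shortlist entries for a human to check; an entry such as the named `msdn_lib.msdn_hlp` BHO passes them untouched, so the output is a starting point, not a fix list.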
  14. Zaxious

    Zaxious Member

    Oct 24, 2006
    The first are the VirusTotal logs, then the SmitFraudFix, then the HJT. I've used SmitFraudFix quite a few times to fix friends' computers and it works like a charm, but hehe, didn't work this time round! Desktop still loads up slow and the Services and Controller app error code still keeps poppin up! FYI...

    I'll have to see some proof that you're thirteen!! I can't believe it!!


    Antivirus Version Update Result
    AhnLab-V3 2007.5.31.2 06.01.2007 Win-Trojan/Klone.131604.K
    AntiVir 06.01.2007 TR/Dldr.ConHook.Gen
    Authentium 4.93.8 05.23.2007 no virus found
    Avast 4.7.997.0 06.01.2007 no virus found
    AVG 06.02.2007 Generic4.RMZ
    BitDefender 7.2 06.03.2007 Trojan.BHO.AR
    CAT-QuickHeal 9.00 06.02.2007 Trojan.Klone.j
    ClamAV devel-20070416 06.03.2007 no virus found
    DrWeb 4.33 06.02.2007 no virus found
    eSafe 05.31.2007 Suspicious Trojan/Worm
    eTrust-Vet 30.7.3684 06.02.2007 Win32/Vundo.DA
    Ewido 4.0 06.02.2007 Adware.BHO
    FileAdvisor 1 06.03.2007 no virus found
    Fortinet 06.02.2007 no virus found
    F-Prot 06.01.2007 no virus found
    F-Secure 6.70.13030.0 06.02.2007 Packed.Win32.Klone.j
    Ikarus T3.1.1.8 06.02.2007 Packed.Win32.Klone.j
    Kaspersky 06.03.2007 Packed.Win32.Klone.j
    McAfee 5044 06.01.2007 no virus found
    Microsoft 1.2503 06.03.2007 Adware:Win32/Virtumonde.A
    NOD32v2 2305 06.01.2007 probably a variant of Win32/Adware.BHO.V
    Norman 5.80.02 06.01.2007 Smalltroj.gen2
    Panda 06.02.2007 Spyware/Virtumonde
    Prevx1 V2 06.03.2007 no virus found
    Sophos 4.18.0 06.01.2007 Troj/BHO-CB
    Sunbelt 2.2.907.0 05.30.2007 no virus found
    Symantec 10 06.03.2007 no virus found
    TheHacker 05.31.2007 Trojan/Klone.j
    VBA32 3.12.0 06.02.2007 Adware.Crew
    VirusBuster 4.3.23:9 06.02.2007 Trojan.DL.Conhook.Gen!Pac
    Webwasher-Gateway 6.0.1 06.02.2007 Trojan.Dldr.ConHook.Gen


    Antivirus Version Update Result
    AhnLab-V3 2007.5.31.2 06.01.2007 no virus found
    AntiVir 06.01.2007 TR/Dldr.ConHook.Gen
    Authentium 4.93.8 05.23.2007 no virus found
    Avast 4.7.997.0 06.01.2007 no virus found
    AVG 06.02.2007 no virus found
    BitDefender 7.2 06.03.2007 MemScan:Trojan.Agent.AADI
    CAT-QuickHeal 9.00 06.02.2007 no virus found
    ClamAV devel-20070416 06.03.2007 no virus found
    DrWeb 4.33 06.02.2007 no virus found
    eSafe 05.31.2007 no virus found
    eTrust-Vet 30.7.3684 06.02.2007 no virus found
    Ewido 4.0 06.02.2007 no virus found
    FileAdvisor 1 06.03.2007 no virus found
    Fortinet 06.02.2007 suspicious
    F-Prot 06.01.2007 no virus found
    F-Secure 6.70.13030.0 06.02.2007 no virus found
    Ikarus T3.1.1.8 06.02.2007 Trojan-Spy.Win32.Bancos.ha
    Kaspersky 06.03.2007 no virus found
    McAfee 5044 06.01.2007 no virus found
    Microsoft 1.2503 06.03.2007 VirTool:Win32/Obfuscator.C
    NOD32v2 2305 06.01.2007 a variant of Win32/BHO.G
    Norman 5.80.02 06.01.2007 W32/Suspicious_U.gen
    Panda 06.02.2007 Suspicious file
    Prevx1 V2 06.03.2007 no virus found
    Sophos 4.18.0 06.01.2007 Mal/Packer
    Sunbelt 2.2.907.0 05.30.2007 VIPRE.Suspicious
    Symantec 10 06.03.2007 no virus found
    TheHacker 05.31.2007 no virus found
    VBA32 3.12.0 06.02.2007 Trojan.Win32.BHO.g
    VirusBuster 4.3.23:9 06.02.2007
    Webwasher-Gateway 6.0.1 06.03.2007 Trojan.Dldr.ConHook.Gen


    Antivirus Version Update Result
    AhnLab-V3 2007.5.31.2 06.01.2007 no virus found
    AntiVir 06.01.2007 TR/Crypt.FKM.Gen
    Authentium 4.93.8 05.23.2007 is a security risk or a "backdoor" program
    Avast 4.7.997.0 06.01.2007 no virus found
    AVG 06.02.2007 Downloader.Generic4.ILD
    BitDefender 7.2 06.03.2007 no virus found
    CAT-QuickHeal 9.00 06.02.2007 no virus found
    ClamAV devel-20070416 06.03.2007 no virus found
    DrWeb 4.33 06.02.2007 no virus found
    eSafe 05.31.2007 Win32.VB.apq
    eTrust-Vet 30.7.3684 06.02.2007 no virus found
    Ewido 4.0 06.02.2007 Downloader.VB.apq
    FileAdvisor 1 06.03.2007 no virus found
    Fortinet 06.02.2007 W32/VB.APQ!tr.dldr
    F-Prot 06.01.2007 W32/Downloader2
    F-Secure 6.70.13030.0 06.02.2007 Trojan-Downloader.Win32.VB.apq
    Ikarus T3.1.1.8 06.02.2007 Trojan-Downloader.Win32.VB.apq
    Kaspersky 06.03.2007 Trojan-Downloader.Win32.VB.apq
    McAfee 5044 06.01.2007 TFactory
    Microsoft 1.2503 06.03.2007 no virus found
    NOD32v2 2305 06.01.2007 no virus found
    Norman 5.80.02 06.01.2007 W32/DLoader.CSPU
    Panda 06.02.2007 Malware Generic
    Prevx1 V2 06.03.2007 no virus found
    Sophos 4.18.0 06.01.2007 no virus found
    Sunbelt 2.2.907.0 05.30.2007 Trojan.Unclassified.gen
    Symantec 10 06.03.2007 Trojan Horse
    TheHacker 05.31.2007 Trojan/Downloader.VB.apq
    VBA32 3.12.0 06.02.2007 Trojan-Downloader.Win32.VB.apq
    VirusBuster 4.3.23:9 06.02.2007 no virus found
    Webwasher-Gateway 6.0.1 06.03.2007 Trojan.Crypt.FKM.Gen


    Antivirus Version Update Result
    AhnLab-V3 2007.5.31.2 06.01.2007 Win-Trojan/Xema.variant
    AntiVir 06.01.2007 TR/Agent.AOJ.17
    Authentium 4.93.8 05.23.2007 no virus found
    Avast 4.7.997.0 06.01.2007 no virus found
    AVG 06.02.2007 no virus found
    BitDefender 7.2 06.03.2007 Trojan.Agent.AOJ
    CAT-QuickHeal 9.00 06.02.2007 Trojan.Agent.afg
    ClamAV devel-20070416 06.03.2007 no virus found
    DrWeb 4.33 06.02.2007 Trojan.Netqv
    eSafe 05.31.2007 Win32.Agent.afg
    eTrust-Vet 30.7.3684 06.02.2007 Win32/Netvq!generic
    Ewido 4.0 06.02.2007 Trojan.Agent.j
    FileAdvisor 1 06.03.2007 High threat detected
    Fortinet 06.02.2007 W32/NetVQ.QTZ!tr
    F-Prot 06.01.2007 no virus found
    F-Secure 6.70.13030.0 06.02.2007 Trojan.Win32.Agent.afg
    Ikarus T3.1.1.8 06.02.2007 Trojan.Win32.Agent.afg
    Kaspersky 06.03.2007 Trojan.Win32.Agent.afg
    McAfee 5044 06.01.2007 no virus found
    Microsoft 1.2503 06.03.2007 no virus found
    NOD32v2 2305 06.01.2007 no virus found
    Norman 5.80.02 06.01.2007 no virus found
    Panda 06.02.2007 Trj/Spamer.BP
    Prevx1 V2 06.03.2007 Polynomial.Code.Exploit
    Sophos 4.18.0 06.01.2007 Troj/NetVQ-Gen
    Sunbelt 2.2.907.0 05.30.2007 Trojan.Win32.Agent.afg
    Symantec 10 06.03.2007 no virus found
    TheHacker 05.31.2007 Trojan/Agent.afg
    VBA32 3.12.0 06.02.2007 Trojan.Win32.Agent.afg
    VirusBuster 4.3.23:9 06.02.2007 no virus found
    Webwasher-Gateway 6.0.1 06.03.2007 Trojan.Agent.AOJ.17


    Antivirus Version Update Result
    AhnLab-V3 2007.5.31.2 06.01.2007 no virus found
    AntiVir 06.01.2007 HEUR/Crypted
    Authentium 4.93.8 05.23.2007 no virus found
    Avast 4.7.997.0 06.01.2007 no virus found
    AVG 06.02.2007 no virus found
    BitDefender 7.2 06.03.2007 no virus found
    CAT-QuickHeal 9.00 06.02.2007 no virus found
    ClamAV devel-20070416 06.03.2007 no virus found
    DrWeb 4.33 06.02.2007 Trojan.DownLoader.22964
    eSafe 05.31.2007 Suspicious Trojan/Worm
    eTrust-Vet 30.7.3684 06.02.2007 no virus found
    Ewido 4.0 06.02.2007 no virus found
    FileAdvisor 1 06.03.2007 no virus found
    Fortinet 06.02.2007 no virus found
    F-Prot 06.01.2007 no virus found
    F-Secure 6.70.13030.0 06.02.2007 Packed.Win32.Morphine.a
    Ikarus T3.1.1.8 06.02.2007 MalwareScope.Trojan-Spy.BZub.1
    Kaspersky 06.03.2007 Packed.Win32.Morphine.a
    McAfee 5044 06.01.2007 no virus found
    Microsoft 1.2503 06.03.2007 VirTool:Win32/Obfuscator.E
    NOD32v2 2305 06.01.2007 no virus found
    Norman 5.80.02 06.01.2007 W32/BHO.QG
    Panda 06.02.2007 Malware Generic
    Prevx1 V2 06.03.2007 no virus found
    Sophos 4.18.0 06.01.2007 Mal/Behav-010
    Sunbelt 2.2.907.0 05.30.2007 no virus found
    Symantec 10 06.03.2007 no virus found
    TheHacker 05.31.2007 Trojan/Morphine.a
    VBA32 3.12.0 06.02.2007 Trojan.DownLoader.22964
    VirusBuster 4.3.23:9 06.02.2007 no virus found
    Webwasher-Gateway 6.0.1 06.03.2007 Heuristic.Crypted


    Antivirus Version Update Result
    AhnLab-V3 2007.5.31.2 06.01.2007 no virus found
    AntiVir 06.01.2007 HEUR/Crypted
    Authentium 4.93.8 05.23.2007 no virus found
    Avast 4.7.997.0 06.01.2007 no virus found
    AVG 06.02.2007 no virus found
    BitDefender 7.2 06.03.2007 no virus found
    CAT-QuickHeal 9.00 06.02.2007 no virus found
    ClamAV devel-20070416 06.03.2007 no virus found
    DrWeb 4.33 06.02.2007 Trojan.DownLoader.22964
    eSafe 05.31.2007 Suspicious Trojan/Worm
    eTrust-Vet 30.7.3684 06.02.2007 no virus found
    Ewido 4.0 06.02.2007 no virus found
    FileAdvisor 1 06.03.2007 no virus found
    Fortinet 06.02.2007 no virus found
    F-Prot 06.01.2007 no virus found
    F-Secure 6.70.13030.0 06.02.2007 Packed.Win32.Morphine.a
    Ikarus T3.1.1.8 06.02.2007 MalwareScope.Trojan-Spy.BZub.1
    Kaspersky 06.03.2007 Packed.Win32.Morphine.a
    McAfee 5044 06.01.2007 no virus found
    Microsoft 1.2503 06.03.2007 VirTool:Win32/Obfuscator.E
    NOD32v2 2305 06.01.2007 no virus found
    Norman 5.80.02 06.01.2007 W32/BHO.QG
    Panda 06.02.2007 Malware Generic
    Prevx1 V2 06.03.2007 no virus found
    Sophos 4.18.0 06.01.2007 Mal/Behav-010
    Sunbelt 2.2.907.0 05.30.2007 no virus found
    Symantec 10 06.03.2007 no virus found
    TheHacker 05.31.2007 Trojan/Morphine.a
    VBA32 3.12.0 06.02.2007 Trojan.DownLoader.22964
    VirusBuster 4.3.23:9 06.02.2007 no virus found
    Webwasher-Gateway 6.0.1 06.03.2007 Heuristic.Crypted

    SmitFraudFix v2.113

    Scan done at 22:04:42.45, Sat 06/02/2007
    Run from C:\Documents and Settings\HP_Owner\Desktop\SmitFraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\HP_Owner

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\HP_Owner\Application Data

    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu

    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\HP_Owner\FAVORI~1

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

    »»»»»»»»»»»»»»»»»»»»»»»» End

    Logfile of HijackThis v1.99.1
    Scan saved at 11:14:31 PM, on 6/2/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2900.2180)

    Running processes:
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
    C:\Documents and Settings\HP_Owner\Application Data\U3\00001755C8600165\LaunchPad.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
    O11 - Options group: [INTERNATIONAL] International*
    O17 - HKLM\System\CCS\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer =,,
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C948F181-5F7D-4541-9548-ADDBAFABDDD5}: NameServer =,,
    O17 - HKLM\System\CS1\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer =,,
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: __c00B99B2 - C:\WINDOWS\system32\__c00B99B2.dat
    O20 - Winlogon Notify: __c00F1A08 - C:\WINDOWS\system32\__c00F1A08.dat
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  15. Fredil

    Fredil Regular member

    Jul 19, 2006
    Isn't it nice to know that there are randomly named trojans killing your LSP stack?

    Never mind. The good thing is that you have LSPFix on hand. Open up LSPFix. If there is something in the "Remove" box, DO NOT DO ANYTHING, LEAVE IT AND PRESS "FINISH". If there isn't then follow my directions carefully, since failure to do so can require you to reinstall your OS. If there isn't anything in the "Remove" box, then place a little checkmark beside the "I know what I'm doing..." box. One by one, select all instances of cijdngd.dll and move them over to the "Remove" panel. Press "Finish". If you still can't access the Internet, then open LSPFix again and just press Finish without doing anything. This *should* get your Internet back if your network is operational... damn network problem :) A good way to see if it worked is to disconnect your network and to plug the modem directly into your computer.

    I said Search, not Clean for SmitFraudFix, but I guess no harm done. However, you will have to clean further with SMF. Reboot into Safe Mode:

    and run SmitFraudFix again, selecting "Clean". It should overwrite the C:\rapport.txt; give me the new one.

    You missed some files to send to VirusTotal; so those weren't infected/didn't exist? If they didn't exist, try enabling hidden files then sending again:

    1. Open the Control Panel
    2. Open Folder Options and click the "View" tab
    3. Click "Show hidden files and folders"
    4. Press "Apply" and "Close".

    For the files you did send, though, the scans don't look very promising. Reboot into Safe Mode and delete the following files:










    Right-click on your Recycle Bin and select "Empty Recycle Bin". Reboot into Normal Mode. If you just installed Avast! on this computer as well, then uninstall either Norton or Avast!, as two antivirus programs on one computer is a no-no.

    In your next reply I want:
    * rapport.txt from SmitFraudFix
    * new VirusTotal logs, if applicable
    * a fresh HijackThis log
  16. Zaxious

    Zaxious Member

    Oct 24, 2006
    Hey, I apologize for not saying it in my reply, the missing files had no problems and did not include them... I did the LSPFix and still no Internet... I still have no network either.. I have yellow question marks on my network portion of the devices and no connections like the LAN or the I394 adapter like I once did.. I can't even attempt to set up a network either..

    As far as the SmitFraudFix, I do believe that was just a scan, either it was a previous attempt at fixing before we started and/or I used the wrong file.

    I also tried to delete the files you requested and ran into some problems.... The following files would not delete:

    lsass.exe - cannot be deleted due to critical windows file
    c00B99B2.dat - in use by other program and cannot delete
    c00F1A08.dat - Access denied -prob go into administrator and delete??
    Bywtro - File not found.

    Here are the files you requested:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:01:02 PM, on 6/3/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2900.2180)

    Running processes:
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O17 - HKLM\System\CCS\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer =,,
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C948F181-5F7D-4541-9548-ADDBAFABDDD5}: NameServer =,,
    O17 - HKLM\System\CS1\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer =,,
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: __c00B99B2 - C:\WINDOWS\system32\__c00B99B2.dat
    O20 - Winlogon Notify: __c00F1A08 - C:\WINDOWS\system32\__c00F1A08.dat
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    SmitFraudFix v2.113

    Scan done at 14:11:03.32, Sun 06/03/2007
    Run from C:\Documents and Settings\HP_Owner\Desktop\SmitFraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» End
  17. Fredil

    Fredil Regular member

    Jul 19, 2006
    Let's try to delete lsass.

    Please download the Pocket Killbox by Option^Explicit to your desktop. Run it. In the box that says "Full Path of File to Delete", carefully copy and paste the following:


    Underneath that, select "Delete on Reboot" instead of "Standard File Kill". Press the button that features a white X on a red circle. When it asks if you want to reboot now, press "Yes".

    You can now archive your Killbox file or delete it. We will now use a simpler program called Unlocker to delete the other files. Download Unlocker to your Desktop and install it. Run Unlocker. Nothing will appear to happen except for something appearing in your tray (bottom right hand corner); this is normal.

    Now, try to delete the other two files again. Wait a while; when it says that it will not delete, Unlocker will show up (yay!). If it says that no unlocking handle could be found, select "Delete" from the menu. If it could not delete, tell it to delete on reboot. However, if unlocking handles were found, press the "Unlock All" button at the bottom of the screen.

    Empty your Recycle Bin and reboot your computer.

    Post another HijackThis log.
  18. Zaxious

    Zaxious Member

    Oct 24, 2006
    Logfile of HijackThis v1.99.1
    Scan saved at 8:50:23 PM, on 6/3/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2900.2180)

    Running processes:
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O17 - HKLM\System\CCS\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer =,,
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C948F181-5F7D-4541-9548-ADDBAFABDDD5}: NameServer =,,
    O17 - HKLM\System\CS1\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer =,,
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: __c00B99B2 - C:\WINDOWS\system32\__c00B99B2.dat (file missing)
    O20 - Winlogon Notify: __c00F1A08 - C:\WINDOWS\system32\__c00F1A08.dat (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

  19. Fredil

    Fredil Regular member

    Jul 19, 2006
    Sorry about the delay. I only have one final left on Monday. Yay!

    You still have an AWF infection, which I am still clueless on how to deal with. KotaGuy seems to be on vacation, which isn't a very good thing for you. However, the AWF doesn't seem to be doing anything.

    Check your network configuration settings to see if you can find anything wrong.

    How's your Internet? If it doesn't work, try this:

    1. Go to Start > Run.
    2. Type "ipconfig -release" (the space is necessary, no quotes)
    3. A black box will flash. This is normal.
    4. Open Start > Run again. Type "ipconfig -renew" (no quotes, necessary space. Get the pattern?)

    This will also refresh your IP Address.

    Since it's been a while, post another HijackThis log.
  20. Zaxious

    Zaxious Member

    Oct 24, 2006
    I wasn't even able to do any of that... it came up with an error of there's like no ip service or something like that... I think someone else may have restored it to a further back previous restore point as now everything is working fine.... but check the HJT log to see if everything's alright... I ran the VirusTotals on the files and found no problems...

    Logfile of HijackThis v1.99.1
    Scan saved at 7:54:35 PM, on 6/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
    O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
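
Added example (not part of the thread, and not HijackThis's own code): a small Python triage of the entry types the helper reads by eye in these logs, namely the O10 unknown Winsock LSP provider, the O20 Winlogon Notify keys and the R1 ProxyServer value, plus a diff between two scans. The sample lines are copied and trimmed from the 6/2/2007 and 6/3/2007 8:50 PM logs above; the function names and finding labels are this example's own.

```python
import re
from collections import Counter

# Lines copied (trimmed) from the HijackThis logs posted in this thread:
# the 6/2/2007 scan and the 6/3/2007 8:50 PM scan. Not full logs.
SCAN_BEFORE = r"""
Running processes:
C:\Program Files\Messenger\msmsgs.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: __c00B99B2 - C:\WINDOWS\system32\__c00B99B2.dat
"""
SCAN_AFTER = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: __c00B99B2 - C:\WINDOWS\system32\__c00B99B2.dat (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # "O10 - ...", "R1 - ..."
MISSING = " (file missing)"
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def parse(log):
    """Return (section, text) for every entry line; header and process lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def split_missing(text):
    """Separate the '(file missing)' marker from the entry text."""
    if text.endswith(MISSING):
        return text[: -len(MISSING)], True
    return text, False


def triage(entries):
    """Return (section, reason, detail) findings for the entry types acted on in the thread."""
    findings = []
    # The same LSP file can be listed many times (16 in the 6/2 scan): report it once with a count.
    lsp = Counter(
        text.split(": ", 1)[1].lower()
        for sec, text in entries
        if sec == "O10" and text.startswith("Unknown file in Winsock LSP: ")
    )
    for path, count in sorted(lsp.items()):
        findings.append(("O10", "unknown Winsock LSP provider", f"{path} x{count}"))
    for sec, text in entries:
        body, missing = split_missing(text)
        if sec == "O20" and body.startswith("Winlogon Notify: "):
            path = body.rsplit(" - ", 1)[-1]
            if missing:
                findings.append((sec, "Winlogon Notify key left behind, file gone", path))
            elif not path.lower().endswith(".dll"):
                findings.append((sec, "Winlogon Notify target is not a .dll", path))
        elif sec in ("R0", "R1") and "ProxyServer" in body and "=" in body:
            value = body.split("=", 1)[1].strip()
            if value.split(":")[0].lower() in LOCAL_HOSTS:
                findings.append((sec, "IE proxy points at the local machine", value))
        elif missing:
            findings.append((sec, "entry references a missing file", body))
    return findings


def diff_scans(before, after):
    """Return (removed, added) entries between two scans, ignoring case and the missing marker."""
    def key(entry):
        return entry[0], split_missing(entry[1])[0].lower()
    b, a = {key(e) for e in before}, {key(e) for e in after}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    before, after = parse(SCAN_BEFORE), parse(SCAN_AFTER)
    for label, scan in (("before", before), ("after", after)):
        for finding in triage(scan):
            print(label, *finding, sep=" | ")
    removed, added = diff_scans(before, after)
    print("removed:", removed)
    print("added:", added)
```

On the trimmed samples the diff shows the LSP entries gone after LSPFix, while the Winlogon Notify key is still registered even though its file has been deleted.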

