I have a computer in my network that is unable to access the internet. I can ping myself, my router, and websites like google and yahoo but thats about it. I can connect to the Internet normally on my other computers except this one computer. They didnt have virus protection before and I recently installed Avast! and Ad-Aware SE. Anyone got any ideas?

To start your fix, I will need a HijackThis logfile. You can get HijackThis at this link: link

Then, extract HijackThis from its archive and place it in its own folder - NOT on the Desktop!. This is important. A good location for HijackThis would be the following path:

C:\HijackThis

The program (HijackThis_v_1.99.1.exe) would go in the folder "HijackThis".

Follow the instructions above, run HijackThis, and make a logfile. Post that logfile in a reply.

Here is the Hijact This Log report!

Logfile of HijackThis v1.99.1
Scan saved at 6:08:23 PM, on 5/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\lsass.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\tmp4.tmp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\hijackthis\HijackThis.exe

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\bywtro.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [A00F63F0F.exe] C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\_A00F63F0F.exe
O4 - HKCU\..\Run: [A00F63F1F.exe] C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\_A00F63F1F.exe
O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\tmp4.tmp.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer = 67.15.202.9,72.21.36.74,75.126.60.131
O17 - HKLM\System\CCS\Services\Tcpip\..\{C948F181-5F7D-4541-9548-ADDBAFABDDD5}: NameServer = 67.15.202.9,72.21.36.74,75.126.60.131
O17 - HKLM\System\CS1\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer = 67.15.202.9,72.21.36.74,75.126.60.131
O20 - AppInit_DLLs:
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: winlogin - Unknown owner - C:\WINDOWS\lsass.exe

You have quite a few problems there.

Make sure to read all of my post because you will not be able to access the Internet in Safe Mode.

Since you can't access the Internet, I will need you to download these programs to another computer. Then, using a USB Drive or a CD, you will have to copy them to the infected comp.

These are the programs to download:

* Ad-Aware SE Personal
* Spybot Search & Destroy
* LSPFix

Do not transfer them yet. You will have to install Ad-Aware on the computer you have Internet access on. When the setup finishes, don't open the readme or run a scan, but update the definitions file. Make sure it finishes updating. Do the same with Spybot. LSPFix does not need to be updated.

Next, copy this folder C:\Program Files\Lavasoft to a USB Drive (it is about 3 megabytes). Do the same with C:\Program Files\Spybot - Search & Destroy. You can just copy the zipped LSPFix file to the drive.

Transfer the contents of the drive to the computer without Internet access. Put the folders called Lavasoft and Spybot - Search & Destroy into C:\Program Files. Then, unzip the LSPFix folder to your desktop, where it makes a folder called LSPFix.

Next, reboot your computer into Safe Mode:

- Restart your computer.
- When the computer beeps, but before the Windows loading screen appears, repeatedly press F8. If your computer has function keys, disable them.
- If you get a message on a blue screen about boot drivers, press ESC and keep tapping F8.
- A black screen with grey text should appear. Using the arrow keys, select "Safe Mode" and press Enter. Like normal Windows loading, it will take a few moments.

In Safe Mode, open My Computer. Then, open this path: C:\Program Files\Lavasoft. There should be a folder inside it; just open it. There is a program called Ad-Aware; double-click on it to run a scan. If it gives you a message about definition files, ignore it. Instead of performing a smart scan, change the settings to a full scan. Do the scan. Remove any baddies that appear.

After the scan is done open the folder C:\Program Files\Spybot - Search & Destroy. Open the program called SpybotSd, and do a scan. Don't bother with the Immunize function; you need Internet access for that. Remove anything that is found.

When both the scans are finished, reboot your computer into Safe Mode again. Do the two scans seperately again. Keep rebooting and scanning until nothing can be found. Then, when nothing can be found, reboot into Normal Mode.

Open up HijackThis and go to the Misc. Tools section. Click on the Misc Tools tab, and click "Delete an NT Service". Copy and paste the following in the box that appears:

O23 - Service: winlogin - Unknown owner - C:\WINDOWS\lsass.exe

Press OK. It may reboot your computer; let it.

Next, open HijackThis and do a scan. Place checkmarks beside the following lines:

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\bywtro.dll",realset
O4 - HKCU\..\Run: [A00F63F0F.exe] C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\_A00F63F0F.exe
O4 - HKCU\..\Run: [A00F63F1F.exe] C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\_A00F63F1F.exe
O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\tmp4.tmp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer = 67.15.202.9,72.21.36.74,75.126.60.131
O17 - HKLM\System\CCS\Services\Tcpip\..\{C948F181-5F7D-4541-9548-ADDBAFABDDD5}: NameServer = 67.15.202.9,72.21.36.74,75.126.60.131
O17 - HKLM\System\CS1\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer = 67.15.202.9,72.21.36.74,75.126.60.131
O20 - AppInit_DLLs:

Press "Fix Checked".

Run Avast! Antivirus and perform a full system scan.

Reboot and post another HijackThis logfile.

I dont know... I think I put myself into an even worse situation :( Letting your know the Now symptoms...: periodical reboots, no network functionality <i was able to transfer files via network.> I had absolutely no Internet connection. IE ping router, websites like before.> Apparently my network drivers are all screwy now.. :( When i tried to get rid of the NT service that 023, it said the file was missing after the barrage of scans I completed with Ad aware and Spybot. Here is a HjT log, I hope I didnt broke it summore :) oh and this popup keeps poppin up everytime it does, my computer reboots...
the heading is Services and Controller app, and it has encountered a problem and must be shut down, then gives me a minute then it reboots.

Logfile of HijackThis v1.99.1
Scan saved at 7:40:18 AM, on 5/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\tmp4.tmp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\hijackthis\HijackThis.exe

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [A00F63F0F.exe] C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\_A00F63F0F.exe
O4 - HKCU\..\Run: [A00F63F1F.exe] C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\_A00F63F1F.exe
O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\tmp4.tmp.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O11 - Options group: [INTERNATIONAL] International*
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: winlogin - Unknown owner - C:\WINDOWS\lsass.exe (file missing)

Hmm... no network. That can be fixed.

Can I get you to open up HijackThis again. Go to the Misc. Tools section, and click on the Backups tab. Check all instances of

O17 - HKLM\System\CS1\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer = 67.15.202.9,72.21.36.74,75.126.60.131

and press "Restore". Your network should work again.

You also have a very obvious Vundo infection, which I somehow missed the first time around. Please right-click on HijackThis_v_1.99.1 and rename it to asdf.

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.

* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
*When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


Please download FindAWF: link

Save the file to the Desktop
Double-click FindAWF.exe

If a Security Alert shows, allow the program to run.

When done, a text file awf.txt is produced.

Please post it in your reply.

Can I get you to copy the following files into a Notepad document? You will be rebooting into Safe Mode again.

C:\WINDOWS\lsass.exe
C:\WINDOWS\bywtro.dll
C:\WINDOWS\ALCXMNTR.EXE

Enable viewing of Hidden Files. Open the Control Panel, then Folder Options. Click on the "View" tab, and check "Show hidden files and folders". Press OK.

Reboot into Safe Mode and look for and delete the files above.

VundoFix should have created a log in whatever directory it was run from, post VundoFix's log in your reply. Post a fresh HijackThis log as well as a FindAWF log.

I did everything you asked for and I still do not have networking function after i restored the 017 keys, I uninstalled Avast!, thinking that it would help, no luck... umm the Services and Controll app error popup still pops up giving me a minute then reboots if i click dont send send error report or debug. Heres the three reports you asked for, I couldnt delete the lsass.exe file due to it being a critical windows file that was in use in safe mode. Here they are:


Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

05/04/2007 03:21 PM 96,768 svchost.exe
1 File(s) 96,768 bytes

Directory of C:\HP\KBD\BAK

02/11/2003 11:02 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\AIM\BAK

08/05/2005 03:08 PM 67,160 aim.exe
1 File(s) 67,160 bytes

Directory of C:\PROGRA~1\AIM6\BAK

11/07/2006 11:29 AM 50,736 aim6.exe
1 File(s) 50,736 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

04/21/2004 09:28 PM 286,720 iTunesHelper.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

08/07/2004 05:20 PM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\WINDOWS\CREATOR\BAK

12/18/2003 02:31 AM 118,784 Remind_XP.exe
1 File(s) 118,784 bytes

Directory of C:\WINDOWS\SMINST\BAK

04/14/2004 11:43 PM 233,472 RECGUARD.EXE
1 File(s) 233,472 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

05/07/1998 07:04 PM 52,736 hpsysdrv.exe
1 File(s) 52,736 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 03:00 PM 15,360 ctfmon.exe
08/03/2004 09:43 PM 118,784 hkcmd.exe
06/07/2004 09:42 PM 659,456 hphmon06.exe
10/16/2002 07:57 PM 81,920 ps2.exe
4 File(s) 875,520 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

12/09/2003 02:18 AM 70,776 ccApp.exe
01/20/2004 08:25 PM 124,056 CfgWiz.exe
2 File(s) 194,832 bytes

Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\BAK

03/08/2006 09:56 AM 278,528 MtdAcqu.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\HP\{AAC4F~1\BAK

06/07/2004 09:53 PM 49,152 hphupd06.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

08/07/2004 05:03 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK

08/06/2004 03:23 AM 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

04/16/2007 07:05 PM 171,448 GoogleToolbarNotifier.exe
1 File(s) 171,448 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

08/07/2004 03:36 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

06/07/2005 12:46 AM 57,344 apdproxy.exe
1 File(s) 57,344 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

96768 May 4 2007 "C:\WINDOWS\bak\svchost.exe"
14336 Aug 4 2004 "C:\WINDOWS\system32\svchost.exe"
12800 Aug 17 2001 "D:\MiniNT\system32\svchost.exe"
61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
67160 Aug 5 2005 "C:\Program Files\AIM\bak\aim.exe"
50736 Nov 7 2006 "C:\Program Files\AIM6\bak\aim6.exe"
286720 Apr 21 2004 "C:\Program Files\iTunes\iTunesHelper.exe1176153038"
286720 Apr 21 2004 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
98304 Aug 7 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
118784 Dec 18 2003 "C:\WINDOWS\CREATOR\bak\Remind_XP.exe"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
118784 Aug 3 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
118784 Aug 3 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 Aug 3 2004 "C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\hkcmd.exe"
659456 Jun 7 2004 "C:\WINDOWS\system32\bak\hphmon06.exe"
81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
70776 Dec 9 2003 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
120464 Sep 30 2005 "C:\Program Files\Norton SystemWorks\CfgWiz.exe"
120464 Sep 23 2005 "C:\Program Files\Norton SystemWorks\Norton AntiVirus\CfgWiz.exe"
124056 Jan 20 2004 "C:\Program Files\Common Files\Symantec Shared\bak\CfgWiz.exe"
104568 Feb 26 2001 "C:\Program Files\Common Files\Microsoft Shared\web server extensions\50\bin\CFGWIZ.EXE"
278528 Mar 8 2006 "C:\Program Files\Creative\MediaSource5\bak\MtdAcqu.exe"
49152 Jun 7 2004 "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe"
180269 Aug 7 2004 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe1178124425"
180269 Aug 7 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
218240 Aug 6 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
52272 Apr 16 2007 "C:\Program Files\Google\googletoolbar2user.exe"
138168 Apr 16 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
171448 Apr 16 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
32881 Jun 3 2004 "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe"
49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
32881 Aug 7 2004 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"
57344 Jun 7 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"


end of report

VundoFix file (I think I got the right file!)

C:\WINDOWS\system32\dcomqic.dll
C:\WINDOWS\system32\opnmkki.dll
C:\WINDOWS\system32\tmp4.tmp.dll
C:\WINDOWS\system32\utstv.bak1
C:\WINDOWS\system32\utstv.bak2
C:\WINDOWS\system32\utstv.ini
C:\WINDOWS\system32\utstv.ini2
C:\WINDOWS\system32\utstv.tmp
C:\WINDOWS\system32\vtstu.dll

and Finally the HjT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:20:00 PM, on 5/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\msiexec.exe
C:\hijackthis\asdf.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {149d0e5c-7c28-4d06-a1d5-0d21d3405c1b} - C:\WINDOWS\system32\dcomqic.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\fjcglosl.dll
O2 - BHO: (no name) - {4D3D0406-08B9-455A-8B83-0C1E626ED4B4} - C:\WINDOWS\system32\xkaflnuu.dll
O2 - BHO: msdn_lib.msdn_hlp - {7C2F2C76-1489-450D-B8FB-0B9692D788F9} - C:\WINDOWS\system32\msdn_lib.dll
O2 - BHO: (no name) - {805550A5-DAB4-4F24-90AA-BC32EB28264f} - C:\WINDOWS\system32\xkaflnuu.dll
O2 - BHO: (no name) - {817288D8-6989-49D6-B6CC-9EFBC0446737} - C:\WINDOWS\system32\vtstu.dll (file missing)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmp2.tmp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer = 67.15.202.9,72.21.36.74,75.126.60.131
O17 - HKLM\System\CCS\Services\Tcpip\..\{C948F181-5F7D-4541-9548-ADDBAFABDDD5}: NameServer = 67.15.202.9,72.21.36.74,75.126.60.131
O17 - HKLM\System\CS1\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer = 67.15.202.9,72.21.36.74,75.126.60.131
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: __c00B99B2 - C:\WINDOWS\system32\__c00B99B2.dat
O20 - Winlogon Notify: __c00F1A08 - C:\WINDOWS\system32\__c00F1A08.dat
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: winlogin - Unknown owner - C:\WINDOWS\lsass.exe (file missing)

Nice and long... Thank you so much for taking the time with this problem! I know you do this hundreds of times! We really appreciate it! I learn more and more and are able to repair others computers with the actions we do.

Fredil! where you at man! You left meh, still working on da problem... wondering if its fixable or do I just need to format XP again.... ? Save meh

I'm sorry I left you... it's been a busy few days.

Give me another day, and I'll report back.

Once again, sorry for the delay :-(

Hey Fredil,
Dude dont sweat it, I know your doing this voluntarily so I greatly appreciate even an inkling of your time! I hope your knowledge will germinate to me and I can help fix others computers as well!

You da Man!


Zax

Sorry... I had a lot of take-home final exams and my exit exams are next week. It's not easy being thirteen...

I'm having a friend of mine (KotaGuy) interpret the FindAWF logfile. He will write me up a fix for you to use. (Batch files aren't my specialty.)

Let's see what we can do for your network. Since I'm not wholly used to System Restore, you will have to do quite a few things again, or at least check.

Open the Start Menu. Go to All Programs > Accessories > System Tools > System Restore. When the window opens, click "Next", and turn the month back to May (there are arrows on the top of the calendar). See if you have a restore point for May 27; if you don't, check for May 28. If you have more than one, revert to the earliest one. I apologize for not doing this earlier as a revert to May 27 would have guaranteed the network fix, I believe.

After you restore, open HijackThis and place checkmarks next to the following lines (they may not be there; I am not familiar with the mechanics of System Restore):

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\bywtro.dll",realset
O4 - HKCU\..\Run: [A00F63F0F.exe] C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\_A00F63F0F.exe
O4 - HKCU\..\Run: [A00F63F1F.exe] C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\_A00F63F1F.exe
O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\ALLEN~1.MIC\LOCALS~1\Temp\tmp4.tmp.exe"

You should also run Spybot S & D, Ad-Aware, and VundoFix again (Remember to run SB and AAW in Safe Mode multiple times; VundoFix can be ran twice for better results sometimes).

I need you to completely clear your Temporary Internet Files. Open up the Control Panel, and go to Folder Options. Click on the View tab, and enable the viewing of hidden files. Hit "Apply" and close Folder Options. Afterwards, open My Computer and the C: drive. Open Documents and Settings; you should see a bunch of usernames. Double-click on Allen (there may be something after it). You will see a folder called "Cookies"; right-click on the folder and select "Delete". You will see an error that index.dat cannot be deleted, this is okay. You will see another folder called Local Settings (it is faded out). Right-click on the folder called "Temp" and press Delete. You may or may not get an unable to delete message; if you do, tell me what file it is. Do the same thing with Temporary Internet Files.

Can I get you to grab me an Uninstall Log from HijackThis. Open it up, and open the Misc. Tools tab. Click on the button labelled "Open Uninstall Manager". There should be a button called "Save List"; save the list and post it in your reply.

Are you getting BSOD (Blue Screen of Death)? If you are, tell me. It *may* be the source of your Internet problem.

In your reply:
* A new VundoFix log
* A log of the HijackThis Uninstall Manager
* A HijackThis logfile
* A lot of good luck :)

Thirteen? your not thirteen! anyway... nothing new happened.. still got the same network down, the services and controller app error popup still shows no internet function... I cant even ping.. here are the requested items.


HijackThis Unistall Log

Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Download Manager 2.2 (Remove Only)
Adobe Reader 6.0.1
Adobe® Photoshop® Album Starter Edition 3.0
Agere Systems PCI Soft Modem
CC_ccProxyMSI
CC_ccStart
ccCommon
Easy Internet Sign-up
Google Toolbar for Internet Explorer
Help and Support Additions
High Definition Audio Driver Package - KB835221
HijackThis 1.99.1
Hotfix for Windows XP (KB915865)
HP Deskjet Preloaded Printer Drivers
HP Image Zone 4.2
HP Image Zone Plus 4.2
HP Organize
HP Photo & Imaging 3.5 - HP Devices
HP PSC & OfficeJet 4.0
HP Software Update
HPIZ402
Intel(R) Extreme Graphics Driver
IntelliMover Data Transfer Demo
InterVideo WinDVD Creator 2
InterVideo WinDVD Player
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
KBD
LiveReg (Symantec Corporation)
LiveUpdate 1.90 (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Office XP Professional with FrontPage
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Works 7.0
MSRedist
muvee autoProducer 3.5 magicMoments - HPD
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Personal firewall
Norton Personal firewall (Symantec Corporation)
Norton Security Center
Norton WMI Update
NVIDIA GART Driver
PC-Doctor for Windows
Photosmart 320,370,7400,8100,8400 Series
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
QuickTime
RealPlayer
Sonic RecordNow!
Updates from HP
Windows Internet Explorer 7
Windows XP Hotfix - KB883667

Logfile of HijackThis v1.99.1
Scan saved at 9:15:28 PM, on 6/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\hijackthis\asdf.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {149d0e5c-7c28-4d06-a1d5-0d21d3405c1b} - C:\WINDOWS\system32\dcomqic.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\fjcglosl.dll
O2 - BHO: (no name) - {4D3D0406-08B9-455A-8B83-0C1E626ED4B4} - C:\WINDOWS\system32\xkaflnuu.dll
O2 - BHO: msdn_lib.msdn_hlp - {7C2F2C76-1489-450D-B8FB-0B9692D788F9} - C:\WINDOWS\system32\msdn_lib.dll
O2 - BHO: (no name) - {805550A5-DAB4-4F24-90AA-BC32EB28264f} - C:\WINDOWS\system32\xkaflnuu.dll
O2 - BHO: (no name) - {817288D8-6989-49D6-B6CC-9EFBC0446737} - C:\WINDOWS\system32\vtstu.dll (file missing)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmp2.tmp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer = 67.15.202.9,72.21.36.74,75.126.60.131
O17 - HKLM\System\CCS\Services\Tcpip\..\{C948F181-5F7D-4541-9548-ADDBAFABDDD5}: NameServer = 67.15.202.9,72.21.36.74,75.126.60.131
O17 - HKLM\System\CS1\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer = 67.15.202.9,72.21.36.74,75.126.60.131
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: __c00B99B2 - C:\WINDOWS\system32\__c00B99B2.dat
O20 - Winlogon Notify: __c00F1A08 - C:\WINDOWS\system32\__c00F1A08.dat
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: winlogin - Unknown owner - C:\WINDOWS\lsass.exe (file missing)



VundoFix V6.4.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 8:41:07 PM 5/28/2007

Listing files found while scanning....

C:\WINDOWS\system32\dcomqic.dll
C:\WINDOWS\system32\opnmkki.dll
C:\WINDOWS\system32\tmp4.tmp.dll
C:\WINDOWS\system32\utstv.bak1
C:\WINDOWS\system32\utstv.bak2
C:\WINDOWS\system32\utstv.ini
C:\WINDOWS\system32\utstv.ini2
C:\WINDOWS\system32\utstv.tmp
C:\WINDOWS\system32\vtstu.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\dcomqic.dll
C:\WINDOWS\system32\dcomqic.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnmkki.dll
C:\WINDOWS\system32\opnmkki.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\utstv.bak1
C:\WINDOWS\system32\utstv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\utstv.bak2
C:\WINDOWS\system32\utstv.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\utstv.ini
C:\WINDOWS\system32\utstv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\utstv.ini2
C:\WINDOWS\system32\utstv.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\utstv.tmp
C:\WINDOWS\system32\utstv.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtstu.dll
C:\WINDOWS\system32\vtstu.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 6:44:19 PM 6/1/2007

Listing files found while scanning....

C:\WINDOWS\bywtro.dll
C:\WINDOWS\ortwyb.ini

Beginning removal...

Attempting to delete C:\WINDOWS\ortwyb.ini
C:\WINDOWS\ortwyb.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 7:22:52 PM 6/1/2007

Listing files found while scanning....

No infected files were found.

Oh, I so am thirteen :D

Nothing wrong with uninstall log.

For some reason, VundoFix isn't working as well as it should; there is still active Vundo in your HijackThis log.

We should fix this. Open HijackThis and re-scan. Place checkmarks beside the following:

O2 - BHO: (no name) - {149d0e5c-7c28-4d06-a1d5-0d21d3405c1b} - C:\WINDOWS\system32\dcomqic.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\fjcglosl.dll
O2 - BHO: (no name) - {4D3D0406-08B9-455A-8B83-0C1E626ED4B4} - C:\WINDOWS\system32\xkaflnuu.dll
O2 - BHO: msdn_lib.msdn_hlp - {7C2F2C76-1489-450D-B8FB-0B9692D788F9} - C:\WINDOWS\system32\msdn_lib.dll
O2 - BHO: (no name) - {805550A5-DAB4-4F24-90AA-BC32EB28264f} - C:\WINDOWS\system32\xkaflnuu.dll
O2 - BHO: (no name) - {817288D8-6989-49D6-B6CC-9EFBC0446737} - C:\WINDOWS\system32\vtstu.dll (file missing)
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmp2.tmp.dll (all of these except one are Vundo, the other is malware)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE (Realtek spyware, not malicious but monitors your computer habits)
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe (spyware crap from Zeno Search)
O23 - Service: winlogin - Unknown owner - C:\WINDOWS\lsass.exe (file missing)

Press "Fix Checked".

Please download SmitFraudFix.exe to your Desktop. Double-click it; it should produce a Command Prompt window. A credits screen will come up; press any key to get past it.

Note: Do Not Perform Any Other Options Unless Asked!!

Please select option No. 1 - Search. Press Enter, and it will perform a scan. After the scan, a log called rapport.txt will be made; it will look something like this (minus Chinese characters; my Notepad has a display issue):

Quote:

---

SmitFraudFix v2.190

Scan done at 11:13:18.90, 02/06/2007
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

换换换换换换换换换换换换 Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
C:\Program Files\Labtec Wireless Desktop\MulMouse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Labtec Wireless Desktop\OSD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe

换换换换换换换换换换换换 hosts

hosts file corrupted !

127.0.0.1 hk.digitaltrends.com
127.0.0.1 microsoft.com.org #[IE-SpyAd]
127.0.0.1 www.www.microsoft.com.org

换换换换换换换换换换换换 C:\


换换换换换换换换换换换换 C:\WINDOWS


换换换换换换换换换换换换 C:\WINDOWS\system


换换换换换换换换换换换换 C:\WINDOWS\Web


换换换换换换换换换换换换 C:\WINDOWS\system32


换换换换换换换换换换换换 C:\WINDOWS\system32\LogFiles


换换换换换换换换换换换换 C:\Documents and Settings\Fred


换换换换换换换换换换换换 C:\Documents and Settings\Fred\Application Data


换换换换换换换换换换换换 Start Menu


换换换换换换换换换换换换 C:\DOCUME~1\Fred\FAVORI~1


换换换换换换换换换换换换 Desktop


换换换换换换换换换换换换 C:\Program Files


换换换换换换换换换换换换 Corrupted keys


换换换换换换换换换换换换 Desktop Components



换换换换换换换换换换换换 Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


换换换换换换换换换换换换 AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


换换换换换换换换换换换换 Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


换换换换换换换换换换换换 pe386-msguard-lzx32-huy32-xpdt



换换换换换换换换换换换换 DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 68.87.71.226
DNS Server Search Order: 68.87.73.242

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3A83503C-97C5-4772-AF16-CE0E31C48BC1}: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3A83503C-97C5-4772-AF16-CE0E31C48BC1}: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3A83503C-97C5-4772-AF16-CE0E31C48BC1}: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242


换换换换换换换换换换换换 Scanning for wininet.dll infection


换换换换换换换换换换换换 End

---

Copy and paste the contents of that log into your reply. Please note that I use a custom Hosts file, and my Hosts file isn't actually corrupted :D If SmitFraudFix.exe won't work on the Desktop, please copy the file into C:. Then it should work.

Next, I want to see what we're dealing with. Please go to VirusTotal. In the top right, you should see a button labelled "Browse"; there should be a text box beside it. Paste the following into that text box:

C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

Click the big "Send" button. You may have to wait a while, as there are a few people using VirusTotal to scan suspicious files. When the scan is done, there should be a table. Don't worry about the smaller one below it with random characters; just copy the whole table on top and paste it into your reply. It should look something like this (I don't really have a virus; I scanned a VBS file that would open your CD-Tray if opened):

Quote:

---

AhnLab-V3 2007.5.31.2 06.01.2007 no virus found
AntiVir 7.4.0.29 06.01.2007 no virus found
Authentium 4.93.8 05.23.2007 VBS/CDEject.A
Avast 4.7.997.0 06.01.2007 no virus found
AVG 7.5.0.467 06.01.2007 no virus found
BitDefender 7.2 06.02.2007 no virus found
CAT-QuickHeal 9.00 06.01.2007 no virus found
ClamAV devel-20070416 06.02.2007 no virus found
DrWeb 4.33 06.02.2007 no virus found
eSafe 7.0.15.0 05.31.2007 no virus found
eTrust-Vet 30.7.3684 06.02.2007 no virus found
Ewido 4.0 06.02.2007 no virus found
FileAdvisor 1 06.02.2007 no virus found
Fortinet 2.85.0.0 06.02.2007 Joke/EjectCD
F-Prot 4.3.2.48 06.01.2007 VBS/CDEject.A
F-Secure 6.70.13030.0 06.01.2007 VBS/CDEject.A
Ikarus T3.1.1.8 06.02.2007 no virus found
Kaspersky 4.0.2.24 06.02.2007 no virus found
McAfee 5044 06.01.2007 no virus found
Microsoft 1.2503 06.02.2007 no virus found
NOD32v2 2305 06.01.2007 no virus found
Norman 5.80.02 06.01.2007 no virus found
Panda 9.0.0.4 06.02.2007 no virus found
Prevx1 V2 06.02.2007 no virus found
Sophos 4.18.0 06.01.2007 no virus found
Sunbelt 2.2.907.0 05.30.2007 no virus found
Symantec 10 06.02.2007 no virus found
TheHacker 6.1.6.128 05.31.2007 no virus found
VBA32 3.12.0 06.01.2007 Trojan.VBS.CDJack.a#1
VirusBuster 4.3.23:9 06.02.2007 Joke.VBS.Cdject.A
Webwasher-Gateway 6.0.1 06.02.2007 no virus found

---

Do the same thing for the following (all of the files should not take more than twenty minutes):

C:\WINDOWS\system32\xkaflnuu.dll

C:\WINDOWS\system32\msdn_lib.dll

C:\WINDOWS\system32\dwdsregt.exe

c:\windows\system32\cijdngd.dll (this may be the file that is the source of your Internet problem)

C:\WINDOWS\lsass.exe

C:\WINDOWS\system32\tmp2.tmp.dll

C:\WINDOWS\system32\__c00B99B2.dat

C:\WINDOWS\system32\__c00F1A08.dat

Paste the results of all the files in your reply (if all the scans for one file say "No virus found", you do not need to paste the log, just tell me). Seperate them so I know what file was scanned.

If you get an error syaing something about 0 bytes file size, then I probably did something wrong, not you :D

In your next reply:
* A SmitFraudFix log
* VirusTotal logs for all the files you scanned
* A fresh HijackThis logfile

The first are the VirusTotal logs then the smithfraud, then the HjT. Ive used smithfraudFix quite a few times to fix friends computers and it works like a charm but hehe didnt work this time round! desktop still loads up slow and the Services and Controller app error code still keeps poppin up! FYI...

I'll have to see some proof that your thirteen!! I cant believe it!!

XKAFLUNN.DLL

Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.01.2007 Win-Trojan/Klone.131604.K
AntiVir 7.4.0.29 06.01.2007 TR/Dldr.ConHook.Gen
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.01.2007 no virus found
AVG 7.5.0.467 06.02.2007 Generic4.RMZ
BitDefender 7.2 06.03.2007 Trojan.BHO.AR
CAT-QuickHeal 9.00 06.02.2007 Trojan.Klone.j
ClamAV devel-20070416 06.03.2007 no virus found
DrWeb 4.33 06.02.2007 no virus found
eSafe 7.0.15.0 05.31.2007 Suspicious Trojan/Worm
eTrust-Vet 30.7.3684 06.02.2007 Win32/Vundo.DA
Ewido 4.0 06.02.2007 Adware.BHO
FileAdvisor 1 06.03.2007 no virus found
Fortinet 2.85.0.0 06.02.2007 no virus found
F-Prot 4.3.2.48 06.01.2007 no virus found
F-Secure 6.70.13030.0 06.02.2007 Packed.Win32.Klone.j
Ikarus T3.1.1.8 06.02.2007 Packed.Win32.Klone.j
Kaspersky 4.0.2.24 06.03.2007 Packed.Win32.Klone.j
McAfee 5044 06.01.2007 no virus found
Microsoft 1.2503 06.03.2007 Adware:Win32/Virtumonde.A
NOD32v2 2305 06.01.2007 probably a variant of Win32/Adware.BHO.V
Norman 5.80.02 06.01.2007 Smalltroj.gen2
Panda 9.0.0.4 06.02.2007 Spyware/Virtumonde
Prevx1 V2 06.03.2007 no virus found
Sophos 4.18.0 06.01.2007 Troj/BHO-CB
Sunbelt 2.2.907.0 05.30.2007 no virus found
Symantec 10 06.03.2007 no virus found
TheHacker 6.1.6.128 05.31.2007 Trojan/Klone.j
VBA32 3.12.0 06.02.2007 Adware.Crew
VirusBuster 4.3.23:9 06.02.2007 Trojan.DL.Conhook.Gen!Pac
Webwasher-Gateway 6.0.1 06.02.2007 Trojan.Dldr.ConHook.Gen


tmp2.tmp.dll

Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.01.2007 no virus found
AntiVir 7.4.0.29 06.01.2007 TR/Dldr.ConHook.Gen
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.01.2007 no virus found
AVG 7.5.0.467 06.02.2007 no virus found
BitDefender 7.2 06.03.2007 MemScan:Trojan.Agent.AADI
CAT-QuickHeal 9.00 06.02.2007 no virus found
ClamAV devel-20070416 06.03.2007 no virus found
DrWeb 4.33 06.02.2007 no virus found
eSafe 7.0.15.0 05.31.2007 no virus found
eTrust-Vet 30.7.3684 06.02.2007 no virus found
Ewido 4.0 06.02.2007 no virus found
FileAdvisor 1 06.03.2007 no virus found
Fortinet 2.85.0.0 06.02.2007 suspicious
F-Prot 4.3.2.48 06.01.2007 no virus found
F-Secure 6.70.13030.0 06.02.2007 no virus found
Ikarus T3.1.1.8 06.02.2007 Trojan-Spy.Win32.Bancos.ha
Kaspersky 4.0.2.24 06.03.2007 no virus found
McAfee 5044 06.01.2007 no virus found
Microsoft 1.2503 06.03.2007 VirTool:Win32/Obfuscator.C
NOD32v2 2305 06.01.2007 a variant of Win32/BHO.G
Norman 5.80.02 06.01.2007 W32/Suspicious_U.gen
Panda 9.0.0.4 06.02.2007 Suspicious file
Prevx1 V2 06.03.2007 no virus found
Sophos 4.18.0 06.01.2007 Mal/Packer
Sunbelt 2.2.907.0 05.30.2007 VIPRE.Suspicious
Symantec 10 06.03.2007 no virus found
TheHacker 6.1.6.128 05.31.2007 no virus found
VBA32 3.12.0 06.02.2007 Trojan.Win32.BHO.g
VirusBuster 4.3.23:9 06.02.2007
Webwasher-Gateway 6.0.1 06.03.2007 Trojan.Dldr.ConHook.Gen


MSDN_LIB.dll

Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.01.2007 no virus found
AntiVir 7.4.0.29 06.01.2007 TR/Crypt.FKM.Gen
Authentium 4.93.8 05.23.2007 is a security risk or a "backdoor" program
Avast 4.7.997.0 06.01.2007 no virus found
AVG 7.5.0.467 06.02.2007 Downloader.Generic4.ILD
BitDefender 7.2 06.03.2007 no virus found
CAT-QuickHeal 9.00 06.02.2007 no virus found
ClamAV devel-20070416 06.03.2007 no virus found
DrWeb 4.33 06.02.2007 no virus found
eSafe 7.0.15.0 05.31.2007 Win32.VB.apq
eTrust-Vet 30.7.3684 06.02.2007 no virus found
Ewido 4.0 06.02.2007 Downloader.VB.apq
FileAdvisor 1 06.03.2007 no virus found
Fortinet 2.85.0.0 06.02.2007 W32/VB.APQ!tr.dldr
F-Prot 4.3.2.48 06.01.2007 W32/Downloader2
F-Secure 6.70.13030.0 06.02.2007 Trojan-Downloader.Win32.VB.apq
Ikarus T3.1.1.8 06.02.2007 Trojan-Downloader.Win32.VB.apq
Kaspersky 4.0.2.24 06.03.2007 Trojan-Downloader.Win32.VB.apq
McAfee 5044 06.01.2007 TFactory
Microsoft 1.2503 06.03.2007 no virus found
NOD32v2 2305 06.01.2007 no virus found
Norman 5.80.02 06.01.2007 W32/DLoader.CSPU
Panda 9.0.0.4 06.02.2007 Malware Generic
Prevx1 V2 06.03.2007 no virus found
Sophos 4.18.0 06.01.2007 no virus found
Sunbelt 2.2.907.0 05.30.2007 Trojan.Unclassified.gen
Symantec 10 06.03.2007 Trojan Horse
TheHacker 6.1.6.128 05.31.2007 Trojan/Downloader.VB.apq
VBA32 3.12.0 06.02.2007 Trojan-Downloader.Win32.VB.apq
VirusBuster 4.3.23:9 06.02.2007 no virus found
Webwasher-Gateway 6.0.1 06.03.2007 Trojan.Crypt.FKM.Gen

cijdngd.dll

Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.01.2007 Win-Trojan/Xema.variant
AntiVir 7.4.0.29 06.01.2007 TR/Agent.AOJ.17
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.01.2007 no virus found
AVG 7.5.0.467 06.02.2007 no virus found
BitDefender 7.2 06.03.2007 Trojan.Agent.AOJ
CAT-QuickHeal 9.00 06.02.2007 Trojan.Agent.afg
ClamAV devel-20070416 06.03.2007 no virus found
DrWeb 4.33 06.02.2007 Trojan.Netqv
eSafe 7.0.15.0 05.31.2007 Win32.Agent.afg
eTrust-Vet 30.7.3684 06.02.2007 Win32/Netvq!generic
Ewido 4.0 06.02.2007 Trojan.Agent.j
FileAdvisor 1 06.03.2007 High threat detected
Fortinet 2.85.0.0 06.02.2007 W32/NetVQ.QTZ!tr
F-Prot 4.3.2.48 06.01.2007 no virus found
F-Secure 6.70.13030.0 06.02.2007 Trojan.Win32.Agent.afg
Ikarus T3.1.1.8 06.02.2007 Trojan.Win32.Agent.afg
Kaspersky 4.0.2.24 06.03.2007 Trojan.Win32.Agent.afg
McAfee 5044 06.01.2007 no virus found
Microsoft 1.2503 06.03.2007 no virus found
NOD32v2 2305 06.01.2007 no virus found
Norman 5.80.02 06.01.2007 no virus found
Panda 9.0.0.4 06.02.2007 Trj/Spamer.BP
Prevx1 V2 06.03.2007 Polynomial.Code.Exploit
Sophos 4.18.0 06.01.2007 Troj/NetVQ-Gen
Sunbelt 2.2.907.0 05.30.2007 Trojan.Win32.Agent.afg
Symantec 10 06.03.2007 no virus found
TheHacker 6.1.6.128 05.31.2007 Trojan/Agent.afg
VBA32 3.12.0 06.02.2007 Trojan.Win32.Agent.afg
VirusBuster 4.3.23:9 06.02.2007 no virus found
Webwasher-Gateway 6.0.1 06.03.2007 Trojan.Agent.AOJ.17

__c00F1A08.dat

Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.01.2007 no virus found
AntiVir 7.4.0.29 06.01.2007 HEUR/Crypted
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.01.2007 no virus found
AVG 7.5.0.467 06.02.2007 no virus found
BitDefender 7.2 06.03.2007 no virus found
CAT-QuickHeal 9.00 06.02.2007 no virus found
ClamAV devel-20070416 06.03.2007 no virus found
DrWeb 4.33 06.02.2007 Trojan.DownLoader.22964
eSafe 7.0.15.0 05.31.2007 Suspicious Trojan/Worm
eTrust-Vet 30.7.3684 06.02.2007 no virus found
Ewido 4.0 06.02.2007 no virus found
FileAdvisor 1 06.03.2007 no virus found
Fortinet 2.85.0.0 06.02.2007 no virus found
F-Prot 4.3.2.48 06.01.2007 no virus found
F-Secure 6.70.13030.0 06.02.2007 Packed.Win32.Morphine.a
Ikarus T3.1.1.8 06.02.2007 MalwareScope.Trojan-Spy.BZub.1
Kaspersky 4.0.2.24 06.03.2007 Packed.Win32.Morphine.a
McAfee 5044 06.01.2007 no virus found
Microsoft 1.2503 06.03.2007 VirTool:Win32/Obfuscator.E
NOD32v2 2305 06.01.2007 no virus found
Norman 5.80.02 06.01.2007 W32/BHO.QG
Panda 9.0.0.4 06.02.2007 Malware Generic
Prevx1 V2 06.03.2007 no virus found
Sophos 4.18.0 06.01.2007 Mal/Behav-010
Sunbelt 2.2.907.0 05.30.2007 no virus found
Symantec 10 06.03.2007 no virus found
TheHacker 6.1.6.128 05.31.2007 Trojan/Morphine.a
VBA32 3.12.0 06.02.2007 Trojan.DownLoader.22964
VirusBuster 4.3.23:9 06.02.2007 no virus found
Webwasher-Gateway 6.0.1 06.03.2007 Heuristic.Crypted

__c00B99B2.dat

Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.01.2007 no virus found
AntiVir 7.4.0.29 06.01.2007 HEUR/Crypted
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.01.2007 no virus found
AVG 7.5.0.467 06.02.2007 no virus found
BitDefender 7.2 06.03.2007 no virus found
CAT-QuickHeal 9.00 06.02.2007 no virus found
ClamAV devel-20070416 06.03.2007 no virus found
DrWeb 4.33 06.02.2007 Trojan.DownLoader.22964
eSafe 7.0.15.0 05.31.2007 Suspicious Trojan/Worm
eTrust-Vet 30.7.3684 06.02.2007 no virus found
Ewido 4.0 06.02.2007 no virus found
FileAdvisor 1 06.03.2007 no virus found
Fortinet 2.85.0.0 06.02.2007 no virus found
F-Prot 4.3.2.48 06.01.2007 no virus found
F-Secure 6.70.13030.0 06.02.2007 Packed.Win32.Morphine.a
Ikarus T3.1.1.8 06.02.2007 MalwareScope.Trojan-Spy.BZub.1
Kaspersky 4.0.2.24 06.03.2007 Packed.Win32.Morphine.a
McAfee 5044 06.01.2007 no virus found
Microsoft 1.2503 06.03.2007 VirTool:Win32/Obfuscator.E
NOD32v2 2305 06.01.2007 no virus found
Norman 5.80.02 06.01.2007 W32/BHO.QG
Panda 9.0.0.4 06.02.2007 Malware Generic
Prevx1 V2 06.03.2007 no virus found
Sophos 4.18.0 06.01.2007 Mal/Behav-010
Sunbelt 2.2.907.0 05.30.2007 no virus found
Symantec 10 06.03.2007 no virus found
TheHacker 6.1.6.128 05.31.2007 Trojan/Morphine.a
VBA32 3.12.0 06.02.2007 Trojan.DownLoader.22964
VirusBuster 4.3.23:9 06.02.2007 no virus found
Webwasher-Gateway 6.0.1 06.03.2007 Heuristic.Crypted


SmitFraudFix v2.113

Scan done at 22:04:42.45, Sat 06/02/2007
Run from C:\Documents and Settings\HP_Owner\Desktop\SmitFraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\HP_Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\HP_Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\HP_Owner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Logfile of HijackThis v1.99.1
Scan saved at 11:14:31 PM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\HP_Owner\Application Data\U3\00001755C8600165\LaunchPad.exe
C:\hijackthis\asdf.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cijdngd.dll
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer = 67.15.202.9,72.21.36.74,75.126.60.131
O17 - HKLM\System\CCS\Services\Tcpip\..\{C948F181-5F7D-4541-9548-ADDBAFABDDD5}: NameServer = 67.15.202.9,72.21.36.74,75.126.60.131
O17 - HKLM\System\CS1\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer = 67.15.202.9,72.21.36.74,75.126.60.131
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: __c00B99B2 - C:\WINDOWS\system32\__c00B99B2.dat
O20 - Winlogon Notify: __c00F1A08 - C:\WINDOWS\system32\__c00F1A08.dat
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Quote:

---

cijdngd.dll

Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.01.2007 Win-Trojan/Xema.variant
AntiVir 7.4.0.29 06.01.2007 TR/Agent.AOJ.17
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.01.2007 no virus found
AVG 7.5.0.467 06.02.2007 no virus found
BitDefender 7.2 06.03.2007 Trojan.Agent.AOJ
CAT-QuickHeal 9.00 06.02.2007 Trojan.Agent.afg
ClamAV devel-20070416 06.03.2007 no virus found
DrWeb 4.33 06.02.2007 Trojan.Netqv
eSafe 7.0.15.0 05.31.2007 Win32.Agent.afg
eTrust-Vet 30.7.3684 06.02.2007 Win32/Netvq!generic
Ewido 4.0 06.02.2007 Trojan.Agent.j
FileAdvisor 1 06.03.2007 High threat detected
Fortinet 2.85.0.0 06.02.2007 W32/NetVQ.QTZ!tr
F-Prot 4.3.2.48 06.01.2007 no virus found
F-Secure 6.70.13030.0 06.02.2007 Trojan.Win32.Agent.afg
Ikarus T3.1.1.8 06.02.2007 Trojan.Win32.Agent.afg
Kaspersky 4.0.2.24 06.03.2007 Trojan.Win32.Agent.afg
McAfee 5044 06.01.2007 no virus found
Microsoft 1.2503 06.03.2007 no virus found
NOD32v2 2305 06.01.2007 no virus found
Norman 5.80.02 06.01.2007 no virus found
Panda 9.0.0.4 06.02.2007 Trj/Spamer.BP
Prevx1 V2 06.03.2007 Polynomial.Code.Exploit
Sophos 4.18.0 06.01.2007 Troj/NetVQ-Gen
Sunbelt 2.2.907.0 05.30.2007 Trojan.Win32.Agent.afg
Symantec 10 06.03.2007 no virus found
TheHacker 6.1.6.128 05.31.2007 Trojan/Agent.afg
VBA32 3.12.0 06.02.2007 Trojan.Win32.Agent.afg
VirusBuster 4.3.23:9 06.02.2007 no virus found
Webwasher-Gateway 6.0.1 06.03.2007 Trojan.Agent.AOJ.17

---

Isn't it nice to know that there are randomly named trojans killing your LSP stack?

Nevermind. The good thing is that you have LSPFix on hand. Open up LSPFix. If there is something in the "Remove" box, DO NOT DO ANYTHING, LEAVE IT AND PRESS "FINISH". If there isn't then follow my directions carefully, since failure to do so can require you to reinstall your OS. If there isn't anything in the "Remove" box, then place a little checkmark beside the "I know what I'm doing..." box. One by one, select all instances of cijdngd.dll and move them over to the "Remove" panel. Press "Finish". If you still can't access the Internet, then open LSPFix again and just press Finish without doing anything. This *should* get your Internet back if your network is operational... damn network problem :) A good way to see if it worked is to disconnect your network and to plug the modem directly into your computer.

I said Search, not Clean for SmitFraudFix, but I guess no harm done. However, you will have to clean further with SMF. Reboot into Safe Mode:

Originally posted by Fredil:

---

- Restart your computer.
- When the computer beeps, but before the Windows loading screen appears, repeatedly press F8. If your computer has function keys, disable them.
- If you get a message on a blue screen about boot drivers, press ESC and keep tapping F8.
- A black screen with grey text should appear. Using the arrow keys, select "Safe Mode" and press Enter. Like normal Windows loading, it will take a few moments.

---

and run SmitFraudFix again, selecting "Clean". It should overwrite the C:\rapport.txt; give me the new one.

You missed some files to send to VirusTotal; so those weren't infected/didn't exist? If they didn't exist, try enabling hidden files then sending again:

1. Open the Control Panel
2. Open Folder Options and click the "View" tab
3. Click "Show hidden files and folders"
4. Press "Apply" and "Close".

For the files you did send, though, the scans don't look very promising. Reboot into Safe Mode and delete the following files:

C:\WINDOWS\system32\xkaflnuu.dll

C:\WINDOWS\system32\msdn_lib.dll

C:\WINDOWS\lsass.exe

C:\WINDOWS\system32\tmp2.tmp.dll

C:\WINDOWS\system32\__c00B99B2.dat

C:\WINDOWS\system32\__c00F1A08.dat

C:\WINDOWS\bywtro.dll

C:\WINDOWS\ALCXMNTR.EXE

C:\WINDOWS\system32\fjcglosl.dll

Right-click on your Recycle Bin and select "Empty Recycle Bin". Reboot into Normal Mode. If you just installed Avast! on this computer as well, then uninstall either Norton or Avast!, as two antivirus programs on one computer is a no-no.

In your next reply I want:
* rapport.txt from SmitFraudFix
* new VirusTotal logs, if applicable
* a fresh HijackThis log

Hey, I apoligize for not saying it in my reply, the missing files had no problems and did not include them... I did the LSPFix and still no Internet... I still have no network either.. I have yellow question marks on my network portion of the devices and no connections like the LAN or the I394 adapter like I once did.. I cant even attempt to set up a network either..

As far as the SmitFraudFix, I do believe that was just a scan, either it was a previous attempt at fixing before we started and/or I used the wrong file.

I also tried to delete the files you requested and ran into some problems.... The following files would not delete:

lsass.exe - cannot be deleted due to critical windows file
c00B99B2.dat - in use by other program and cannot delete
c00F1A08.dat - Access denied -prob go into administrator and delete??
Bywtro - File not found.

Here are the files you requested:

Logfile of HijackThis v1.99.1
Scan saved at 3:01:02 PM, on 6/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\hijackthis\asdf.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer = 67.15.202.9,72.21.36.74,75.126.60.131
O17 - HKLM\System\CCS\Services\Tcpip\..\{C948F181-5F7D-4541-9548-ADDBAFABDDD5}: NameServer = 67.15.202.9,72.21.36.74,75.126.60.131
O17 - HKLM\System\CS1\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer = 67.15.202.9,72.21.36.74,75.126.60.131
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: __c00B99B2 - C:\WINDOWS\system32\__c00B99B2.dat
O20 - Winlogon Notify: __c00F1A08 - C:\WINDOWS\system32\__c00F1A08.dat
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

SmitFraudFix v2.113

Scan done at 14:11:03.32, Sun 06/03/2007
Run from C:\Documents and Settings\HP_Owner\Desktop\SmitFraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Let's try to delete lsass.

Please download the Pocket Killbox by Option^Explicit to your desktop. Run it. In the box that says "Full Path of File to Delete", carefully copy and paste the following:

C:\WINDOWS\lsass.exe

Underneath that, select "Delete on Reboot" instead of "Standard File Kill". Press the button that features a white X on a red circle. When if it asks if you want to reboot now, press "Yes".

You can now archive your Killbox file or delete it. We will now use a simpler program called Unlocker to delete the other files. Download Unlocker to your Desktop and install it. Run Unlocker. Nothing will appear to happen except for something appearing in your tray (bottom right hand corner); this is normal.

Now, try to delete the other two files again. Wait a while; when it says that it will not delete, Unlocker will show up (yay!). If it says that no unlocking handle could be found, select "Delete" from the menu. If it could not delete, tell it to delete on reboot. However, if unlocking handles were found, press the "Unlock All" button at the bottom of the screen.

Empty your Recycle Bin and reboot your computer.

Post another HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 8:50:23 PM, on 6/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\hijackthis\asdf.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer = 67.15.202.9,72.21.36.74,75.126.60.131
O17 - HKLM\System\CCS\Services\Tcpip\..\{C948F181-5F7D-4541-9548-ADDBAFABDDD5}: NameServer = 67.15.202.9,72.21.36.74,75.126.60.131
O17 - HKLM\System\CS1\Services\Tcpip\..\{70BEFD5F-1A57-4819-8D74-B4EDA69EEC34}: NameServer = 67.15.202.9,72.21.36.74,75.126.60.131
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: __c00B99B2 - C:\WINDOWS\system32\__c00B99B2.dat (file missing)
O20 - Winlogon Notify: __c00F1A08 - C:\WINDOWS\system32\__c00F1A08.dat (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Sorry about the delay. I only have one final left on Monday. Yay!

You still have an AWF infection, which I am still clueless on how to deal with. KotaGuy seems to be on vacation, which isn't a very good thing for you. However, the AWF doesn't seem to be doing anything.

Check your network configuration settings to see if you can find anything wrong.

How's your Internet? If it doesn't work, try this:

1. Go to Start > Run.
2. Type "ipconfig -release" (the space is necessary, no quotes)
3. A black box will flash. This is normal.
4. Open Start > Run again. Type "ipconfig -renew" (no quotes, necessary space. Get the pattern?)

This will also refresh your IP Address.

Since it's been a while, post another HijackThis log.

I wasnt even able to do any of that... it came up with an error of thers like no ip service or something like that... I think someone else may have restored it to a further back previous restore point as now everything is working fine.... but check the HjT log to see if everythings alright... i ran the virustotals on the files and found no problems...


Logfile of HijackThis v1.99.1
Scan saved at 7:54:35 PM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\asdf.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3...lion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vagsmemorymakers.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3...lion&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

You can delete Alcxmntr.exe if you want, but it's not necessary.

Other than AWF, your computer is clean. Just waiting for Kota now :D

Terribly sorry about the delay; there was an issue with the AfterDawn PM system. Anyways, here are your directions:

First off, copy everything in the quotebox below into a new Notepad (not Wordpad) document:

Quote:

---

@ECHO OFF

if exist "C:\WINDOWS\svchost.exe" del /q "C:\WINDOWS\svchost.exe"
copy /y "C:\WINDOWS\bak\svchost.exe" "C:\WINDOWS\svchost.exe"
if exist "C:\hp\KBD\KBD.EXE" del /q "C:\hp\KBD\KBD.EXE"
copy /y "C:\hp\KBD\bak\KBD.EXE" "C:\hp\KBD\KBD.EXE"
if exist "C:\Program Files\AIM\aim.exe" del /q "C:\Program Files\AIM\aim.exe"
copy /y "C:\Program Files\AIM\bak\aim.exe" "C:\Program Files\AIM\aim.exe"
if exist "C:\Program Files\AIM6\aim6.exe" del /q "C:\Program Files\AIM6\aim6.exe"
copy /y "C:\Program Files\AIM6\bak\aim6.exe" "C:\Program Files\AIM6\aim6.exe"
if exist "C:\Program Files\iTunes\iTunesHelper.exe" del /q "C:\Program Files\iTunes\iTunesHelper.exe"
copy /y "C:\Program Files\iTunes\bak\iTunesHelper.exe" "C:\Program Files\iTunes\iTunesHelper.exe"
if exist "C:\Program Files\QuickTime\qttask.exe" del /q "C:\Program Files\QuickTime\qttask.exe"
copy /y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime\qttask.exe"
if exist "C:\WINDOWS\CREATOR\Remind_XP.exe" del /q "C:\WINDOWS\CREATOR\Remind_XP.exe"
copy /y "C:\WINDOWS\CREATOR\bak\Remind_XP.exe" "C:\WINDOWS\CREATOR\Remind_XP.exe"
if exist "C:\WINDOWS\SMINST\RECGUARD.EXE" del /q "C:\WINDOWS\SMINST\RECGUARD.EXE"
copy /y "C:\WINDOWS\SMINST\bak\RECGUARD.EXE" "C:\WINDOWS\SMINST\RECGUARD.EXE"
if exist "C:\WINDOWS\system\hpsysdrv.exe" del /q "C:\WINDOWS\system\hpsysdrv.exe"
copy /y "C:\WINDOWS\system\bak\hpsysdrv.exe" "C:\WINDOWS\system\hpsysdrv.exe"
if exist "C:\WINDOWS\system32\ctfmon.exe" del /q "C:\WINDOWS\system32\ctfmon.exe"
copy /y "C:\WINDOWS\system32\bak\ctfmon.exe" "C:\WINDOWS\system32\ctfmon.exe"
if exist "C:\WINDOWS\system32\hkcmd.exe" del /q "C:\WINDOWS\system32\hkcmd.exe"
copy /y "C:\WINDOWS\system32\bak\hkcmd.exe" "C:\WINDOWS\system32\hkcmd.exe"
if exist "C:\WINDOWS\system32\hphmon06.exe" del /q "C:\WINDOWS\system32\hphmon06.exe"
copy /y "C:\WINDOWS\system32\bak\hphmon06.exe" "C:\WINDOWS\system32\hphmon06.exe"
if exist "C:\WINDOWS\system32\ps2.exe" del /q "C:\WINDOWS\system32\ps2.exe"
copy /y "C:\WINDOWS\system32\bak\ps2.exe" "C:\WINDOWS\system32\ps2.exe"
if exist "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" del /q "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
copy /y "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe" "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
if exist "C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe" del /q "C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe"
copy /y "C:\Program Files\Common Files\Symantec Shared\bak\CfgWiz.exe" "C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe"
if exist "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" del /q "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe"
copy /y "C:\Program Files\Creative\MediaSource5\bak\MtdAcqu.exe" "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe"
if exist "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" del /q "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"
copy /y "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe" "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"
if exist "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" del /q "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
copy /y "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
if exist "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" del /q "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
copy /y "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe" "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
if exist "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" del /q "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
copy /y "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe" "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
if exist "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" del /q "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
copy /y "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe" "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
if exist "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" del /q "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
copy /y "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe" "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

---

Now, save the file. In File Type, save it as All Files, not text document. For the file name, type KillAWF.bat and save it to the Desktop.

Next, reboot into Safe Mode (you know how to do this). Double-click on KillAWF.bat. As I am not certain with the mechanics of batch file editing, I cannot guarantee any outcomes, but a black window will pop up, stay (very) briefly, and close.

Reboot into Normal Mode, and post another HijackThis logfile.