Tis the season for taxes :grin:

We'll help you get rid of this pest.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\N20050308.EXE
C:\PROGRAM FILES\EZULA\MMOD.EXE

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

ezula

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.vulgarteens.com/index.ph...0002720&pni=221 - unless you know what it's for?
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [nsvcin] C:\N20050308.EXE
O4 - HKLM\..\Run: [USB controller] "C:\WINDOWS\TEMP\ICD1.TMP\SVCMM32.EXE" /startup
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/0203...everContent.cab
O16 - DPF: {227F25BE-BCDC-11D0-BA80-0000F6181652} (CLRMachineInfoCtl Class) - https://eformrs.com/RSLoginModule.cab
O16 - DPF: {009F119F-8723-11D3-8791-00A0C9EF9624} (RSFTreeView Class) - http://eformrs.com/FormOpen/RSFormsTV.cab
O16 - DPF: {99140A4E-88C5-11D3-8793-00A0C9EF9624} (RSFDisplay Class) - http://eformrs.com/FormOpen/RSFormsDP.cab
O16 - DPF: {187728C3-71FD-11D3-878E-00A0C9EF9624} (RSFCalculating Class) - http://eformrs.com/FormOpen/Dll/RSFCalc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1690fb5...ip/RdxIE601.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50212/QDow_AS2.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spys...tterInstall.cab
O16 - DPF: {69FD62B1-0216-4C31-8D55-840ED86B7C8F} (HbInstObj) - http://installs.hotbar.com/installs...rams/hotbar.cab

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\N20050308.EXE
C:\PROGRAM FILES\EZULA\

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

Do this now:

======================

Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't get the logs yet until you are ready. With that said (when ready):

Please download the following programs required for the removal process:

Kill2Me http://www.greyknight17.com/spy/Kill2Me.exe
VX2Finder http://www.greyknight17.com/spy/VX2Finder.exe
Hoster http://www.greyknight17.com/spy/Hoster.exe
CleanUp! http://cleanup.stevengould.org/ or http://www.greyknight17.com/spy/Cleanup.exe
KillBox http://www.greyknight17.com/spy/KillBox.exe
DllCompare http://www.greyknight17.com/spy/DllCompare.exe

Please follow the steps below:

1. Download/run the following uninstallers:

Look2Me Uninstaller http://www.look2me.com/cgi-bin/UnInstaller
IGN Keyword Uninstaller http://www.greyknight17.com/spy/NLNUninstall.zip
ClearSearch Uninstaller http://www.greyknight17.com/spy/ClrSchUninstall.zip

2. Run Kill2Me.

3. Run VX2Finder and click on the Find VX2.BetterInternet button. Click Make Log and post this in the forum.

4. Run DllCompare now and click on the Locate.com button. Wait a few seconds and then click on the Compare button. Let it run, then click on 'Make a log of what was found'. Post that log here. Note: If you are having problems using DllCompare (16 bit ...), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now run DllCompare.

5. Go to C:\WINDOWS\SYSTEM\ and sort the files by date. Look for more recent created files and post them here. They are usually random named DLL files.

We also need a list of files in the following folders:

C:\WINDOWS\Downloaded Program Files\ - for these files, if they just have numbers as the filename, right click on them and go to Properties to see what they are. Post the description for each of those here.
C:\Program Files\Internet Explorer\ - there might be a download folder here. We are looking for any randomly named files. Post anything that looks suspicious.

Post all of the logs in your next post. We need them all to get a fix for this infection.

 

A couple of notes on the previous log:

* No, I don't have any idea what the "vulgarteens" thing is, and I doubt that my conservative, 73 year old dad knows either. However, one of his grandsons recently spent the weekend with grampa; that grandson might have a big knot on his head this evening. :laugh:

* I left alone the items with "eformrs" and "RSF" as they relate to one of our tax programs. I apologize for not noting that in the first thread.

Results from HJT Analyzer Result.txt:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 2/10/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCPFW.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMPROXY.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMOAGENT.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PccPfw] C:\Program Files\Trend Micro\Internet Security\PccPfw.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 8:33:39 AM, on 03/01/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\DOCKAPP.EXE
C:\WINDOWS\SYSTEM\AP9H4QMO.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [BayMgr] DockApp.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\SYSTEM\ap9h4qmo.exe
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O4 - Startup: Lotus 1-2-3 (2).LNK = C:\lotus\123\123w.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {227F25BE-BCDC-11D0-BA80-0000F6181652} (CLRMachineInfoCtl Class) - https://eformrs.com/RSLoginModule.cab
O16 - DPF: {009F119F-8723-11D3-8791-00A0C9EF9624} (RSFTreeView Class) - http://eformrs.com/FormOpen/RSFormsTV.cab
O16 - DPF: {99140A4E-88C5-11D3-8793-00A0C9EF9624} (RSFDisplay Class) - http://eformrs.com/FormOpen/RSFormsDP.cab
O16 - DPF: {187728C3-71FD-11D3-878E-00A0C9EF9624} (RSFCalculating Class) - http://eformrs.com/FormOpen/Dll/RSFCalc.cab


End of KRC HijackThis Analyzer Log.
====================================================================Logfile of HijackThis v1.99.1
Scan saved at 8:33:39 AM, on 03/01/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\DOCKAPP.EXE
C:\WINDOWS\SYSTEM\AP9H4QMO.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [BayMgr] DockApp.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\SYSTEM\ap9h4qmo.exe
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O4 - Startup: Lotus 1-2-3 (2).LNK = C:\lotus\123\123w.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {227F25BE-BCDC-11D0-BA80-0000F6181652} (CLRMachineInfoCtl Class) - https://eformrs.com/RSLoginModule.cab
O16 - DPF: {009F119F-8723-11D3-8791-00A0C9EF9624} (RSFTreeView Class) - http://eformrs.com/FormOpen/RSFormsTV.cab
O16 - DPF: {99140A4E-88C5-11D3-8793-00A0C9EF9624} (RSFDisplay Class) - http://eformrs.com/FormOpen/RSFormsDP.cab
O16 - DPF: {187728C3-71FD-11D3-878E-00A0C9EF9624} (RSFCalculating Class) - http://eformrs.com/FormOpen/Dll/RSFCalc.cab


End of KRC HijackThis Analyzer Log.
====================================================================

I'm now moving into the steps of downloading the uninstallers.

Results from Vx2Finder:

Files Found---


User Agent String---
{2423599E-3FAE-4AB9-96A3-2C56FCE374A6}

I hope this is what I was supposed to post; I clicked on "Make Log" but could not find the log anywhere.

my Dllcompare log:

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\wustream.dll Sat Feb 26 2005 3:04:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\mgjter40.dll Sat Feb 26 2005 3:04:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\mjsip32.dll Sat Feb 26 2005 3:04:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\svncui.dll Sat Feb 26 2005 3:04:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\pddx5016.dll Sat Feb 26 2005 3:04:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\rzcrt4.dll Sat Feb 26 2005 3:04:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\mbimrt32.dll Sat Feb 26 2005 3:04:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\mk43dmod.dll Sat Feb 26 2005 3:04:24p ..S.R 222,568 217.35 K
________________________________________________

884 items found: 884 files (8 H/S), 0 directories.
Total of file sizes: 169,183,767 bytes 161.34 M

--------------------End log---------------------

recently created dll files in C:\windows\system (last 10 days):

docore.dll
dosync.dll
mbimrt32.dll
mgjter40.dll
mjsip32.dll
mk43dmod.dll
pddx5016.dll
rzcrt4.dll
svncu1.dll
wustream.dll
goldnew2b.dll
gh4mbkv9.dll


ITEMS IN C:\WINDOWS\Downloaded Program Files\:
ClrMachineInfoCtl Class
Quicktime Object
RSFCalculating Class
RSF Display Class
RSF Treeview Class
Shockwave Flash Object
Update Class

C:\Program Files\Internet Explorer\
There was no folder here called "download." There were a few oddball named subdirectories:

c:\program files\internet explorer\1033
This subdirectory contains 2 items. One is an empty file called mscreate.dir. The other is dwintl.dll, a 54kb application extension. Details say it is a "microsoft application error reporting"

c:\program files\internet explorer\MUI\0409
Only content is mscorier.dll, a 17kb application Extn. Description says it is a "mircorsoft.net runtime IE resources"

c:\program files\internet explorer\w2k
Contains the following:
expinst.exe ieex.cab ieexinst.inf MIGRATE.DLL MSCREATE.DIR

OK, I think I've gone through everything step by step. Help!!!

 

Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.

This hijack may take a couple of tries to remove it. If you have any questions during this process, please ask us (just don't restart or shutdown - unless the instructions say so).

1. Run KillBox now.
a) Click on the 'Delete on Reboot' button.
b) Check 'End Explorer Shell While Killing File.'
c) Check 'Unregister .dll Before Deleting' for each file (if it's available).

Copy and paste each of the following (one by one) into KillBox and hit the X button for each one (when it asks you if you want to reboot, choose NO for all of them):

c:\recycler\desktop.ini
c:\WINDOWS\system\guard.tmp
C:\WINDOWS\SYSTEM\AP9H4QMO.EXE
C:\Program Files\NaviSearch\
C:\WINDOWS\SYSTEM\wustream.dll
C:\WINDOWS\SYSTEM\mgjter40.dll
C:\WINDOWS\SYSTEM\mjsip32.dll
C:\WINDOWS\SYSTEM\svncui.dll
C:\WINDOWS\SYSTEM\pddx5016.dll
C:\WINDOWS\SYSTEM\rzcrt4.dll
C:\WINDOWS\SYSTEM\mbimrt32.dll
C:\WINDOWS\SYSTEM\mk43dmod.dll
C:\WINDOWS\SYSTEM\docore.dll
C:\WINDOWS\SYSTEM\dosync.dll
C:\WINDOWS\SYSTEM\mbimrt32.dll
C:\WINDOWS\SYSTEM\mgjter40.dll
C:\WINDOWS\SYSTEM\mjsip32.dll
C:\WINDOWS\SYSTEM\mk43dmod.dll
C:\WINDOWS\SYSTEM\pddx5016.dll
C:\WINDOWS\SYSTEM\rzcrt4.dll
C:\WINDOWS\SYSTEM\svncu1.dll
C:\WINDOWS\SYSTEM\wustream.dll
C:\WINDOWS\SYSTEM\goldnew2b.dll
C:\WINDOWS\SYSTEM\gh4mbkv9.dll

2. Restart and hit the F8 key (repeatedly until a menu shows up) to enter Safe Mode.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\SYSTEM\AP9H4QMO.EXE

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

NaviSearch

3. Run HijackThis and do a scan. Check and fix the following:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\SYSTEM\ap9h4qmo.exe

4. Close HijackThis and run Hoster. Click 'Restore Original Hosts' and click OK.

Run CleanUp! program again and clean everything. Say Yes when it asks you to reboot/logoff.

5. Reboot into Normal Mode and run HijackThis. See if the O1 entries are still in HijackThis. If they are still there, go to c:\windows\system\ and sort the files by date. There will/should be two new DLLs.
-- If those O1 entries do return in HijackThis, paste those two files into KillBox (see Step 1 above) and kill them. Just follow through the same procedures (Steps 2-5) like before. Make sure NOT to reboot until you deleted those two files (otherwise the names will change again).

After that's done (or if you want more help), give us a new set of updated logs (DllCompare, VX2Finder, HijackThis).

 

In going through the "Killbox" the program crashed several times after I clicked the X button (actually after I got the message that the file would be deleted on reboot). Got the "This program performed an illegal operation" message.

Was this to be expected or is it a likely problem? I'm holding off on restarting into safe mode until I hear back.

thx

 

Decent instincts, but press on. Any lingering bad guys will show up on your next set of logs.

Thx for checking.......

 

Here are my current logs:

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 3:42:23 PM, on 03/01/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCPFW.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMPROXY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\DOCKAPP.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMOAGENT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [BayMgr] DockApp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PccPfw] C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O4 - Startup: Lotus 1-2-3 (2).LNK = C:\lotus\123\123w.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {227F25BE-BCDC-11D0-BA80-0000F6181652} (CLRMachineInfoCtl Class) - https://eformrs.com/RSLoginModule.cab
O16 - DPF: {009F119F-8723-11D3-8791-00A0C9EF9624} (RSFTreeView Class) - http://eformrs.com/FormOpen/RSFormsTV.cab
O16 - DPF: {99140A4E-88C5-11D3-8793-00A0C9EF9624} (RSFDisplay Class) - http://eformrs.com/FormOpen/RSFormsDP.cab
O16 - DPF: {187728C3-71FD-11D3-878E-00A0C9EF9624} (RSFCalculating Class) - http://eformrs.com/FormOpen/Dll/RSFCalc.cab

DLLCOMPARE:
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found "
________________________________________________

872 items found: 872 files, 0 directories.
Total of file sizes: 166,993,623 bytes 159.25 M

--------------------End log---------------------

VX2Finder
Files Found---


User Agent String---
{2423599E-3FAE-4AB9-96A3-2C56FCE374A6}

 

OK......well, things look clean. Just to be sure, do a little web surfing, reboot once or twice and post a new HJT log.

I think we're done, but this booger reincarnates itself sometimes.