E6F1873B.DLL error on Start Up

[Peanut89]

I just can't rid of this error. I am running XP withOUT Service Pack 2, Adaware and the Norton Suite. At start up, I get a E6F1873B.DLL error. I ran Hijack this and received the following:

Logfile of HijackThis v1.99.1
Scan saved at 7:42:47 PM, on 7/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ehjmidjt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kylee\Local Settings\Temporary Internet Files\Content.IE5\EQYH1PGE\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {0D6A6BB7-5130-4C84-B00A-DDEFFFA65DBB} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {45F58D17-F667-4443-A46F-D7892FEBD45D} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {4797BB1F-D771-4A10-8DE3-9FBA930B2EA6} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {490BC1E4-EA0D-4C3A-9FDA-374EAEA015B8} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {5CC0CAC7-3E2E-45F1-83E3-A6EF8931140A} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: SDWin32 Class - {6AE88D96-631F-46AD-9D4B-69ABB92908B9} - C:\WINDOWS\System32\ufgiv.dll (file missing)
O2 - BHO: (no name) - {726A38EC-1399-4753-A21A-827830E305ED} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {990A5C79-FBBD-4641-AD6A-6BE9EF0F6AFC} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {99941630-5D3B-4D69-9FE2-F4AF6E2B6140} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {AF6F3F34-8654-452E-9318-5C681F268CFF} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {B51A1262-DE9B-4AEC-8536-4FCD90DAD351} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {BDC47C62-E84B-252B-DD31-13C1514837CF} - C:\WINDOWS\System32\xnkvgkul.dll (file missing)
O2 - BHO: (no name) - {C34628E4-3AC8-4989-85F5-3DD7F36EB30F} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {D1396C01-C870-10F2-BC2B-4A80E8FB5B42} - C:\WINDOWS\System32\tipbkigo.dll (file missing)
O2 - BHO: (no name) - {DB419924-C689-4CF5-B425-B1817447AAE6} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {ECC81B67-E55E-4EB4-B092-2733FC8D1BF6} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\System32\WinStat12.dll (file missing)
O2 - BHO: (no name) - {F03A651E-CD79-4025-B28C-8BA9C1DB768A} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {F384F462-EFAE-4D1C-AB78-4A3A589473B5} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {F72DB6DB-7B00-44EC-9097-E8350F604682} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {F7DBCF31-416D-A863-252C-8660C18BEEAA} - C:\WINDOWS\System32\zaeqooqd.dll (file missing)
O2 - BHO: (no name) - {FFEB1B38-625B-4EEA-9725-88A52D0A8CBA} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKLM\..\Run: [ufgivc] C:\WINDOWS\System32\ufgivc.exe
O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [vikelm] c:\windows\system32\vikelm.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ehjmidjt] C:\WINDOWS\System32\ehjmidjt.exe
O4 - HKLM\..\Run: [zbwmwlds] C:\WINDOWS\System32\zbwmwlds.exe
O4 - HKLM\..\Run: [AutoLoader5s3q1aNTVbXd] "C:\WINDOWS\System32\sccctrs.exe" /HideDir /HideUninstall /PC="CP.FHB" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [5FsW3mQ] sccctrs.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [lkqtl] C:\WINDOWS\System32\lkqtl.exe
O4 - HKLM\..\Run: [fmdslf] c:\windows\system32\lvakym.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1105157396326
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ognelaqwhori (MsUpdate6) - Unknown owner - C:\WINDOWS\System32\msupd6.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Does anyone have any ideas as to what needs to be removed? Thanks in advance for your help!!

[sUBs]

Hi and Welcome to TSF!

You have a severe case of multiple infections.

Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

It would appear that your Operating System and Internet Explorer are seriously outdated and this seems to be the source of your problem. Please go to Windows Update site and install all available Critical Updates. Patch your system with the most current security fixes and plug all the known vulnerabilities.

In the meanwhile, I suggest that you stop using Interent Explorer until we've fully disinfected your machine. Please download & use an alternative browser like Firefox.

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!.
If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.

Please do not run Hijackthis from it's current location. Create a permanent folder and move hijackthis.exe into it.

1. From Windows Explorer, Click on drive C:
2. Click on File>New>Folder
3. Call it HJT, or any other name of your choice.
4. Move all files to the newly created folder

= = = = = = = = = = =

Please download these additional files/programs :- (Do not run them unless instructed to do so)
Unplug your computer from the Internet when you have finished downloading

CleanUp! - Install

KillBox v2.0.0.175 - Save to Desktop.

Ewido Security Suite - Install & Update it's database but do not run it yet.

Nailfix - Unzip to the desktop

FindIt's.zip - Unzip to a new folder on Desktop



= = = = = = = = = = =

Uninstall the following programs using Add/Remove Programs panel : * Some entries may not be present

• BrowserAid
  Virtual Bouncer
  Surf SideKick

= = = = = = = = = = =

Click Start>Run - type services.msc.
Locate the ognelaqwhori (MsUpdate6) service and double-click on it to open the Properties dialog.
Click the Stop button.
In the Startup type dropdown select Disabled.
Click the Apply button and then the Ok button.

Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
In the popup box that appears, type in MsUpdate6 & click the OK button.


= = = = = = = = = = =

Start HiJackThis & go to Config>Misc Tools> Open process manager
Select the following and click Kill process one at a time. * Some entries may not be present

• C:\WINDOWS\System32\ehjmidjt.exe

= = = = = = = = = = =

Run a scan with HiJackThis & select(tick) the following & click [Fix checked] :

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: (no name) - {0D6A6BB7-5130-4C84-B00A-DDEFFFA65DBB} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {45F58D17-F667-4443-A46F-D7892FEBD45D} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {4797BB1F-D771-4A10-8DE3-9FBA930B2EA6} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {490BC1E4-EA0D-4C3A-9FDA-374EAEA015B8} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {5CC0CAC7-3E2E-45F1-83E3-A6EF8931140A} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: SDWin32 Class - {6AE88D96-631F-46AD-9D4B-69ABB92908B9} - C:\WINDOWS\System32\ufgiv.dll (file missing)
O2 - BHO: (no name) - {726A38EC-1399-4753-A21A-827830E305ED} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {990A5C79-FBBD-4641-AD6A-6BE9EF0F6AFC} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {99941630-5D3B-4D69-9FE2-F4AF6E2B6140} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {AF6F3F34-8654-452E-9318-5C681F268CFF} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {B51A1262-DE9B-4AEC-8536-4FCD90DAD351} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {BDC47C62-E84B-252B-DD31-13C1514837CF} - C:\WINDOWS\System32\xnkvgkul.dll (file missing)
O2 - BHO: (no name) - {C34628E4-3AC8-4989-85F5-3DD7F36EB30F} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {D1396C01-C870-10F2-BC2B-4A80E8FB5B42} - C:\WINDOWS\System32\tipbkigo.dll (file missing)
O2 - BHO: (no name) - {DB419924-C689-4CF5-B425-B1817447AAE6} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {ECC81B67-E55E-4EB4-B092-2733FC8D1BF6} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\System32\WinStat12.dll (file missing)
O2 - BHO: (no name) - {F03A651E-CD79-4025-B28C-8BA9C1DB768A} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {F384F462-EFAE-4D1C-AB78-4A3A589473B5} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {F72DB6DB-7B00-44EC-9097-E8350F604682} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O2 - BHO: (no name) - {F7DBCF31-416D-A863-252C-8660C18BEEAA} - C:\WINDOWS\System32\zaeqooqd.dll (file missing)
O2 - BHO: (no name) - {FFEB1B38-625B-4EEA-9725-88A52D0A8CBA} - C:\Program Files\mri3vpxc\mri3vpxc.dll
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKLM\..\Run: [ufgivc] C:\WINDOWS\System32\ufgivc.exe
O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [vikelm] c:\windows\system32\vikelm.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [ehjmidjt] C:\WINDOWS\System32\ehjmidjt.exe
O4 - HKLM\..\Run: [zbwmwlds] C:\WINDOWS\System32\zbwmwlds.exe
O4 - HKLM\..\Run: [AutoLoader5s3q1aNTVbXd] "C:\WINDOWS\System32\sccctrs.exe" /HideDir /HideUninstall /PC="CP.FHB" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [5FsW3mQ] sccctrs.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [lkqtl] C:\WINDOWS\System32\lkqtl.exe
O4 - HKLM\..\Run: [fmdslf] c:\windows\system32\lvakym.exe r
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: ognelaqwhori (MsUpdate6) - Unknown owner - C:\WINDOWS\System32\msupd6.exe


= = = = = = = = = = =

Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.

• C:\WINDOWS\System32\ufgiv.dll
  C:\WINDOWS\System32\xnkvgkul.dll
  C:\WINDOWS\System32\tipbkigo.dll
  C:\WINDOWS\System32\WinStat12.dll
  C:\WINDOWS\System32\zaeqooqd.dll
  C:\WINDOWS\System32\winupdtl.exe
  C:\WINDOWS\System32\ufgivc.exe
  c:\windows\system32\vikelm.exe
  C:\WINDOWS\System32\wsxsvc\
  C:\WINDOWS\System32\ehjmidjt.exe
  C:\WINDOWS\System32\zbwmwlds.exe
  C:\WINDOWS\System32\sccctrs.exe
  C:\WINDOWS\System32\lkqtl.exe
  c:\windows\system32\lvakym.exe
  C:\WINDOWS\System32\sysmonnt
  C:\WINDOWS\System32\msupd6.exe
  C:\WINDOWS\svcproc.exe

Start KillBox.
Go to the File menu, and choose Paste from Clipboard * this feature does not work on older versons of Killbox
Click the dropdown-arrow next to the "Full Path of File to Delete" field.
Verify that the filenames you pasted are found in there.
Select/tick the following:
* Replace on Reboot
* Use Dummy
* End Explorer Shell While Killing File
* "Unregister.dll Before Deleting" * if it's not grayed out
Click the RED X button.
Click "Yes" at the 'Delete on Reboot' prompt.
Click "Yes" at the 'Pending Operations' prompt.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


= = = = = = = = = = =

Reboot to SafeMode

1. Shut Windows down, and then turn off the computer.
2. Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
3. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the
   Windows Advanced Options menu appears.
4. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

= = = = = = = = = = =

Run Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.


= = = = = = = = = = =

Enable the viewing of Hidden files
1. From Windows Explorer, go to Tools>Folder Options>View tab.
2. enable the option for `Show hidden files and folder´
3. disable the option for `Hide file extensions for known types´
4. disable the option for `Hide protected operating system files´
5. click "Yes" to confirm & then click "OK"

= = =

Locate and delete the following folder(s), if present:

• C:\Program Files\hpdll\
  C:\Program Files\SurfSideKick 3\
  C:\Program Files\mri3vpxc\
  C:\WINDOWS\isrvs\
  C:\PROGRA~1\VBouncer\

Search for & delete ... using "Start>Search..." the following file(s), if present:

• E6F1873B.DLL
  D9EBC318C

= = = = = = = = = = =

Run Cleanup! & configure the program as follows:

1. Click Options...
2. Move the arrow down to Custom CleanUp!
3. Put a check next to the following:
   • Empty Recycle Bins
   • Delete Cookies
   • Delete Prefetch files
   • [X]Scan local drives for temporary files (Please uncheck this option)
   • Cleanup! All Users
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.

* CleanUp! will delete all the files in your temp folders without making a backup


= = = = = = = = = = =

Run Ewido:

• Click Scanner
• Click Complete System Scan to begin scanning.
• Click OK when prompted to clean files
• With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click OK.
• Once finished, click the Save report button
• Save the report to your desktop

Close Ewido


= = = = = = = = = = =

Reboot to NormalMode.

Do an online scan at Panda

Take note the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).

• Save it to your desktop.
• Double-click the new icon on your desktop (tmas-web-scan.exe)
• It will say "Loading TrendMicro definitions".
• Once the definitions are loaded, the program will appear to close then re-open.
• Click "Start Scan"
• After it's done scanning, click "Scan Results"
• Make sure all items found have a check next to them, then click "Clean Threats Now".
• Click Exit.

Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.


= = = = = = = = = = =

Run FindIt's.bat and wait for notepad to open a text file. Please be patient as it requires some time to finish running. Then post the results in your next reply

In your next post, please include fresh copies of:

• HiJackThis log
• List of files that Panda failed to disinfect
• Ewido's logs
• FindIt's log
• AntiSpyware log

Please provide details of any problems you encountered whilst performing the above steps.

[Peanut89]

Subs - thank you so much. I will do as you advise.

[Peanut89]

Okay - I have started the process (Don't be alarmed - I am on another computer at this time). Windows has been updated (it wasn't updated in the past because it kept "erroring out." 100% successful this time. Here is where I hit a roadblock. After "fixing" items in Hijackthis, the next step is:

Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.
C:\WINDOWS\System32\ufgiv.dll
C:\WINDOWS\System32\xnkvgkul.dll
C:\WINDOWS\System32\tipbkigo.dll
C:\WINDOWS\System32\WinStat12.dll
C:\WINDOWS\System32\zaeqooqd.dll
C:\WINDOWS\System32\winupdtl.exe
C:\WINDOWS\System32\ufgivc.exe
c:\windows\system32\vikelm.exe
C:\WINDOWS\System32\wsxsvc\
C:\WINDOWS\System32\ehjmidjt.exe
C:\WINDOWS\System32\zbwmwlds.exe
C:\WINDOWS\System32\sccctrs.exe
C:\WINDOWS\System32\lkqtl.exe
c:\windows\system32\lvakym.exe
C:\WINDOWS\System32\sysmonnt
C:\WINDOWS\System32\msupd6.exe
C:\WINDOWS\svcproc.exe
Start KillBox.
Etc., etc.

Where should I copy these files from? They are not visable in Hijackthis. Also, I went to Explorer - C:\Windows\System32 .... and could not find, as an example "ufgiv.dll." Am I in teh wrong place?

Thanks again!

[sUBs]

If you have saved the instructions in notepad, open it.
Use your mouse to select/highlight these entries. (not all entries will be present)

C:\WINDOWS\System32\ufgiv.dll
C:\WINDOWS\System32\xnkvgkul.dll
C:\WINDOWS\System32\tipbkigo.dll
C:\WINDOWS\System32\WinStat12.dll
C:\WINDOWS\System32\zaeqooqd.dll
C:\WINDOWS\System32\winupdtl.exe
C:\WINDOWS\System32\ufgivc.exe
c:\windows\system32\vikelm.exe
C:\WINDOWS\System32\wsxsvc\
C:\WINDOWS\System32\ehjmidjt.exe
C:\WINDOWS\System32\zbwmwlds.exe
C:\WINDOWS\System32\sccctrs.exe
C:\WINDOWS\System32\lkqtl.exe
c:\windows\system32\lvakym.exe
C:\WINDOWS\System32\sysmonnt
C:\WINDOWS\System32\msupd6.exe
C:\WINDOWS\svcproc.exe

When you have highlighted them, press these keyboard keys simultaneously - [ctrl]+[c]
This action will copy the entries to Windows clipboard

Start Killbox
Go to the File menu, and choose Paste from Clipboard * this feature does not work on older versons of Killbox ... continue with rest of instructions.

[Peanut89]

Subs:

Firstly, thanks for all of your help. After numerous hours of following your steps, the DLL error no longer exists at start up on the desktop. I will list the details as you requested but will 1st list the problems encountered:

1) Problem at start-up - Error box "C:\Windows|Nail.exe" .."windows cannot find Nail.exe.... (Note: I probably deleted something in error).
2) Ewido - no report - just listed "53 objects".
3) NailIt - did as prescribed. While scanning, "Not looking in hidden folders" was mentioned.
4)Panda - kicked back to Desktop when finished. I then manually rebooted.

Here's the details and I look forward to your response:



HiJackThis Log (Fresh)

Logfile of HijackThis v1.99.1
Scan saved at 11:25:50 PM, on 7/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {BDC47C62-E84B-252B-DD31-13C1514837CF} - (no file)
O2 - BHO: (no name) - {D1396C01-C870-10F2-BC2B-4A80E8FB5B42} - (no file)
O2 - BHO: (no name) - {F7DBCF31-416D-A863-252C-8660C18BEEAA} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lkqtl] C:\WINDOWS\System32\lkqtl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1105157396326
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Trend Micro Results:

Virus Scan 0 virus cleaned, 1 virus deleted


Results:
We have detected 1 infected file(s) with 1 virus(es) on your computer. Only 0 out of 0 infected files are displayed: - 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 1 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected File Associated Virus Name Action Taken
C:\Program Files\Windows Media Player\wmplayer.exe.tmp TROJ_SMALL.AMT Deletion successful




Trojan/Worm Check 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed: - 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable
Trojan/Worm Name Trojan/Worm Type Action Taken




Spyware Check 0 spyware program removed

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 2 spyware(s) on your computer. Only 0 out of 0 spywares are displayed: - 2 spyware(s) passed, 0 spyware(s) no action available
- 0 spyware(s) removed, 0 spyware(s) unremovable
Spyware Name Spyware Type Action Taken
COOKIE_722 Cookie Pass
COOKIE_1433 Cookie Pass




Microsoft Vulnerability Check No vulnerability detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 0 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level Issue How to Fix


Ewido:

There was no report - it mentioned "53 objects"


FindIt's log:

Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 07/19/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\TSC.EXE

»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\RMAGEN~1.DLL
* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is D8B1-E608

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is D8B1-E608

Directory of C:\WINDOWS\system32

06/11/2005 04:34 PM 29,926 CasinoGames.ico
06/11/2005 04:34 PM 4,286 Get $888 Free!.ico
06/06/2005 08:36 PM 2,238 partypoker.ico
3 File(s) 36,450 bytes
0 Dir(s) 30,397,714,432 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».

HKEY_CLASSES_ROOT\mfiltis\Date
HKEY_CLASSES_ROOT\mfiltis\Excl
HKEY_CLASSES_ROOT\mfiltis\Sites
HKEY_LOCAL_MACHINE\SOFTWARE\System Updater\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\


Activescan Log:

Incident Status Location

Spyware:spyware/surfsidekick No disinfected C:\DOCUMENTS AND SETTINGS\KYLEE\APPLICATION DATA\Sskcwrd.dll
Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM32\winupdt.bin
Adware:adware/topspyware No disinfected C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\wmplayer.exe.tmp
Adware:adware/ipinsight No disinfected C:\WINDOWS\INF\farmmext.inf
Adware:adware/delfinmedia No disinfected C:\keys.ini
Adware:adware/isearch No disinfected C:\WINDOWS\delprot.ini
Adware:adware/apropos No disinfected C:\PROGRAM FILES\CxtPls
Adware:adware/myway No disinfected C:\PROGRAM FILES\MySearch
Adware:adware/dealhelper No disinfected C:\WINDOWS\SYSTEM32\Newmsrdk
Adware:adware/addestroyer No disinfected C:\DOCUMENTS AND SETTINGS\KYLEE\START MENU\PROGRAMS\AdDestroyer
Spyware:spyware/tvmedia No disinfected C:\WINDOWS\bundles
Adware:adware/transponder No disinfected C:\WINDOWS\inst
Adware:adware/savenow No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vmss
Adware:adware/comedy-planet No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\JOKE
Adware:adware/wintools No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\DDATE
Adware:adware/navhelper No disinfected HKEY_CLASSES_ROOT\CLSID\{BDF3E430-B101-42AD-A544-FADC6B084872}
Adware:adware/virtualbouncer No disinfected HKEY_CLASSES_ROOT\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}
Adware:adware/elitebar No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\USER AGENT\POST PLATFORM\IEBAR
Adware:adware/brilliantdigitalNo disinfected HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
Adware:Adware/AlwaysupdatednewsNo disinfected C:\Program Files\Windows Media Player\wmplayer.exe.tmp
Virus:Trj/Downloader.DHO Disinfected C:\WINDOWS\Downloaded Program Files\EPXActiveX.ocx
Adware:Adware/BTGrab No disinfected C:\WINDOWS\inf\btgrab.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\farmmext.inf
Virus:Trj/Multidropper.PK Disinfected C:\WINDOWS\system32\cp.exe

Thanks again Subs!!!!

[sUBs]

Looks cleaner
Let's get to work..

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

I have attached a file to this post - regdel.txt
Download it & rename it "regdel.reg" (inclusive of the quotes)
Double-click on it & answer YES when prompted to merge into the Registry

Unplug your computer from the Internet when you have finished downloading


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Uninstall the following programs, if present, using Control Panel > Add/Remove Programs :

• CxtPls
  MySearch

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run a scan with HiJackThis & select(tick) the following & click [Fix checked] :

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {BDC47C62-E84B-252B-DD31-13C1514837CF} - (no file)
O2 - BHO: (no name) - {D1396C01-C870-10F2-BC2B-4A80E8FB5B42} - (no file)
O2 - BHO: (no name) - {F7DBCF31-416D-A863-252C-8660C18BEEAA} - (no file)
O4 - HKLM\..\Run: [lkqtl] C:\WINDOWS\System32\lkqtl.exe
O15 - Trusted Zone: http://www.neededware.com


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Enable the viewing of Hidden files

1. From Windows Explorer, go to Tools>Folder Options>View tab.
2. Enable the option for `Show hidden files and folder´
3. Disable the option for `Hide file extensions for known types´
4. Disable the option for `Hide protected operating system files´
5. Click Yes to confirm & then click OK

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Locate and delete the following folder(s), if present:

• C:\PROGRAM FILES\CxtPls
  C:\PROGRAM FILES\MySearch
  C:\WINDOWS\SYSTEM32\Newmsrdk
  C:\DOCUMENTS AND SETTINGS\KYLEE\START MENU\PROGRAMS\AdDestroyer
  C:\WINDOWS\bundles
  C:\WINDOWS\inst
  C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vmss

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

• C:\Program Files\Windows Media Player\wmplayer.exe.tmp
  C:\WINDOWS\Downloaded Program Files\EPXActiveX.ocx
  C:\WINDOWS\inf\btgrab.inf
  C:\WINDOWS\inf\farmmext.inf
  C:\WINDOWS\system32\cp.exe
  C:\DOCUMENTS AND SETTINGS\KYLEE\APPLICATION DATA\Sskcwrd.dll
  C:\WINDOWS\SYSTEM32\winupdt.bin
  C:\keys.ini
  C:\WINDOWS\delprot.ini
  C:\WINDOWS\SYSTEM32\CasinoGames.ico
  C:\WINDOWS\SYSTEM32\Get $888 Free!.ico
  C:\WINDOWS\SYSTEM32\partypoker.ico
  C:\WINDOWS\System32\lkqtl.exe

Select/Highlight all the filename(s) from the above.
Copy to clipboard by pressing [CTRL]+[C] on your keyboard.
Start KillBox.exe

1. Go to the File menu, and choose Paste from Clipboard * this feature does not work on older versons of Killbox
   Click the dropdown-arrow next to the "Full Path of File to Delete" field.
   Verify that the filenames you pasted are found in there.
2. Select/tick the following:
   • Replace on Reboot
   • Use Dummy
   • End Explorer Shell While Killing File
   • Unregister.dll Before Deleting * if it's not grayed out
3. Click the RED X button.
4. Click Yes at the 'Delete on Reboot' prompt.
5. Click Yes at the 'Pending Operations prompt'.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

REBOOT & Run Cleanup! & configure the program as follows:

1. Click Options...
2. Move the arrow down to Custom CleanUp!
3. Put a check next to the following:
   • Empty Recycle Bins
   • Delete Cookies
   • Delete Prefetch files
   • [X]Scan local drives for temporary files (Please uncheck this option)
   • Cleanup! All Users
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.

* CleanUp! will delete all the files in your temp folders without making a backup


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

In your next post, please include fresh logs from:

1. HiJackThis

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

[Peanut89]

Subs

Pardon my ignorance, but I just started following your most recent instructions and got hung up on stage 1. Regdel.txt pops up as a Notepad item. I can rename this but I don't think that I am doing it properly as nothing prompts me to merge into the Registry. Sorry, but I am a little remedial when it comes to this stuff. Thanks!

[sUBs]

It's a common mistake.

Please enable the viewing of hidden files.

1. From Windows Explorer, go to Tools>Folder Options>View tab.
2. Enable the option for `Show hidden files and folder´
3. Disable the option for `Hide file extensions for known types´
4. Disable the option for `Hide protected operating system files´
5. Click Yes to confirm & then click OK

Look at the regdel.REG file you've downloaded.
Make sure it's named as regdel.REG & not regdel.reg.txt (double extensions)

[Peanut89]

Subs

I followed the steps in your last post and will provide a fresh Hijack this. Following this post, I will detail the process and problems encountered.

Logfile of HijackThis v1.99.1
Scan saved at 10:02:09 PM, on 7/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
O2 - BHO: (no name) - {BDC47C62-E84B-252B-DD31-13C1514837CF} - (no file)
O2 - BHO: (no name) - {D1396C01-C870-10F2-BC2B-4A80E8FB5B42} - (no file)
O2 - BHO: (no name) - {F7DBCF31-416D-A863-252C-8660C18BEEAA} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1105157396326
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

NOTE:

1) I tried to "fix" the following items twice but they still appear:

O2 - BHO: (no name) - {BDC47C62-E84B-252B-DD31-13C1514837CF} - (no file)
O2 - BHO: (no name) - {D1396C01-C870-10F2-BC2B-4A80E8FB5B42} - (no file)
O2 - BHO: (no name) - {F7DBCF31-416D-A863-252C-8660C18BEEAA} - (no file)

2) Upon start-up, after running Clean-Up, the following was displayed on my desktop:

DOS WINDOW with the blue bar title:

C:\Windows\System32\lkqtl.exe

Also, a pop up error box:
"/6 bill MS-Dos Subsystem
C:Windows\System32\lkqtl.exe
The NTVDM CPU has encountered an illegal instruction
CS:053c IP:ffe OP:fe le 09 04f Choose close to terminate

I chose close.

Thanks again Subs. I look forward to your analysis.

[sUBs]

1. Go to Start>Run - type regedit
2. Go to File>Export & save the Registry somewhere as a backup.
3. Close the Registry Editor.
4. Go to Start>Run - type notepad
5. Then copy and paste the following into Notepad:

Quote:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDC47C62-E84B-252B-DD31-13C1514837CF}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D1396C01-C870-10F2-BC2B-4A80E8FB5B42}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F7DBCF31-416D-A863-252C-8660C18BEEAA}]

6. Save the file as "delete.reg". Make sure to save it with the quotes.
7. Double click on it and choose [YES] to merge it.
8. You may delete the file afterwards.

Reboot your computer & see if that lkqtl.exe error message appears again.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

If it does, download SilentRunners.vbs - Right click & choose Save As... SilentRunners.vbs

Before proceeding, disable any anti-virus or anti-spyware programs that may block/disable scripts
Double-click SilentRunners.vbs to run it. This will take a few minutes.
When it's done, you'll receive the prompt "All Done!". It will create a file called "Startup Programs". Post ALL its contents here in your next reply.

Go to HijackThis> Config> Misc Tools
Checkmark/tick 'list also minor sections (full)'
Click the 'Generate StartupList log' button
Post the log in your next reply

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

If the error doesnt appear, I will require you to do a further scan..
Download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).

• Save it to your desktop.
• Double-click the new icon on your desktop (tmas-web-scan.exe)
• It will say "Loading TrendMicro definitions".
• Once the definitions are loaded, the program will appear to close then re-open.
• Click "Start Scan"
• After it's done scanning, click "Scan Results"
• Make sure all items found have a check next to them, then click "Clean Threats Now".
• Click Exit.

Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

In your next post, please include fresh logs from:

1. HiJackThis
2. Antispyware.log
3. SilentRunner (if error exist)
4. StartupList (if error exist)

Please update us on how the computer behaves now

[Peanut89]

sUBs

I finally had a chance to follow your next set of directions. During the reboots, I would see the "lkqtl" Dos box pop up and then disappear. I did not see it at all when I last rebooted. Here's the fresh logs that you requested:

HiJackThis

Logfile of HijackThis v1.99.1
Scan saved at 10:02:02 PM, on 7/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\HJT\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
O2 - BHO: (no name) - {BDC47C62-E84B-252B-DD31-13C1514837CF} - (no file)
O2 - BHO: (no name) - {D1396C01-C870-10F2-BC2B-4A80E8FB5B42} - (no file)
O2 - BHO: (no name) - {F7DBCF31-416D-A863-252C-8660C18BEEAA} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1105157396326
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Antispyware Log:

Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DMVLite'
Found 'iebar' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext'
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT'
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Found 'Class' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Found 'ClassGUID' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Found 'ConfigFlags' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Found 'DeviceDesc' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Found 'Legacy' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Found 'NextInstance' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT'
Found 'Service' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Found '' in 'SOFTWARE\Classes\EPXACTIVEX.EPXActiveXCtrl.1'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Backup
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for restore. [SCANMODS] Error=5.
Finished Backup
Started Cleaning
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT'. Error=5.
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'. Error=5.
Finished Cleaning

Thanks!

[sUBs]

Quote:

Originally Posted by Peanut89

During the reboots, I would see the "lkqtl" Dos box pop up and then disappear. I did not see it at all when I last rebooted.

Do you still have isues with the ""lkqtl" Dos box pop up"? Since you didnt post SilentRunner's log & StartupList, I'll assume it's gone.

In this round, we'll have to make a trip into the Registry to do some manual editing. This is to remove some of the stubborn entries which refused to go away.

1. Go to Start>Run - type REGEDIT
2. Go to File>Export & save the Registry somewhere as a backup.
3. After you have done that, Navigate to these keys -
   
   Quote:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDC47C62-E84B-252B-DD31-13C1514837CF}
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D1396C01-C870-10F2-BC2B-4A80E8FB5B42}
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F7DBCF31-416D-A863-252C-8660C18BEEAA}

4. Right click & delete the key (only keys listed in RED need to be deleted)
5. Close the Registry Editor when you've finished

* If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Reboot & post a fresh HJT log

[Peanut89]

sUBs

Here is the latest HiJackThis log. Nothing pops up at startup. I had to use the Permissions fix to delete the Reg as directed.

Logfile of HijackThis v1.99.1
Scan saved at 10:58:45 PM, on 7/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\System32\ImapiRox.exe
C:\HJT\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1105157396326
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[sUBs]

Does it feel good to be clean again?

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

1. Create a new System Restore point
   • click Start >> Run - type SYSDM.CPL & press Enter
   • select the System Restore Tab
   • tick on the checkbox - "Turn off System Restore on all drives"
   • click Apply
   • then untick the same checkbox & click OK
   
   
2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
   1. From within Internet Explorer click on the Tools menu and then click on Options.
   2. Click once on the Security tab
   3. Click once on the Internet icon so it becomes highlighted.
   4. Click once on the Custom Level button.
      1. Change the Download signed ActiveX controls to Prompt
         
      2. Change the Download unsigned ActiveX controls to Disable
         
      3. Change the Initialize and script ActiveX controls not marked as safe to Disable
         
      4. Change the Installation of desktop items to Prompt
         
      5. Change the Launching programs and files in an IFRAME to Prompt
         
      6. Change the Navigate sub-frames across different domains to Prompt
         
      7. When all these settings have been made, click on the OK button.
         
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
   5. Next press the Apply button and then the OK to exit the Internet Properties page.
   
   
3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
   
   See this link for a listing of some online & their stand-alone antivirus programs:
   Virus, Spyware, and Malware Protection and Removal Resources
   
   
4. Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
   
   For a tutorial on Firewalls and a listing of some available ones see the link below:
   Understanding and Using Firewalls
   
   
6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
   
7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.
   
   A tutorial on installing & using this product can be found here:
   Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
   
   
8. Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
   
   A tutorial on installing & using this product can be found here:
   Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
   
   
9. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
   
   A tutorial on installing & using this product can be found here:
   Using SpywareBlaster to protect your computer from Spyware and Malware
   
   
10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will further enhance your safety

• IE/Spyad - IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  
  
• MVPS Hosts file - The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  
  
• Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.
  
  
• Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• Google Toolbar - Get the free google toolbar to help stop pop up windows.
  
  
• CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  
  
• Winpatrol - Download and install the free version of Winpatrol.
  A tutorial for this product is located here > Using Winpatrol to protect your computer from malicious software
  

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

[Peanut89]

sUBs

Certainly, it does feel good to be clean!! Actually, you just assisted me in cleaning my teen's computer. I have set up Firefox as the deafult browser and I will most likely change our other computers to default to Firefox. Before I sign off, I would like to know if I need to retain Nailfix, Findit, Killbox, etc. and the other programs that I have placed on the Desktop during this process. I would assume that these items can now be deleted but will defer to you in this regard.

Other than that, everything is wonderful again with this computer. Your willingness to take the time to hang in there and assist me is definitley above and beyond. My sisncere thanks to your for your assistance.

[sUBs]

You may delete those tools. Hopefully, you would have no further use for them.

Ewido & CleanUp should be retained. Most people are so taken with Ewido that they probably wouldnt uninstall it even if I had requested so.

Have a wonderful day.

sUBs