HJT log...Please assist


kab313
04-25-2005, 09:01 PM
Hello all...I am being bombarded with popups, running very slow, and have had some crashes. I've run ad-aware, spybot, & virus scan. Adaware and spybot find many items and can delete most but they always seem to return. HJT log below. Any help is appreciated, Thank-you!

Logfile of HijackThis v1.99.0
Scan saved at 7:53:24 PM, on 4/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\rundll32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\WINDOWS\System32\nrivlv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
C:\WINDOWS\System32\wintask.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\WINDOWS\System32\cacore60.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\NQZRENC.EXE
C:\WINDOWS\HDCGDLL.EXE
C:\WINDOWS\System32\rdprmd.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan.exe
C:\WINDOWS\System32\r?gsvr32.exe
C:\WINDOWS\System32\rdprmd.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\New Folder\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nrivlv.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [ftjjny] c:\windows\system32\ftjjny.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [554714a95cee] C:\WINDOWS\System32\cacore60.exe
O4 - HKLM\..\Run: [NQZRENC] C:\WINDOWS\NQZRENC.EXE
O4 - HKLM\..\Run: [HDCGDLL] C:\WINDOWS\HDCGDLL.EXE
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitehkg32.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Pkfiv] C:\WINDOWS\System32\r?gsvr32.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [rdprmd] C:\WINDOWS\System32\rdprmd.exe
O4 - HKCU\..\RunOnce: [rdprmd] C:\WINDOWS\System32\rdprmd.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.com/players/english/5.0/win/PulsePlayer5AxWin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2406279-21C6-438B-8274-134901BB617C}: NameServer = 205.188.146.145
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Budfred
04-25-2005, 09:46 PM
You have several major infections here and it is going to take several steps to clean it out... We need to start here:

Please download FindQoologic from here:
http://forums.net-integration.net/index.php?act=Attach&type=post&id=134981
Save it to the desktop and run Find-Qoologic2.bat. This will generate a log file; please post the entire contents of the log file here for me to see.

classicsoftware
04-25-2005, 10:08 PM
Budfred:

was this:
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe

the line that made you look for the qoologic bug? If not, what was it?

kab313
04-25-2005, 11:02 PM
Thanks for replying. I hope I did this correctly, the log file is below.

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
<NO NAME> REG_SZ

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
<NO NAME> REG_SZ {85BBD920-42A0-1069-A2E4-08002B30309D}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qgmfkf
<NO NAME> REG_SZ {f335ff0d-0ff9-47b6-880e-269636a45e25}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qgmfkfgg
<NO NAME> REG_SZ {d204a405-c206-4da6-88ce-cc6e087d6d88}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Budfred
04-26-2005, 12:33 AM
The actual files are not showing up in the log, so we will need to try another approach... This will happen sometimes with this infection...

Please download RootkitRevealer.exe and unzip it into a folder. Run a scan and produce a log...
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
When it is done, go to File and select Save...
Include the log in your next reply.
Do not worry if there are a large number of items, this is normal.
It is a deep scan which will take a considerable amount of time, I suggest you disconnect from the internet and leave the PC alone until it's finished.

To reduce the size of the log posted here, please edit out items that appear in these folders if there are some:
C:\RECYCLER\NPROTECT
C:\System Volume Information
before you post the log....

classicsoftware,

This is the telling item:

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nrivlv.exe

It is part of a Narrator infection...

kab313
04-26-2005, 12:30 PM
Again, thanks for your help. I hope this is correct as the log file was not very large. Results below...

HKLM\SOFTWARE\Classes\webcal\URL Protocol 5/18/2004 9:39 PM 13 bytes Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\Microsoft\SchedulingAgent\LastTaskRun 4/26/2005 8:23 AM 16 bytes Data mismatch between Windows API and raw hive data.

C:\Documents and Settings\MOM\Local Settings\Temp\Cookies\mom@partner2profit[1].txt 4/25/2005 3:39 PM 88 bytes Hidden from Windows API.

C:\Documents and Settings\MOM\Local Settings\Temp\Temporary Internet Files\Content.IE5\I7B9NTV9\main[1].css 4/25/2005 3:39 PM 3.76 KB Hidden from Windows API.

C:\Documents and Settings\MOM\Local Settings\Temp\Temporary Internet Files\Content.IE5\I7B9NTV9\main[2].css 4/25/2005 3:39 PM 3.76 KB Hidden from Windows API.

C:\Documents and Settings\MOM\Local Settings\Temp\Temporary Internet Files\Content.IE5\K5YJ4LQJ\BDS_3TooshiesPRW_720x300_62[1].jpg 4/25/2005 3:39 PM 37.74 KB Hidden from Windows API.

C:\Documents and Settings\MOM\Local Settings\Temp\Temporary Internet Files\Content.IE5\K5YJ4LQJ\CAMHYPJ9.HTM 4/25/2005 3:39 PM 930 bytes Hidden from Windows API.

C:\Documents and Settings\MOM\Local Settings\Temp\Temporary Internet Files\Content.IE5\OUHWK992\main[1].css 4/25/2005 3:39 PM 3.76 KB Hidden from Windows API.

Budfred
04-26-2005, 05:29 PM
Okay, start by downloading this program: http://www.ccleaner.com/

And then go to the site linked in my signature for HJT and download KillBox and LSPfix...

Reboot to Safe Mode (tap on F8 just before Windows starts to load and select Safe Mode)... Open an HJT scan and put checks by these (some may not be present in Safe Mode):

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nrivlv.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [ftjjny] c:\windows\system32\ftjjny.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [554714a95cee] C:\WINDOWS\System32\cacore60.exe
O4 - HKLM\..\Run: [NQZRENC] C:\WINDOWS\NQZRENC.EXE
O4 - HKLM\..\Run: [HDCGDLL] C:\WINDOWS\HDCGDLL.EXE
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitehkg32.exe
O4 - HKCU\..\Run: [Pkfiv] C:\WINDOWS\System32\r?gsvr32.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [rdprmd] C:\WINDOWS\System32\rdprmd.exe
O4 - HKCU\..\RunOnce: [rdprmd] C:\WINDOWS\System32\rdprmd.exe
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4...23/cpbrkpie.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.com/players/engl...layer5AxWin.cab

Then close all open windows except HJT and click on Fix checked...

Open LSPfix... You will need to say "I know what I am doing" to proceed... Move all instances of winlspak.dll to the Remove window and click through to do the fix...

Open CCleaner and run it to clean out all temp folders...

Set Windows to show all hidden and system files...

Find and delete this file... It will have some character in the ? position... Do NOT delete regsvr32.exe:

C:\WINDOWS\System32\r?gsvr32.exe

Run a Search for this file and delete it:

AUNPS2.DLL

Open KillBox and copy/paste this entire block of files into the dialogue box... Set it to delete on reboot:

C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\isrvs\ffisearch.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\WINDOWS\System32\nrivlv.exe
C:\WINDOWS\System32\winupdt.exe
C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
c:\windows\system32\ftjjny.exe
C:\WINDOWS\cfgmgr51.dll,DllRun
C:\WINDOWS\System32\wintask.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\WINDOWS\System32\cacore60.exe
C:\WINDOWS\NQZRENC.EXE
C:\WINDOWS\HDCGDLL.EXE
C:\WINDOWS\farmmext.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\windows\system32\elitehkg32.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\WINDOWS\System32\rdprmd.exe
C:\WINDOWS\System32\cacore60.exe
C:\Documents and Settings\MOM\Local Settings\Temp\Cookies\mom@partner2profit[1].txt
C:\Documents and Settings\MOM\Local Settings\Temp\Temporary Internet Files\Content.IE5\I7B9NTV9\main[1].css
C:\Documents and Settings\MOM\Local Settings\Temp\Temporary Internet Files\Content.IE5\I7B9NTV9\main[2].css
C:\Documents and Settings\MOM\Local Settings\Temp\Temporary Internet Files\Content.IE5\K5YJ4LQJ\BDS_3TooshiesPRW_720x300_62[1].jpg
C:\Documents and Settings\MOM\Local Settings\Temp\Temporary Internet Files\Content.IE5\K5YJ4LQJ\CAMHYPJ9.HTM
C:\Documents and Settings\MOM\Local Settings\Temp\Temporary Internet Files\Content.IE5\OUHWK992\main[1].css
c:\windows\system32\winlspak.dll

Click through to run KillBox... You will need to approve each file... Reboot into Safe Mode again and find and delete these folders:

C:\WINDOWS\isrvs
C:\WINDOWS\System32\nsvsvc
C:\WINDOWS\System32\picsvr
C:\Documents and Settings\All Users\Application Data\msw
C:\Program Files\Media Access
C:\PROGRAM Files\VBouncer
C:\PROGRAM Files\Web Offer

Then reboot into Normal mode... If there were any items that you could not find in Safe Mode, run HJT and fix them now... Once you are done with that, reboot and post a fresh log with a detailed report on how things went...
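As an added example (my own code, not from this thread and not HijackThis code), here is a small Python script that pulls the on-disk target out of O4 Run/RunOnce lines like the ones listed above. The command forms differ: some targets are quoted with a switch after them, some are unquoted with a trailing argument, and RunDLL32 entries name a DLL followed by a comma and an export name that is not part of the path. The sample lines are copied from the first log in the thread; the regexes, helper names (`target_path`, `parse_o4`, `unique_targets`, `run_and_runonce`) and the extraction rules are assumptions of this example.

```python
"""Added example (not from the thread, not HijackThis code): extract the
file each HijackThis O4 entry launches and flag a few things worth a
second look.  Sample lines are copied from the log posted above."""
import re
from typing import Dict, List, Set

# O4 line shape: "O4 - <hive>\..\<Run|RunOnce>: [<name>] <command>".
# The [name] part is optional because one line in the thread lacks it.
_O4 = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$"
)
# rundll32 host: the loaded module is the first argument, up to the comma.
_RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?,', re.IGNORECASE)
# Unquoted path: stop at the first executable-type extension, drop arguments.
_UNQUOTED = re.compile(r"^(.+?\.(?:exe|dll|scr|com|bat|cpl))(?:\s.*)?$", re.IGNORECASE)


def target_path(cmd: str) -> str:
    """Return the file a Run command actually loads.

    Three shapes appear in the log:
      "C:\\dir\\app.exe" /flag       -> quoted path, switch dropped
      RUNDLL32 AUNPS2.DLL,_Run@16   -> the DLL; ",_Run@16" is an export name
      C:\\dir\\app.exe ARG           -> unquoted path, argument dropped
    """
    cmd = cmd.strip()
    m = _RUNDLL.match(cmd)
    if m:
        return m.group(1).strip()
    if cmd.startswith('"'):
        return cmd[1 : cmd.index('"', 1)]
    m = _UNQUOTED.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def parse_o4(log_text: str) -> List[Dict[str, str]]:
    """Parse every O4 line in an HJT log into hive/key/name/cmd/path."""
    entries = []
    for line in log_text.splitlines():
        m = _O4.match(line.strip())
        if m:
            d = m.groupdict()
            d["name"] = d["name"] or ""
            d["path"] = target_path(d["cmd"])
            entries.append(d)
    return entries


def unique_targets(entries: List[Dict[str, str]]) -> List[str]:
    """Deduplicated target list (case-insensitive), e.g. for a deletion list."""
    seen: Dict[str, str] = {}
    for e in entries:
        seen.setdefault(e["path"].lower(), e["path"])
    return sorted(seen.values(), key=str.lower)


def run_and_runonce(entries: List[Dict[str, str]]) -> Set[str]:
    """Lower-cased targets registered under both Run and RunOnce in one hive.
    A RunOnce value is deleted after it fires, so one that is still present
    next to a Run value for the same file is usually being re-created."""
    keys: Dict[tuple, Set[str]] = {}
    for e in entries:
        keys.setdefault((e["hive"], e["path"].lower()), set()).add(e["key"])
    return {path for (_hive, path), ks in keys.items() if {"Run", "RunOnce"} <= ks}


# Constructed sample: a handful of lines copied from the thread's first log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [rdprmd] C:\WINDOWS\System32\rdprmd.exe
O4 - HKCU\..\RunOnce: [rdprmd] C:\WINDOWS\System32\rdprmd.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

if __name__ == "__main__":
    found = parse_o4(SAMPLE_LOG)
    for e in found:
        print(f"{e['hive']:<4} {e['key']:<8} [{e['name']}] -> {e['path']}")
    print("unique targets:", unique_targets(found))
    print("in Run and RunOnce:", run_and_runonce(found))
```

Feeding a whole log through `parse_o4` and then `unique_targets` gives a clean file list with the `/checktask`, `SYSTEMBOOTHIDEPLAYER` and `,DllRun` suffixes stripped, which is the kind of list KillBox wants. `run_and_runonce` picks out the rdprmd pair from the thread's log, where the same file sits under both Run and RunOnce.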

kab313
04-27-2005, 07:52 PM
Whew!... Thanks for the assistance, I'm not sure how I did but tried to be as thorough as I could. Killbox was difficult, will explain but will follow the order of your instructions for the details...

Downloaded CCleaner
Downloaded Killbox and LSPfix

Rebooted to Safe Mode and ran HJT, all but two items ( O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitehkg32.exe AND O4 - HKCU\..\RunOnce: [rdprmd] C:\WINDOWS\System32\rdprmd.exe ) were present. Fixed checked.

Opened LSPFix, moved winlspak.dll to remove and fixed ~ everything went smooth there.
LSP Repair Summary-
Repairs complete
0 Name space provider entries removed
0 NameSpace provider entries renumbered
4 Protocol provider entries removed
15 Protocol provider entries renumbered

Ran CCleaner- again, smooth sailing. Removed 376.0 MB.

Set windows to show all hidden and system files.
Could not find C:\WINDOWS\System32\r?gsvr32.exe....searched everywhere!
Found and deleted AUNPS2.DLL.

Opened Killbox, followed your instructions. I couldn't copy/paste in bulk; it would only accept one at a time. So, I copied and pasted individually and after each clicked delete file (red X), then clicked yes to 'delete on reboot', then No to 'reboot now' until I entered the last one, then clicked yes. I'm not sure if it actually worked as there was not an indication either way upon reboot.

Was able to find and delete all remaining folders except two; VBouncer, as I could only find it in Spybot recovery, and Web Offer, which was nowhere in sight. Rebooted to normal mode, opened hijackthis, ran a scan, checked and fixed remaining items. Rebooted and ran the scan below. Please let me know if I missed anything. Thanks again for your help.
Logfile of HijackThis v1.99.0
Scan saved at 5:59:09 PM, on 4/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tdrn.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\etc4oamk\59310860.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\New Folder\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [etc4oamk] C:\Program Files\etc4oamk\etc4oamk.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nrivlv.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O23 - Service: CLQYT - ??????????????????????????????????? - C:\DOCUME~1\MOM\LOCALS~1\Temp\CLQYT.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Budfred
04-27-2005, 08:26 PM
The main infection is still there... There are a couple of other scans we can run to try to find the bad files... Try one or both of these and post the logs they produce back here:

RKfiles:

http://skads.org/special/rkfiles.zip

RansackAgent:

http://mythicsoft.fileburst.com/agentran.exe

Also, before posting back, please download the latest version of HJT and replace the copy you have with it... You can get it through the link in my signature... It is 1.99.1....

kab313
04-27-2005, 10:58 PM
Didn't have much luck....
According to McAfee the new HJT is infected with W32/Generic.worm!p2p. What do you make of that?

Also, after extracting ransack and attempting to open it I am told 'Unable to execute file: C:\Program Files\Mythicsoft\AgentRansack\Readme.txt ShellExecute failed;code2'. I tried to uncheck the 'show the ReadMe.txt' box but that didn't work either. So, I couldn't open or run it. Any suggestions?

Had trouble with rkfiles... When I tried to run it I would get the following:
1 file(s) copied
1 file(s) copied
1 file(s) copied
Please wait until this DOS window closes...post the contents of c:\log.tx Checking system folder
But, it didn't do anything after that. I never got a log. Also, when I tried to open the "strings" folder that accompanied rkfiles, I got a quick blink and then nothing.

Is it me? Did I not do these steps correctly? I really appreciate your time and effort, Thank you. Any thoughts on how to proceed?

Budfred
04-27-2005, 11:20 PM
> According to McAfee the new HJT is infected with W32/Generic.worm!p2p. What do you make of that?

This means that you badly need to update McAfee... They fixed that error a while ago...

Did you look for c:\log.tx or c:\log.txt?? It would have the "t" on the end...

If you can't find logs from either of those, we can go back to a RootkitRevealer log and then also do this:

Try running an MWavScan... It will produce a log in the lower right hand corner and you will need to scroll to the bottom of the log to find the bad items and use Ctrl-C to copy it and then paste it here for review....

http://www.mwti.net/antivirus/free_utilities.asp

kab313
04-28-2005, 12:44 PM
Okay, ran rkfiles again. Found log this time, it's below....

C:\Documents and Settings\MOM\Desktop\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\andaq.dll: UPX!
C:\WINDOWS\SYSTEM32\c54bGs.dll: UPX!
C:\WINDOWS\SYSTEM32\MILiveDownload3.dll: UPX!
C:\WINDOWS\SYSTEM32\mmudoc.exe: UPX!
C:\WINDOWS\SYSTEM32\nrivlv.exe: UPX!
C:\WINDOWS\SYSTEM32\skytown.exe: UPX!
C:\WINDOWS\SYSTEM32\vqwpy.dat: UPX!
C:\WINDOWS\SYSTEM32\winup2date.dll: UPX!
C:\WINDOWS\SYSTEM32\wmconfig.cpl: UPX!
C:\WINDOWS\SYSTEM32\eliteetx32.exe: FSG!
C:\WINDOWS\SYSTEM32\elitegdy32.exe: FSG!
C:\WINDOWS\SYSTEM32\eliteyrv32.exe: FSG!
C:\WINDOWS\SYSTEM32\DFRG.MSC: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\SYSTEM32\doolsav.dat: PEC2
C:\WINDOWS\SYSTEM32\lvnq0955e.dll: ipeC2
C:\WINDOWS\SYSTEM32\MBV1_0.DLL: ipeC2
C:\WINDOWS\SYSTEM32\ndiewimg.dll: ipeC2
C:\WINDOWS\SYSTEM32\nwrsda.dll: ipeC2
C:\WINDOWS\SYSTEM32\pK4ulih9184.dll: ipeC2
C:\WINDOWS\SYSTEM32\PMUSTAB.DLL: ipeC2
C:\WINDOWS\SYSTEM32\ppdx5016.dll: ipeC2
C:\WINDOWS\SYSTEM32\q686lgls16q6.dll: ipeC2
C:\WINDOWS\SYSTEM32\SRFTPUB.DLL: ipeC2
C:\WINDOWS\SYSTEM32\SXAYERXP.DLL: ipeC2
C:\WINDOWS\SYSTEM32\WENMM.DLL: ipeC2

Files Found in all users startup Folder............
------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tdrn.exe: UPX!
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\del.tmp: UPX!
C:\WINDOWS\extract.exe.tcf: UPX!
C:\WINDOWS\icont.exe: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\Unwash5.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\wupdsnff.exe: UPX!

The MWavScan is very large....it will take 3 or more posts to fit it all in. That is only the bad items too! Said I was infected with 300+... Shall I post the entire log? Also, I am going to update McAfee now and get the new HJT...Did you want to see that now or should I wait? Thanks again!
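The rkfiles output above tags each file with a short marker (UPX!, FSG!, PEC2). Reading the thread, the tool appears to work by looking for packer signature strings inside files (it ships with a strings folder and prints the string it matched after each path). As an added example, my own code and not rkfiles', here is a Python version of that idea: walk a directory, keep only files that begin with a DOS/PE "MZ" header, and report the first marker found in each. The marker strings are taken from the log above; the MZ filter, the helper names (`packer_marker`, `scan_tree`, `scan_basenames`, `build_sample_tree`) and the sample files, which are synthetic stubs written to a temp folder, are assumptions of this example.

```python
"""Added example (not rkfiles' code, not from the thread): walk a folder,
look only at files that start with a DOS/PE "MZ" header, and report the
first packer marker string found inside each one.  The marker strings
are the ones in the rkfiles output above; the MZ filter, the helper
names and the sample files are assumptions of this example."""
import os
import tempfile
from typing import Dict, Optional

# Marker bytes -> label printed.  Assumption: a packer stub leaves these
# ASCII strings in the image, which is the only thing this scan relies on.
PACKER_MARKERS = {b"UPX!": "UPX!", b"FSG!": "FSG!", b"PEC2": "PEC2"}


def packer_marker(data: bytes) -> Optional[str]:
    """Return the label of the earliest marker in data, or None.

    Non-MZ files are skipped on purpose: a plain substring search also
    fires on text or XML that happens to contain "UPX!", which only adds
    noise to a list a helper has to read by hand."""
    if not data.startswith(b"MZ"):
        return None
    hits = [(data.find(m), label) for m, label in PACKER_MARKERS.items() if m in data]
    return min(hits)[1] if hits else None


def scan_tree(root: str, max_bytes: int = 4 * 1024 * 1024) -> Dict[str, str]:
    """Map full path -> marker label for every flagged file under root."""
    flagged: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)  # cap reads; big files are truncated
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the scan
            label = packer_marker(data)
            if label:
                flagged[path] = label
    return flagged


def scan_basenames(root: str) -> Dict[str, str]:
    """Same as scan_tree but keyed by file name, convenient for a short report."""
    return {os.path.basename(p): label for p, label in scan_tree(root).items()}


def build_sample_tree() -> str:
    """Constructed sample files standing in for a system folder.

    Names are borrowed from the log above; the contents are synthetic
    stubs, not the real files."""
    root = tempfile.mkdtemp(prefix="packer_scan_demo_")
    samples = {
        "nrivlv.exe": b"MZ" + b"\x00" * 62 + b"UPX0UPX1UPX!" + b"\x90" * 32,
        "eliteetx32.exe": b"MZ" + b"\x00" * 62 + b"FSG!" + b"\x90" * 32,
        "ordinary.dll": b"MZ" + b"\x00" * 62 + b".text.rdata.data" + b"\x90" * 32,
        "notes.txt": b"a text file that mentions UPX! but is not an executable\n",
    }
    for name, blob in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(blob)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for path, label in sorted(scan_tree(demo_root).items()):
        print(f"{path}: {label}")
```

A flagged file is only packed, not proven bad, which is the same caveat rkfiles prints at the top of its own log; the useful step is to compare the flagged names against the O4 entries, as nrivlv.exe appears in both lists above. The MZ check is there because a bare string search also matches text and XML, which is what the DFRG.MSC line in the log looks like.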

Budfred
04-28-2005, 09:34 PM
Okay, you have even more of a mess than I realized... Before you post the MWavScan try running at least two of these online virus scans and let them fix whatever they find...

http://www.pandasoftware.com/activescan/

http://www.kaspersky.com/scanforvirus

or the HouseCall option in my signature...

Then download and run Ewido and either TDS3 or TrojanHunter... Be sure to update before running them:

http://www.ewido.net/en/

http://tds.diamondcs.com.au/

http://www.trojanhunter.com/

Once these are done, reboot and try MWavScan again... If it is still huge, we may just need to bite the bullet and post/fix... We will need a fresh RKFiles log once you do all that too... Hopefully these scans will take some of this out...