WINFIX problem, here is hijacks log

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to extract the files
• This will create a VundoFix folder on your desktop.
• After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
• Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
• You will first be presented with a warning and a list of forums to seek help at.
  it should look like this

  VundoFix V2.1 by Atri
  By pressing enter you agree that you are using this at your own risk
  Please seek assistance at one of the following forums:
  http://www.atribune.org/forums
  http://www.247fixes.com/forums
  http://www.geekstogo.com/forum
  http://forums.net-integration.net

• At this point press enter one time.
• Next you will see:

  Type in the filepath as instructed by the forum staff
  Then Press Enter, Then F6, Then Enter Again to continue with the fix.

• At this point please type the following file path (make sure to enter it exactly as below!):

  C:\WINDOWS\System32\yabbx.dll

[*]Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
[*] Next you will see:

Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

[*]At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\System32\xbbay.*

[*]Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

[*]The fix will run then HijackThis will open.
[*]In HiJackThis, please place a check next to the following items and click FIX CHECKED:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\yabbx.dll
O4 - Startup: Reboot.exe
O20 - Winlogon Notify: yabbx - C:\WINDOWS\System32\yabbx.dll

[*]After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
[*]Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
[*]Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

ActiveScan:

Incident Status Location

Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-189e9f8-61f1b2df.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-2a0546cb-54bfbb3e.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-2a0546cb-54bfbb3e.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-2a0546cb-54bfbb3e.zip[VerifierBug.class]
Virus:Trj/Lowzones.JN Disinfected C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-2a0546cb-54bfbb3e.zip[web.exe]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-2a0546cb-54bfbb3e.zip[Worker.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-2a0546cb-54bfbb3e.zip[Xeyond.class]
Hacktool:HackTool/ExitWin.A No disinfected C:\Program Files\hijackthis\backups\backup-20050922-125406-174-Reboot.exe
Vundofix:

Incident Status Location

Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-189e9f8-61f1b2df.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-2a0546cb-54bfbb3e.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-2a0546cb-54bfbb3e.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-2a0546cb-54bfbb3e.zip[VerifierBug.class]
Virus:Trj/Lowzones.JN Disinfected C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-2a0546cb-54bfbb3e.zip[web.exe]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-2a0546cb-54bfbb3e.zip[Worker.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-2a0546cb-54bfbb3e.zip[Xeyond.class]
Hacktool:HackTool/ExitWin.A No disinfected C:\Program Files\hijackthis\backups\backup-20050922-125406-174-Reboot.exe
Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 1:30:39 PM, on 9/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://yahoo.sbc.com/dsl
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E11854A-8A6D-40FD-AC48-0F828399E7C8}: NameServer = 206.13.31.12 206.13.28.12
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Ryan\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Hi,
Download Ewido and install it. Then run, you will receive a warning message saying "Database not found", click "OK" for this. Next in the main screen, click "Update" and click "Start Update".
After the update process, click on the "Scanner" button in the left menu, then click on the "Complete System Scan" button.
If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.

Download SpywareBlaster and install it. Run it, and in the main screen, click "Enable All Protection". After it completes the process, close it.

Restart the PC, and please post a fresh HijackThis log along with the Ewido log. Also, please post back whether you receive WinFixer related pop-ups or not.

why do I have to download 9000 programs?

Hi,
Actually, your HijackThis log looks clean. But to make sure that everything is clean, scanning with a good AntiSpyware program like Ewido helps a lot.

If you are not getting any WinFixer related pop-ups, then you can skip this step!