0

I have Spybot and Adaware, and I'm still getting System 32 box at startup. How do I get rid of it please? I have HijackThis and here is my log. Thanks very much for your help!!!

Logfile of HijackThis v1.99.1
Scan saved at 12:34:36 AM, on 12/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\Neil Patel\Desktop\Desktop\HijackThis 1.99.1 [English]\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {B33359D5-C6BC-4CDE-C58E-582CB8AE1D24} - C:\WINDOWS\system32\jboexihc.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s C:\WINDOWS\system32\sfg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PCShield] regsvr32 /s C:\WINDOWS\system32\sfg.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.zazi.com/wfplayer/tdserver.cab
O16 - DPF: {11F8D6A0-01C6-4A23-A40F-1C3A560B99EA} (MavenInstallerAXControl Class) - http://client.maven.net/client/mavenInstaller.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {25064DE4-9CC0-11D5-BB86-0050DAC5EBD0} (printQuick Browser Add In) - http://www.pqpc.com/plugin/axversion/1000/printQuick.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://134.193.160.163/activex/AMC.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {935E891B-7F5B-4F5E-B0E4-FF5D03462541} (YaYaEng Control) - http://www.yaya.com/cgi-bin/load.cgi?downloads/122/YaYaEng.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://a320.g.akamai.net/7/320/1456/v50245/www.pulse3d.com/players/english/5.0/win/PulsePlayer5AxWin.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/wdriver/ddc/shockwave/blackhawkstriker/wtinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {ECF5F2BD-C78B-4C6F-91BB-2A311FCCA4C7} (WTApp Class) - http://www.shockwave.com/content/combat_medic/CMonline.dll
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/wdriver/ddc/wildgames/wtinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = umkc.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = umkc.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = umkc.edu
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

0

Hi nrp46e- welcome to DaniWeb :)


You will need to close/quit all web browser programs and disconnect from the Internet for some of the following, so you should print out the following instructions or save them into a text file with Notepad.


1. Open your Add/Remove Programs control panel and uninstall the following programs if you find them listed:

* all Wild Tangent software
* PCShield
* Viewpoint Manager


2. Download ATF-Cleaner and save it to a convenient location.


3. Download the free version of AVG Anti-Spyware (formerly ewido). Save the installer file to your desktop or any convenient folder.

* Run the installer, accepting the default options. Run the program once installed, click on the Update icon at the top of the main AVG window, and allow the program to download the most current components.

* Close AVG once the updates have been downloaded.


4. Close all running instances of Internet Explorer.


5. Scan with HijackThis again, put a check in the box to the left of the following entries, and then click the "Fix checked" button. Close HijackThis once it completes its fixes:

O2 - BHO: (no name) - {B33359D5-C6BC-4CDE-C58E-582CB8AE1D24} - C:\WINDOWS\system32\jboexihc.dll
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s C:\WINDOWS\system32\sfg.dll
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/w...ker/wtinst.cab
O16 - DPF: {ECF5F2BD-C78B-4C6F-91BB-2A311FCCA4C7} (WTApp Class) - http://www.shockwave.com/content/com...c/CMonline.dll
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/w...mes/wtinst.cab

6. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).

* Double-click ATF-Cleaner.exe to run the program.
- Click the Main menu option.
- Check the Select All box. (Uncheck cookies if you do not want them removed).
- Click the Empty Selected button.

If you use Firefox browser:

- Click the Firefox menu option.
- Check the Select All box. (Uncheck cookies if you do not want them removed).
- Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, click No at the prompt.
- Click Exit on the Main menu to close the program.


* Run AVG Anti-Spyware.

- Click on the "Scanner" icon just to the right of the Update icon. In the Scanner window, click on the "Settings" tab.
- Under "How to act?", click on "Recommended actions" and choose "Delete" from the resulting menu.
- All boxes under "How to scan" and "Possibly unwanted..." should be checked.
- Under "Reports", check "Automatically generate report after every scan".
- Under "What to scan", select "Scan every file".
- Click on the "Scan" tab, and then click on "Complete System Scan" to start scanning. It usually takes at least 40 minutes to complete a full scan.

Once the scan is complete, a window listing all infected objects (if any are found) will be displayed. Below the list of infected objects, make sure the Set all elements to: option is set to Delete and then click the Apply all actions button.

After the malicious items are deleted, you will be given the option to save the scan report; do that. The report is saved as a text file in the C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports folder. (The actual filename is a combination of the date and time of the scan.)


* Reboot the computer normally, run a new HijackThis scan, and post the log. Also open the AVG Anti-Spyware report in Windows Notepad and Cut-N-Paste the entire contents of that report.

0

I am still getting the System 32 box at startup. I'm not sure if Viewpoint Manager is spyware or not, but I did the previous; here are the requested logs. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 10:46:39 AM, on 12/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Neil Patel\Desktop\Desktop\HijackThis 1.99.1 [English]\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {B33359D5-C6BC-4CDE-C58E-582CB8AE1D24} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s C:\WINDOWS\system32\sfg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PCShield] regsvr32 /s C:\WINDOWS\system32\sfg.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.zazi.com/wfplayer/tdserver.cab
O16 - DPF: {11F8D6A0-01C6-4A23-A40F-1C3A560B99EA} (MavenInstallerAXControl Class) - http://client.maven.net/client/mavenInstaller.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {25064DE4-9CC0-11D5-BB86-0050DAC5EBD0} (printQuick Browser Add In) - http://www.pqpc.com/plugin/axversion/1000/printQuick.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://134.193.160.163/activex/AMC.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {935E891B-7F5B-4F5E-B0E4-FF5D03462541} (YaYaEng Control) - http://www.yaya.com/cgi-bin/load.cgi?downloads/122/YaYaEng.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://a320.g.akamai.net/7/320/1456/v50245/www.pulse3d.com/players/english/5.0/win/PulsePlayer5AxWin.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {ECF5F2BD-C78B-4C6F-91BB-2A311FCCA4C7} -
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = umkc.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = umkc.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = umkc.edu
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 2:57:37 AM 12/7/2006
+ Scan result:

C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned.
C:\WINDOWS\SYSTEM32\navshext1.dll -> Adware.Chiem : Cleaned.
HKLM\SOFTWARE\DelFin -> Adware.Delfin : Cleaned.
HKLM\SOFTWARE\DelFin\PromulGate -> Adware.Delfin : Cleaned.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DelFin Media Viewer -> Adware.Delfin : Cleaned.
HKU\S-1-5-21-2649289507-71594873-1131426265-1006\Software\DelFin -> Adware.Delfin : Cleaned.
HKU\S-1-5-21-2649289507-71594873-1131426265-1006\Software\DelFin\PromulGate -> Adware.Delfin : Cleaned.
C:\WINDOWS\SYSTEM32\CometTB.exe -> Adware.EZula : Cleaned.
C:\WINDOWS\SYSTEM32\Freeze.exe -> Adware.EZula : Cleaned.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C2EEB4FA-B6D6-41B9-9CFA-ABA87F862BCB} -> Adware.Generic : Cleaned.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C2EEB4FA-B6D6-41B9-9CFA-ABA87F862BCB} -> Adware.Generic : Cleaned.
C:\WINDOWS\SYSTEM\Update_Hosts.DLL -> Adware.IGetNet : Cleaned.
C:\WINDOWS\SYSTEM32\ctbv2.dll -> Adware.Sahat : Cleaned.
C:\WINDOWS\SYSTEM32\nostalgia.dll -> Dropper.Agent.og : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C0.tmp -> TrackingCookie.2o7 : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4.tmp -> TrackingCookie.2o7 : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16.tmp -> TrackingCookie.Adserver : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1D1.tmp -> TrackingCookie.Adserver : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7.tmp -> TrackingCookie.Adtech : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8.tmp -> TrackingCookie.Bluestreak : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB.tmp -> TrackingCookie.Bridgetrack : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq9.tmp -> TrackingCookie.Burstnet : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqA.tmp -> TrackingCookie.Casalemedia : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C5.tmp -> TrackingCookie.Com : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C4.tmp -> TrackingCookie.Falkag : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C7.tmp -> TrackingCookie.Falkag : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD.tmp -> TrackingCookie.Falkag : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1CA.tmp -> TrackingCookie.Questionmarket : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF.tmp -> TrackingCookie.Questionmarket : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11.tmp -> TrackingCookie.Realtracker : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq12.tmp -> TrackingCookie.Revenue : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1CC.tmp -> TrackingCookie.Revenue : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C6.tmp -> TrackingCookie.Ru4 : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC.tmp -> TrackingCookie.Ru4 : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13.tmp -> TrackingCookie.Serving-sys : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1CD.tmp -> TrackingCookie.Serving-sys : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq14.tmp -> TrackingCookie.Statcounter : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1CE.tmp -> TrackingCookie.Tacoda : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq15.tmp -> TrackingCookie.Trafficmp : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1CF.tmp -> TrackingCookie.Trafficmp : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1D0.tmp -> TrackingCookie.Tribalfusion : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C2.tmp -> TrackingCookie.Yieldmanager : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq17.tmp -> TrackingCookie.Zedo : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1D2.tmp -> TrackingCookie.Zedo : Cleaned.
C:\WINDOWS\fynbn.exe -> Trojan.Fynben.a : Cleaned.
C:\Documents and Settings\Neil Patel\Desktop\Desktop\HijackThis 1.99.1 [English]\hijackthis\backups\backup-20061207-014016-487.dll -> Trojan.Goldid : Cleaned.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP642\A0082994.dll -> Trojan.Goldid : Cleaned.
C:\WINDOWS\SYSTEM32\lbkglcya.dll -> Trojan.Goldid : Cleaned.
C:\WINDOWS\SYSTEM32\lzixryty.dll -> Trojan.Golid : Cleaned.

::Report end

0

is viewpoint manager spyware?
viewpoint media player came preinstalled on my dell...

Viewpoint is rarely knowingly downloaded and installed by the end-user; it usually comes bundled as an add-on to other software installations, or comes pre-installed on computers from companies with whom Viewpoint and/or its affiliates have a marketing agreement. Dell, HP/Compaq, and AOL are three such companies.
Although their FAQ states that Viewpoint is:

"Required with installation of AOL, AIM, current versions of the Netscape web browser, certain Adobe products, and some retail computers sold today."

It is not required in those instances, although it may be needed for some AOL features/extras (although not for the main AOL programs themselves). There are obviously many other programs/plug-ins capable of playing web media content.

Viewpoint Manager is the automatic online update component of the Viewpoint media player software. While Viewpoint doesn't collect personally identifying information about you via ViewMgr.exe, their privacy policy states this:

Viewpoint collects limited anonymous information in connection with its search and advertising products that your browser makes available whenever you visit a website. This information includes your browser type, browser language, referrer URL, the date and time of your search query and your operating system. We may use one or more cookies that may uniquely identify your browser.

and this:

"We may share aggregated anonymous information with others in general compliance with industry standards. An example of aggregated data that we may share in this way includes the number of times an advertisement has been “clicked” by the total number of web surfers who have viewed the page in which the advertisement was displayed."

Note that "industry standards" in this case means "all the other guys do it", and nothing more.

So: 1) Viewpoint is almost exclusively installed without the user's knowledge, 2) it runs the ViewMgr.exe program to connect to Viewpoint servers without the user's knowledge, and 3) it collects (at the least) data about visited sites and ad-clicks without the user's knowledge.

You decide ;)

0

nrp46e-

I haven't forgotten the main issue here, but I'm only on my lunch break right now and don't have time to post the next steps for you; I'll do that later today.

0

Yeah, my Dell came with bloat like AOL, RealPlayer, McAfee, Sonic and a whole host of crap.

Luckily it came with the option to burn a full standard SP2 XP Home CD, so I did that and reinstalled, killing the recovery partition and all its bundled rubbish, and installed my own drivers and streamlined system.

0

1. Hmm... when/why did you uninstall Norton Antivirus? It was present in your first log, but not your latest. :?:


2. I think SpyBot's "Tea Timer" function may have gotten in the way of the fixes I last posted. Please do the following:

* Open SpyBot, open the Tools menu on the right pane and click on Resident and uncheck Resident "Tea timer"(Protection of over-all system settings) active. Exit SpyBot once you have finished.


* Open AVG anti-spyware and verify that it has the most current updates installed. Don't run a scan yet; just close the program once you've verified that it is current on its updates.


* Download the attached nrp64eFix.zip file and save it to your desktop.
* Right-click on the downloaded nrp64eFix.zip folder and choose the "Extract all..." option from the resulting drop-down menu. This will start Windows' Folder Extraction Wizard. Click the "Next" button to start the wizard.
* In the next window, verify that the target extraction folder is C:\Documents and Settings\Neil Patel\Desktop\nrp46eFix. If not, click on the "Browse" button, and in the destination selection box, highlight Desktop and then click "OK".
* Click "Next", and then click "Finished"; a window displaying the newly-extracted nrp46eFix.bat file should open; don't run the file yet; just close the window.


* Reboot the computer into Safe Mode.


* Run another HijackThis scan and have it fix the following entries (note that not all of the entries may be present in Safe Mode):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: (no name) - {B33359D5-C6BC-4CDE-C58E-582CB8AE1D24} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {ECF5F2BD-C78B-4C6F-91BB-2A311FCCA4C7} -
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -


* Double-click on the nrp46eFix.bat file to run it. Answer affirmatively to any prompts that you may receive.
!! Please note that nrp46eFix.bat will create a Registry backup file on your desktop named nrp46eRegRestore.reg. Do not delete this file until we are done with the removal procedures!!


* Run another full scan with AVG. As before, save the report file.


* Reboot the computer normally, run a new HijackThis scan, and post the log. Also open the new AVG Anti-Spyware report in Windows Notepad and Cut-N-Paste the entire contents of that report.

If you receive any errors during the above procedures, please include the full and exact details of the errors in your next post as well.


.
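A way to check a follow-up HijackThis log against the entries that were marked for fixing, as an added example that is not part of the original posts: it matches entries by registry identity (CLSID, or hive plus Run value name) instead of whole-line text, so an entry whose file was deleted while its registry key survived is reported as changed, not removed. The function names and matching rules are assumptions made for this example; the sample lines are excerpted from the fix list and the second log posted in this thread.

```python
import re

# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
LINE_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 registry autoruns: hive, key name, [value name], command
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.*?)\] ?(.*)$")

# Excerpt of the entries selected for fixing (step 5 of the first reply).
FIX_LIST = r"""
O2 - BHO: (no name) - {B33359D5-C6BC-4CDE-C58E-582CB8AE1D24} - C:\WINDOWS\system32\jboexihc.dll
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s C:\WINDOWS\system32\sfg.dll
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/w...mes/wtinst.cab
"""

# Excerpt of the log posted after the fixes were applied.
FOLLOWUP_LOG = r"""
O2 - BHO: (no name) - {B33359D5-C6BC-4CDE-C58E-582CB8AE1D24} - (no file)
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s C:\WINDOWS\system32\sfg.dll
O4 - HKCU\..\Run: [PCShield] regsvr32 /s C:\WINDOWS\system32\sfg.dll
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -
"""


def parse_entry(line):
    """Return {'section', 'key', 'body'} for a log entry line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, process list or blank line
    section, body = m.groups()
    clsid = CLSID_RE.search(body)
    run = RUN_RE.match(body) if section == "O4" else None
    if clsid:
        # COM-based entries (BHO, toolbar, button, DPF) are identified by CLSID.
        key = (section, clsid.group(0).upper())
    elif run:
        # Autoruns are identified by hive, key and value name, not the command.
        hive, subkey, name, _command = run.groups()
        key = (section, hive.upper(), subkey.lower(), name.lower())
    else:
        key = (section, body.lower())
    return {"section": section, "key": key, "body": body}


def fix_status(fix_text, followup_text):
    """Classify each targeted entry as removed, unchanged or changed.

    'changed' means the registry identity is still present but the rest of
    the line differs, e.g. the DLL is gone and the entry now reads '(no file)'.
    """
    after = {}
    for line in followup_text.splitlines():
        entry = parse_entry(line)
        if entry:
            after[entry["key"]] = entry["body"]

    report = []
    for line in fix_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        now = after.get(entry["key"])
        if now is None:
            status = "removed"
        elif now == entry["body"]:
            status = "unchanged"
        else:
            status = "changed"
        report.append((status, entry["body"], now))
    return report


if __name__ == "__main__":
    for status, before, now in fix_status(FIX_LIST, FOLLOWUP_LOG):
        print(f"{status:9} {before}")
        if status == "changed":
            print(f"{'':9} now: {now}")
```
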

0

DMR-

1. I accidentally deleted Norton Antivirus thinking it was PCShield, sorry. The only usual thing I noticed was when I went to open nrp46eFix.bat a Reg.Svr32 box came up. It said LoadLibrary (C:\WINDOWS\System32/sfg.dll:0Failed-The specified module could not be found. But then it asked me to delete PCShield registry and I did, so I didn't think it was anything wrong. In the meantime, should I install Norton Antivirus again? I am still getting the Sys32 box; here are my requested logs. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 9:43:22 PM, on 12/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Neil Patel\Desktop\Desktop\HijackThis 1.99.1 [English]\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {B33359D5-C6BC-4CDE-C58E-582CB8AE1D24} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PCShield] regsvr32 /s C:\WINDOWS\system32\sfg.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.zazi.com/wfplayer/tdserver.cab
O16 - DPF: {11F8D6A0-01C6-4A23-A40F-1C3A560B99EA} (MavenInstallerAXControl Class) - http://client.maven.net/client/mavenInstaller.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {25064DE4-9CC0-11D5-BB86-0050DAC5EBD0} (printQuick Browser Add In) - http://www.pqpc.com/plugin/axversion/1000/printQuick.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://134.193.160.163/activex/AMC.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {935E891B-7F5B-4F5E-B0E4-FF5D03462541} (YaYaEng Control) - http://www.yaya.com/cgi-bin/load.cgi?downloads/122/YaYaEng.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://a320.g.akamai.net/7/320/1456/v50245/www.pulse3d.com/players/english/5.0/win/PulsePlayer5AxWin.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {ECF5F2BD-C78B-4C6F-91BB-2A311FCCA4C7} -
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = umkc.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = umkc.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = umkc.edu
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 9:21:22 PM 12/7/2006
+ Scan result:

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP642\A0083128.dll -> Adware.Aws : No action taken.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP642\A0083133.dll -> Adware.Chiem : No action taken.
C:\WINDOWS\SYSTEM32\CometTB.dll -> Adware.Comet : No action taken.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP642\A0083130.exe -> Adware.EZula : No action taken.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP642\A0083131.exe -> Adware.EZula : No action taken.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP642\A0083129.DLL -> Adware.IGetNet : No action taken.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP642\A0083132.dll -> Adware.Sahat : No action taken.
C:\WINDOWS\SYSTEM32\py.exe -> Downloader.Small.bji : No action taken.
C:\WINDOWS\SYSTEM32\Freeze.dll -> Dropper.Agent.aoy : No action taken.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP642\A0083127.dll -> Dropper.Agent.og : No action taken.
C:\WINDOWS\SYSTEM32\installer_im.exe -> Dropper.Delf.av : No action taken.
C:\Documents and Settings\Neil Patel\Cookies\neil_patel@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Neil Patel\Cookies\neil_patel@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Neil Patel\Cookies\neil_patel@adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Neil Patel\Cookies\neil_patel@ad1.clickhype[2].txt -> TrackingCookie.Clickhype : No action taken.
C:\Documents and Settings\Neil Patel\Cookies\neil_patel@perf.overture[1].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Neil Patel\Cookies\neil_patel@data4.perf.overture[2].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Neil Patel\Cookies\neil_patel@ads.pointroll[1].txt -> TrackingCookie.Pointroll : No action taken.
C:\Documents and Settings\Neil Patel\Cookies\neil_patel@questionmarket[1].txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\Neil Patel\Cookies\neil_patel@serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Neil Patel\Cookies\neil_patel@tacoda[2].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Neil Patel\Cookies\neil_patel@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP642\A0083125.exe -> Trojan.Fynben.a : No action taken.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP642\A0083123.dll -> Trojan.Goldid : No action taken.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP642\A0083124.dll -> Trojan.Goldid : No action taken.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP642\A0083126.dll -> Trojan.Golid : No action taken.

::Report end

0

OK- Install the most current updates for Norton and run a full system scan with it. Have it fix everything it finds.

There is some hidden component of the PCShield infection which is recreating the other components after we delete them, but the next step will have to wait until tomorrow- it's 11:55 PM here, and I need to sleep.................

0

My Norton didn't find anything, probably because my subscription/updates expired in 2002, just wanted to let you know..

0

You will need to close/quit all web browser programs and disconnect from the Internet for some of the following, so you should print out the following instructions or save them into a text file with Notepad.

1. Your Norton is useless if it expired that long ago, but you do need to have a good A-V program installed. Please uninstall Norton and download/install AVG antivirus 7.5. The program (and its updates) are entirely free for personal use, and in all honesty I've found AVG to be a better program than Norton in many ways.


2. Disable System Restore. Instructions for doing so (and an explanation of why you are doing it) are given here.


3. Your latest log indicates that you have not fully disabled SpyBot's Tea Timer feature. Please do that now; Tea Timer will block the fixes we are trying to perform!:

Open SpyBot, open the Tools menu on the right pane and click on Resident and uncheck Resident "Tea timer"(Protection of over-all system settings) active. Exit SpyBot once you have finished.


4. Please download the Killbox by Option^Explicit and save it to your desktop or another convenient folder.


5. Close all running instances of Internet Explorer.


6. Run another HijackThis scan and have it fix the following entries (note that not all of the entries may be present in Safe Mode). Close HijackThis once it completes the fixes:

O2 - BHO: (no name) - {B33359D5-C6BC-4CDE-C58E-582CB8AE1D24} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKCU\..\Run: [PCShield] regsvr32 /s C:\WINDOWS\system32\sfg.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -
O16 - DPF: {ECF5F2BD-C78B-4C6F-91BB-2A311FCCA4C7} -
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -


7. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).

* Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".


* Double-click ATF-Cleaner.exe to run the program.
- Click the Main menu option.
- Check the Select All box. (Uncheck cookies if you do not want them removed).
- Click the Empty Selected button.

If you use Firefox browser:

- Click the Firefox menu option.
- Check the Select All box. (Uncheck cookies if you do not want them removed).
- Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, click No at the prompt.
- Click Exit on the Main menu to close the program.


* Double-click on the KillBox icon to open the program.

- In the "Full Path of File to Delete" box, copy and paste the following: C:\WINDOWS\system32\sfg.dll
- Select the "Standard File Kill" and "Unregister dll before deleting" options.
- Click the icon with the red circle and white "X" to perform the deletion.
- Repeat the above for the following file: C:\WINDOWS\system32\jboexihc.dll
- Close KillBox.


* Run a full system scan with AVG Antivirus. Have it fix all items it finds.


* Run AVG Anti-Spyware.

- Click on the "Scanner" icon just to the right of the Update icon. In the Scanner window, click on the "Settings" tab.
- Under "How to act?", click on "Recommended actions" and choose "Delete" from the resulting menu.
- All boxes under "How to scan" and "Possibly unwanted..." should be checked.
- Under "Reports", check "Automatically generate report after every scan".
- Under "What to scan", select "Scan every file".
- Click on the "Scan" tab, and then click on "Complete System Scan" to start scanning. It usually takes at least 40 minutes to complete a full scan.

- Once the scan is complete, a window listing all infected objects (if any are found) will be displayed. Below the list of infected objects, make sure the Set all elements to: option is set to Delete and then click the Apply all actions button.

- After the malicious items are deleted, you will be given the option to save the scan report; do that. The report is saved as a text file in the C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports folder. (The actual filename is a combination of the date and time of the scan.)


8. Reboot the computer normally, run a new HijackThis scan, and post the log. Also open the new AVG Anti-Spyware report in Windows Notepad and Cut-N-Paste the entire contents of that report.

If you receive any errors during the above procedures, please include the full and exact details of the errors in your next post as well.
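
The entries picked out for fixing in step 6 mostly fall into a few recognisable shapes: registrations whose file is gone, a Run value that calls regsvr32, a Run value with no name, and DPF entries with no source. The sketch below is an added example, not part of the original post and not a HijackThis feature; the heuristics and function names are assumptions made for illustration, the sample is a handful of lines copied from the logs in this thread, and a flag means "review this entry", not "malicious".

```python
import re

# Constructed sample: a few lines copied from the logs in this thread, not a full log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - {B33359D5-C6BC-4CDE-C58E-582CB8AE1D24} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [PCShield] regsvr32 /s C:\WINDOWS\system32\sfg.dll
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -
"""

# An entry line is a section code (R0-R3, F0-F3, O1-O23), " - ", then section text.
ENTRY_RE = re.compile(r"^([ROF]\d{1,2}) - (.*)$")
# O4 registry autoruns: HKxx\..\Run: [value name] command line
RUN_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[([^\]]*)\] ?(.*)$")
# O16 entry that ends after the CLSID (and optional class name) with no download URL
DPF_NO_SOURCE_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? -$")


def parse_entries(log_text):
    """Return (code, body) for each entry line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def review_reasons(code, body):
    """Assumed triage heuristics; each returned string is a reason to look closer."""
    reasons = []
    if body.endswith(("(no file)", "(file missing)")):
        reasons.append("registration points at a file that is not on disk")
    if code == "O4":
        m = RUN_RE.match(body)
        if m:
            name, cmd = m.group(1), m.group(2)
            if cmd.lower().startswith("regsvr32"):
                reasons.append("Run value registers a DLL at every logon")
            if not name.strip() or cmd.endswith("\\"):
                reasons.append("Run value is unnamed or targets a folder")
    if code == "O16" and DPF_NO_SOURCE_RE.match(body):
        reasons.append("downloaded control with no source URL")
    return reasons


def triage(log_text):
    """Return (code, body, reasons) for every entry that matched a heuristic."""
    flagged = []
    for code, body in parse_entries(log_text):
        reasons = review_reasons(code, body)
        if reasons:
            flagged.append((code, body, reasons))
    return flagged


def still_present(before_log, after_log):
    """Flagged entries from the first scan that are still listed in the follow-up scan."""
    after = set(parse_entries(after_log))
    return [(c, b) for c, b, _ in triage(before_log) if (c, b) in after]


if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"{code}: {body}\n    -> {'; '.join(reasons)}")
```

Passing the earlier log and the log from step 8 to `still_present` lists any flagged entry that came back after the fix, which is the symptom of a component that recreates the others.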

0

Hi DMR:

I am pleased to tell you that I no longer get the System32 box on startup!!!! I only encountered one problem the last time I did your steps, it was when I was using Killbox.exe a box came up titled File Error and in it it said "This File does not exist." for both entries I typed in there. Anyways, I don't know how you did it but I want to say thank you, thank you, thank you, for all your patience and you were extremely helpful and easy to understand. You're a genius mate. Here are your requested logs. Thanks. :cheesy: :cheesy: :cheesy:

Logfile of HijackThis v1.99.1
Scan saved at 6:21:40 PM, on 12/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iRiver\iHP100\iHPDetect.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Documents and Settings\Neil Patel\Desktop\Desktop\HijackThis 1.99.1 [English]\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.zazi.com/wfplayer/tdserver.cab
O16 - DPF: {11F8D6A0-01C6-4A23-A40F-1C3A560B99EA} (MavenInstallerAXControl Class) - http://client.maven.net/client/mavenInstaller.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {25064DE4-9CC0-11D5-BB86-0050DAC5EBD0} (printQuick Browser Add In) - http://www.pqpc.com/plugin/axversion/1000/printQuick.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://134.193.160.163/activex/AMC.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {935E891B-7F5B-4F5E-B0E4-FF5D03462541} (YaYaEng Control) - http://www.yaya.com/cgi-bin/load.cgi?downloads/122/YaYaEng.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://a320.g.akamai.net/7/320/1456/v50245/www.pulse3d.com/players/english/5.0/win/PulsePlayer5AxWin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = umkc.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = umkc.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = umkc.edu
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 6:04:29 PM 12/8/2006
+ Scan result:

Nothing found.

::Report end

0

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 6:04:29 PM 12/8/2006
+ Scan result:

Nothing found.

Ahhh- we like that! Glad we could help, Neil- great work on your part as well :)

Now that your logs are clean and the System32 box is gone, you'll want to re-enable SpyBot's Tea Timer again, as well as Windows' System Restore feature:

SpyBot: Click on the Tools menu on the right pane, click on Resident, and check Resident "Tea timer"(Protection of over-all system settings) active. Exit SpyBot once you have finished.

System Restore: Right-click on the My Computer icon on your desktop and choose the "Properties" option. In the System Properties window, click on the System Restore tab, uncheck the box next to the "Turn off System Restore" option, and hit the "OK" button. There will be a slight delay as Restore reactivates; the Properties window will automatically close when the operation is complete.
