I seriously cannot get rid of this damn thing. I've tried KillBox-ing it, I tried Ewido, I tried SpyBot Search and Destroy, I tried SpywareDoctor, I deleted its prefetch files, I did a Hijack This and deleted it from there, but it's still apparently hiding out somewhere on my computer and I can't seem to find its source to permanently delete it. It pops up a little icon in the icon tray (you know, next to the clock) with a "speech bubble" telling me I have spyware (which I shouldn't, I just updated SpywareDoctor and did a scan today) about every 15-20 minutes or so. It's starting to drive me crazy. Here's my current HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:46:39 PM, on 2/8/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Documents and Settings\MysticalChicken\My Documents\My Music\Last.fm Player\Last.fm\LastFM.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/en-us/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1ILEOi+UdWpSlz2q9Dzn13Emww/YwHECjUPqKhQ8zIT/pBVr9qOWPbSttPHD5ZXEp1LZqy5jUMQzpVwT50a/rsPZJOXtJ1/phYiJTtklI6JNGROJxmgDHHQLw8BrX7+PyzajQ3I4=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=runonce&pver=6.0&plcid=0x0409
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: Shell=explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N4 - Mozilla: user_pref("browser.startup.homepage", "http://jgarofalo.zzn.com"); (C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\prefs.js)
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\MysticalChicken\Application Data\Mozilla\Profiles\default\b44zsjhn.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E8DC686-B013-3CB3-2ED1-093E956091AC} - C:\WINDOWS\System32\ikgsuad.dll
O2 - BHO: (no name) - {10D38E88-6F7A-386F-9B96-096364AEBACF} - C:\WINDOWS\System32\umfkwzm.dll
O2 - BHO: (no name) - {1DD197D6-E08F-6CD5-07EF-007FC5499E9E} - C:\WINDOWS\System32\uwmfqmg.dll
O2 - BHO: (no name) - {203F4903-8665-9AD7-CD88-0B1CF055A5F0} - C:\WINDOWS\System32\xftwss.dll
O2 - BHO: (no name) - {23F792C7-195D-6DAE-7262-081148C86FEC} - C:\WINDOWS\System32\yjtjagk.dll
O2 - BHO: (no name) - {29D5C222-2437-D841-4D4E-060327A6B956} - C:\WINDOWS\System32\ksktrbb.dll
O2 - BHO: (no name) - {2BC5E3B2-7C57-A108-BE78-0ABE5CEF3103} - C:\WINDOWS\System32\axjkfkj.dll
O2 - BHO: (no name) - {2C1E58F7-F933-94A4-58F8-09275BB7F296} - C:\WINDOWS\System32\ixjmfxm.dll
O2 - BHO: (no name) - {348FD776-AA97-23D2-8471-0831C2B7E2D8} - C:\WINDOWS\System32\fogfxb.dll
O2 - BHO: (no name) - {35996FC5-6D28-4342-7C62-03E93AA66848} - C:\WINDOWS\System32\ngwxvui.dll
O2 - BHO: (no name) - {39B4BA90-BD6A-FFC6-4EDB-06242229975D} - C:\WINDOWS\System32\pbijvec.dll
O2 - BHO: (no name) - {45A4902E-4479-4EAE-A186-8D0F7E4C78DE} - C:\Program Files\Starware322\bin\Starware322.dll
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: (no name) - {5257CDB8-F317-0F98-BD8D-07EFE8E2110A} - C:\WINDOWS\System32\qmbcwlg.dll
O2 - BHO: (no name) - {5324621F-38BF-4CC9-85F3-01770C3D8E41} - C:\WINDOWS\System32\gvapgpe.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: (no name) - {6A8D46E7-2B94-B5EF-6DCD-03EC68D690A2} - C:\WINDOWS\System32\bfhgrfh.dll
O2 - BHO: (no name) - {6F59F76C-165B-CE59-C86F-01CB8BDF1261} - C:\WINDOWS\System32\nzsmsfc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: Starware322 - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - C:\Program Files\Starware322\bin\Starware322.dll
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Personal Security Center Monitor] C:\WINDOWS\System32\psc_mon.exe
O4 - HKLM\..\Run: [dnodbql.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\dnodbql.dll,vgxgqcd
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .aspx: C:\Program Files\\Netscape\\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140587785733
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140587770655
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

If anyone can find what I need to get rid of, that'd be really helpful. Also, if there's anything else that needs deleting, tell me.

EDIT: I just did a CCleaner (I'd forgotten about it) and that didn't work either.
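A triage sketch for a HijackThis log like the one in the post above, as an added example that is not part of the original thread. It flags two patterns visible in that log: unnamed BHOs whose DLL sits directly in System32, and Run keys that load a System32 DLL through rundll32.exe. Both rules are heuristics chosen for this example (a hit is a candidate for review, not proof of infection), and the function and variable names are hypothetical.

```python
import re

# Sample lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: (no name) - {0E8DC686-B013-3CB3-2ED1-093E956091AC} - C:\WINDOWS\System32\ikgsuad.dll
O2 - BHO: (no name) - {45A4902E-4479-4EAE-A186-8D0F7E4C78DE} - C:\Program Files\Starware322\bin\Starware322.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dnodbql.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\dnodbql.dll,vgxgqcd
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# O2 lines: "O2 - BHO: <name> - {CLSID} - <path>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# O4 registry autoruns: "O4 - HKLM\..\Run: [<value>] <command>"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")
# A DLL located directly in System32 (no subdirectory).
SYS32_DLL = re.compile(r"[A-Za-z]:\\WINDOWS\\System32\\[^\\\s,]+\.dll", re.I)


def triage(log_text):
    """Return (reason, dll_path) pairs for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            # Heuristic 1: BHO with no display name, DLL directly in System32.
            if m["name"] == "(no name)" and SYS32_DLL.fullmatch(m["path"]):
                findings.append(("unnamed BHO in System32", m["path"]))
            continue
        m = RUN_RE.match(line)
        if m and "rundll32.exe" in m["cmd"].lower():
            # Heuristic 2: autorun that uses rundll32 to load a System32 DLL.
            dll = SYS32_DLL.search(m["cmd"])
            if dll:
                findings.append(("Run key loads DLL via rundll32", dll.group(0)))
    return findings


if __name__ == "__main__":
    for reason, path in triage(SAMPLE_LOG):
        print(f"{reason}: {path}")
```
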


My bad, it's actually WinAntiSpyware 2006, not 2007. Apparently it's part of something called UltimateCleaner 2007, which I guess installed itself on my computer automatically. I can't find that to get rid of it either.


Okay, I think I finally got rid of it. I've been on the computer for several hours and it hasn't popped up once.


Run this one too:

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
