Help with various bugs on my computer

Hi, I have spent the last 2 days scanning, deleting, rebooting, and rescanning my computer. I have gone through many of the threads on here trying to fix the various problems I have come across. I ran HJT and would like to know if someone could read over it and tell me if I missed anything. Any help would be greatly appreciated. Thanks. Here is my HJT log.
Lisa

Logfile of HijackThis v1.99.1
Scan saved at 5:52:32 PM, on 2/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34985592-4E4C-420A-8A25-5F070715920C} - C:\WINDOWS\system32\byxvwvt.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\dttcsrcw.dll (file missing)
O2 - BHO: (no name) - {74ECEEAE-D6B9-45F0-B6FF-9D5F3E238DC7} - C:\WINDOWS\system32\awvvu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3C403675-B43C-410B-BF56-D4D1FB68356C} (ActiveXPortal Control) - http://72.29.84.224/OCX/gwnet.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1452/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://aolsvc.aol.com/onlinegames/shapo/shapo.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {DBA8E419-0D5F-439B-A3CC-D01C768D9B51} (DVCDownloaderControl Object) - http://aolsvc.aol.com/onlinegames/sonydavincicode/DVCDownloaderControl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000140 (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Comments

  • zamizami Finland
    edited February 2007
    Hi There!
    I am currently working on your log.
    I will get back to you as soon as possible.
    ~zami~
  • zamizami Finland
    edited February 2007
    Hi.

    Let's start with this:

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a fresh HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    ***************************************

    Please download Combofix to your desktop.
    Double click combofix.exe and follow the prompts.
    When it's done running it will produce a log for you. Please post that log in your next reply

    Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    ***************************************

    With all other windows closed, start your HijackThis and Click "Do a System Scan Only"
    Click in the check-box to the left of each of the following entries, if found:

    O2 - BHO: (no name) - {34985592-4E4C-420A-8A25-5F070715920C} - C:\WINDOWS\system32\byxvwvt.dll (file missing)
    O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\dttcsrcw.dll (file missing)
    O2 - BHO: (no name) - {74ECEEAE-D6B9-45F0-B6FF-9D5F3E238DC7} - C:\WINDOWS\system32\awvvu.dll (file missing)
    O16 - DPF: {3C403675-B43C-410B-BF56-D4D1FB68356C} (ActiveXPortal Control) - http://72.29.84.224/OCX/gwnet.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/14...2/cpbrkpie.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab

    Select Fix Checked

    In your next reply, please include the following logs: a Fresh HijackThis, Combofix log and VundoFix report. Thanks.
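    The fix list above is the result of a first-pass read of the log: orphaned "(no name)" BHOs whose DLL is already gone, an ActiveX package pulled from a bare IP address, and a service whose binary name is one letter off from a real Windows process. The script below automates that first pass. It is an added example written for this page, not code from HijackThis or from the helper; the sample lines are copied from the log posted above, and the scoring weights, the threshold and the list of imitated core binaries are assumptions. It only ranks entries, so anything it surfaces still has to be checked by hand the way the helper does.

```python
"""Heuristic first-pass triage of a HijackThis (HJT) log.

Added example for this thread, not HJT's or the helper's code. It scores the
entry types a log reader checks first (O2 BHOs, O16 ActiveX downloads, O23
services and running processes) so Vundo-style leftovers float to the top.
The weights and the core-binary list are assumptions, not HJT rules.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchosts.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {34985592-4E4C-420A-8A25-5F070715920C} - C:\WINDOWS\system32\byxvwvt.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {3C403675-B43C-410B-BF56-D4D1FB68356C} (ActiveXPortal Control) - http://72.29.84.224/OCX/gwnet.cab
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000140 (file missing)
"""

# Windows binaries that malware imitates with one-letter variants (assumed list).
CORE_BINARIES = sorted({"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe",
                        "explorer.exe", "csrss.exe", "smss.exe", "spoolsv.exe"})

PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|ocx|cpl)\b", re.IGNORECASE)
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \(.*?\))? - (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
SYSTEM32_RE = re.compile(r"\\windows\\system32\\", re.IGNORECASE)
RANDOM_DLL_RE = re.compile(r"^[a-z]{5,8}\.dll$")       # byxvwvt.dll, dttcsrcw.dll ...
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def _one_edit_away(a: str, b: str) -> bool:
    """True when a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1                      # extra character in a
        elif len(a) < len(b):
            j += 1                      # extra character in b
        else:
            i, j = i + 1, j + 1         # substitution
    return edits + (len(a) - i) + (len(b) - j) == 1   # trailing extra char counts too


def _vowel_ratio(stem: str) -> float:
    return sum(c in "aeiou" for c in stem) / max(len(stem), 1)


def score_line(line: str) -> Finding:
    """Score one HJT line; 0 means nothing about it looked odd."""
    f = Finding(line)
    if line.startswith("O2 - BHO:"):
        if "(no name)" in line:
            f.add(1, "BHO registered without a display name")
        if "(file missing)" in line:
            f.add(2, "BHO CLSID still registered but its DLL is gone (typical Vundo leftover)")
    elif line.startswith("O16 - DPF:"):
        m = O16_RE.match(line)
        host = urlparse(m.group(1).strip()).hostname if m else None
        if host and IPV4_RE.match(host):
            f.add(2, f"ActiveX package fetched from a raw IP address ({host})")
    elif line.startswith("O23 - Service:"):
        m = O23_RE.match(line)
        if m and m.group(2).strip() in ("", "Unknown owner"):
            f.add(1, "service has no vendor string")
        if "(file missing)" in line:
            f.add(1, "service binary is missing")
    m = PATH_RE.search(line)            # applies to every line type, incl. processes
    if m:
        path = m.group(0)
        name = path.rsplit("\\", 1)[-1].lower()
        stem = name.rsplit(".", 1)[0]
        # Crude random-name check: weight 1 so it never flags a line on its own.
        if SYSTEM32_RE.search(path) and RANDOM_DLL_RE.match(name) and _vowel_ratio(stem) < 0.2:
            f.add(1, f"consonant-heavy DLL name in system32 ({name})")
        for core in CORE_BINARIES:
            if _one_edit_away(name, core):
                f.add(3, f"{name} is one character away from {core}")
                break
    return f


def triage(log_text: str, threshold: int = 2) -> list[Finding]:
    """Lines scoring at or above threshold, highest score first."""
    findings = [score_line(l.rstrip()) for l in log_text.splitlines() if l.strip()]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.line}")
        for why in f.reasons:
            print(f"      - {why}")
```

    Run as a script it prints the four entries the helper asked to have fixed or removed, with the svchosts.exe service on top. The Spybot SDHelper line is deliberately in the sample: it is also "(no name)", but its DLL exists under Program Files, so it stays below the threshold, which is why "(no name)" alone is never a reason to fix an entry.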
  • edited February 2007
    Hi. Thanks for your response to my post. Here are the logs you requested.

    vundofix log:

    VundoFix V6.3.5

    Checking Java version...

    Java version is 1.5.0.5

    Java version is 1.5.0.6

    Java version is 1.5.0.9

    Scan started at 9:03:26 AM 2/3/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\dttcsrcw.dll

    Beginning removal...

    Performing Repairs to the registry.
    Done!

    ----
    combofix log:

    "Compaq_Owner" - 07-02-03 9:35:57 Service Pack 2
    ComboFix 07.02.03 - Running from: "C:\Documents and Settings\Compaq_Owner\Desktop"

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\unsvchosts.lzma
    C:\WINDOWS\install.exe
    C:\WINDOWS\system32\unsvchosts.exe
    C:\Program Files\Common Files\{309B3~1
    C:\Program Files\outlook
    C:\Program Files\winupdates
    C:\WINDOWS\system32\svchosts.exe
    C:\Program Files\Common Files\{009B3~1


    ((((((((((((((((((((((((((((((( Files Created from 2007-01-03 to 2007-02-03 ))))))))))))))))))))))))))))))))))


    2007-02-03 09:39 <DIR> d C:\WINDOWS\ERDNT
    2007-02-02 17:51 <DIR> d C:\Program Files\Hijackthis
    2007-02-02 17:36 <DIR> d C:\VundoFix Backups
    2007-02-02 17:10 <DIR> d C:\WINDOWS\system32\Kaspersky Lab
    2007-02-02 17:01 <DIR> d C:\WINDOWS\system32\ActiveScan
    2007-02-02 16:53 <DIR> d C:\Program Files\SpywareBlaster
    2007-02-02 15:16 <DIR> d C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
    2007-02-02 14:11 <DIR> d C:\DOCUME~1\COMPAQ~1\Application Data\Lavasoft
    2007-02-02 14:10 <DIR> d C:\Program Files\Lavasoft
    2007-02-01 21:13 277,158 ---hs---- C:\WINDOWS\system32\ddayy.dll
    2007-02-01 20:11 277,251 ---hs---- C:\WINDOWS\system32\jkhff.dll
    2007-02-01 19:10 277,120 ---hs---- C:\WINDOWS\system32\jkhhh.dll
    2007-02-01 18:09 277,179 ---hs---- C:\WINDOWS\system32\pmkhh.dll
    2007-02-01 17:07 277,161 ---hs---- C:\WINDOWS\system32\ddcyx.dll
    2007-02-01 16:06 74 ---hs---- C:\WINDOWS\system32\hjkmp.ini2
    2007-02-01 16:06 277,087 ---hs---- C:\WINDOWS\system32\pmkjh.dll
    2007-02-01 15:05 277,258 ---hs---- C:\WINDOWS\system32\pmnno.dll
    2007-02-01 14:05 277,163 ---hs---- C:\WINDOWS\system32\sstqq.dll
    2007-02-01 14:00 <DIR> d C:\DOCUME~1\evan\Application Data\AVG7
    2007-02-01 09:14 <DIR> dr-h C:\$VAULT$.AVG
    2007-02-01 08:10 <DIR> d C:\DOCUME~1\LOCALS~1\Application Data\AVG7
    2007-02-01 08:10 <DIR> d C:\DOCUME~1\COMPAQ~1\Application Data\AVG7
    2007-02-01 08:09 816,672 --a C:\WINDOWS\system32\drivers\avg7core.sys
    2007-02-01 08:09 4,224 --a C:\WINDOWS\system32\drivers\avg7rsw.sys
    2007-02-01 08:09 3,968 --a C:\WINDOWS\system32\drivers\avgclean.sys
    2007-02-01 08:09 28,416 --a C:\WINDOWS\system32\drivers\avg7rsxp.sys
    2007-02-01 08:09 18,240 --a C:\WINDOWS\system32\drivers\avgmfx86.sys
    2007-02-01 08:09 <DIR> d C:\DOCUME~1\ALLUSE~1\Application Data\Grisoft
    2007-02-01 08:09 <DIR> d C:\DOCUME~1\ALLUSE~1\Application Data\avg7
    2007-02-01 08:03 76,560 --a C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-01-31 22:19 277,232 ---hs---- C:\WINDOWS\system32\jkhhe.dll
    2007-01-31 22:19 277,232 ---hs---- C:\WINDOWS\system32\awtsq.dll
    2007-01-31 20:17 277,094 ---hs---- C:\WINDOWS\system32\mljjj.dll
    2007-01-31 20:17 277,094 ---hs---- C:\WINDOWS\system32\jkhhg.dll
    2007-01-31 19:16 277,283 ---hs---- C:\WINDOWS\system32\mlljj.dll
    2007-01-31 19:16 277,283 ---hs---- C:\WINDOWS\system32\mljgd.dll
    2007-01-31 18:15 277,280 ---hs---- C:\WINDOWS\system32\ssqpq.dll
    2007-01-31 18:15 277,280 ---hs---- C:\WINDOWS\system32\mljgg.dll
    2007-01-31 16:13 277,051 ---hs---- C:\WINDOWS\system32\ssttu.dll
    2007-01-31 16:13 277,051 ---hs---- C:\WINDOWS\system32\ddcyy.dll
    2007-01-31 15:12 277,082 ---hs---- C:\WINDOWS\system32\vtsqo.dll
    2007-01-31 15:12 277,082 ---hs---- C:\WINDOWS\system32\jkkll.dll
    2007-01-31 14:11 277,270 ---hs---- C:\WINDOWS\system32\jkkji.dll
    2007-01-31 14:11 277,270 ---hs---- C:\WINDOWS\system32\awvvt.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\yayyxxy.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\yayywtq.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\xxyyyax.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\xxywtsp.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\xxyvwuu.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\xxyaxww.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\wvusrrs.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\vtuvspq.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\vturspo.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\tuvwwxu.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\tuvuuuv.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\ssqolmk.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\ssqolkk.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\rqrrqnk.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\rqrqrrr.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\pmnoolk.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\opnonop.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\opnlkhi.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\nnnljhf.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\mljkhge.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\mljgfgg.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\ljjjkkl.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\ljjihgg.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\khfffeb.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\khffdcb.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\jkkllll.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\jkkjjkk.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\hgghhgd.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\hggfcby.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\hggeffe.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\hggddbb.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\hggddba.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\gebyvsq.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\fcccyyv.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\efcbcdd.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\efcbccb.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\ddcdefg.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\ddcdaax.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\cbxyaya.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\byxwurs.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\byxvtqq.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\byxuvuv.dll
    2007-01-31 10:37 0 --a C:\WINDOWS\system32\awtsrol.dll
    2007-01-30 14:39 <DIR> d C:\CRAYOLA
    2007-01-29 17:21 32,768 --a C:\DOCUME~1\evan\setup.exe
    2007-01-28 17:02 720,896 --a C:\WINDOWS\iun6002ev.exe
    2007-01-28 17:02 <DIR> d C:\Program Files\Bejeweled 2 Deluxe
    2007-01-25 23:38 <DIR> d C:\WINDOWS\ie7updates
    2007-01-25 12:34 <DIR> d C:\DOCUME~1\evan\Application Data\SecondLife
    2007-01-20 02:15 <DIR> d C:\DOCUME~1\COMPAQ~1\Application Data\Creative
    2007-01-16 22:17 <DIR> d C:\DOCUME~1\evan\Application Data\Apple Computer
    2007-01-16 11:48 <DIR> d C:\DOCUME~1\evan\Application Data\HP
    2007-01-15 20:31 <DIR> d C:\DOCUME~1\evan\Application Data\Sun
    2007-01-15 20:26 <DIR> d C:\DOCUME~1\evan\WINDOWS
    2007-01-15 20:26 <DIR> d C:\DOCUME~1\evan\Application Data\Symantec
    2007-01-15 20:26 <DIR> d C:\DOCUME~1\evan\Application Data\Real
    2007-01-15 20:26 <DIR> d C:\DOCUME~1\evan\Application Data\Intuit
    2007-01-15 17:46 <DIR> d C:\Program Files\IMVU2
    2007-01-08 10:20 4 --ah C:\WINDOWS\uccspecb.sys
    2007-01-07 13:40 <DIR> d C:\DOCUME~1\ALLUSE~1\Application Data\MumboJumbo
    2007-01-05 07:36 <DIR> d C:\WINDOWS\WBEM
    2007-01-05 07:36 <DIR> d C:\WINDOWS\system32\en-US
    2007-01-05 07:35 <DIR> d--h-c--- C:\WINDOWS\ie7
    2007-01-05 07:34 121,856 C:\WINDOWS\system32\xmllite.dll
    2007-01-05 07:34 <DIR> d C:\WINDOWS\network diagnostic
    2007-01-05 07:31 <DIR> d C:\Program Files\MSXML 4.0
    2007-01-05 07:31 <DIR> d C:\a90bf03d79fa7f790118


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-02-02 18:58 d C:\Program Files\lx_cats
    2007-02-02 18:16 d C:\Program Files\java
    2007-02-02 14:11 d C:\Documents and Settings\Compaq_Owner\Application Data\lavasoft
    2007-02-02 08:46 d C:\Documents and Settings\Compaq_Owner\Application Data\avg7
    2007-02-01 17:33 d C:\Documents and Settings\Compaq_Owner\Application Data\imvu
    2007-02-01 08:09 d C:\Program Files\grisoft
    2007-01-31 11:20 1956 --a C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
    2007-01-24 17:50 d C:\Program Files\secondlife
    2007-01-21 16:30 d C:\Program Files\imvu
    2007-01-20 03:06 d C:\Program Files\360share pro
    2007-01-20 02:15 d C:\Documents and Settings\Compaq_Owner\Application Data\creative
    2007-01-09 20:23 d C:\Program Files\yahoo! games
    2007-01-06 20:52 d C:\Program Files\lexmark fax solutions
    2007-01-06 20:52 d C:\Documents and Settings\Compaq_Owner\Application Data\faxctr
    2006-12-23 23:37 d C:\Program Files\windows media connect 2
    2006-12-18 10:40 2989 --a C:\Documents and Settings\Compaq_Owner\Application Data\patchupdate_instantsharejpg.log
    2006-11-07 23:06 679424 --a C:\WINDOWS\system32\inetcomm.dll
    2006-11-07 21:03 6049280 C:\WINDOWS\system32\ieframe.dll
    2006-11-07 21:03 50688 C:\WINDOWS\system32\msfeedsbs.dll
    2006-11-07 21:03 458752 C:\WINDOWS\system32\msfeeds.dll
    2006-11-07 21:03 413696 --a C:\WINDOWS\system32\vbscript.dll
    2006-11-07 21:03 231424 --a C:\WINDOWS\system32\webcheck.dll
    2006-11-07 21:03 180736 C:\WINDOWS\system32\ieui.dll
    2006-11-07 21:03 156160 --a C:\WINDOWS\system32\msls31.dll
    2006-11-07 03:27 382976 --a C:\WINDOWS\system32\iedkcs32.dll
    2006-11-07 03:27 229376 --a C:\WINDOWS\system32\ieaksie.dll
    2006-11-07 03:26 71680 --a C:\WINDOWS\system32\admparse.dll
    2006-11-07 03:26 55296 --a C:\WINDOWS\system32\iesetup.dll
    2006-11-07 03:26 54784 --a C:\WINDOWS\system32\ie4uinit.exe
    2006-11-07 03:26 43008 --a C:\WINDOWS\system32\iernonce.dll
    2006-11-07 03:26 152064 --a C:\WINDOWS\system32\ieakeng.dll
    2006-11-07 03:26 13312 --a C:\WINDOWS\system32\ieudinit.exe
    2006-11-07 03:26 123904 --a C:\WINDOWS\system32\advpack.dll
    2006-11-07 03:25 161792 --a C:\WINDOWS\system32\ieakui.dll
    2006-11-04 14:14 1245696 --a C:\WINDOWS\system32\msxml4.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "Aim6"=""
    "Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
    "HP Software Update"=hex(2):43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,\
    48,50,5c,48,50,20,53,6f,66,74,77,61,72,65,20,55,70,64,61,74,65,5c,48,50,77,\
    75,53,63,68,64,32,2e,65,78,65,00
    "LXCGCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCGtime.dll,_RunDLLEntry@16"
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\PalStart.lnk"
    "backup"="C:\\WINDOWS\\pss\\PalStart.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\PALTAL~1\\palstart.exe "
    "item"="PalStart"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Personal Coach.lnk"
    "backup"="C:\\WINDOWS\\pss\\Personal Coach.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\BRODER~1\\MAVISB~1\\MINIMA~1.EXE "
    "item"="Personal Coach"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^Compaq Organize.lnk]
    "path"="C:\\Documents and Settings\\Compaq_Owner\\Start Menu\\Programs\\Startup\\Compaq Organize.lnk"
    "backup"="C:\\WINDOWS\\pss\\Compaq Organize.lnkStartup"
    "location"="Startup"
    "command"="C:\\PROGRA~1\\HEWLET~1\\COMPAQ~1\\bin\\DISPLA~1.EXE \"-application\" \"core.hp.main/application.xml\" \"-appname\" \"eLife\""
    "item"="Compaq Organize"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^Picaboo.lnk]
    "path"="C:\\Documents and Settings\\Compaq_Owner\\Start Menu\\Programs\\Startup\\Picaboo.lnk"
    "backup"="C:\\WINDOWS\\pss\\Picaboo.lnkStartup"
    "location"="Startup"
    "command"="C:\\PROGRA~1\\Picaboo\\Picaboo\\PICABO~2.EXE /suppressapplication"
    "item"="Picaboo"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"=""
    "hkey"="HKLM"
    "command"=""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="AOLSP Scheduler"
    "hkey"="HKLM"
    "command"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ccApp"
    "hkey"="HKLM"
    "command"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="CTDetect"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe /R"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DllRunning]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="eukkltcu"
    "hkey"="HKLM"
    "command"="rundll32.exe \"C:\\WINDOWS\\system32\\eukkltcu.dll\",setvm"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ezprint"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Lexmark 2300 Series\\ezprint.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="fm3032"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Lexmark Fax Solutions\\fm3032.exe\" /s"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="AOLSoftware"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Common Files\\AOL\\1160161146\\ee\\AOLSoftware.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="IPHSend"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcgmon.exe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="lxcgmon"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Lexmark 2300 Series\\lxcgmon.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msmsgs"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msnmsgr"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetZero_uoltray]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="exec"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\NetZero\\exec.exe regrun"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\outlook]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="outlook"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\outlook\\outlook.exe /auto"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"=""
    "hkey"="HKLM"
    "command"=""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spc_w]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="nzspc"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\NZSearch\\nzspc.exe\" -w"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="jusched"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="SNDMon"
    "hkey"="HKLM"
    "command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="realsched"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="UrlLstCk"
    "hkey"="HKLM"
    "command"="c:\\Program Files\\Norton Internet Security\\UrlLstCk.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="Save"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Save\\Save.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Media Connect 2]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="WMCCFG"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Windows Media Connect 2\\WMCCFG.exe\" /StartQuiet"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="YahooMessenger"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
    "inimapping"="0"


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{34985592-4E4C-420A-8A25-5F070715920C}"=""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
    Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\tasks\Symantec NetDetect.job


    ********************************************************************

    catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
    http://www.gmer.net

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCGCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

    ********************************************************************

    Completion time: 07-02-03 9:44:27


    hijackthis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:56:46 AM, on 2/3/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
    O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://aolsvc.aol.com/onlinegames/shapo/shapo.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O16 - DPF: {DBA8E419-0D5F-439B-A3CC-D01C768D9B51} (DVCDownloaderControl Object) - http://aolsvc.aol.com/onlinegames/sonydavincicode/DVCDownloaderControl.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


    ----
    Thanks again for looking at my log. Also I would like to include that my homepage has been changed and I cannot get it back to what it was before today.
    Lisa
  • edited February 2007
    Hi again, please disregard the homepage problem, I got it changed back to my previous homepage, just had to change it a couple of times for it to register. Thanks again.
    Lisa
  • zamizami Finland
    edited February 2007
    Let's try this:

    1) Download VirtumundoBegone
    2) Save VirtumundoBeGone.exe to your desktop.
    3) Run VirtumundoBeGone.exe and follow the instructions. Do not worry if you see a BLUE SCREEN "Fatal Error" Message, this is normal and expected.
    4) When it has finished, reboot.

    Post the VBG.txt file it produces and a new HJT log...

    **¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**
    • Now we'll need to remove a couple of registry entries.
    • Click Start » Run » type: Notepad » OK
    • Copy (Ctrl+C) and paste (Ctrl+V) the following text below (inside the box) to Notepad.
    REGEDIT4
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DllRunning]
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{34985592-4E4C-420A-8A25-5F070715920C}"=-
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DllRunning]
    
    • Make sure there are no blank spaces before REGEDIT4 and there should be one blank line at the end.
    • Click File at the top and then choose Save As.
    • Change Save As Type to All Files.
    • Name it FixME.reg and save it on your desktop.
    • Double click FixME.reg. It will ask you if you want to merge it to the registry, click Yes.
    **¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**
    == Show hidden files and folders ==
    Some malware files may be "hidden".
    Be sure to show hidden files when looking for these file(s) and/or folder(s).

    **¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**
    == Delete folders/files ==
    1. Reboot Your System in Safe Mode
    Boot to safe mode:
    Instructions here
    2. Using Windows Explorer (Windows Key + E), locate the following files/folders, and DELETE them (if still present):
    C:\Program Files\Save
    C:\WINDOWS\iun6002ev.exe
    C:\a90bf03d79fa7f790118

    After all these are done, please empty the Recycle Bin.
    3. Exit Explorer.
    **¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**
    REBOOT BACK INTO NORMAL MODE.
    == Check on status ==
    After you have completed the above, please provide:
    * the VBG.txt file
    * a new HijackThis log
    * and a description of any problems you are having with your PC
    ~zami~
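    Before merging a fix file like the FixME.reg above, it helps to check it mechanically rather than by eye. The script below is an added example (not part of this thread or of any tool mentioned in it): it checks the two rules zami insists on (nothing before REGEDIT4, one blank line at the end), requires full hive names as regedit does, and lists exactly which keys and values the file will delete when merged. The embedded sample is the FixME.reg from the post above.

```python
"""Lint a REGEDIT4 fix file and summarise what merging it would delete.

Added example for the thread above, not code from the thread or from any
tool named in it. `[-KEY]` deletes a whole key, `"name"=-` deletes one
value under the preceding `[KEY]` header; anything else sets a value.
"""
import re
from dataclasses import dataclass, field

# regedit does not accept abbreviated hives (HKLM, HKCU) in .reg files.
HIVES = ('HKEY_LOCAL_MACHINE', 'HKEY_CURRENT_USER', 'HKEY_USERS',
         'HKEY_CLASSES_ROOT', 'HKEY_CURRENT_CONFIG')
KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


@dataclass
class RegFixSummary:
    deleted_keys: list = field(default_factory=list)
    deleted_values: list = field(default_factory=list)  # (key, value name)
    set_values: list = field(default_factory=list)      # (key, name, data)
    problems: list = field(default_factory=list)        # would break the merge
    notes: list = field(default_factory=list)           # harmless but odd


def lint_reg_fix(text: str) -> RegFixSummary:
    s = RegFixSummary()
    lines = text.split('\n')
    first = lines[0] if lines else ''
    # Rule 1: REGEDIT4 must be the very first thing in the file.
    if first != 'REGEDIT4':
        s.problems.append('whitespace before REGEDIT4 header'
                          if first.strip() == 'REGEDIT4'
                          else 'missing REGEDIT4 header')
    # Rule 2: regedit wants the file to end with one blank line.
    if not text.endswith('\n\n'):
        s.problems.append('file does not end with a blank line')

    current = None          # key that following "name"=... lines belong to
    seen_deleted = set()
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.rstrip('\r')
        if not line.strip():
            continue
        m = KEY_RE.match(line)
        if m:
            is_delete, key = m.group(1) == '-', m.group(2)
            hive = key.split('\\', 1)[0]
            if hive.upper() not in HIVES:
                s.problems.append(f'line {lineno}: unknown hive {hive!r}')
            if is_delete:
                if key.lower() in seen_deleted:
                    s.notes.append(f'line {lineno}: key deleted twice: {key}')
                seen_deleted.add(key.lower())
                s.deleted_keys.append(key)
                current = None      # values cannot follow a key deletion
            else:
                current = key
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data == '-':
                s.deleted_values.append((current, name))
            else:
                s.set_values.append((current, name, data))
            continue
        s.problems.append(f'line {lineno}: unparsed line {line!r}')
    return s


# The FixME.reg posted in the thread above, reproduced as the sample input.
FIXME_REG = (
    'REGEDIT4\n'
    '\n'
    '[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\DllRunning]\n'
    '\n'
    '[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\explorer\\shellexecutehooks]\n'
    '"{34985592-4E4C-420A-8A25-5F070715920C}"=-\n'
    '\n'
    '[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\WhenUSave]\n'
    '\n'
    '[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\DllRunning]\n'
    '\n'
)

if __name__ == '__main__':
    summary = lint_reg_fix(FIXME_REG)
    for key in summary.deleted_keys:
        print('delete key  :', key)
    for key, name in summary.deleted_values:
        print('delete value:', name, 'under', key)
    for p in summary.problems:
        print('PROBLEM     :', p)
    for n in summary.notes:
        print('note        :', n)
```

    Run against the sample it reports three key deletions and one value deletion, no format problems, and a note that the DllRunning key is listed twice (harmless, the second deletion simply finds nothing).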
  • edited February 2007
    Hi again and thanks once again for all the help you are giving me. I followed your instructions and did what was requested. Here are the logs and info you requested.

    VBG Log:


    [02/07/2007, 7:32:33] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Compaq_Owner\Desktop\VirtumundoBeGone.exe" )
    [02/07/2007, 7:32:41] - Detected System Information:
    [02/07/2007, 7:32:41] - Windows Version: 5.1.2600, Service Pack 2
    [02/07/2007, 7:32:41] - Current Username: Compaq_Owner (Admin)
    [02/07/2007, 7:32:41] - Windows is in NORMAL mode.
    [02/07/2007, 7:32:41] - Searching for Browser Helper Objects:
    [02/07/2007, 7:32:41] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
    [02/07/2007, 7:32:41] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
    [02/07/2007, 7:32:41] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
    [02/07/2007, 7:32:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [02/07/2007, 7:32:41] - Checking for HKLM\...\Winlogon\Notify\SDHelper
    [02/07/2007, 7:32:41] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
    [02/07/2007, 7:32:41] - BHO 4: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
    [02/07/2007, 7:32:41] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [02/07/2007, 7:32:41] - BHO 6: {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} (AOL Toolbar Launcher)
    [02/07/2007, 7:32:41] - Finished Searching Browser Helper Objects
    [02/07/2007, 7:32:41] - Finishing up...
    [02/07/2007, 7:32:41] - Nothing found! Exiting...



    ~~~~~

    HiJackthis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:55:03 AM, on 2/7/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://games.bellsouth.net/Gh/DeliciousWeb/zylomplayer.cab
    O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://aolsvc.aol.com/onlinegames/shapo/shapo.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O16 - DPF: {DBA8E419-0D5F-439B-A3CC-D01C768D9B51} (DVCDownloaderControl Object) - http://aolsvc.aol.com/onlinegames/sonydavincicode/DVCDownloaderControl.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    ~~~

    The only problem I seem to be having now is that my IE is running just a little bit slower than it was; other than that everything seems to be running fine.

    Thanks
    Lisa~~
  • edited February 2007
    I also wanted to let you know that of the 3 files you asked that I remove in safe mode, the file C:\Program Files\Save is the only one that I could not find, I removed the other two.
    Thanks again
    Lisa
  • zamizami Finland
    edited February 2007
    Download KillBox
    Unzip the folder to your desktop.
    • Start Killbox.exe
    • Select the Delete on Reboot option.
    • Click on the All Files button.
    • Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

      C:\WINDOWS\system32\jkhhe.dll
      C:\WINDOWS\system32\awtsq.dll
      C:\WINDOWS\system32\mljjj.dll
      C:\WINDOWS\system32\jkhhg.dll
      C:\WINDOWS\system32\mlljj.dll
      C:\WINDOWS\system32\mljgd.dll
      C:\WINDOWS\system32\ssqpq.dll
      C:\WINDOWS\system32\mljgg.dll
      C:\WINDOWS\system32\ddcyy.dll
      C:\WINDOWS\system32\vtsqo.dll
      C:\WINDOWS\system32\jkkll.dll
      C:\WINDOWS\system32\jkkji.dll
      C:\WINDOWS\system32\awvvt.dll
      C:\WINDOWS\system32\yayyxxy.dll
      C:\WINDOWS\system32\yayywtq.dll
      C:\WINDOWS\system32\xxyyyax.dll
      C:\WINDOWS\system32\xxywtsp.dll
      C:\WINDOWS\system32\xxyvwuu.dll
      C:\WINDOWS\system32\xxyaxww.dll
      C:\WINDOWS\system32\wvusrrs.dll
      C:\WINDOWS\system32\vtuvspq.dll
      C:\WINDOWS\system32\vturspo.dll
      C:\WINDOWS\system32\tuvwwxu.dll
      C:\WINDOWS\system32\tuvuuuv.dll
      C:\WINDOWS\system32\ssqolmk.dll
      C:\WINDOWS\system32\ssqolkk.dll
      C:\WINDOWS\system32\rqrrqnk.dll
      C:\WINDOWS\system32\rqrqrrr.dll
      C:\WINDOWS\system32\pmnoolk.dll
      C:\WINDOWS\system32\opnonop.dll
      C:\WINDOWS\system32\opnlkhi.dll
      C:\WINDOWS\system32\nnnljhf.dll
      C:\WINDOWS\system32\mljkhge.dll
      C:\WINDOWS\system32\mljgfgg.dll
      C:\WINDOWS\system32\ljjjkkl.dll
      C:\WINDOWS\system32\ljjihgg.dll
      C:\WINDOWS\system32\khfffeb.dll
      C:\WINDOWS\system32\khffdcb.dll
      C:\WINDOWS\system32\jkkllll.dll
      C:\WINDOWS\system32\jkkjjkk.dll
      C:\WINDOWS\system32\hgghhgd.dll
      C:\WINDOWS\system32\hggfcby.dll
      C:\WINDOWS\system32\hggeffe.dll
      C:\WINDOWS\system32\hggddbb.dll
      C:\WINDOWS\system32\hggddba.dll
      C:\WINDOWS\system32\gebyvsq.dll
      C:\WINDOWS\system32\fcccyyv.dll
      C:\WINDOWS\system32\efcbcdd.dll
      C:\WINDOWS\system32\efcbccb.dll
      C:\WINDOWS\system32\ddcdefg.dll
      C:\WINDOWS\system32\ddcdaax.dll
      C:\WINDOWS\system32\cbxyaya.dll
      C:\WINDOWS\system32\byxwurs.dll
      C:\WINDOWS\system32\byxvtqq.dll
      C:\WINDOWS\system32\byxuvuv.dll
      C:\WINDOWS\system32\awtsrol.dll
      C:\WINDOWS\system32\ddayy.dll
      C:\WINDOWS\system32\jkhff.dll
      C:\WINDOWS\system32\jkhhh.dll
      C:\WINDOWS\system32\pmkhh.dll
      C:\WINDOWS\system32\ddcyx.dll
      C:\WINDOWS\system32\hjkmp.ini2
      C:\WINDOWS\system32\pmkjh.dll
      C:\WINDOWS\system32\pmnno.dll
      C:\WINDOWS\system32\sstqq.dll
      C:\DOCUME~1\evan\setup.exe
      C:\WINDOWS\iun6002ev.exe

    • Go to the File menu of Killbox, and choose Paste from Clipboard.
      NOTE: You must use the File menu--pasting by right-clicking the mouse will only enter one file.
    • Click the Delete File button that is a red-and-white X. Click Yes at the Delete on Reboot prompt.
      Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If your computer does not restart automatically, please restart it manually.
    After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log.
    Post this log in your next reply.

    ********************************************

    Then run Combofix again:

    Double click combofix.exe and follow the prompts.
    When it's done running it will produce a log for you. Please post that log in your next reply.

    Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    ********************************************

    In your next reply, please include the following logs: a fresh HijackThis and Combofix report. Thanks.
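One way to check a posted Actions History Log against the paste list above, as an added example that is not code from this thread, from Killbox or from ComboFix: it parses the log's line formats (copied from the log posted later in the thread), lists which requested paths were actually queued for deletion on reboot, reports any requested path that never appears, and flags the PendingFileRenameOperations message the helper asks to be told about. The sample log and request list are a constructed excerpt in that format.

```python
"""Summarise a Pocket Killbox "Actions History Log" and cross-check it against
the list of files a helper asked to have deleted on reboot.

Added example; not code from the thread, from Killbox, or from ComboFix.
The line formats ("was started @ ...", "# N [Delete on Reboot]", "Path = ...",
"I Rebooted @ ...", "PendingFileRenameOperations ... Removed by External
Process! @ ...") are copied from the log posted later in this thread.  The
sample log and request list below are a constructed excerpt in that format.
"""
import re

SESSION_RE = re.compile(r"^was started @ (?P<when>.+)$")
ENTRY_RE = re.compile(r"^# (?P<num>\d+) \[(?P<action>[^\]]+)\]$")
PATH_RE = re.compile(r"^Path = (?P<path>.+)$")
REBOOT_RE = re.compile(r"^I Rebooted @ (?P<time>.+)$")
PENDING_RE = re.compile(
    r"PendingFileRenameOperations Registry Data has been Removed by "
    r"External Process! @ (?P<time>.+)$"
)


def parse_killbox_log(text):
    """Split the log into sessions (one per "Pocket Killbox version" header).

    Each session records when it started, the (action, path) pairs queued,
    whether Killbox logged a reboot, and whether it reported that the
    PendingFileRenameOperations registry value was cleared by another process.
    """
    sessions = []
    current = None
    action = None  # action from a "# N [...]" line awaiting its "Path =" line
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Pocket Killbox version"):
            current = {"started": None, "entries": [],
                       "rebooted_at": None, "pending_removed_at": None}
            sessions.append(current)
            action = None
            continue
        if current is None:
            continue
        if (m := SESSION_RE.match(line)):
            current["started"] = m.group("when")
        elif (m := ENTRY_RE.match(line)):
            action = m.group("action")
        elif (m := PATH_RE.match(line)) and action is not None:
            current["entries"].append((action, m.group("path").strip()))
            action = None
        elif (m := REBOOT_RE.match(line)):
            current["rebooted_at"] = m.group("time")
        elif (m := PENDING_RE.search(line)):
            current["pending_removed_at"] = m.group("time")
    return sessions


def cross_check(requested, sessions):
    """Compare the requested paths with what Killbox actually queued.

    Windows paths are compared case-insensitively.  A requested path that
    never appears, a session whose pending deletions were cleared by another
    process, or a session that queued files but never logged a reboot are
    all things the helper would want reported back.
    """
    queued = {p.lower() for s in sessions
              for a, p in s["entries"] if a == "Delete on Reboot"}
    wanted = [p.strip() for p in requested if p.strip()]
    return {
        "queued": [p for p in wanted if p.lower() in queued],
        "missing": [p for p in wanted if p.lower() not in queued],
        "cleared_pending_ops": [s["started"] for s in sessions
                                if s["pending_removed_at"]],
        "queued_without_reboot": [s["started"] for s in sessions
                                  if s["entries"] and not s["rebooted_at"]],
    }


# Constructed excerpt in the format of the log posted in this thread.
SAMPLE_LOG = r"""
Pocket Killbox version 2.0.0.648
Running on Windows XP as Compaq_Owner(Administrator)
was started @ Wednesday, February 07, 2007, 1:46 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\jkhhe.dll

I Rebooted @ 1:47:18 PM
Killbox Closed(Exit) @ 1:47:49 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Compaq_Owner(Administrator)
was started @ Wednesday, February 07, 2007, 2:05 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\awtsq.dll

# 2 [Delete on Reboot]
Path = C:\DOCUME~1\evan\setup.exe

PendingFileRenameOperations Registry Data has been Removed by External Process! @ 2:06:35 PM
Killbox Closed(Exit) @ 2:08:02 PM
"""

# Constructed request list: three paths from the excerpt plus one that is on
# the paste list above but does not appear in the sample log.
REQUESTED = [
    r"C:\WINDOWS\system32\jkhhe.dll",
    r"C:\WINDOWS\system32\awtsq.dll",
    r"C:\DOCUME~1\evan\setup.exe",
    r"C:\WINDOWS\iun6002ev.exe",
]

if __name__ == "__main__":
    for key, value in cross_check(REQUESTED, parse_killbox_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```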
  • edited February 2007
    Here are the logs you wanted.


    killbox log:

    Pocket Killbox version 2.0.0.648
    Running on Windows XP as Compaq_Owner(Administrator)
    was started @ Wednesday, February 07, 2007, 1:46 PM

    # 1 [Delete on Reboot]
    Path = C:\WINDOWS\system32\jkhhe.dll


    I Rebooted @ 1:47:18 PM
    Killbox Closed(Exit) @ 1:47:49 PM
    __________________________________________________

    Pocket Killbox version 2.0.0.648
    Running on Windows XP as Compaq_Owner(Administrator)
    was started @ Wednesday, February 07, 2007, 1:52 PM

    Killbox Closed(Exit) @ 1:53:05 PM
    __________________________________________________

    Pocket Killbox version 2.0.0.648
    Running on Windows XP as Compaq_Owner(Administrator)
    was started @ Wednesday, February 07, 2007, 2:05 PM

    # 1 [Delete on Reboot]
    Path = C:\WINDOWS\system32\awtsq.dll


    # 2 [Delete on Reboot]
    Path = C:\WINDOWS\system32\mljjj.dll


    # 3 [Delete on Reboot]
    Path = C:\WINDOWS\system32\jkhhg.dll


    # 4 [Delete on Reboot]
    Path = C:\WINDOWS\system32\mlljj.dll


    # 5 [Delete on Reboot]
    Path = C:\WINDOWS\system32\mljgd.dll


    # 6 [Delete on Reboot]
    Path = C:\WINDOWS\system32\ssqpq.dll


    # 7 [Delete on Reboot]
    Path = C:\WINDOWS\system32\mljgg.dll


    # 8 [Delete on Reboot]
    Path = C:\WINDOWS\system32\ddcyy.dll


    # 9 [Delete on Reboot]
    Path = C:\WINDOWS\system32\vtsqo.dll


    # 10 [Delete on Reboot]
    Path = C:\WINDOWS\system32\jkkll.dll


    # 11 [Delete on Reboot]
    Path = C:\WINDOWS\system32\jkkji.dll


    # 12 [Delete on Reboot]
    Path = C:\WINDOWS\system32\awvvt.dll


    # 13 [Delete on Reboot]
    Path = C:\WINDOWS\system32\yayyxxy.dll


    # 14 [Delete on Reboot]
    Path = C:\WINDOWS\system32\yayywtq.dll


    # 15 [Delete on Reboot]
    Path = C:\WINDOWS\system32\xxyyyax.dll


    # 16 [Delete on Reboot]
    Path = C:\WINDOWS\system32\xxywtsp.dll


    # 17 [Delete on Reboot]
    Path = C:\WINDOWS\system32\xxyvwuu.dll


    # 18 [Delete on Reboot]
    Path = C:\WINDOWS\system32\xxyaxww.dll


    # 19 [Delete on Reboot]
    Path = C:\WINDOWS\system32\wvusrrs.dll


    # 20 [Delete on Reboot]
    Path = C:\WINDOWS\system32\vtuvspq.dll


    # 21 [Delete on Reboot]
    Path = C:\WINDOWS\system32\vturspo.dll


    # 22 [Delete on Reboot]
    Path = C:\WINDOWS\system32\tuvwwxu.dll


    # 23 [Delete on Reboot]
    Path = C:\WINDOWS\system32\tuvuuuv.dll


    # 24 [Delete on Reboot]
    Path = C:\WINDOWS\system32\ssqolmk.dll


    # 25 [Delete on Reboot]
    Path = C:\WINDOWS\system32\ssqolkk.dll


    # 26 [Delete on Reboot]
    Path = C:\WINDOWS\system32\rqrrqnk.dll


    # 27 [Delete on Reboot]
    Path = C:\WINDOWS\system32\rqrqrrr.dll


    # 28 [Delete on Reboot]
    Path = C:\WINDOWS\system32\pmnoolk.dll


    # 29 [Delete on Reboot]
    Path = C:\WINDOWS\system32\opnonop.dll


    # 30 [Delete on Reboot]
    Path = C:\WINDOWS\system32\opnlkhi.dll


    # 31 [Delete on Reboot]
    Path = C:\WINDOWS\system32\nnnljhf.dll


    # 32 [Delete on Reboot]
    Path = C:\WINDOWS\system32\mljkhge.dll


    # 33 [Delete on Reboot]
    Path = C:\WINDOWS\system32\mljgfgg.dll


    # 34 [Delete on Reboot]
    Path = C:\WINDOWS\system32\ljjjkkl.dll


    # 35 [Delete on Reboot]
    Path = C:\WINDOWS\system32\ljjihgg.dll


    # 36 [Delete on Reboot]
    Path = C:\WINDOWS\system32\khfffeb.dll


    # 37 [Delete on Reboot]
    Path = C:\WINDOWS\system32\khffdcb.dll


    # 38 [Delete on Reboot]
    Path = C:\WINDOWS\system32\jkkllll.dll


    # 39 [Delete on Reboot]
    Path = C:\WINDOWS\system32\jkkjjkk.dll


    # 40 [Delete on Reboot]
    Path = C:\WINDOWS\system32\hgghhgd.dll


    # 41 [Delete on Reboot]
    Path = C:\WINDOWS\system32\hggfcby.dll


    # 42 [Delete on Reboot]
    Path = C:\WINDOWS\system32\hggeffe.dll


    # 43 [Delete on Reboot]
    Path = C:\WINDOWS\system32\hggddbb.dll


    # 44 [Delete on Reboot]
    Path = C:\WINDOWS\system32\hggddba.dll


    # 45 [Delete on Reboot]
    Path = C:\WINDOWS\system32\gebyvsq.dll


    # 46 [Delete on Reboot]
    Path = C:\WINDOWS\system32\fcccyyv.dll


    # 47 [Delete on Reboot]
    Path = C:\WINDOWS\system32\efcbcdd.dll


    # 48 [Delete on Reboot]
    Path = C:\WINDOWS\system32\efcbccb.dll


    # 49 [Delete on Reboot]
    Path = C:\WINDOWS\system32\ddcdefg.dll


    # 50 [Delete on Reboot]
    Path = C:\WINDOWS\system32\ddcdaax.dll


    # 51 [Delete on Reboot]
    Path = C:\WINDOWS\system32\cbxyaya.dll


    # 52 [Delete on Reboot]
    Path = C:\WINDOWS\system32\byxwurs.dll


    # 53 [Delete on Reboot]
    Path = C:\WINDOWS\system32\byxvtqq.dll


    # 54 [Delete on Reboot]
    Path = C:\WINDOWS\system32\byxuvuv.dll


    # 55 [Delete on Reboot]
    Path = C:\WINDOWS\system32\awtsrol.dll


    # 56 [Delete on Reboot]
    Path = C:\WINDOWS\system32\ddayy.dll


    # 57 [Delete on Reboot]
    Path = C:\WINDOWS\system32\jkhff.dll


    # 58 [Delete on Reboot]
    Path = C:\WINDOWS\system32\jkhhh.dll


    # 59 [Delete on Reboot]
    Path = C:\WINDOWS\system32\pmkhh.dll


    # 60 [Delete on Reboot]
    Path = C:\WINDOWS\system32\ddcyx.dll


    # 61 [Delete on Reboot]
    Path = C:\WINDOWS\system32\hjkmp.ini2


    # 62 [Delete on Reboot]
    Path = C:\WINDOWS\system32\pmkjh.dll


    # 63 [Delete on Reboot]
    Path = C:\WINDOWS\system32\pmnno.dll


    # 64 [Delete on Reboot]
    Path = C:\WINDOWS\system32\sstqq.dll


    # 65 [Delete on Reboot]
    Path = C:\DOCUME~1\evan\setup.exe


    PendingFileRenameOperations Registry Data has been Removed by External Process! @ 2:06:35 PM
    Killbox Closed(Exit) @ 2:08:02 PM
    __________________________________________________

    Pocket Killbox version 2.0.0.648
    Running on Windows XP as Compaq_Owner(Administrator)
    was started @ Wednesday, February 07, 2007, 2:09 PM

    ~~~~~~~~~~~~

    combofix log:

    ~~~~~~~~~

    Hijackthis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:19:01 PM, on 2/7/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://games.bellsouth.net/Gh/DeliciousWeb/zylomplayer.cab
    O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://aolsvc.aol.com/onlinegames/shapo/shapo.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O16 - DPF: {DBA8E419-0D5F-439B-A3CC-D01C768D9B51} (DVCDownloaderControl Object) - http://aolsvc.aol.com/onlinegames/sonydavincicode/DVCDownloaderControl.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe



    Thanks for your help
    Lisa
  • edited February 2007
    Ok, somehow I managed to post the killbox log for the combofix log. Sorry about that. Here is the combofix log:

    "Compaq_Owner" - 07-02-07 14:24:00 Service Pack 2
    ComboFix 07.02.03 - Running from: "C:\Documents and Settings\Compaq_Owner\Desktop\cleaning tools"

    ((((((((((((((((((((((((((((((( Files Created from 2007-01-07 to 2007-02-07 ))))))))))))))))))))))))))))))))))


    2007-02-07 13:46 <DIR> d C:\!KillBox
    2007-02-05 09:15 <DIR> d C:\DOCUME~1\evan\Application Data\yahoo!
    2007-02-03 10:43 <DIR> d C:\DOCUME~1\ALLUSE~1\Application Data\Zylom
    2007-02-03 09:39 <DIR> d C:\WINDOWS\ERDNT
    2007-02-02 17:51 <DIR> d C:\Program Files\Hijackthis
    2007-02-02 17:36 <DIR> d C:\VundoFix Backups
    2007-02-02 17:10 <DIR> d C:\WINDOWS\system32\Kaspersky Lab
    2007-02-02 17:01 <DIR> d C:\WINDOWS\system32\ActiveScan
    2007-02-02 16:53 <DIR> d C:\Program Files\SpywareBlaster
    2007-02-02 15:16 <DIR> d C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
    2007-02-02 14:11 <DIR> d C:\DOCUME~1\COMPAQ~1\Application Data\Lavasoft
    2007-02-02 14:10 <DIR> d C:\Program Files\Lavasoft
    2007-02-01 14:00 <DIR> d C:\DOCUME~1\evan\Application Data\AVG7
    2007-02-01 09:14 <DIR> dr-h C:\$VAULT$.AVG
    2007-02-01 08:10 <DIR> d C:\DOCUME~1\LOCALS~1\Application Data\AVG7
    2007-02-01 08:10 <DIR> d C:\DOCUME~1\COMPAQ~1\Application Data\AVG7
    2007-02-01 08:09 816,672 --a C:\WINDOWS\system32\drivers\avg7core.sys
    2007-02-01 08:09 4,224 --a C:\WINDOWS\system32\drivers\avg7rsw.sys
    2007-02-01 08:09 3,968 --a C:\WINDOWS\system32\drivers\avgclean.sys
    2007-02-01 08:09 28,416 --a C:\WINDOWS\system32\drivers\avg7rsxp.sys
    2007-02-01 08:09 18,240 --a C:\WINDOWS\system32\drivers\avgmfx86.sys
    2007-02-01 08:09 <DIR> d C:\DOCUME~1\ALLUSE~1\Application Data\Grisoft
    2007-02-01 08:09 <DIR> d C:\DOCUME~1\ALLUSE~1\Application Data\avg7
    2007-02-01 08:03 76,560 --a C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-01-31 16:13 277,051 ---hs---- C:\WINDOWS\system32\ssttu.dll
    2007-01-30 14:39 <DIR> d C:\CRAYOLA
    2007-01-28 17:02 <DIR> d C:\Program Files\Bejeweled 2 Deluxe
    2007-01-25 23:38 <DIR> d C:\WINDOWS\ie7updates
    2007-01-25 12:34 <DIR> d C:\DOCUME~1\evan\Application Data\SecondLife
    2007-01-20 02:15 <DIR> d C:\DOCUME~1\COMPAQ~1\Application Data\Creative
    2007-01-16 22:17 <DIR> d C:\DOCUME~1\evan\Application Data\Apple Computer
    2007-01-16 11:48 <DIR> d C:\DOCUME~1\evan\Application Data\HP
    2007-01-15 20:31 <DIR> d C:\DOCUME~1\evan\Application Data\Sun
    2007-01-15 20:26 <DIR> d C:\DOCUME~1\evan\WINDOWS
    2007-01-15 20:26 <DIR> d C:\DOCUME~1\evan\Application Data\Symantec
    2007-01-15 20:26 <DIR> d C:\DOCUME~1\evan\Application Data\Real
    2007-01-15 20:26 <DIR> d C:\DOCUME~1\evan\Application Data\Intuit
    2007-01-15 17:46 <DIR> d C:\Program Files\IMVU2
    2007-01-08 10:20 4 --ah C:\WINDOWS\uccspecb.sys
    2007-01-07 13:40 <DIR> d C:\DOCUME~1\ALLUSE~1\Application Data\MumboJumbo


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-02-05 08:56 d C:\Program Files\eudemons online
    2007-02-04 17:11 d C:\DOCUME~1\COMPAQ~1\Application Data\imvu
    2007-02-02 18:58 d C:\Program Files\lx_cats
    2007-02-02 18:16 d C:\Program Files\java
    2007-02-01 08:09 d C:\Program Files\grisoft
    2007-01-31 11:20 1956 --a C:\DOCUME~1\COMPAQ~1\Application Data\wklnhst.dat
    2007-01-24 17:50 d C:\Program Files\secondlife
    2007-01-21 16:30 d C:\Program Files\imvu
    2007-01-20 03:06 d C:\Program Files\360share pro
    2007-01-09 20:23 d C:\Program Files\yahoo! games
    2007-01-06 20:52 d C:\Program Files\lexmark fax solutions
    2007-01-06 20:52 d C:\DOCUME~1\COMPAQ~1\Application Data\faxctr
    2007-01-05 07:31 d C:\Program Files\msxml 4.0
    2006-12-23 23:37 d C:\Program Files\windows media connect 2
    2006-12-18 10:40 2989 --a C:\DOCUME~1\COMPAQ~1\Application Data\patchupdate_instantsharejpg.log
    2006-11-07 23:06 679424 --a C:\WINDOWS\system32\inetcomm.dll
    2006-11-07 21:03 6049280 C:\WINDOWS\system32\ieframe.dll
    2006-11-07 21:03 50688 C:\WINDOWS\system32\msfeedsbs.dll
    2006-11-07 21:03 458752 C:\WINDOWS\system32\msfeeds.dll
    2006-11-07 21:03 413696 --a C:\WINDOWS\system32\vbscript.dll
    2006-11-07 21:03 231424 --a C:\WINDOWS\system32\webcheck.dll
    2006-11-07 21:03 180736 C:\WINDOWS\system32\ieui.dll
    2006-11-07 21:03 156160 --a C:\WINDOWS\system32\msls31.dll
    2006-11-07 03:27 382976 --a C:\WINDOWS\system32\iedkcs32.dll
    2006-11-07 03:27 229376 --a C:\WINDOWS\system32\ieaksie.dll
    2006-11-07 03:26 71680 --a C:\WINDOWS\system32\admparse.dll
    2006-11-07 03:26 55296 --a C:\WINDOWS\system32\iesetup.dll
    2006-11-07 03:26 54784 --a C:\WINDOWS\system32\ie4uinit.exe
    2006-11-07 03:26 43008 --a C:\WINDOWS\system32\iernonce.dll
    2006-11-07 03:26 152064 --a C:\WINDOWS\system32\ieakeng.dll
    2006-11-07 03:26 13312 --a C:\WINDOWS\system32\ieudinit.exe
    2006-11-07 03:26 123904 --a C:\WINDOWS\system32\advpack.dll
    2006-11-07 03:25 161792 --a C:\WINDOWS\system32\ieakui.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "Aim6"=""
    "Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
    "HP Software Update"=hex(2):43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,\
    48,50,5c,48,50,20,53,6f,66,74,77,61,72,65,20,55,70,64,61,74,65,5c,48,50,77,\
    75,53,63,68,64,32,2e,65,78,65,00
    "LXCGCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCGtime.dll,_RunDLLEntry@16"
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\PalStart.lnk"
    "backup"="C:\\WINDOWS\\pss\\PalStart.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\PALTAL~1\\palstart.exe "
    "item"="PalStart"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Personal Coach.lnk"
    "backup"="C:\\WINDOWS\\pss\\Personal Coach.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\BRODER~1\\MAVISB~1\\MINIMA~1.EXE "
    "item"="Personal Coach"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^Compaq Organize.lnk]
    "path"="C:\\Documents and Settings\\Compaq_Owner\\Start Menu\\Programs\\Startup\\Compaq Organize.lnk"
    "backup"="C:\\WINDOWS\\pss\\Compaq Organize.lnkStartup"
    "location"="Startup"
    "command"="C:\\PROGRA~1\\HEWLET~1\\COMPAQ~1\\bin\\DISPLA~1.EXE \"-application\" \"core.hp.main/application.xml\" \"-appname\" \"eLife\""
    "item"="Compaq Organize"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^Picaboo.lnk]
    "path"="C:\\Documents and Settings\\Compaq_Owner\\Start Menu\\Programs\\Startup\\Picaboo.lnk"
    "backup"="C:\\WINDOWS\\pss\\Picaboo.lnkStartup"
    "location"="Startup"
    "command"="C:\\PROGRA~1\\Picaboo\\Picaboo\\PICABO~2.EXE /suppressapplication"
    "item"="Picaboo"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"=""
    "hkey"="HKLM"
    "command"=""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="AOLSP Scheduler"
    "hkey"="HKLM"
    "command"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ccApp"
    "hkey"="HKLM"
    "command"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="CTDetect"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe /R"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ezprint"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Lexmark 2300 Series\\ezprint.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="fm3032"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Lexmark Fax Solutions\\fm3032.exe\" /s"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="AOLSoftware"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Common Files\\AOL\\1160161146\\ee\\AOLSoftware.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="IPHSend"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcgmon.exe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="lxcgmon"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Lexmark 2300 Series\\lxcgmon.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msmsgs"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msnmsgr"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetZero_uoltray]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="exec"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\NetZero\\exec.exe regrun"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\outlook]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="outlook"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\outlook\\outlook.exe /auto"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"=""
    "hkey"="HKLM"
    "command"=""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spc_w]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="nzspc"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\NZSearch\\nzspc.exe\" -w"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="jusched"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="SNDMon"
    "hkey"="HKLM"
    "command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="realsched"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="UrlLstCk"
    "hkey"="HKLM"
    "command"="c:\\Program Files\\Norton Internet Security\\UrlLstCk.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Media Connect 2]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="WMCCFG"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Windows Media Connect 2\\WMCCFG.exe\" /StartQuiet"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="YahooMessenger"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
    "inimapping"="0"


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{34985592-4E4C-420A-8A25-5F070715920C}"=""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
    Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
    Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\tasks\Symantec NetDetect.job


    ********************************************************************

    catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
    http://www.gmer.net

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCGCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

    ********************************************************************

    Completion time: 07-02-07 14:25:12
    C:\ComboFix2.txt ... 07-02-07 14:17
    C:\ComboFix3.txt ... 07-02-07 13:58
  • zamizami Finland
    edited February 2007
    Hi. There's some crap still on your computer, let's clean it:
    • Start Killbox.exe
    • Select the Delete on Reboot option.
    • Click on the All Files button.
    • Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

      C:\WINDOWS\system32\ssttu.dll
    • Go to the File menu of Killbox, and choose Paste from Clipboard.
      NOTE: You must use the File menu; pasting by right-clicking the mouse will only enter one file.
    • Click the Delete File button that is a red-and-white X. Click Yes at the Delete on Reboot prompt.
      Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If your computer does not restart automatically, please restart it manually.
    After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
    Post this log in your next reply.

    ***************************

    Now we'll need to remove a couple of registry entries.

    Please open Notepad, and copy/paste the code in the box below into a new text file.
    Save it as fix.reg (set Filetype to "All Files") and save it on your Desktop.
    REGEDIT4
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    

    Now locate and double-click fix.reg -> Allow it to merge into the Registry!

    ***************************

    Please follow the instructions provided, you may want to print out these instructions and use them as a reference:
    AVG Anti-Spyware only works on Windows 2000 and Windows XP (32-Bit)

    First download AVG Anti-Spyware 7.5 from HERE and save that file to your desktop.
    This is a 30 day trial of the program
    • Once you have downloaded AVG Anti-Spyware 7.5, locate the icon on the desktop and double-click it to launch the set up program.
    • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
    • On the main screen select the icon "Update" then select the "Update now" link.
      * Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    • Under "Reports"
      * Select "Automatically generate report after every scan"
      * Un-Select "Only if threats were found"
    Close AVG Anti-Spyware. Do not run a scan yet!
    • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
      Use your up arrow key to highlight SafeMode then hit enter.
      IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
    • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will be prompted; then select "Apply all actions"
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system
      (make sure to remember where you saved that file, this is important).
    • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

    ***************************

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
    Please follow these steps to remove older version Java components and update.

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6.
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version.
    ***************************

    In your next reply, please include the following logs: AVG A-S log, a Fresh HijackThis and Killbox report. Thanks.
  • edited February 2007
    Hi again, here are the items you wanted.

    Killbox :


    Pocket Killbox version 2.0.0.648
    Running on Windows XP as Compaq_Owner(Administrator)
    was started @ Thursday, February 08, 2007, 6:49 PM

    # 1 [Delete on Reboot]
    Path = C:\WINDOWS\system32\ssttu.dll


    I Rebooted @ 6:50:25 PM
    Killbox Closed(Exit) @ 6:50:26 PM
    __________________________________________________

    Pocket Killbox version 2.0.0.648
    Running on Windows XP as Compaq_Owner(Administrator)
    was started @ Thursday, February 08, 2007, 6:52 PM



    ~~~~~~~~~~~~~~


    AVG report:

    AVG Anti-Spyware - Scan Report

    + Created at: 7:20:18 AM 2/9/2007

    + Scan result:



    C:\Program Files\Hijackthis\backups\backup-20070203-095556-907.dll -> Adware.Coupons : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP314\A0067739.ocx -> Adware.Coupons : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\gtdownls_95.ocx -> Adware.Gdown : Cleaned with backup (quarantined).
    C:\RECYCLER\S-1-5-18\Dc1\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\RECYCLER\S-1-5-18\Dc1\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\RECYCLER\S-1-5-18\Dc2\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\RECYCLER\S-1-5-18\Dc2\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP310\A0065815.dll -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP310\A0065826.exe -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP310\A0065887.exe -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP311\A0067146.dll -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP311\A0067147.exe -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP311\A0067162.dll -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP311\A0067163.exe -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP311\A0067390.dll -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP313\A0067630.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
    C:\VundoFix Backups\byxvwvt.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP311\A0067401.exe -> Backdoor.Rbot : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP314\A0067700.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
    C:\Program Files\Hijackthis\backups\backup-20070203-095556-797.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup (quarantined).
    C:\Program Files\MyKazaaGold\giFT\giFT.dll -> Not-A-Virus.PornTool.Win32.Porn2Peer.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\evan\Cookies\evan@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
    C:\Documents and Settings\evan\Cookies\evan@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@com[1].txt -> TrackingCookie.Com : Cleaned.
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@cpvfeed[3].txt -> TrackingCookie.Cpvfeed : Cleaned.
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@stats1.reliablestats[3].txt -> TrackingCookie.Reliablestats : Cleaned.
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\evan\Cookies\evan@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP313\A0067608.dll -> Trojan.Agent.acl : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP311\A0067151.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP312\A0067497.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP311\A0067127.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP311\A0067129.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP311\A0067145.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP312\A0067513.exe -> Worm.VB.dw : Cleaned with backup (quarantined).


    ::Report end


    ~~~~~~~~

    Hijackthis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:40:45 AM, on 2/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\internet explorer\iexplore.exe
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://games.bellsouth.net/Gh/DeliciousWeb/zylomplayer.cab
    O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://aolsvc.aol.com/onlinegames/shapo/shapo.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O16 - DPF: {DBA8E419-0D5F-439B-A3CC-D01C768D9B51} (DVCDownloaderControl Object) - http://aolsvc.aol.com/onlinegames/sonydavincicode/DVCDownloaderControl.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe



    Thanks for your help. Does it look like there is an end in sight or is it still completely messed up?

    Lisa~~
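As an added example (not code from this thread, and not part of HijackThis), here is a small Python triage pass over HijackThis 1.99 log lines like the ones posted above. The sample lines are copied from that log; the flags are my own choice of markers and rely only on what HijackThis itself prints: "(file missing)", "(no name)", an empty publisher in an O23 line, or an O16 line with no name and no URL.

```python
"""Parse HijackThis 1.99-style log lines and flag entries that merit a second look.

Added example for this thread; not part of HijackThis or of any post above.
Only the markers HijackThis itself prints ("(file missing)", "(no name)",
an empty publisher or target) are used; nothing here decides what is malware.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: lines copied from the HijackThis log posted above,
# chosen so that each flag below fires at least once.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://home.bellsouth.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O4 - HKLM\\..\\Run: [TkBellExe] "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe" -osboot
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\\Network Diagnostic\\xpnetdiag.exe (file missing)
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\\PROGRA~1\\MSNMES~1\\msgrapp.dll" (file missing)
O23 - Service: lxcg_device - - C:\\WINDOWS\\system32\\lxcgcoms.exe
"""

# "Oxx - rest" or "Rx - rest"; everything after the code is the entry body.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# Field separator: " -" followed by a space or end of line.  Splitting on a
# bare " - " would swallow the empty publisher in "lxcg_device - - C:\..."
# and miss the dangling "-" of an O16 entry that has no target at all.
SEP_RE = re.compile(r" -(?= |$)")


@dataclass
class HjtEntry:
    code: str                 # section code: R0, O2, O4, O23 ...
    body: str                 # raw text after "Oxx - "
    fields: List[str]         # body split into at most 3 fields (name, CLSID, target)
    flags: List[str] = field(default_factory=list)


def split_fields(body: str) -> List[str]:
    """Split 'name - {CLSID} - target' into 3 fields; the target may itself contain ' - '."""
    return [f.strip() for f in SEP_RE.split(body, maxsplit=2)]


def flag_entry(entry: HjtEntry) -> List[str]:
    """Return the reasons an entry deserves a look, using only HijackThis's own markers."""
    flags = []
    if "(file missing)" in entry.body:
        flags.append("target file missing: stale entry, safe to remove")
    if "(no name)" in entry.body:
        flags.append("unnamed component: identify it by CLSID before deciding")
    if entry.code == "O16" and entry.fields[-1] == "":
        flags.append("DPF (ActiveX download) entry with no name and no URL")
    if entry.code == "O23" and len(entry.fields) == 3 and entry.fields[1] == "":
        flags.append("service with no publisher recorded")
    return flags


def parse_line(line: str) -> Optional[HjtEntry]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None               # header, blank line, or a "Running processes" path
    code, body = m.group(1), m.group(2)
    entry = HjtEntry(code, body, split_fields(body))
    entry.flags = flag_entry(entry)
    return entry


def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def flagged(text: str) -> List[HjtEntry]:
    """Only the entries that carry at least one flag."""
    return [e for e in parse_log(text) if e.flags]


def count_by_code(text: str) -> Dict[str, int]:
    """How many entries of each section code the log contains."""
    counts: Dict[str, int] = {}
    for e in parse_log(text):
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.code}: {e.fields[0]}")
        for reason in e.flags:
            print(f"    - {reason}")
```

Note that a flag is a prompt to look, not a verdict: the O2 line flagged as "(no name)" above is Spybot's own SDHelper.dll, which is exactly why the CLSID and path have to be checked before anything is fixed.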
  • zamizami Finland
    edited February 2007
    Looks good! Your log is clean!
    How's the system running now?
    You can delete all of the tools that I had you download for us to use.
    I'd recommend keeping AVG Anti-Spyware, as it's an excellent program that will complement your antivirus protection.

    Lastly, let's reset System Restore:

    Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
    The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files:
    You will lose all previous restore points which are likely to be infected.
    Please note you need Administrator Access to clean the restore points.

    1. Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Reboot.

    3. Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.
    NOTE: only do this ONCE, NOT on a regular basis.
  • edited February 2007
    Hi. Everything seems to be running great now. I appreciate all of your time and all of the help you have given me. Sorry it took so long to reply, I've had sick kids for the past few days. Thank you so much!

    Lisa
  • zamizami Finland
    edited February 2007
    Since this issue appears resolved, this Topic is closed, glad we could help.

    If you need this topic reopened, please request this by sending the moderating team
    a PM, with the address of the thread. This applies only to the original topic starter.

    Everyone else please begin a New Topic.