11 diff trojans:trojan.downloader-gen/svchost-fake [RESOLVED]


#1 lilhellyan (Member, 25 posts)

Hi! I have 11 different viruses on my computer and they make my internet not work sometimes, and I cannot download anything on my computer. When I click RUN it shuts down without warning.

trojan.spam-RUCrzy
trojan.net-partenership/wl
trojan.downloader-gen/svchost-fake
trojan.dcom.server
trojan.downloader-gen/rootkit-m7
trojan.netmsnet.ax
adware.tracking cookie
trojan.bravesentry
malware.malware-alarm
trojan.net-updateN
trojan.rootkit-spamproof
trojan.smitfraudvarient
trojan unknown orgin



Logfile of HijackThis v1.99.1
Scan saved at 5:02:29 PM, on 4/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\SUZANN~1\LOCALS~1\Temp\Temporary Directory 8 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O2 - BHO: (no name) - {B6F1A4CB-DADD-4D0C-BDFC-E945647302C1} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Microsoft Webcam Enhance V2.1] C:\WINDOWS\runtfs32.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgn...oad/tgctlsi.cab
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadc...FreeInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com...ageUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - http://a.download.to...1.10/ttinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: __c004F348 - C:\WINDOWS\system32\__c004F348.dat
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\suzanne johnson\ie_updater.exe (file missing)
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

#2 SNOWHITE (Trusted Helper, Retired Staff, 1,327 posts)

Hi lilhellyan,

Sorry for the late reply, but as you can see we handle more than our fair share of logs. If you still have problems, please follow the steps below:

IMPORTANT: HijackThis needs to be placed in its own folder. Please follow the steps below for creating the folder and moving HijackThis to it.
Click My Computer, then C:\
In the menu bar, click File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT".
Now you have a C:\HJT\ folder. Move HijackThis.zip in there, please, then double-click on it to extract and install HijackThis.exe to the new folder.
You can create a shortcut on your desktop by doing the following: right-click HijackThis.exe, select "Send To" from the options and then choose "Desktop".

Please post a new HijackThis log.

#3 lilhellyan (Topic Starter, Member, 25 posts)

Hi! Thanks for responding. I think I have gotten rid of some of the 11 viruses... there are 4 that I am having trouble with.
vstub.
libhide.
msnetax.
totour.

Every time I delete them, on my next startup there they are.. lol... They also make my internet page say "this page cannot be displayed" until the next startup, and when I try to download the LSP fix, when I click RUN to download, my computer shuts down without warning. That happens when I try to download basically anything. If you need to know anything more, let me know.. thanks so much :whistling:

#4 lilhellyan (Topic Starter, Member, 25 posts)

FORGOT THE HIJACK FILE >> LOL sorry

Logfile of HijackThis v1.99.1
Scan saved at 8:19:27 AM, on 4/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System.exe
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVG7\avginet.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\__c0016665.dat",setvm
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: __c004F348 - C:\WINDOWS\system32\__c004F348.dat
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\suzanne johnson\ie_updater.exe (file missing)
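A triage pass over HijackThis log entries like the two posted above, as an added example that is not part of this thread or of HijackThis itself. The sample lines are copied from the posted logs; the flagging heuristics (components whose file is gone, Winlogon Notify packages that are not DLLs, rundll32 loading a .dat from a Run key, unvendored services started from a user profile, and repeated unknown LSP modules) are this example's own assumptions, not HijackThis rules.

```python
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "code detail reasons")

# Every HijackThis entry is "<code> - <detail>", e.g. "O4 - HKLM\..\Run: [Name] command".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<detail>.+)$")
LSP_RE = re.compile(r"unknown file in winsock lsp:\s*(?P<path>\S+)")

# Constructed sample: entries copied from the two logs posted in this thread,
# with their benign neighbours kept so the heuristics have something to ignore.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {B6F1A4CB-DADD-4D0C-BDFC-E945647302C1} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\__c0016665.dat",setvm
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Microsoft Webcam Enhance V2.1] C:\WINDOWS\runtfs32.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: __c004F348 - C:\WINDOWS\system32\__c004F348.dat
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\suzanne johnson\ie_updater.exe (file missing)
"""


def parse_entries(log_text):
    """Yield (code, detail) for each HijackThis entry; header and process lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("detail")


def reasons_for(code, detail):
    """Heuristic reasons an entry deserves a closer look (assumptions of this example)."""
    low = detail.lower()
    reasons = []
    if "(no file)" in low or "(file missing)" in low:
        reasons.append("registered component whose file is gone")
    if code == "O10" and "unknown file in winsock lsp" in low:
        reasons.append("unrecognised Winsock LSP module")
    if code == "O20" and not low.endswith(".dll"):
        reasons.append("Winlogon Notify package that is not a .dll")
    if code == "O4" and "rundll32" in low and ".dat" in low:
        reasons.append("rundll32 loading a .dat as a DLL from a Run key")
    if code == "O4" and re.search(r"c:\\windows\\[^\\]+\.exe", low):
        reasons.append("Run entry launching an .exe directly under C:\\WINDOWS")
    if code == "O23" and "unknown owner" in low and "\\documents and settings\\" in low:
        reasons.append("service with no vendor running from a user profile")
    return reasons


def triage(log_text):
    """Return (findings, lsp_counts): flagged entries plus how often each LSP path repeats."""
    findings, lsp_counts, seen = [], Counter(), set()
    for code, detail in parse_entries(log_text):
        if code == "O10":
            m = LSP_RE.search(detail.lower())
            if m:
                lsp_counts[m.group("path")] += 1
        if (code, detail) in seen:
            continue  # HijackThis prints one O10 line per LSP chain slot; report it once
        seen.add((code, detail))
        reasons = reasons_for(code, detail)
        if reasons:
            findings.append(Finding(code, detail, reasons))
    return findings, lsp_counts


def report(log_text):
    """Human-readable summary, returned as lines so callers can log or assert on them."""
    findings, lsp_counts = triage(log_text)
    lines = []
    for path, n in lsp_counts.items():
        lines.append(f"O10: {path} occupies {n} LSP chain slot(s); deleting the file "
                     "without repairing the Winsock chain breaks networking")
    for f in findings:
        lines.append(f"{f.code}: {f.detail}")
        lines.extend(f"    -> {r}" for r in f.reasons)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```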

#5 SNOWHITE (Trusted Helper, Retired Staff, 1,327 posts)

Hello lilhellyan :whistling:

Let's try this. If you are not able to download programs from Normal Mode, we will try downloading from Safe Mode with Networking.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

First, restart your computer and as soon as it starts booting up again, continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode with Networking. Use your up arrow key to highlight "Safe Mode with Networking", then hit Enter.

1.) Download ComboFix from Here to your Desktop.

2.) Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Now, restart your computer and as soon as it starts booting up again, continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode. Use your up arrow key to highlight "Safe Mode", then hit Enter. (Do NOT choose Safe Mode with Networking.)
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum
While in Normal Mode, run ComboFix:
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post back to let me know of the results, also include the requested scan reports in your reply. :blink:

#6 lilhellyan (Topic Starter, Member, 25 posts)

Yay, I think I might have done it.. Should I run a virus scan now?? Here are all the reports. TY SO MUCH.. I thought I had run the SDFix first but I saw I didn't do it right... so I did it after the ComboFix.



SDFix: Version 1.79

Run by suzanne johnson - Wed 04/18/2007 - 13:02:43.26

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\SUZANN~1\Desktop\SDFix

Safe Mode:
Checking Services:

Name:
Microsoft IEUpdater22
NDnet1

ImagePath:
C:\Documents and Settings\suzanne johnson\ie_updater.exe /start
\??\C:\WINDOWS\system32\ksys.sys

Microsoft IEUpdater22 - Deleted
NDnet1 - Deleted


ndis.sys Infected!

Patched File copied to Backups Folder
Attempting to replace ndis.sys with original version...

Original ndis.sys Restored


Restoring Windows Registry Values
Restoring Windows Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\CP1041.NLS - Deleted
C:\WINDOWS\SoftwareDistribution\AuthCabs\7971f918-a847-4430-9279-4a52d1efe18d\MST13.tmp - Deleted
C:\WINDOWS\certmkr42.ini - Deleted
C:\WINDOWS\ntmaspi32.dll - Deleted
C:\WINDOWS\obclient.ini - Deleted



Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Explorer"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\SUZANN~1\Desktop\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\WINDOWS\twain.dll
C:\WINDOWS\twain_32.dll
C:\WINDOWS\system32\mfc42.dll
C:\WINDOWS\system32\msvcirt.dll
C:\WINDOWS\system32\msvcp60.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\BIT269.tmp
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\sam.tmp.LOG
C:\WINDOWS\system32\config\security.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Finished



"suzanne johnson" - 07-04-18 12:43:39 Service Pack 2
ComboFix 07-04-18.2V - Running from: C:\Documents and Settings\suzanne johnson\Desktop\


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\8_exception.nls
C:\DOCUME~1\SUZANN~1\APPLIC~1\Microsoft\20509.dat
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\WINDOWS\system32\ksys.sys
C:\WINDOWS\system32\msnetax.dll
C:\WINDOWS\system.exe
C:\WINDOWS\system32\totour.exe
C:\Documents and Settings\All Users.\documents\settings
C:\cp1467.nls
C:\cp1041.nls

C:\WINDOWS\system32\winlogon.exe . . . is infected!!

C:\WINDOWS\system32\winlogon.exe . . . is infected!!


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_EXAMPLE
-------\LEGACY_NTLDR
-------\LEGACY_POOF
-------\LEGACY_RUNTIME


((((((((((((((((((((((((((((((( Files Created from 2007-03-18 to 2007-04-18 ))))))))))))))))))))))))))))))))))


2007-04-18 12:42 <DIR> d-------- C:\DOCUME~1\SUZANN~1\Report.txt
2007-04-18 12:15 466 --a------ C:\CFCleanUp.bat
2007-04-18 12:10 <DIR> d-------- C:\DOCUME~1\SUZANN~1\RunThis.bat
2007-04-16 17:10 266,766 --a------ C:\WINDOWS\system32\__c0016665.dat
2007-04-15 16:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-13 22:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-04-13 19:14 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Yahoo!
2007-04-13 19:01 1,185,922 --a------ C:\DOCUME~1\LOCALS~1\APPLIC~1\Install.dat
2007-04-10 16:11 266,766 --a------ C:\WINDOWS\system32\__c0055EA0.dat
2007-04-06 21:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-04-06 21:18 <DIR> d-------- C:\DOCUME~1\SUZANN~1\APPLIC~1\SUPERAntiSpyware.com
2007-04-06 16:39 <DIR> d-------- C:\DOCUME~1\SUZANN~1\APPLIC~1\Error Safe Free
2007-04-02 14:53 266,766 --a------ C:\WINDOWS\system32\__c009151C.dat
2007-03-30 09:25 30,222 --a------ C:\WINDOWS\system32\__c004F348.dat
2007-03-23 14:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-18 07:21 -------- d-------- C:\DOCUME~1\SUZANN~1\APPLIC~1\yahoo!
2007-04-17 21:01 30222 --a------ C:\WINDOWS\system32\__c004f348.dat
2007-04-17 20:52 -------- d-------- C:\Program Files\yahoo!
2007-04-17 16:32 -------- d-------- C:\Program Files\Common Files\scanner
2007-04-17 16:29 -------- d-------- C:\Program Files\real
2007-04-17 16:28 -------- d-------- C:\Program Files\java
2007-04-16 21:21 82944 --a------ C:\WINDOWS\system32\ws2_32.dll
2007-04-16 17:10 266766 --a------ C:\WINDOWS\system32\__c0016665.dat
2007-04-14 16:50 -------- d--h----- C:\Program Files\installshield installation information
2007-04-14 16:46 502272 --a------ C:\WINDOWS\system32\winlogon.exe
2007-04-13 15:19 955 --a------ C:\DOCUME~1\SUZANN~1\APPLIC~1\0fdc4289-1671-4622-8195-0e4be519d163
2007-04-13 15:19 778 --a------ C:\DOCUME~1\SUZANN~1\APPLIC~1\f697e00c-dca7-4539-a466-eb405ebd7eb8
2007-04-13 15:19 778 --a------ C:\DOCUME~1\SUZANN~1\APPLIC~1\ba7e5a6c-f825-480b-8304-43b9a5418df1
2007-04-13 15:19 1042 --a------ C:\DOCUME~1\SUZANN~1\APPLIC~1\35975506-ebdd-46b1-9e27-cb71cfa686f6
2007-04-13 13:26 -------- d-------- C:\Program Files\myemoticons
2007-04-12 06:39 82944 --a------ C:\WINDOWS\system32\ws2_32(2).dll
2007-04-12 00:07 281348 --a--c--- C:\WINDOWS\system32\drivers\ndis.sys
2007-04-11 17:10 1213164 --a------ C:\DOCUME~1\SUZANN~1\APPLIC~1\install.xat
2007-04-10 21:26 -------- d-------- C:\Program Files\hardwood spades
2007-04-10 16:11 266766 --a------ C:\WINDOWS\system32\__c0055ea0.dat
2007-04-06 19:35 -------- d-------- C:\Program Files\limewire
2007-04-06 19:35 -------- d-------- C:\Program Files\hardwood hearts
2007-04-06 19:35 -------- d-------- C:\Program Files\hardwood euchre
2007-04-06 19:05 -------- d--h----- C:\DOCUME~1\SUZANN~1\APPLIC~1\move networks
2007-04-06 09:36 -------- d-------- C:\Program Files\msn messenger
2007-04-02 14:53 266766 --a------ C:\WINDOWS\system32\__c009151c.dat
2007-03-18 17:10 -------- d-------- C:\Program Files\silver creek installer
2007-03-18 17:10 -------- d-------- C:\Program Files\hardwood solitaire iii
2007-03-18 17:10 -------- d-------- C:\Program Files\hardwood backgammon
2007-03-17 08:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 10:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 10:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 10:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 08:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-01 00:12 -------- d-------- C:\DOCUME~1\SUZANN~1\APPLIC~1\viewpoint
2007-02-28 00:13 -------- d-------- C:\DOCUME~1\SUZANN~1\APPLIC~1\myspace
2007-02-25 14:01 -------- d-------- C:\Program Files\usb disk win98 driver
2007-02-17 13:46 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
2007-02-05 15:17 185344 --a--c--- C:\WINDOWS\system32\upnphost.dll
2007-01-27 01:32 2472 --a------ C:\clean.bat
2007-01-19 12:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"DllRunning"="rundll32.exe \"C:\\WINDOWS\\system32\\__c0016665.dat\",setvm"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000
"NoResolveSearch"=dword:00000001
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"wlnlogon"="C:\\WINDOWS\\System.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c004F348

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"location"="Common Startup"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Google Updater.lnk"
"backup"="C:\\WINDOWS\\pss\\Google Updater.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOOGLE~1.EXE -systray -startup"
"item"="Google Updater"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
"location"="Common Startup"
"item"="MyWebSearch Email Plugin"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\SpySubtract.lnk"
"backup"="C:\\WINDOWS\\pss\\SpySubtract.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERM~1\\SPYSUB~1\\SpySub.exe -autostart"
"item"="SpySubtract"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^suzanne johnson^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
"location"="Startup"
"item"="MyWebSearch Email Plugin"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSP Scheduler"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLDial"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ashDisp"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\clcl3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="clcl3"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\clcl3.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Hpi_Monitor"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\Photo Imaging\\Hpi_Monitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpztsb04"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon03]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hphmon03"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hphmon03.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intel system tool]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="svehost"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\svehost.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IPHSend"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iut75]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="uzcx"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\drivers\\uzcx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Webcam Enhance V2.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="runtfs32"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\runtfs32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mimboot"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~2\\mimboot.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm_tray"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~2\\mm_tray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MySpaceIM"
"hkey"="HKCU"
"command"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mwsoemon"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pas_check]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pasmon"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PortAOL"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegScanKing.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RegScanKing"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpgs2wnd"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\HP Share-to-Web\\hpgs2wnd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SUPERAntiSpyware"
"hkey"="HKCU"
"command"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB Storage Toolbox]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Res"
"hkey"="HKLM"
"command"="C:\\Program Files\\USB Disk Win98 Driver\\Res.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VaCtrls]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="v7"
"hkey"="HKLM"
"command"="v7"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSASCui"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOLService"=dword:00000002
"CryptSvc"=dword:00000003
"gusvc"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Quick Scan.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-18 12:53:51 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-18 12:53




Logfile of HijackThis v1.99.1
Scan saved at 1:18:38 PM, on 4/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\__c0016665.dat",setvm
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: __c004F348 - C:\WINDOWS\system32\__c004F348.dat
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

#7
lilhellyan

    Member

  • Topic Starter
  • Member
  • 25 posts
Hey! Thanks sooo much for your help. I have been trying to fix this PC for, I think, 7 days now... and today, with your instructions, I fixed it in about 1 hr! You're truly great!!!! And I thank you sooo MUCH! After I did your instructions, I did my virus scan (AVG) 1 more time, and it came up with some more viruses. I am not sure of the names of them, and they were deleted. I restarted my PC and ran the scan like 3 more times. NO VIRUSES! You were a great HELP, lilhellyan

#8
SNOWHITE

    Trusted Helper

  • Retired Staff
  • 1,327 posts
Hi lilhellyan

Hey! Thanks sooo much for your help. I have been trying to fix this PC for, I think, 7 days now... and today, with your instructions, I fixed it in about 1 hr! You're truly great!!!! And I thank you sooo MUCH! After I did your instructions, I did my virus scan (AVG) 1 more time, and it came up with some more viruses. I am not sure of the names of them, and they were deleted. I restarted my PC and ran the scan like 3 more times. NO VIRUSES! You were a great HELP, lilhellyan


Your computer is still very infected; antivirus programs are not 100% accurate. Please, from now on, follow my instructions as they are and we will try to clean your computer, but it might take a while.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Step 1

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINDOWS\system32\winlogon.exe
  • Click on the submit button
  • Repeat the same instructions for these files too:
    • C:\WINDOWS\system32\ws2_32(2).dll
    • C:\WINDOWS\system32\__c0016665.dat
    • C:\WINDOWS\system32\__c004F348.dat
    • C:\Documents and Settings\suzanne johnson\install.xat
    • C:\Documents and Settings\suzanne johnson\Application Data\0fdc4289-1671-4622-8195-0e4be519d163
  • Please post the results in your next reply.
Step 2


The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous, so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

Backing Up Your Registry
  • Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DllRunning"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"wlnlogon"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c004F348]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^suzanne johnson^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\clcl3]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intel system tool]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iut75]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Webcam Enhance V2.1]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pas_check]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VaCtrls]
Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

The above Registry file was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Step 3

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\__c0016665.dat
    C:\WINDOWS\system32\__c0016665.dat
    C:\WINDOWS\system32\__c0055ea0.dat
    C:\WINDOWS\system32\__c009151c.dat
    C:\Documents and Settings\Local Settings\Application Data\Install.dat
    C:\WINDOWS\system32\clcl3.exe
    C:\WINDOWS\system32\svehost.exe
    c:\windows\system32\drivers\uzcx.exe
    C:\WINDOWS\runtfs32.exe
    C:\WINDOWS\System.exe


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

Step 4

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do NOT run a scan just yet; we will shortly.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use the Firefox browser, click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use the Opera browser, click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
Step 5

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Please post back with the Jotti file scan reports, the OTMoveIt report, the AVG Anti-Spyware scan report, and the DSS scan reports main.txt and extra.txt.
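A dry-run reader for a REGEDIT4 fix file like the fixme.reg above, added here as an example; it is not part of SNOWHITE's post or of any tool the post names. It lists which keys the file would delete ([-KEY] sections) and which values it would remove ("name"=-) or set, so the change can be checked against the HijackThis and ComboFix entries before merging; it assumes only the Python standard library, and SAMPLE_FIX is a shortened copy of the posted fix used as sample input.

```python
"""Dry-run reader for a REGEDIT4-style .reg fix file (added example, not from the thread).

Nothing here touches the registry: the file is parsed and the planned changes
are listed, so a fix can be reviewed against the logs before it is merged.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Shortened copy of the fixme.reg posted in the thread, used as sample input.
SAMPLE_FIX = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DllRunning"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"wlnlogon"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c004F348]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VaCtrls]
'''

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# A deleted key with fewer path components than this (hive + one name) is
# almost certainly a typo: it would wipe far more than one autostart entry.
MIN_DEPTH_FOR_DELETE = 3

_KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]$')
# "quoted name"=data  or  @=data (the key's default value); quotes may be escaped
_VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


@dataclass
class RegPlan:
    deleted_keys: List[str] = field(default_factory=list)
    deleted_values: List[Tuple[str, str]] = field(default_factory=list)       # (key, name)
    set_values: List[Tuple[str, str, str]] = field(default_factory=list)      # (key, name, raw data)
    problems: List[str] = field(default_factory=list)


def plan_reg_fix(text: str) -> RegPlan:
    """Parse a .reg file and report what merging it would change."""
    plan = RegPlan()
    lines = text.splitlines()
    start = 1 if lines and lines[0].strip() in HEADERS else 0
    if start == 0:
        plan.problems.append("line 1: missing REGEDIT4 header; regedit will refuse to merge")
    current: Optional[str] = None  # key whose values are being listed
    for n, raw in enumerate(lines[start:], start=start + 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                plan.deleted_keys.append(key)
                if len(key.split("\\")) < MIN_DEPTH_FOR_DELETE:
                    plan.problems.append(f"line {n}: deletes a very broad key {key!r}")
                current = None  # values listed under a deleted key are meaningless
            else:
                current = key
            continue
        m = _VAL_RE.match(line)
        if m:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(3)
            if current is None:
                plan.problems.append(f"line {n}: value {name!r} is not inside a key section")
            elif data == "-":
                plan.deleted_values.append((current, name))
            else:
                plan.set_values.append((current, name, data))
            continue
        plan.problems.append(f"line {n}: unrecognised line {line!r}")
    return plan


def summarize(plan: RegPlan) -> str:
    """Human-readable review text, one planned action or problem per line."""
    out = [f"DELETE KEY   {k}" for k in plan.deleted_keys]
    out += [f"DELETE VALUE {k} -> {v}" for k, v in plan.deleted_values]
    out += [f"SET VALUE    {k} -> {v} = {d}" for k, v, d in plan.set_values]
    out += [f"PROBLEM      {p}" for p in plan.problems]
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(plan_reg_fix(SAMPLE_FIX)))
```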

#9
lilhellyan

    Member

  • Topic Starter
  • Member
  • 25 posts
Hi, thanks again!

C:\WINDOWS\system32\winlogon.exe
Scan taken on 19 Apr 2007 15:15:16 (GMT)
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found Trojan.Win32.Patched.m
Fortinet: Found WLHack.A!tr
Kaspersky Anti-Virus: Found Trojan.Win32.Patched.m
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

C:\WINDOWS\system32\ws2_32(2).dll
Scan taken on 19 Apr 2007 15:25:06 (GMT)
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

C:\WINDOWS\system32\__c0016665.dat
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

C:\WINDOWS\system32\__c004F348.dat
Scan taken on 19 Apr 2007 15:30:47 (GMT)
AntiVir: Found TR/Crypt.XPACK.Gen
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found BACKDOOR.Trojan (probable variant)
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

C:\Documents and Settings\suzanne johnson\install.xat
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

C:\Documents and Settings\suzanne johnson\Application Data\0fdc4289-1671-4622-8195-0e4be519d163
Scan taken on 19 Apr 2007 15:36:36 (GMT)
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

OTMOVEIT RESULTS
File/Folder C:\WINDOWS\system32\__c0016665.dat not found.
File/Folder C:\WINDOWS\system32\__c0016665.dat not found.
C:\WINDOWS\system32\__c0055ea0.dat moved successfully.
C:\WINDOWS\system32\__c009151c.dat moved successfully.
File/Folder C:\Documents and Settings\Local Settings\Application Data\Install.dat not found.
C:\WINDOWS\system32\clcl3.exe moved successfully.
File/Folder C:\WINDOWS\system32\svehost.exe not found.
File/Folder c:\windows\system32\drivers\uzcx.exe not found.
File/Folder C:\WINDOWS\runtfs32.exe not found.
File/Folder C:\WINDOWS\System.exe not found.

Created on 04/19/2007 10:46:30
AVG
"General properties",""
"Report name","Complete Test"
"Start time","4/19/2007 11:39:03 AM"
"End time","4/19/2007 12:47:51 PM (total: 1:08:47.2 hrs)"
"Launch method","Scanning launched manually"
"Scanning result","No threats found"
"Report status","Scanning completed successfully"
" ",""
"Object summary",""
"Scanned","91910"
"Threats Found","0"
"Cleaned","0"
"Moved to vault","0"
"Deleted","0"
"Errors","0"
"C:\WINDOWS\system32\drivers\etc\hosts","Change","Changed"


Deckard's System Scanner v20070411.38
Run by suzanne johnson on 2007-04-19 at 13:06:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2007-04-19 18:06:11 UTC - RP4 - Deckard's System Scanner Restore Point
3: 2007-04-19 03:23:19 UTC - RP3 - Installed Java™ SE Runtime Environment 6 Update 1
2: 2007-04-18 18:47:34 UTC - RP2 - Software Distribution Service 2.0
1: 2007-04-18 12:35:44 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as suzanne johnson.exe) -------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:07:05 PM, on 4/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Documents and Settings\suzanne johnson\Desktop\dss.exe
C:\hjt\suzanne johnson.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: __c004F348 - C:\WINDOWS\system32\__c004F348.dat
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe


-- HijackThis Fixed Entries (C:\hjt\backups\) ----------------------------------

backup-20070418-133121-128 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
backup-20070418-133121-478 O20 - Winlogon Notify: __c004F348 - C:\WINDOWS\system32\__c004F348.dat

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R3 ac97intc (Intel® 82801 Audio Driver Install Service (WDM)) - c:\windows\system32\drivers\ac97intc.sys
R3 AN983 (ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter) - c:\windows\system32\drivers\an983.sys
R3 HCF_MSFT - c:\windows\system32\drivers\hcf_msft.sys
R3 StillCam (Still Serial Digital Camera Driver) - c:\windows\system32\drivers\serscan.sys

S2 Ca533av (Icatch(IV) Video Camera Device) - c:\windows\system32\drivers\ca533av.sys
S3 ati2mpaa - c:\windows\system32\drivers\ati2mpaa.sys
S3 ati2mtaa - c:\windows\system32\drivers\ati2mtaa.sys
S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys
S3 dot4 (MS IEEE-1284.4 Driver) - c:\windows\system32\drivers\dot4.sys
S3 Dot4 HPH09 - c:\windows\system32\drivers\hphid409.sys
S3 Dot4Print (Print Class Driver for IEEE-1284.4) - c:\windows\system32\drivers\dot4prt.sys
S3 Dot4Print HPH09 (Print Class Driver for IEEE-1284.4 HPH09) - c:\windows\system32\drivers\hphipr09.sys
S3 Dot4Storage HPH09 (Storage Class Driver for IEEE-1284.4 (HPH09)) - c:\windows\system32\drivers\hphs2k09.sys
S3 dot4usb (Dot4USB Filter Dot4USB Filter) - c:\windows\system32\drivers\dot4usb.sys
S3 Dot4Usb HPH09 - c:\windows\system32\drivers\hphius09.sys
S3 SABProcEnum - c:\program files\internet explorer\sabprocenum.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys
S3 USBCamera (Icatch(IV) Still Camera Device) - c:\windows\system32\drivers\bulk533.sys
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 AOLService (AOL Spyware Protection Service) - c:\progra~1\common~1\aol\aolspy~1\\aolserv.exe (file missing)
S4 Pml Driver - c:\windows\system32\hphipm09.exe


-- Scheduled Tasks -------------------------------------------------------------

2007-04-13 18:08:06 402 --ah----- C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job<MPSCHE~2.JOB>


-- Files created between 2007-03-19 and 2007-04-19 -----------------------------

2007-04-18 22:23:31 0 d-------- C:\Program Files\Common Files\Java
2007-04-18 16:59:55 266766 --a------ C:\WINDOWS\system32\__c002B0C5.dat<__C002~1.DAT>
2007-04-18 12:42:25 0 d-------- C:\Documents and Settings\suzanne johnson\Report.txt
2007-04-18 12:10:14 0 d-------- C:\Documents and Settings\suzanne johnson\RunThis.bat
2007-04-18 08:15:38 0 d-------- C:\hjt
2007-04-17 21:43:01 0 d-------- C:\a5fa56e9cdaee2c83c98981b27aa<A5FA56~1>
2007-04-17 20:10:03 0 d--h----- C:\WINDOWS\PIF
2007-04-15 16:17:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy<SPYBOT~1>
2007-04-15 14:51:25 0 d-------- C:\WINDOWS\system32\runtime
2007-04-14 21:21:35 0 d-------- C:\Program Files\InterMute<INTERM~1>
2007-04-14 16:51:01 176128 --a------ C:\WINDOWS\system32\RcdScan.dll
2007-04-14 16:51:01 446464 -ra------ C:\WINDOWS\system32\hhactivex.dll<HHACTI~1.DLL>
2007-04-14 16:50:59 89360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-04-14 16:50:56 13632 -----n--- C:\WINDOWS\system32\drivers\omci.sys
2007-04-14 13:08:56 28672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-04-13 22:16:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab<KASPER~1>
2007-04-13 22:16:20 0 d-------- C:\WINDOWS\system32\Kaspersky Lab<KASPER~1>
2007-04-13 20:41:23 0 d-------- C:\Program Files\Lavasoft
2007-04-13 20:20:38 0 d-------- C:\Program Files\MSXML 4.0<MSXML4~1.0>
2007-04-13 20:09:03 0 d-------- C:\Program Files\Google
2007-04-13 20:09:02 0 d-------- C:\Program Files\Microsoft Windows OneCare Live<MICROS~2>
2007-04-13 19:14:09 0 d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-04-13 19:01:47 1185922 --a------ C:\Documents and Settings\LocalService\Application Data\Install.dat
2007-04-13 15:19:11 778 --a------ C:\Documents and Settings\suzanne johnson\Application Data\f697e00c-dca7-4539-a466-eb405ebd7eb8<F697E0~1>
2007-04-13 15:19:07 1042 --a------ C:\Documents and Settings\suzanne johnson\Application Data\35975506-ebdd-46b1-9e27-cb71cfa686f6<359755~1>
2007-04-13 15:19:06 778 --a------ C:\Documents and Settings\suzanne johnson\Application Data\ba7e5a6c-f825-480b-8304-43b9a5418df1<BA7E5A~1>
2007-04-13 15:19:06 955 --a------ C:\Documents and Settings\suzanne johnson\Application Data\0fdc4289-1671-4622-8195-0e4be519d163<0FDC42~1>
2007-04-11 17:10:34 11264 --a------ C:\WINDOWS\abc1006def.exe<ABC100~1.EXE>
2007-04-10 21:26:39 0 d-------- C:\Program Files\SilverCreekCommonFiles<SILVER~2>
2007-04-07 18:40:23 0 d-------- C:\Program Files\MySpace
2007-04-06 21:19:38 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-04-06 21:18:46 0 d-------- C:\Program Files\SUPERAntiSpyware<SUPERA~1>
2007-04-06 21:18:46 0 d-------- C:\Documents and Settings\suzanne johnson\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-04-06 16:39:50 0 d-------- C:\Documents and Settings\suzanne johnson\Application Data\Error Safe Free<ERRORS~1>
2007-04-05 17:36:26 0 d-------- C:\WINDOWS\system32\dlha
2007-04-05 17:36:21 7168 --a------ C:\WINDOWS\clntfs32.exe
2007-04-04 19:31:01 0 d-------- C:\WINDOWS\system32\bak
2007-04-03 20:05:21 31274 --a------ C:\xcrashdump.dat<XCRASH~1.DAT>
2007-03-30 09:25:51 30222 --a------ C:\WINDOWS\system32\__c004F348.dat<__C004~1.DAT>
2007-03-26 15:17:55 0 --a------ C:\WINDOWS\checkip.dat
2007-03-23 14:03:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-03-23 13:59:03 0 d-------- C:\WINDOWS\Cache
2007-03-23 13:56:47 159744 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-03-23 13:56:46 552960 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-03-23 13:56:46 8704 --a------ C:\WINDOWS\system32\vidccleaner.exe<VIDCCL~1.EXE>
2007-03-23 13:55:56 217088 --a------ C:\WINDOWS\system32\skjpeg40.dll
2007-03-23 13:55:55 83968 --a------ C:\WINDOWS\system32\Skbase40.dll
2007-03-23 13:55:53 0 d-------- C:\Program Files\Samsung


-- Find3M Report ---------------------------------------------------------------

2007-04-19 11:39:03 0 d-------- C:\Documents and Settings\suzanne johnson\Application Data\AVG7
2007-04-18 22:25:06 0 d-------- C:\Program Files\Java
2007-04-18 17:04:58 0 d-------- C:\Program Files\Common Files\AOL
2007-04-18 12:20:14 0 d---s---- C:\Documents and Settings\suzanne johnson\Application Data\Microsoft<MICROS~1>
2007-04-18 07:21:10 0 d-------- C:\Documents and Settings\suzanne johnson\Application Data\Yahoo!
2007-04-17 20:52:16 0 d-------- C:\Program Files\Yahoo!
2007-04-17 16:32:44 0 d-------- C:\Program Files\Common Files\Scanner
2007-04-17 16:29:43 0 d-------- C:\Program Files\Real
2007-04-16 21:21:16 82944 --a------ C:\WINDOWS\system32\ws2_32.dll
2007-04-14 16:50:57 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-04-14 16:46:34 502272 --a------ C:\WINDOWS\system32\winlogon.exe
2007-04-13 13:26:45 0 d-------- C:\Program Files\MyEmoticons<MYEMOT~1>
2007-04-12 06:39:03 82944 --a------ C:\WINDOWS\system32\ws2_32(2).dll<WS2_32~1.DLL>
2007-04-11 17:10:54 1213164 --a------ C:\Documents and Settings\suzanne johnson\Application Data\Install.xat
2007-04-10 21:26:39 0 d-------- C:\Program Files\Hardwood Spades<HARDWO~2>
2007-04-06 19:35:26 0 d-------- C:\Program Files\LimeWire
2007-04-06 19:35:21 0 d-------- C:\Program Files\Hardwood Hearts<HA7AC8~1>
2007-04-06 19:35:21 0 d-------- C:\Program Files\Hardwood Euchre<HARDWO~1>
2007-04-06 19:26:54 0 d-------- C:\Program Files\Atari
2007-04-06 19:09:50 0 d-------- C:\Documents and Settings\suzanne johnson\Application Data\Atari
2007-04-06 19:05:46 0 d--h----- C:\Documents and Settings\suzanne johnson\Application Data\Move Networks<MOVENE~1>
2007-04-06 09:36:47 0 d-------- C:\Program Files\MSN Messenger<MSNMES~1>
2007-03-27 00:25:33 0 d-------- C:\Program Files\Common Files\Adobe
2007-03-18 17:10:16 0 d-------- C:\Program Files\Silver Creek Installer<SILVER~1>
2007-03-18 17:10:15 0 d-------- C:\Program Files\Hardwood Backgammon<HARDWO~4>
2007-03-18 17:10:02 0 d-------- C:\Program Files\Hardwood Solitaire III<HARDWO~3>
2007-03-17 08:43:01 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 10:36:28 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 10:36:28 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 10:36:28 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 08:47:48 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-01 00:12:18 0 d-------- C:\Documents and Settings\suzanne johnson\Application Data\Viewpoint<VIEWPO~1>
2007-02-28 00:13:37 0 d-------- C:\Documents and Settings\suzanne johnson\Application Data\MySpace
2007-02-25 14:01:55 0 d-------- C:\Program Files\USB Disk Win98 Driver<USBDIS~1>
2007-02-17 13:46:32 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll<CMDLIN~2.DLL>
2007-02-05 15:17:02 185344 --a----c- C:\WINDOWS\system32\upnphost.dll
2007-01-27 01:32:57 2472 --a------ C:\clean.bat
2007-01-19 12:53:04 51056 --a------ C:\WINDOWS\system32\sirenacm.dll


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"location"="Common Startup"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Google Updater.lnk"
"backup"="C:\\WINDOWS\\pss\\Google Updater.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOOGLE~1.EXE -systray -startup"
"item"="Google Updater"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\SpySubtract.lnk"
"backup"="C:\\WINDOWS\\pss\\SpySubtract.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERM~1\\SPYSUB~1\\SpySub.exe -autostart"
"item"="SpySubtract"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSP Scheduler"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLDial"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Hpi_Monitor"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\Photo Imaging\\Hpi_Monitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpztsb04"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon03]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hphmon03"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hphmon03.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IPHSend"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mimboot"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~2\\mimboot.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm_tray"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~2\\mm_tray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MySpaceIM"
"hkey"="HKCU"
"command"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PortAOL"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegScanKing.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RegScanKing"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpgs2wnd"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\HP Share-to-Web\\hpgs2wnd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SUPERAntiSpyware"
"hkey"="HKCU"
"command"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB Storage Toolbox]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Res"
"hkey"="HKLM"
"command"="C:\\Program Files\\USB Disk Win98 Driver\\Res.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSASCui"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOLService"=dword:00000002
"CryptSvc"=dword:00000003
"gusvc"=dword:00000002


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000
"NoResolveSearch"=dword:00000001
"NoCDBurning"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c004F348

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- End of Deckard's System Scanner: finished at 2007-04-19 at 13:07:42 ---------



Deckard's System Scanner v20070411.38
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1.60GHz
Percentage of Memory in Use: 41%
Physical Memory (total/avail): 511.01 MiB / 297.71 MiB
Pagefile Memory (total/avail): 673.85 MiB / 494.99 MiB
Virtual Memory (total/avail): 2047.88 MiB / 2004.84 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 18.61 GiB total, 5.39 GiB free.
D: is CDROM (CDFS)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: AVG 7.5.446 v7.5.446 (GRISOFT)


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\suzanne johnson\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SUZANNE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\suzanne johnson
LOGONSERVER=\\SUZANNE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\\system32;C:\WINDOWS;C:\WINDOWS\\system32\\wbem;C:\WINDOWS\\system32;C:\WINDOWS;C:\WINDOWS\\system32\\wbem;C:\Program Files\ATI Technologies\ATI.ACE
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0102
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\SUZANN~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\SUZANN~1\LOCALS~1\Temp
USERDOMAIN=SUZANNE
USERNAME=suzanne johnson
USERPROFILE=C:\Documents and Settings\suzanne johnson
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

suzanne johnson (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\USBToolbox\setup.exe
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ArcSoft PhotoImpression --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35B8CC58-F128-4169-82EB-0E6CB0C3AFE6}\setup.exe" -l0x9 -uninst
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{EA9FAF16-0E5C-42C4-9742-9AF8D5F6D69B}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Charter Pipeline® Self-Installation --> "C:\Program Files\Support.com\unins000.exe"
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Digimax Master --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AEC0CEBC-0FC7-4716-8222-1C4A742719B1}\Setup.exe" -l0x9 -removeonly
Digital Camera --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C1205500-2179-11D7-B0B9-0000E24D4B29}\setup.exe"
Digital Camera --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D00353E1-9A80-11D8-A6E6-0000E24CCC1B}\setup.exe"
ERUNT 1.1j --> "C:\Program Files\ERUNT\unins000.exe"
Hardwood Euchre --> C:\Program Files\Hardwood Euchre\Euchre.exe -Uninstall
Hardwood Hearts --> C:\Program Files\Hardwood Hearts\Hearts.exe -Uninstall
Hardwood Spades --> C:\Program Files\Hardwood Spades\Spades.exe -Uninstall
HijackThis 1.99.1 --> C:\DOCUME~1\SUZANN~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe /uninstall
HP Photo Imaging Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Uninstall.isu" -c"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\hpiunCX.dll
HP Photo Printing Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Printing\Uninstall.isu" -c"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Printing\hpiunPC.dll
hp photosmart printer series (Remove only) --> C:\Program Files\hp photosmart\printer\hphuni03.exe
HP Share-to-Web --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{748F4870-8350-11D3-B0BF-080009FB4A19}\Setup.exe" --MAIN -l9
Icatch(IV) Camera Driver --> Rundll32 advpack.dll,LaunchINFSectionEx C:\WINDOWS\CA533A.ini, Ca533AUnInstall
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LimeWire 4.12.4 --> "C:\Program Files\LimeWire\uninstall.exe"
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85D3CC30-8859-481A-9654-FD9B74310BEF}\setup.exe" -l0x9 -uninst
Ruckus Buck's Dangerous Mines --> C:\Program Files\Ruckus Buck's Dangerous Mines\DangerousMines.exe -Uninstall
S500/S600 USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{514DF7BB-D192-417C-BB60-58BF1FD34253}\Setup.exe" anything
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Third Grade Adventures --> C:\WINDOWS\uninst.exe -fC:\TLCWIN\3RDADV\uninstal\DeIsL1.isu
Ultimate Family Tree 3.0 --> C:\WINDOWS\IsUninst.exe -fC:\UFT\Uninst.isu
USB Disk Win98 Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4E79A62F-7A2D-4058-BCE0-94E6B9E2F162}\Setup.exe"
USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C8F7C1E5-0150-11D6-A96C-00D05908F85D}\Setup.exe" -l0x9
USB Mass Storage Toolbox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{62B002C5-1AB3-11D8-8092-00E018B21FC0}\Setup.exe"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Win-Family 6.0 --> C:\WINDOWS\wf6remov.exe
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Installer Clean Up --> MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Safety Scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Live Sign-in Assistant --> MsiExec.exe /I{F652D238-5F29-42D5-BAF3-0115EF977EC2}
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Mail --> C:\WINDOWS\system32\regsvr32.exe /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- End of Deckard's System Scanner: finished at 2007-04-19 at 13:07:42 ---------

#10
SNOWHITE
    Trusted Helper
  • Retired Staff
  • 1,327 posts
Hello lilhellyan :blink:

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.
Step 1
CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go to UploadMalware to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for these filenames:
    • C:\WINDOWS\system32\winlogon.exe
    • C:\WINDOWS\clntfs32.exe
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File
Step 2

It seems I wasn't clear in my instructions :whistling: I didn't ask you to run a scan with AVG Antivirus; I asked you to scan with AVG Anti-Spyware, which is not the same program as your antivirus, and you need to download it. Please follow the steps below exactly as they are written:

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
  • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
  • For Technical Support, double-click the e-mail address located at the bottom of each menu.

    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
Step 3

Copy the text below from the codebox into Notepad and Save it to the Desktop with the name find.bat and Save As: All Files

dir \winlogon.exe /a h /s > File.txt

Double click the find.bat and wait for the dos window to close, a File.txt will appear on the desktop. Post the contents of the File.txt back in this thread.

Please download Process Explorer by Sysinternals from HERE; scroll down the page to where you will see the link for downloading, download it and extract it to your Desktop. We will use this tool later.

Run another scan with dss and post back with the contents of main.txt, AVG Anti-Spyware report scan, and the contents of File.txt.

If there is something you don't understand please do not hesitate to ask me before proceeding with the steps above.
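The Step 3 batch file above only lists where copies of winlogon.exe live and how big they are; the File.txt that comes back later in the thread shows the system32 copy and the ServicePackFiles copy at the same 502,272 bytes, and size alone does not prove the two are the same file. The following script is an added example from the editor, not SNOWHITE's code or any tool named in the thread: it walks a directory tree, finds every file named winlogon.exe (hidden or not), and compares each one's SHA-256 against the Service Pack cache copy, so a replaced binary stands out even when its size matches. The tree layout it assumes (WINDOWS\ServicePackFiles\i386 as the trusted copy, a stray copy under a Temp folder) is constructed inline for the demonstration.

```python
"""Locate every copy of a named system binary under a root and compare each
against a trusted baseline copy, as a hash-based version of the forum's
'dir \\winlogon.exe ... /s' check. Example code added by the editor; not from
the thread or from any tool named in it. The directory layout below mimics the
Windows XP layout and is an assumption for the demonstration."""

import hashlib
import os
import tempfile

TARGET_NAME = "winlogon.exe"
# Relative path of the copy treated as trusted: the Service Pack file cache on XP (assumption).
BASELINE_REL = os.path.join("WINDOWS", "ServicePackFiles", "i386", TARGET_NAME)


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root, name=TARGET_NAME):
    """Walk `root` and return every file whose name matches (case-insensitive).
    os.walk does not skip hidden files, so hidden copies are found too."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                hits.append(os.path.join(dirpath, fn))
    return sorted(hits)


def compare_to_baseline(root, baseline_rel=BASELINE_REL, name=TARGET_NAME):
    """Return (relative path, size, matches_baseline) for every copy found.
    Same size but a different hash is exactly the case a size-only listing misses."""
    base_hash = sha256_of(os.path.join(root, baseline_rel))
    report = []
    for p in find_copies(root, name):
        report.append((os.path.relpath(p, root), os.path.getsize(p), sha256_of(p) == base_hash))
    return report


def suspicious_copies(root, **kw):
    """Relative paths of copies whose hash differs from the trusted copy."""
    return [p for p, _size, ok in compare_to_baseline(root, **kw) if not ok]


def build_sample_tree():
    """Constructed sample tree: two genuine copies and one altered copy in a Temp
    folder, all deliberately the same size so only the hash tells them apart."""
    root = tempfile.mkdtemp(prefix="winlogon_check_")
    genuine = b"MZ" + b"\x00" * 100 + b"constructed genuine image  "
    altered = b"MZ" + b"\x00" * 100 + b"constructed altered image  "
    assert len(genuine) == len(altered)
    layout = {
        BASELINE_REL: genuine,
        os.path.join("WINDOWS", "system32", TARGET_NAME): genuine,
        os.path.join("DOCUME~1", "Temp", TARGET_NAME): altered,
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, size, ok in compare_to_baseline(sample):
        print(f"{'OK  ' if ok else 'DIFF'} {size:>8} {rel}")
```

On a real machine you would point `compare_to_baseline` at the system drive root and keep the ServicePackFiles copy as the baseline; any copy flagged DIFF is the one worth uploading for analysis, as Step 1 of the post asks.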



#11
lilhellyan
    Member
  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Hi! Thanks again. I know you're working very hard helping me, and I thank you so much. Do you know how I got the stuff on my PC? If you have any ideas let me know. Here are the new reports:


AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:58:15 PM 4/19/2007

+ Scan result:



C:\Documents and Settings\suzanne johnson\My Documents\use when comp messes up\SDFix\backups\backups.zip/backups/ntmaspi32.dll -> Backdoor.Small.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8691ADB9-D483-4893-A683-E106BCBF2A18}\RP1\A0000031.dll -> Backdoor.Small.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8691ADB9-D483-4893-A683-E106BCBF2A18}\RP1\A0000359.dll -> Backdoor.Small.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8691ADB9-D483-4893-A683-E106BCBF2A18}\RP1\A0000366.dll -> Backdoor.Small.or : Cleaned with backup (quarantined).
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\clcl3.exe -> Downloader.Agent.es : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8691ADB9-D483-4893-A683-E106BCBF2A18}\RP1\A0000011.exe -> Dropper.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8691ADB9-D483-4893-A683-E106BCBF2A18}\RP1\A0000033.exe -> Dropper.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8691ADB9-D483-4893-A683-E106BCBF2A18}\RP1\A0000054.exe -> Dropper.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8691ADB9-D483-4893-A683-E106BCBF2A18}\RP1\A0000067.exe -> Dropper.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8691ADB9-D483-4893-A683-E106BCBF2A18}\RP1\A0000163.exe -> Dropper.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8691ADB9-D483-4893-A683-E106BCBF2A18}\RP2\A0000409.exe -> Dropper.Small : Cleaned with backup (quarantined).
C:\WINDOWS\abc1006def.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8691ADB9-D483-4893-A683-E106BCBF2A18}\RP1\A0000357.sys -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8691ADB9-D483-4893-A683-E106BCBF2A18}\RP1\A0000365.sys -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\ksys.sys.vir -> Rootkit.Agent.eb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8691ADB9-D483-4893-A683-E106BCBF2A18}\RP1\A0000151.sys -> Rootkit.Agent.eb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8691ADB9-D483-4893-A683-E106BCBF2A18}\RP1\A0000042.dll -> Trojan.Agent.afg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8691ADB9-D483-4893-A683-E106BCBF2A18}\RP1\A0000152.dll -> Trojan.Agent.afg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8691ADB9-D483-4893-A683-E106BCBF2A18}\RP1\A0000009.exe -> Trojan.Agent.yr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8691ADB9-D483-4893-A683-E106BCBF2A18}\RP1\A0000052.dll -> Trojan.Agent.yr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8691ADB9-D483-4893-A683-E106BCBF2A18}\RP1\A0000059.dll -> Trojan.Agent.yr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8691ADB9-D483-4893-A683-E106BCBF2A18}\RP1\A0000060.exe -> Trojan.Agent.yr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8691ADB9-D483-4893-A683-E106BCBF2A18}\RP1\A0000143.dll -> Trojan.Agent.yr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8691ADB9-D483-4893-A683-E106BCBF2A18}\RP1\A0000144.exe -> Trojan.Agent.yr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8691ADB9-D483-4893-A683-E106BCBF2A18}\RP2\A0000417.exe -> Trojan.Agent.yr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8691ADB9-D483-4893-A683-E106BCBF2A18}\RP2\A0000418.dll -> Trojan.Agent.yr : Cleaned with backup (quarantined).
C:\Documents and Settings\suzanne johnson\Desktop\music\01 Track 1.wma -> Trojan.Wimad.a : Cleaned with backup (quarantined).


::Report end


Volume in drive C has no label.
Volume Serial Number is 9C55-3ABB

Directory of C:\WINDOWS\ServicePackFiles\i386

08/04/2004 02:56 AM 502,272 winlogon.exe
1 File(s) 502,272 bytes

Directory of C:\WINDOWS\system32

04/14/2007 04:46 PM 502,272 winlogon.exe
1 File(s) 502,272 bytes



Deckard's System Scanner v20070411.38
Run by suzanne johnson on 2007-04-19 at 19:11:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as suzanne johnson.exe) -------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:13:13 PM, on 4/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Documents and Settings\suzanne johnson\Desktop\dss.exe
C:\hjt\SUZANN~1.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: __c004F348 - C:\WINDOWS\system32\__c004F348.dat
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe


-- Files created between 2007-03-19 and 2007-04-19 -----------------------------

2007-04-19 17:38:32 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-18 22:23:31 0 d-------- C:\Program Files\Common Files\Java
2007-04-18 16:59:55 266766 --a------ C:\WINDOWS\system32\__c002B0C5.dat<__C002~1.DAT>
2007-04-18 12:42:25 0 d-------- C:\Documents and Settings\suzanne johnson\Report.txt
2007-04-18 12:10:14 0 d-------- C:\Documents and Settings\suzanne johnson\RunThis.bat
2007-04-18 08:15:38 0 d-------- C:\hjt
2007-04-17 21:43:01 0 d-------- C:\a5fa56e9cdaee2c83c98981b27aa<A5FA56~1>
2007-04-17 20:10:03 0 d--h----- C:\WINDOWS\PIF
2007-04-15 16:17:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy<SPYBOT~1>
2007-04-15 14:51:25 0 d-------- C:\WINDOWS\system32\runtime
2007-04-14 21:21:35 0 d-------- C:\Program Files\InterMute<INTERM~1>
2007-04-14 16:51:01 176128 --a------ C:\WINDOWS\system32\RcdScan.dll
2007-04-14 16:51:01 446464 -ra------ C:\WINDOWS\system32\hhactivex.dll<HHACTI~1.DLL>
2007-04-14 16:50:59 89360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-04-14 16:50:56 13632 -----n--- C:\WINDOWS\system32\drivers\omci.sys
2007-04-14 13:08:56 28672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-04-13 22:16:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab<KASPER~1>
2007-04-13 22:16:20 0 d-------- C:\WINDOWS\system32\Kaspersky Lab<KASPER~1>
2007-04-13 20:41:23 0 d-------- C:\Program Files\Lavasoft
2007-04-13 20:20:38 0 d-------- C:\Program Files\MSXML 4.0<MSXML4~1.0>
2007-04-13 20:09:03 0 d-------- C:\Program Files\Google
2007-04-13 20:09:02 0 d-------- C:\Program Files\Microsoft Windows OneCare Live<MICROS~2>
2007-04-13 19:14:09 0 d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-04-13 19:01:47 1185922 --a------ C:\Documents and Settings\LocalService\Application Data\Install.dat
2007-04-13 15:19:11 778 --a------ C:\Documents and Settings\suzanne johnson\Application Data\f697e00c-dca7-4539-a466-eb405ebd7eb8<F697E0~1>
2007-04-13 15:19:07 1042 --a------ C:\Documents and Settings\suzanne johnson\Application Data\35975506-ebdd-46b1-9e27-cb71cfa686f6<359755~1>
2007-04-13 15:19:06 778 --a------ C:\Documents and Settings\suzanne johnson\Application Data\ba7e5a6c-f825-480b-8304-43b9a5418df1<BA7E5A~1>
2007-04-13 15:19:06 955 --a------ C:\Documents and Settings\suzanne johnson\Application Data\0fdc4289-1671-4622-8195-0e4be519d163<0FDC42~1>
2007-04-10 21:26:39 0 d-------- C:\Program Files\SilverCreekCommonFiles<SILVER~2>
2007-04-07 18:40:23 0 d-------- C:\Program Files\MySpace
2007-04-06 21:19:38 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-04-06 21:18:46 0 d-------- C:\Program Files\SUPERAntiSpyware<SUPERA~1>
2007-04-06 21:18:46 0 d-------- C:\Documents and Settings\suzanne johnson\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-04-06 16:39:50 0 d-------- C:\Documents and Settings\suzanne johnson\Application Data\Error Safe Free<ERRORS~1>
2007-04-05 17:36:26 0 d-------- C:\WINDOWS\system32\dlha
2007-04-05 17:36:21 7168 --a------ C:\WINDOWS\clntfs32.exe
2007-04-04 19:31:01 0 d-------- C:\WINDOWS\system32\bak
2007-04-03 20:05:21 31274 --a------ C:\xcrashdump.dat<XCRASH~1.DAT>
2007-03-30 09:25:51 30222 --a------ C:\WINDOWS\system32\__c004F348.dat<__C004~1.DAT>
2007-03-26 15:17:55 0 --a------ C:\WINDOWS\checkip.dat
2007-03-23 14:03:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-03-23 13:59:03 0 d-------- C:\WINDOWS\Cache
2007-03-23 13:56:47 159744 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-03-23 13:56:46 552960 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-03-23 13:56:46 8704 --a------ C:\WINDOWS\system32\vidccleaner.exe<VIDCCL~1.EXE>
2007-03-23 13:55:56 217088 --a------ C:\WINDOWS\system32\skjpeg40.dll
2007-03-23 13:55:55 83968 --a------ C:\WINDOWS\system32\Skbase40.dll
2007-03-23 13:55:53 0 d-------- C:\Program Files\Samsung


-- Find3M Report ---------------------------------------------------------------

2007-04-19 11:39:03 0 d-------- C:\Documents and Settings\suzanne johnson\Application Data\AVG7
2007-04-18 22:25:06 0 d-------- C:\Program Files\Java
2007-04-18 17:04:58 0 d-------- C:\Program Files\Common Files\AOL
2007-04-18 12:20:14 0 d---s---- C:\Documents and Settings\suzanne johnson\Application Data\Microsoft<MICROS~1>
2007-04-18 07:21:10 0 d-------- C:\Documents and Settings\suzanne johnson\Application Data\Yahoo!
2007-04-17 20:52:16 0 d-------- C:\Program Files\Yahoo!
2007-04-17 16:32:44 0 d-------- C:\Program Files\Common Files\Scanner
2007-04-17 16:29:43 0 d-------- C:\Program Files\Real
2007-04-16 21:21:16 82944 --a------ C:\WINDOWS\system32\ws2_32.dll
2007-04-14 16:50:57 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-04-14 16:46:34 502272 --a------ C:\WINDOWS\system32\winlogon.exe
2007-04-13 13:26:45 0 d-------- C:\Program Files\MyEmoticons<MYEMOT~1>
2007-04-12 06:39:03 82944 --a------ C:\WINDOWS\system32\ws2_32(2).dll<WS2_32~1.DLL>
2007-04-11 17:10:54 1213164 --a------ C:\Documents and Settings\suzanne johnson\Application Data\Install.xat
2007-04-10 21:26:39 0 d-------- C:\Program Files\Hardwood Spades<HARDWO~2>
2007-04-06 19:35:26 0 d-------- C:\Program Files\LimeWire
2007-04-06 19:35:21 0 d-------- C:\Program Files\Hardwood Hearts<HA7AC8~1>
2007-04-06 19:35:21 0 d-------- C:\Program Files\Hardwood Euchre<HARDWO~1>
2007-04-06 19:26:54 0 d-------- C:\Program Files\Atari
2007-04-06 19:09:50 0 d-------- C:\Documents and Settings\suzanne johnson\Application Data\Atari
2007-04-06 19:05:46 0 d--h----- C:\Documents and Settings\suzanne johnson\Application Data\Move Networks<MOVENE~1>
2007-04-06 09:36:47 0 d-------- C:\Program Files\MSN Messenger<MSNMES~1>
2007-03-27 00:25:33 0 d-------- C:\Program Files\Common Files\Adobe
2007-03-18 17:10:16 0 d-------- C:\Program Files\Silver Creek Installer<SILVER~1>
2007-03-18 17:10:15 0 d-------- C:\Program Files\Hardwood Backgammon<HARDWO~4>
2007-03-18 17:10:02 0 d-------- C:\Program Files\Hardwood Solitaire III<HARDWO~3>
2007-03-17 08:43:01 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 10:36:28 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 10:36:28 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 10:36:28 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 08:47:48 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-01 00:12:18 0 d-------- C:\Documents and Settings\suzanne johnson\Application Data\Viewpoint<VIEWPO~1>
2007-02-28 00:13:37 0 d-------- C:\Documents and Settings\suzanne johnson\Application Data\MySpace
2007-02-25 14:01:55 0 d-------- C:\Program Files\USB Disk Win98 Driver<USBDIS~1>
2007-02-17 13:46:32 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll<CMDLIN~2.DLL>
2007-02-05 15:17:02 185344 --a----c- C:\WINDOWS\system32\upnphost.dll
2007-01-27 01:32:57 2472 --a------ C:\clean.bat
2007-01-19 12:53:04 51056 --a------ C:\WINDOWS\system32\sirenacm.dll


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"location"="Common Startup"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Google Updater.lnk"
"backup"="C:\\WINDOWS\\pss\\Google Updater.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOOGLE~1.EXE -systray -startup"
"item"="Google Updater"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\SpySubtract.lnk"
"backup"="C:\\WINDOWS\\pss\\SpySubtract.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERM~1\\SPYSUB~1\\SpySub.exe -autostart"
"item"="SpySubtract"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSP Scheduler"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLDial"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Hpi_Monitor"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\Photo Imaging\\Hpi_Monitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpztsb04"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon03]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hphmon03"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hphmon03.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IPHSend"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mimboot"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~2\\mimboot.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm_tray"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~2\\mm_tray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MySpaceIM"
"hkey"="HKCU"
"command"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PortAOL"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegScanKing.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RegScanKing"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpgs2wnd"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\HP Share-to-Web\\hpgs2wnd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SUPERAntiSpyware"
"hkey"="HKCU"
"command"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB Storage Toolbox]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Res"
"hkey"="HKLM"
"command"="C:\\Program Files\\USB Disk Win98 Driver\\Res.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSASCui"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOLService"=dword:00000002
"CryptSvc"=dword:00000003
"gusvc"=dword:00000002


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000
"NoResolveSearch"=dword:00000001
"NoCDBurning"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c004F348

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- End of Deckard's System Scanner: finished at 2007-04-19 at 19:14:06 ---------
  • 0

#12
SNOWHITE

    Trusted Helper

  • Retired Staff
  • 1,327 posts
Hello lilhellyan,

We are making some progress here :whistling:

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Step 1

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
    • C:\WINDOWS\system32\skjpeg40.dll
  • Click on the submit button
  • Repeat the same instructions for this file too:
    • C:\WINDOWS\system32\Skbase40.dll
  • Please post the results in your next reply.
Step 2

Please re-open HiJackThis and click on "Do a system scan only". Check the boxes next to all the entries listed below.

O20 - Winlogon Notify: __c004F348 - C:\WINDOWS\system32\__c004F348.dat

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\__c002B0C5.dat
    C:\a5fa56e9cdaee2c83c98981b27aa
    C:\Documents and Settings\LocalService\Application Data\Install.dat
    C:\Documents and Settings\suzanne johnson\Application Data\f697e00c-dca7-4539-a466-eb405ebd7eb8
    C:\Documents and Settings\suzanne johnson\Application Data\35975506-ebdd-46b1-9e27-cb71cfa686f6
    C:\Documents and Settings\suzanne johnson\Application Data\ba7e5a6c-f825-480b-8304-43b9a5418df1
    C:\Documents and Settings\suzanne johnson\Application Data\0fdc4289-1671-4622-8195-0e4be519d163
    C:\WINDOWS\clntfs32.exe
    C:\WINDOWS\system32\__c004F348.dat



  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step 3

Optionals:

The next program is very likely the reason your system is infested with malware. Even when a program like this is not infected itself, it will still bring malware into your system because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove this program from your system.


Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

LimeWire 4.12.4

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\LimeWire << Delete this folder if you uninstalled LimeWire 4.12.4

Close Windows Explorer.

Step 4

You will need to follow the next steps exactly as they are written, so make sure to read them completely and copy and paste this post to a new text document or print it for reference later, when you boot into Safe Mode.

Boot in Safe Mode, DO NOT boot in Safe Mode with Networking!
Restart your computer and, as soon as it starts booting up again, continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode. Use your up arrow key to highlight Safe Mode, then hit Enter.

Using Windows Explorer, navigate to C:\WINDOWS\ServicePackFiles\i386, locate winlogon.exe, right-click on it and select Copy.

Now on the Desktop double-click on procexp.exe (Process Explorer, the program that you previously installed).

Locate smss.exe, then right-click that process and select "Kill Process".

Next, locate the process winlogon.exe, right-click that process and select "Kill Process".

Now navigate to C:\WINDOWS\system32, find winlogon.exe, right-click on it and select Delete.

When winlogon.exe is gone, right-click inside the System32 folder and select Paste; this should place a clean copy of winlogon.exe.

Pull the plug out of the back of the computer to force a shutdown, wait a few minutes, and start the machine again.

Step 5

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
    • C:\WINDOWS\system32\winlogon.exe
  • Click on the submit button
  • Please post the results in your next reply.
Post back with the Jotti file scan results, the OTMoveIt report, and the new DSS scan report (main.txt).
If you have any questions please feel free to ask me before you proceed with the above instructions!

Hi! Thanks again. I know you're working very hard helping me, and I thank you so much. Do you know how I got the stuff on my PC? If you have any ideas, let me know.


Let's clean your computer first, then I will post you some information and reading that will help you keep your computer safer :blink:

Best regards,
  • 0
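Added example, not part of this thread or of HijackThis: a small Python triage of the "O20 - Winlogon Notify" lines in a saved HijackThis log, flagging handlers of the kind fixed in Step 2 (a notify "DLL" that is really a .dat file, a machine-generated name, or a registry value left pointing at a file that no longer exists). The allow-list of stock Windows XP notify packages and the generated-name pattern are assumptions of the example, and the log lines are constructed from the ones posted above.

```python
import re

# Winlogon Notify packages that ship with a stock Windows XP SP2 install.
# Assumption: illustrative baseline for this example, not an authoritative
# allow-list; in practice compare against a known-clean machine of the same build.
KNOWN_GOOD_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "scardsvr", "schedule", "sclgntfy",
    "senslogn", "termsrv", "wlballoon", "wgalogon",
}

# One HijackThis "O20 - Winlogon Notify:" line, optionally tagged "(file missing)".
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?\s*$"
)

# Names of the shape seen in this thread (__c004F348): optional underscores,
# "c", then a run of hex digits. A heuristic, not a definitive indicator.
GENERATED_NAME_RE = re.compile(r"^_*c[0-9a-f]{6,}$", re.IGNORECASE)

# Constructed sample log: the O20 lines from the two logs in this thread,
# plus unrelated lines to show that they are skipped.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: __c004F348 - C:\WINDOWS\system32\__c004F348.dat
O20 - Winlogon Notify: __c004F348 - C:\WINDOWS\system32\__c004F348.dat (file missing)
"""


def parse_o20(log_text):
    """Extract every O20 Winlogon Notify entry from a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            entries.append({
                "name": m.group("name"),
                "path": m.group("path"),
                "missing": m.group("missing") is not None,
            })
    return entries


def assess(entry):
    """Return the reasons an entry looks suspicious; an empty list means clean."""
    reasons = []
    if not entry["path"].lower().endswith(".dll"):
        # Winlogon loads notify packages as DLLs; a .dat (or other) extension
        # is a simple way of keeping the DLL out of casual directory listings.
        reasons.append("handler is not a .dll")
    if entry["name"].lower() not in KNOWN_GOOD_NOTIFY:
        reasons.append("not a stock Windows XP notify package")
    if GENERATED_NAME_RE.match(entry["name"]):
        reasons.append("machine-generated looking name")
    if entry["missing"]:
        # The file is gone but the registry value remains: the value itself
        # still has to be removed (what HijackThis "Fix checked" does for O20).
        reasons.append("registry value points at a missing file (orphaned entry)")
    return reasons


def triage(log_text):
    """Parse the log and attach an assessment to each O20 entry, in log order."""
    results = []
    for entry in parse_o20(log_text):
        entry["reasons"] = assess(entry)
        results.append(entry)
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        status = "SUSPECT" if r["reasons"] else "ok"
        print(f"{status:8} {r['name']:12} {r['path']}")
        for reason in r["reasons"]:
            print(f"         - {reason}")
```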

#13
SNOWHITE

    Trusted Helper

  • Retired Staff
  • 1,327 posts
Additional scan: after you perform the above instructions, reboot your computer in Safe Mode again and follow the steps below:


Scan for Hidden Data Streams
  • Open HiJackThis
  • Click on "Open the Misc Tools section"
  • Click on "Open ADS Spy.."
    • Uncheck "Quick scan (Windows base folder only)"
    • Uncheck "Ignore safe system info streams"
  • Click on "Scan"
  • Click on "Save Log..."
  • Copy and paste the list from Notepad into your next post

  • 0

#14
lilhellyan

    Member

  • Topic Starter
  • 25 posts
Hi Snowhite! Hope I have been doing everything right. I know you're taking a lot of time to find all the info on how to get me out of this mess!! And I THANK YOU SO MUCH! Here are the new scans :)


C:\WINDOWS\system32\skjpeg40.dll
Scan taken on 20 Apr 2007 23:37:28 (GMT)
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

C:\WINDOWS\system32\Skbase40.dll
Scan taken on 20 Apr 2007 23:39:16 (GMT)
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

OTMoveIt results
C:\WINDOWS\system32\__c002B0C5.dat moved successfully.
C:\a5fa56e9cdaee2c83c98981b27aa moved successfully.
C:\Documents and Settings\LocalService\Application Data\Install.dat moved successfully.
C:\Documents and Settings\suzanne johnson\Application Data\f697e00c-dca7-4539-a466-eb405ebd7eb8 moved successfully.
C:\Documents and Settings\suzanne johnson\Application Data\35975506-ebdd-46b1-9e27-cb71cfa686f6 moved successfully.
C:\Documents and Settings\suzanne johnson\Application Data\ba7e5a6c-f825-480b-8304-43b9a5418df1 moved successfully.
C:\Documents and Settings\suzanne johnson\Application Data\0fdc4289-1671-4622-8195-0e4be519d163 moved successfully.
C:\WINDOWS\clntfs32.exe moved successfully.
File move failed. C:\WINDOWS\system32\__c004F348.dat scheduled to be moved on reboot.

Created on 04/20/2007 18:47:44

Scan taken on 21 Apr 2007 01:10:04 (GMT)
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing


Deckard's System Scanner v20070411.38
Run by suzanne johnson on 2007-04-20 at 20:13:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as suzanne johnson.exe) -------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:14:04 PM, on 4/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\suzanne johnson\Desktop\dss.exe
C:\hjt\SUZANN~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com...ageUploader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: __c004F348 - C:\WINDOWS\system32\__c004F348.dat (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe


-- Files created between 2007-03-20 and 2007-04-20 -----------------------------

2007-04-20 19:59:54 502272 --a------ C:\WINDOWS\system32\winlogon.exe
2007-04-20 14:06:16 0 d-------- C:\virtualroots<VIRTUA~1>
2007-04-20 14:06:16 0 d-------- C:\Program Files\HP
2007-04-19 17:38:32 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-18 22:23:31 0 d-------- C:\Program Files\Common Files\Java
2007-04-18 12:42:25 0 d-------- C:\Documents and Settings\suzanne johnson\Report.txt
2007-04-18 12:10:14 0 d-------- C:\Documents and Settings\suzanne johnson\RunThis.bat
2007-04-18 08:15:38 0 d-------- C:\hjt
2007-04-17 20:10:03 0 d--h----- C:\WINDOWS\PIF
2007-04-15 16:17:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy<SPYBOT~1>
2007-04-15 14:51:25 0 d-------- C:\WINDOWS\system32\runtime
2007-04-14 21:21:35 0 d-------- C:\Program Files\InterMute<INTERM~1>
2007-04-14 16:51:01 176128 --a------ C:\WINDOWS\system32\RcdScan.dll
2007-04-14 16:51:01 446464 -ra------ C:\WINDOWS\system32\hhactivex.dll<HHACTI~1.DLL>
2007-04-14 16:50:59 89360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-04-14 16:50:56 13632 -----n--- C:\WINDOWS\system32\drivers\omci.sys
2007-04-14 13:08:56 28672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-04-13 22:16:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab<KASPER~1>
2007-04-13 22:16:20 0 d-------- C:\WINDOWS\system32\Kaspersky Lab<KASPER~1>
2007-04-13 20:41:23 0 d-------- C:\Program Files\Lavasoft
2007-04-13 20:20:38 0 d-------- C:\Program Files\MSXML 4.0<MSXML4~1.0>
2007-04-13 20:09:03 0 d-------- C:\Program Files\Google
2007-04-13 20:09:02 0 d-------- C:\Program Files\Microsoft Windows OneCare Live<MICROS~2>
2007-04-13 19:14:09 0 d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-04-10 21:26:39 0 d-------- C:\Program Files\SilverCreekCommonFiles<SILVER~2>
2007-04-07 18:40:23 0 d-------- C:\Program Files\MySpace
2007-04-06 21:19:38 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-04-06 21:18:46 0 d-------- C:\Program Files\SUPERAntiSpyware<SUPERA~1>
2007-04-06 21:18:46 0 d-------- C:\Documents and Settings\suzanne johnson\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-04-06 16:39:50 0 d-------- C:\Documents and Settings\suzanne johnson\Application Data\Error Safe Free<ERRORS~1>
2007-04-05 17:36:26 0 d-------- C:\WINDOWS\system32\dlha
2007-04-04 19:31:01 0 d-------- C:\WINDOWS\system32\bak
2007-04-03 20:05:21 31274 --a------ C:\xcrashdump.dat<XCRASH~1.DAT>
2007-03-26 15:17:55 0 --a------ C:\WINDOWS\checkip.dat
2007-03-23 14:03:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-03-23 13:59:03 0 d-------- C:\WINDOWS\Cache
2007-03-23 13:56:47 159744 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-03-23 13:56:46 552960 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-03-23 13:56:46 8704 --a------ C:\WINDOWS\system32\vidccleaner.exe<VIDCCL~1.EXE>
2007-03-23 13:55:56 217088 --a------ C:\WINDOWS\system32\skjpeg40.dll
2007-03-23 13:55:55 83968 --a------ C:\WINDOWS\system32\Skbase40.dll
2007-03-23 13:55:53 0 d-------- C:\Program Files\Samsung


-- Find3M Report ---------------------------------------------------------------

2007-04-20 19:44:22 0 d-------- C:\Program Files\LimeWire
2007-04-20 12:02:10 0 d-------- C:\Documents and Settings\suzanne johnson\Application Data\AVG7
2007-04-18 22:25:06 0 d-------- C:\Program Files\Java
2007-04-18 17:04:58 0 d-------- C:\Program Files\Common Files\AOL
2007-04-18 12:20:14 0 d---s---- C:\Documents and Settings\suzanne johnson\Application Data\Microsoft<MICROS~1>
2007-04-18 07:21:10 0 d-------- C:\Documents and Settings\suzanne johnson\Application Data\Yahoo!
2007-04-17 20:52:16 0 d-------- C:\Program Files\Yahoo!
2007-04-17 16:32:44 0 d-------- C:\Program Files\Common Files\Scanner
2007-04-17 16:29:43 0 d-------- C:\Program Files\Real
2007-04-16 21:21:16 82944 --a------ C:\WINDOWS\system32\ws2_32.dll
2007-04-14 16:50:57 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-04-13 13:26:45 0 d-------- C:\Program Files\MyEmoticons<MYEMOT~1>
2007-04-12 06:39:03 82944 --a------ C:\WINDOWS\system32\ws2_32(2).dll<WS2_32~1.DLL>
2007-04-11 17:10:54 1213164 --a------ C:\Documents and Settings\suzanne johnson\Application Data\Install.xat
2007-04-10 21:26:39 0 d-------- C:\Program Files\Hardwood Spades<HARDWO~2>
2007-04-06 19:35:21 0 d-------- C:\Program Files\Hardwood Hearts<HA7AC8~1>
2007-04-06 19:35:21 0 d-------- C:\Program Files\Hardwood Euchre<HARDWO~1>
2007-04-06 19:26:54 0 d-------- C:\Program Files\Atari
2007-04-06 19:09:50 0 d-------- C:\Documents and Settings\suzanne johnson\Application Data\Atari
2007-04-06 19:05:46 0 d--h----- C:\Documents and Settings\suzanne johnson\Application Data\Move Networks<MOVENE~1>
2007-04-06 09:36:47 0 d-------- C:\Program Files\MSN Messenger<MSNMES~1>
2007-03-27 00:25:33 0 d-------- C:\Program Files\Common Files\Adobe
2007-03-18 17:10:16 0 d-------- C:\Program Files\Silver Creek Installer<SILVER~1>
2007-03-18 17:10:15 0 d-------- C:\Program Files\Hardwood Backgammon<HARDWO~4>
2007-03-18 17:10:02 0 d-------- C:\Program Files\Hardwood Solitaire III<HARDWO~3>
2007-03-17 08:43:01 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 10:36:28 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 10:36:28 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 10:36:28 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 08:47:48 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-01 00:12:18 0 d-------- C:\Documents and Settings\suzanne johnson\Application Data\Viewpoint<VIEWPO~1>
2007-02-28 00:13:37 0 d-------- C:\Documents and Settings\suzanne johnson\Application Data\MySpace
2007-02-25 14:01:55 0 d-------- C:\Program Files\USB Disk Win98 Driver<USBDIS~1>
2007-02-17 13:46:32 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll<CMDLIN~2.DLL>
2007-02-05 15:17:02 185344 --a----c- C:\WINDOWS\system32\upnphost.dll
2007-01-27 01:32:57 2472 --a------ C:\clean.bat


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"location"="Common Startup"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Google Updater.lnk"
"backup"="C:\\WINDOWS\\pss\\Google Updater.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOOGLE~1.EXE -systray -startup"
"item"="Google Updater"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\SpySubtract.lnk"
"backup"="C:\\WINDOWS\\pss\\SpySubtract.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERM~1\\SPYSUB~1\\SpySub.exe -autostart"
"item"="SpySubtract"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSP Scheduler"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLDial"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Hpi_Monitor"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\Photo Imaging\\Hpi_Monitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpztsb04"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon03]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hphmon03"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hphmon03.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IPHSend"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mimboot"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~2\\mimboot.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm_tray"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~2\\mm_tray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MySpaceIM"
"hkey"="HKCU"
"command"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PortAOL"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegScanKing.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RegScanKing"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpgs2wnd"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\HP Share-to-Web\\hpgs2wnd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SUPERAntiSpyware"
"hkey"="HKCU"
"command"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB Storage Toolbox]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Res"
"hkey"="HKLM"
"command"="C:\\Program Files\\USB Disk Win98 Driver\\Res.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSASCui"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOLService"=dword:00000002
"CryptSvc"=dword:00000003
"gusvc"=dword:00000002


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000
"NoResolveSearch"=dword:00000001
"NoCDBurning"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c004F348

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- End of Deckard's System Scanner: finished at 2007-04-20 at 20:14:36 ---------

#15
SNOWHITE

SNOWHITE

    Trusted Helper

  • Retired Staff
  • 1,327 posts
Hello lilhellyan,

Please follow the steps from Post #13 about Scan for Hidden Data Streams

Please let me know whether you encountered any problems or errors while you were scanning with ComboFix.
Did ComboFix display error messages during the run?

Also, is the third scan from Jotti from winlogon.exe? It is very important that you have a clean winlogon.exe on your system.

Please follow the steps below:

Please re-open HiJackThis and click on "Do a system scan only". Check the boxes next to all the entries listed below.

O20 - Winlogon Notify: __c004F348 - C:\WINDOWS\system32\__c004F348.dat (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run, click Copy and paste the results (if any) into this thread.

Please post back with the ADS Spy scan report, the GMER report and the answers to my questions.