Pop Ups Everywhere...HJT Log



#1 Feish13
Here is my HJT log, let me know if there is anything else you need, thanks.

Logfile of HijackThis v1.99.1
Scan saved at 11:03:20 AM, on 4/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Defender\MpCmdRun.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp3.tmp.dll
O2 - BHO: CVirtualDNSObj Object - {86C510E9-97EF-4749-914F-0280247BE3A6} - C:\WINDOWS\VirtualDNS.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {dede51ed-5539-4f4c-8b04-1dc865461365} - C:\WINDOWS\system32\imapnst.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\wvvwus.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://63.102.226.24...va/cfs40320.cab
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt3_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinn...5/pool/pool.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase7617.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102024256968
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.va...OCX/FlashAX.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: imapnst - C:\WINDOWS\SYSTEM32\imapnst.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe



#2 Anthony10
Hi Feish13,

I am currently working on your log under expert supervision and will be back ASAP. Thanks.

Anthony.

#3 Anthony10
Hi Feish13,

Do you use the program Titan Poker?

--------

Please download VundoFix.exe to your Desktop.

- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

----------

Go here and download and run FindAWF.

When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here with the contents of C:\vundofix.txt and a new HijackThis log.

Anthony.

#4 Feish13
Here are the three logs that you asked for...


Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 10:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/25/2006 07:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK

11/03/2006 07:20 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 05:00 AM 15,360 ctfmon.exe
03/09/2007 04:48 PM 37,391 lsasss.exe
07/09/2001 03:50 AM 155,648 NeroCheck.exe
3 File(s) 208,399 bytes

Directory of C:\PROGRA~1\BROADJ~1\CLIENT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\LOGITECH\IMAGES~1\BAK

12/10/2002 07:32 PM 155,648 ISStart.exe
12/10/2002 07:31 PM 61,440 LogiTray.exe
2 File(s) 217,088 bytes

Directory of C:\PROGRA~1\COMMON~1\LOGITECH\QCDRIV~2\BAK

12/10/2002 06:54 PM 127,022 LVCOMS.EXE
1 File(s) 127,022 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~3.0_0\BIN\BAK

11/10/2005 02:03 PM 36,975 jusched.exe
1 File(s) 36,975 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Dec 26 2006 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
36913 Apr 3 2007 "C:\Program Files\QuickTime\qttask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
36913 Apr 3 2007 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
36913 Apr 3 2007 "C:\WINDOWS\system32\lsasss.exe"
37391 Mar 9 2007 "C:\WINDOWS\system32\bak\lsasss.exe"
37391 Mar 9 2007 "C:\WINDOWS\system32\NeroCheck.exe1175504105"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
36913 Apr 3 2007 "C:\Program Files\Logitech\ImageStudio\ISStart.exe"
155648 Dec 10 2002 "C:\Program Files\Logitech\ImageStudio\bak\ISStart.exe"
36913 Apr 3 2007 "C:\Program Files\Logitech\ImageStudio\LogiTray.exe"
61440 Dec 10 2002 "C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe"
102400 Jun 10 2002 "C:\WINDOWS\system32\LVComS.exe"
102400 Jun 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver\LVComS.exe"
90112 Sep 20 2002 "C:\Program Files\Common Files\Logitech\QCDriver2\LVComS.exe"
36913 Apr 3 2007 "C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE"
127022 Dec 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver3\bak\LVCOMS.EXE"
36975 Dec 6 2004 "C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe"
36975 Jun 3 2005 "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
36913 Apr 3 2007 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"


end of report




VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 7:59:14 PM 4/6/2007

Listing files found while scanning....

C:\WINDOWS\system32\tmp3.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tmp3.tmp.dll
C:\WINDOWS\system32\tmp3.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!



Logfile of HijackThis v1.99.1
Scan saved at 8:10:00 PM, on 4/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: CVirtualDNSObj Object - {86C510E9-97EF-4749-914F-0280247BE3A6} - C:\WINDOWS\VirtualDNS.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {dede51ed-5539-4f4c-8b04-1dc865461365} - C:\WINDOWS\system32\imapnst.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\wvvwus.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://63.102.226.24...va/cfs40320.cab
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt3_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinn...5/pool/pool.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase7617.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102024256968
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.va...OCX/FlashAX.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: imapnst - C:\WINDOWS\SYSTEM32\imapnst.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe



Anything else let me know, thanks...

#5 Anthony10
Hi Feish13,

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixFiles.bat
Please save it on your Desktop.

@echo off
rem Copy each original program back out of the bak folder the infection moved it into.
rem The last argument is the folder the live copy belongs in.
If exist "C:\Program Files\iTunes\bak\iTunesHelper.exe" copy "C:\Program Files\iTunes\bak\iTunesHelper.exe" "C:\Program Files\iTunes"
If exist "C:\Program Files\QuickTime\bak\qttask.exe" copy "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime"
If exist "C:\Program Files\Windows Defender\bak\MSASCui.exe" copy "C:\Program Files\Windows Defender\bak\MSASCui.exe" "C:\Program Files\Windows Defender"
If exist "C:\WINDOWS\system32\bak\lsasss.exe" copy "C:\WINDOWS\system32\bak\lsasss.exe" "C:\WINDOWS\system32"
If exist "C:\WINDOWS\system32\bak\NeroCheck.exe" copy "C:\WINDOWS\system32\bak\NeroCheck.exe" "C:\WINDOWS\system32"
If exist "C:\Program Files\Logitech\ImageStudio\bak\ISStart.exe" copy "C:\Program Files\Logitech\ImageStudio\bak\ISStart.exe" "C:\Program Files\Logitech\ImageStudio"
If exist "C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe" copy "C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe" "C:\Program Files\Logitech\ImageStudio"
If exist "C:\Program Files\Common Files\Logitech\QCDriver3\bak\LVCOMS.EXE" copy "C:\Program Files\Common Files\Logitech\QCDriver3\bak\LVCOMS.EXE" "C:\Program Files\Common Files\Logitech\QCDriver3"
If exist "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe" copy "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe" "C:\Program Files\Java\jre1.5.0_06\bin"


-----------

Reboot into safe mode.
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

-----------

Double click on FixFiles.bat.
A window will open and close, this is normal.
Reboot into normal.

-----------

Download and run DELDOMAINS (right-click the link and select Save Link/Target As), then double-click to open DelDomains.inf. To execute the file, right-click it and select 'Install' from the menu. You may only see the desktop flicker when the fix makes the corrections.

(Note, if you use SpywareBlaster and/or IE/Spyads, it may be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.)

------------

Download ResetProtocolDefaults.reg :
http://www.mvps.org/....olDefaults.reg

Locate ResetProtocolDefaults.reg.
Right-click it and select Merge (OK the prompt).

------------

Please post a new report of FindAWF and a new HijackThis log.

Anthony.

Edited by Anthony10, 08 April 2007 - 05:38 AM.

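As an added example (not part of the thread or of FindAWF), the Python script below parses the "Duplicate files of bak directory contents" section of a FindAWF report, pairs each bak\ copy with its live twin and flags live files whose size no longer matches the backup, deriving the swapped-in file size from the report rather than hardcoding it, then generates the same `If exist ... copy ...` restore lines used in the batch file above, with the destination folder taken from the live path. The sample report is a constructed abbreviation of the one in post #4; its LogiTray line is intentionally given no bak twin to exercise the unpaired case.

```python
"""Find programs that the AWF infection swapped out, from a FindAWF report.

Added example, not part of FindAWF or of this thread. The infection moves the
real executable into a 'bak' sub-folder and drops its own file under the
original name, so a live file that no longer matches the size of its bak twin
has been replaced, and the size those replacements share is the dropper's.
"""
import re
from collections import Counter

# Constructed sample: an abbreviation of the post #4 report. The LogiTray line
# is deliberately left without a bak twin to show the unpaired case.
SAMPLE_REPORT = r'''
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

36913 Apr 3 2007 "C:\Program Files\QuickTime\qttask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
36913 Apr 3 2007 "C:\WINDOWS\system32\lsasss.exe"
37391 Mar 9 2007 "C:\WINDOWS\system32\bak\lsasss.exe"
37391 Mar 9 2007 "C:\WINDOWS\system32\NeroCheck.exe1175504105"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
36913 Apr 3 2007 "C:\Program Files\Logitech\ImageStudio\LogiTray.exe"
36975 Dec 6 2004 "C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe"
36913 Apr 3 2007 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"

end of report
'''

# size, date, quoted path; the date is not used but anchors the match
LINE_RE = re.compile(r'^(\d+)\s+(\w{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')


def parse_entries(report):
    """Map every quoted path in the report to its size in bytes."""
    entries = {}
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[m.group(3)] = int(m.group(1))
    return entries


def is_bak(path):
    # the file sits directly inside a folder called bak
    parts = path.split('\\')
    return len(parts) >= 3 and parts[-2].lower() == 'bak'


def live_path(bak):
    # turns C:\dir\bak\x.exe into C:\dir\x.exe
    parts = bak.split('\\')
    return '\\'.join(parts[:-2] + parts[-1:])


def analyse(report):
    """Classify each bak file against its live twin."""
    entries = parse_entries(report)
    result = {'replaced': [], 'missing': [], 'intact': [],
              'dropper_size': None, 'extra': []}
    paired = set()
    for bak, bak_size in entries.items():
        if not is_bak(bak):
            continue
        live = live_path(bak)
        paired.add(live)
        live_size = entries.get(live)
        if live_size is None:
            result['missing'].append(live)      # live copy gone, restore it
        elif live_size != bak_size:
            result['replaced'].append(live)     # dropper sits under the real name
        else:
            result['intact'].append(live)       # same size: nothing to do
    # the size the swapped-in files share identifies the dropper (36913 here)
    sizes = Counter(entries[p] for p in result['replaced'])
    if sizes:
        result['dropper_size'] = sizes.most_common(1)[0][0]
        # a file of that size with no bak twin still deserves a look
        result['extra'] = [p for p, s in entries.items()
                           if s == result['dropper_size']
                           and p not in paired and not is_bak(p)]
    return result


def restore_commands(report):
    """Batch lines that put each backed-up original back in its own folder."""
    entries = parse_entries(report)
    cmds = []
    for bak, bak_size in entries.items():
        if not is_bak(bak):
            continue
        live = live_path(bak)
        if entries.get(live) == bak_size:
            continue                            # already the original
        dest = live.rsplit('\\', 1)[0]          # folder of the live copy
        cmds.append('If exist "%s" copy "%s" "%s"' % (bak, bak, dest))
    return cmds


if __name__ == '__main__':
    found = analyse(SAMPLE_REPORT)
    print('suspected dropper size:', found['dropper_size'])
    for key in ('replaced', 'missing', 'extra', 'intact'):
        for path in found[key]:
            print('%-9s %s' % (key, path))
    print('\n'.join(restore_commands(SAMPLE_REPORT)))
```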

#6 Feish13
Ok so the link to the last step that you provided doesn't work... but I did all of the other steps and attached the logs below; let me know what you think. Thanks.


Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 10:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/25/2006 07:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK

11/03/2006 07:20 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 05:00 AM 15,360 ctfmon.exe
03/09/2007 04:48 PM 37,391 lsasss.exe
07/09/2001 03:50 AM 155,648 NeroCheck.exe
3 File(s) 208,399 bytes

Directory of C:\PROGRA~1\BROADJ~1\CLIENT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\LOGITECH\IMAGES~1\BAK

12/10/2002 07:32 PM 155,648 ISStart.exe
12/10/2002 07:31 PM 61,440 LogiTray.exe
2 File(s) 217,088 bytes

Directory of C:\PROGRA~1\COMMON~1\LOGITECH\QCDRIV~2\BAK

12/10/2002 06:54 PM 127,022 LVCOMS.EXE
1 File(s) 127,022 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~3.0_0\BIN\BAK

11/10/2005 02:03 PM 36,975 jusched.exe
1 File(s) 36,975 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Dec 26 2006 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
37391 Mar 9 2007 "C:\WINDOWS\system32\lsasss.exe"
37391 Mar 9 2007 "C:\WINDOWS\system32\bak\lsasss.exe"
37391 Mar 9 2007 "C:\WINDOWS\system32\NeroCheck.exe1175504105"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
155648 Dec 10 2002 "C:\Program Files\Logitech\ISStart.exe"
36913 Apr 3 2007 "C:\Program Files\Logitech\ImageStudio\ISStart.exe"
155648 Dec 10 2002 "C:\Program Files\Logitech\ImageStudio\bak\ISStart.exe"
36913 Apr 3 2007 "C:\Program Files\Logitech\ImageStudio\LogiTray.exe"
61440 Dec 10 2002 "C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe"
102400 Jun 10 2002 "C:\WINDOWS\system32\LVComS.exe"
102400 Jun 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver\LVComS.exe"
90112 Sep 20 2002 "C:\Program Files\Common Files\Logitech\QCDriver2\LVComS.exe"
127022 Dec 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE"
127022 Dec 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver3\bak\LVCOMS.EXE"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\jusched.exe"
36975 Dec 6 2004 "C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe"
36975 Jun 3 2005 "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
36913 Apr 3 2007 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"


end of report




Logfile of HijackThis v1.99.1
Scan saved at 6:01:43 PM, on 4/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_070407.dll start
O2 - BHO: CVirtualDNSObj Object - {86C510E9-97EF-4749-914F-0280247BE3A6} - C:\WINDOWS\VirtualDNS.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {dede51ed-5539-4f4c-8b04-1dc865461365} - C:\WINDOWS\system32\imapnst.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\wvvwus.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://63.102.226.24...va/cfs40320.cab
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt3_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinn...5/pool/pool.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase7617.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102024256968
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.va...OCX/FlashAX.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: imapnst - C:\WINDOWS\SYSTEM32\imapnst.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
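The log above carries a changed F2 UserInit value and a Run entry that loads a DLL from the Windows folder through rundll32. The Python script below is an added example, not part of HijackThis or of this thread, that applies a few triage heuristics to HijackThis 1.99 lines (extra commands after userinit.exe in F2, rundll32 loading a DLL from the Windows root, unnamed BHOs, Winlogon Notify hooks); the sample lines are copied from the logs in this thread, and a hit marks an entry for review, not a verdict on the file.

```python
"""Triage heuristics for HijackThis 1.99 log lines.

Added example, not part of HijackThis or of this thread. Each hit marks an
entry for review; it is not a verdict on the file.
"""
import re

# the only value Windows XP itself puts in the F2 UserInit line
STOCK_USERINIT = r'c:\windows\system32\userinit.exe'

# rundll32[.exe] followed by either a quoted path or a bare token up to a comma
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+(?:"([^"]+)"|([^,\s]+))',
                       re.IGNORECASE)

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r'''
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_070407.dll start
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {dede51ed-5539-4f4c-8b04-1dc865461365} - C:\WINDOWS\system32\imapnst.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\wvvwus.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: imapnst - C:\WINDOWS\SYSTEM32\imapnst.dll
'''


def userinit_extras(line):
    """Commands in an F2 UserInit value other than the stock userinit.exe."""
    value = line.split('UserInit=', 1)[1]
    segments = [s.strip() for s in value.split(',')]
    return [s for s in segments if s and s.lower() != STOCK_USERINIT]


def in_windows_root(path):
    # a file dropped straight into the Windows folder has exactly three
    # components, with WINDOWS as the only folder
    parts = path.split('\\')
    return len(parts) == 3 and parts[1].lower() == 'windows'


def run_command(line):
    """The command part of an O4 line, or None for lines without one."""
    if '] ' in line:                    # O4 - HKLM\..\Run: [Name] command
        return line.split('] ', 1)[1]
    if ' = ' in line:                   # O4 - Global Startup: x.lnk = path
        return line.split(' = ', 1)[1]
    return None


def triage(log):
    """Return (rule, line) for every line that matches a heuristic."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith('F2 - ') and 'UserInit=' in line:
            if userinit_extras(line):
                findings.append(('userinit-extra', line))
        elif line.startswith('O2 - BHO: (no name)'):
            findings.append(('unnamed-bho', line))
        elif line.startswith('O4 - '):
            cmd = run_command(line)
            m = RUNDLL_RE.search(cmd) if cmd else None
            # a control panel applet like cmicnfg.cpl has no folder and passes
            if m and in_windows_root(m.group(1) or m.group(2)):
                findings.append(('rundll32-windows-root', line))
        elif line.startswith('O20 - Winlogon Notify:'):
            findings.append(('winlogon-notify', line))
    return findings


if __name__ == '__main__':
    for rule, line in triage(SAMPLE_LOG):
        print('%-22s %s' % (rule, line))
```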

#7 Anthony10
Hi Feish13,

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixFiles2.bat
Please save it on your Desktop.

@echo off
rem Copy the remaining originals back out of their bak folders.
rem The last argument is the folder the live copy belongs in.
If exist "C:\WINDOWS\system32\bak\NeroCheck.exe" copy "C:\WINDOWS\system32\bak\NeroCheck.exe" "C:\WINDOWS\system32"
If exist "C:\Program Files\Logitech\ImageStudio\bak\ISStart.exe" copy "C:\Program Files\Logitech\ImageStudio\bak\ISStart.exe" "C:\Program Files\Logitech\ImageStudio"
If exist "C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe" copy "C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe" "C:\Program Files\Logitech\ImageStudio"
If exist "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe" copy "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe" "C:\Program Files\Java\jre1.5.0_06\bin"


-----------

Reboot into safe mode.
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

-----------

Double click on FixFiles2.bat.
A window will open and close, this is normal.
Reboot into normal.

-----------

Download ResetProtocolDefaults.reg :
http://www.mvps.org/...colDefaults.reg


Locate ResetProtocolDefaults.reg.
Right-click it and select Merge (OK the prompt).

------------

Please post a new report of FindAWF and a new HijackThis log.

Anthony.

Edited by Anthony10, 08 April 2007 - 12:55 PM.


#8 Feish13
I completed all of the steps you outlined, and here are the logs you asked for...



Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 10:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/25/2006 07:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK

11/03/2006 07:20 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 05:00 AM 15,360 ctfmon.exe
03/09/2007 04:48 PM 37,391 lsasss.exe
07/09/2001 03:50 AM 155,648 NeroCheck.exe
3 File(s) 208,399 bytes

Directory of C:\PROGRA~1\BROADJ~1\CLIENT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\LOGITECH\IMAGES~1\BAK

12/10/2002 07:32 PM 155,648 ISStart.exe
12/10/2002 07:31 PM 61,440 LogiTray.exe
2 File(s) 217,088 bytes

Directory of C:\PROGRA~1\COMMON~1\LOGITECH\QCDRIV~2\BAK

12/10/2002 06:54 PM 127,022 LVCOMS.EXE
1 File(s) 127,022 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~3.0_0\BIN\BAK

11/10/2005 02:03 PM 36,975 jusched.exe
1 File(s) 36,975 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Dec 26 2006 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
37391 Mar 9 2007 "C:\WINDOWS\system32\lsasss.exe"
37391 Mar 9 2007 "C:\WINDOWS\system32\bak\lsasss.exe"
37391 Mar 9 2007 "C:\WINDOWS\system32\NeroCheck.exe1175504105"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
155648 Dec 10 2002 "C:\Program Files\Logitech\ISStart.exe"
155648 Dec 10 2002 "C:\Program Files\Logitech\ImageStudio\ISStart.exe"
155648 Dec 10 2002 "C:\Program Files\Logitech\ImageStudio\bak\ISStart.exe"
61440 Dec 10 2002 "C:\Program Files\Logitech\ImageStudio\LogiTray.exe"
61440 Dec 10 2002 "C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe"
102400 Jun 10 2002 "C:\WINDOWS\system32\LVComS.exe"
102400 Jun 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver\LVComS.exe"
90112 Sep 20 2002 "C:\Program Files\Common Files\Logitech\QCDriver2\LVComS.exe"
127022 Dec 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE"
127022 Dec 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver3\bak\LVCOMS.EXE"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\jusched.exe"
36975 Dec 6 2004 "C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe"
36975 Jun 3 2005 "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
36913 Apr 3 2007 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"


end of report




Logfile of HijackThis v1.99.1
Scan saved at 12:22:39 PM, on 4/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\program files\internet explorer\iexplore.exe
C:\program files\internet explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_070408.dll start
O2 - BHO: CVirtualDNSObj Object - {86C510E9-97EF-4749-914F-0280247BE3A6} - C:\WINDOWS\VirtualDNS.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {dede51ed-5539-4f4c-8b04-1dc865461365} - C:\WINDOWS\system32\imapnst.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\wvvwus.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://63.102.226.24...va/cfs40320.cab
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt3_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinn...5/pool/pool.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase7617.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102024256968
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.va...OCX/FlashAX.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: imapnst - C:\WINDOWS\SYSTEM32\imapnst.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
  • 0
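
A note on reading the FindAWF report above (added example, not FindAWF's own code and not from the thread's helper): the AWF downloader parks the legitimate program in a bak subfolder and puts its own copy under the original name, so the things worth checking in the "Duplicate files" listing are whether every bak\ file still has a live copy, whether that live copy matches it, and whether unrelated file names share one exact size and date (the dropper copied under several names). The script pairs the lines that way; its sample input is a subset of the report lines posted above.

```python
"""Cross-check a FindAWF 'Duplicate files of bak directory contents' listing.

Added example, not part of FindAWF or of this thread. The sample lines are
taken from the report posted above.
"""
import re
from collections import defaultdict

# One report line: <size> <Mon> <day> <year> "<full path>"
LINE_RE = re.compile(r'^(\d+)\s+(\w{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')

SAMPLE_REPORT = r"""
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
37391 Mar 9 2007 "C:\WINDOWS\system32\lsasss.exe"
37391 Mar 9 2007 "C:\WINDOWS\system32\bak\lsasss.exe"
37391 Mar 9 2007 "C:\WINDOWS\system32\NeroCheck.exe1175504105"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
155648 Dec 10 2002 "C:\Program Files\Logitech\ImageStudio\ISStart.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"
36913 Apr 3 2007 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
"""


def parse_report(text):
    """Map each quoted path to a (size, date) tuple; unparseable lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            size, date, path = m.groups()
            entries[path] = (int(size), " ".join(date.split()))
    return entries


def live_path(bak_file):
    """Path the bak\\ copy was moved away from, or None if this is not a bak\\ file."""
    head, sep, tail = bak_file.rpartition("\\bak\\")
    return head + "\\" + tail if sep else None


def compare_bak_pairs(entries):
    """For every bak\\ file, classify the copy that now sits in the parent directory."""
    findings = {}
    for path, stamp in entries.items():
        live = live_path(path)
        if live is None:
            continue
        if live not in entries:
            findings[live] = "no live copy listed"
        elif entries[live] == stamp:
            findings[live] = "matches bak copy"
        else:
            findings[live] = "differs from bak copy"
    return findings


def same_stamp_clusters(entries):
    """Paths that share an exact size and date but carry different file names."""
    groups = defaultdict(set)
    for path, stamp in entries.items():
        groups[stamp].add(path)
    clusters = []
    for paths in groups.values():
        names = {p.rsplit("\\", 1)[-1].lower() for p in paths}
        if len(names) > 1:
            clusters.append(sorted(paths))
    return clusters


if __name__ == "__main__":
    entries = parse_report(SAMPLE_REPORT)
    for live, verdict in sorted(compare_bak_pairs(entries).items()):
        print(f"{verdict:24} {live}")
    for cluster in same_stamp_clusters(entries):
        print("same size and date, different names:", *cluster, sep="\n  ")
```

On this input the live jusched.exe (36913 bytes, Apr 3 2007) differs from its bak copy (36975 bytes, Nov 10 2005), which is the replaced-binary pattern, and the 37391-byte Mar 9 2007 size/date is shared by lsasss.exe, bak\lsasss.exe and NeroCheck.exe1175504105, three names for one file. "Matches bak copy" is not a clean bill of health on its own: lsasss.exe matches its bak copy simply because both are the dropper, as the later AVG report on this page confirms. Requiring the date as well as the size keeps the coincidental 155648-byte ISStart.exe out of the cluster.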

#9
Anthony10

Anthony10

    Member

  • Member
  • PipPipPip
  • 314 posts
Hi Feish13,

Print this topic and read the entire post before proceeding.

-----------------

Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - leave ALL 3 checked:
    Downloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
-------------

Go Here and download ATF cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).

If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.

-------------------

Download the trial version of AVG Anti-Spyware 7.5 from here and install it.

If you have an existing copy of Ewido (which this software replaces), agree to the uninstall notification and uninstall Ewido. Reboot after. Then click the AVG download file again to install the software. (If you have a paid version of Ewido installed, go here to follow the steps to upgrade that now.)

After installation, double-click the icon on your Desktop to launch AVG Anti-Spyware 7.5.

On the top of the main screen click Shield. Then click the word active to change it to inactive.

You will need to also update AVG Anti-Spyware 7.5 to the latest definition files. On the top of the main screen click Update. Then click on Start Update. The update will start and a progress bar will show the updates being installed.

Now close AVG Anti-Spyware 7.5 (don't scan just yet).

--------------------

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
Save it to your Desktop.

-------------------

Open HijackThis, run a scan, place a check next to the following entries and then click fix checked :

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_070408.dll start

O2 - BHO: CVirtualDNSObj Object - {86C510E9-97EF-4749-914F-0280247BE3A6} - C:\WINDOWS\VirtualDNS.dll
O2 - BHO: (no name) - {dede51ed-5539-4f4c-8b04-1dc865461365} - C:\WINDOWS\system32\imapnst.dll

O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\wvvwus.dll",realset

O20 - AppInit_DLLs:
O20 - Winlogon Notify: imapnst - C:\WINDOWS\SYSTEM32\imapnst.dll


------------------

Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).

--------------------

Make sure all windows are closed and run AVG Anti-Spyware 7.5. Click Scanner, then click on the Scan tab. Click Complete System Scan to begin scanning. When the scan is complete click Recommended Action and change it to Quarantine. Then click Apply all actions.

Once the scan has finished, click the Save report button, then click Save Report As. This will create a text file. Make sure you know where to find this file again.

---------------------

Please double-click Killbox.exe to run it.
Select: Delete on Reboot then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\winsys16_070408.dll
C:\WINDOWS\VirtualDNS.dll
C:\WINDOWS\system32\imapnst.dll
C:\WINDOWS\system32\lsasss.exe
C:\WINDOWS\wvvwus.dll
C:\WINDOWS\SYSTEM32\imapnst.dll


Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

------------------

Post your AVG log please, along with a new HijackThis scan. You can use separate posts if needed.

Anthony.
  • 0
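
For anyone trying to understand why those particular HijackThis lines were picked out, here is a small triage script (added example, not HijackThis code and not from the thread's helper). It reads log text and reports: a UserInit value that differs from the stock "userinit.exe," string (HijackThis only prints an F2 line when it differs), BHOs that have no name or sit under C:\WINDOWS, Run entries whose file name is one edit away from a core Windows process (lsasss.exe next to lsass.exe), rundll32 autoruns that load a DLL by full path, a non-empty AppInit_DLLs value, and Winlogon Notify entries. The sample lines are copied from the 8 April log posted above; the reason labels are my own.

```python
"""Triage a HijackThis 1.99.1 log for the entry types dealt with in this thread.

Added example, not HijackThis code. Sample lines are copied from the log
posted above; the reason labels are this script's own.
"""
import re

# Stock Windows XP value (lower-cased for comparison); HijackThis prints an
# F2 UserInit line only when the registry value differs from this.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"

# Core process names that droppers imitate with a one-character change.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
                  "ctfmon.exe", "userinit.exe"}

NAME_RE = re.compile(r"[\w~.-]+\.(?:exe|dll|scr)", re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([a-z]:\\[^",]+\.dll)', re.I)

SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_070408.dll start
O2 - BHO: CVirtualDNSObj Object - {86C510E9-97EF-4749-914F-0280247BE3A6} - C:\WINDOWS\VirtualDNS.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {dede51ed-5539-4f4c-8b04-1dc865461365} - C:\WINDOWS\system32\imapnst.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\wvvwus.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: imapnst - C:\WINDOWS\SYSTEM32\imapnst.dll
"""


def edit_distance(a, b):
    """Levenshtein distance by plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name):
    """Return the core process name that `name` imitates, or None."""
    name = name.lower()
    for core in sorted(CORE_PROCESSES):
        if name != core and edit_distance(name, core) == 1:
            return core
    return None


def triage(log_text):
    """Return (reason, line) pairs for entries a reviewer should look at first."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("F2 - REG:system.ini: UserInit="):
            value = line.split("UserInit=", 1)[1].strip().lower()
            if value != DEFAULT_USERINIT:
                findings.append(("userinit-modified", line))
        elif line.startswith("O2 - BHO:"):
            path = line.rsplit(" - ", 1)[-1].strip().lower()
            if "(no name)" in line:
                findings.append(("unnamed-bho", line))
            elif path.startswith("c:\\windows\\"):
                findings.append(("bho-in-windows-dir", line))
        elif line.startswith("O4 - "):
            for name in NAME_RE.findall(line):
                core = lookalike(name)
                if core:
                    findings.append((f"lookalike-of-{core}", line))
                    break
            if RUNDLL_RE.search(line):
                findings.append(("rundll32-dll-autorun", line))
        elif line.startswith("O20 - AppInit_DLLs:"):
            if line.split(":", 1)[1].strip():
                findings.append(("appinit-dll", line))
        elif line.startswith("O20 - Winlogon Notify:"):
            findings.append(("winlogon-notify", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:24} {line}")
```

Run on the sample it flags six lines: the F2 UserInit entry (userinit.exe is followed by a rundll32 call loading winsys16_070408.dll), both BHOs that live under C:\WINDOWS, the [Lexmark_X79-55] entry whose file is lsasss.exe (one letter off lsass.exe and a printer-sounding name for a file that Lexmark does not ship), the [BootService] rundll32 autorun, and the Winlogon Notify DLL. The Google Toolbar BHO, the Cmaudio and NeroCheck entries and the HKCU ctfmon.exe entry pass, and the empty AppInit_DLLs line is not reported because the value is blank. A Winlogon Notify or rundll32 hit is a prompt to check the DLL, not proof on its own.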

#10
Feish13

Feish13

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
I completed all of the steps and here are the AVG Log and HiJackThis Log...


AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:12:52 PM 4/9/2007

+ Scan result:



C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP594\A0055374.exe -> Adware.Casino : Ignored.
C:\Program Files\Hijackthis\backups\backup-20070409-211727-769.dll -> Adware.Webdir : Ignored.
C:\WINDOWS\VirtualDNS.dll -> Adware.Webdir : Ignored.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][1].txt -> TrackingCookie.Reliablestats : Cleaned.


::Report end





Logfile of HijackThis v1.99.1
Scan saved at 10:25:39 PM, on 4/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {dede51ed-5539-4f4c-8b04-1dc865461365} - C:\WINDOWS\system32\imapnst.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://63.102.226.24...va/cfs40320.cab
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt3_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinn...5/pool/pool.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase7617.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102024256968
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.va...OCX/FlashAX.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: imapnst - imapnst.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
  • 0

#11
Anthony10

Anthony10

    Member

  • Member
  • PipPipPip
  • 314 posts
Hi Feish13,

Print this topic and read the entire post before proceeding.

---------------

Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - leave ALL 3 checked:
    Downloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
-------------------

Open HijackThis, run a scan, place a check next to the following entries and then click fix checked :

O2 - BHO: (no name) - {dede51ed-5539-4f4c-8b04-1dc865461365} - C:\WINDOWS\system32\imapnst.dll (file missing)

O20 - Winlogon Notify: imapnst - imapnst.dll (file missing)

------------------

Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).

---------------------

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode and post the report of AVG Anti-Spyware and a new HijackThis log.

Anthony.
  • 0

#12
Feish13

Feish13

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Sorry it took me a bit longer than expected to get around to this. I completed all of the steps, and here are the logs as requested....

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:51:10 PM 4/16/2007

+ Scan result:



HKLM\SOFTWARE\AntivirusGold -> Adware.AntiVirusGolden : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP594\A0055374.exe -> Adware.Casino : Cleaned with backup (quarantined).
C:\Program Files\MyWay\myBar\1.bin\NPMYWAY.DLL -> Adware.MyWaySpeed : Cleaned with backup (quarantined).
C:\Documents and Settings\Clayton Fisher\Local Settings\Temp\tmp160.tmp.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Documents and Settings\Clayton Fisher\Local Settings\Temp\tmp3.tmp.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\!KillBox\VirtualDNS.dll -> Adware.Webdir : Cleaned with backup (quarantined).
C:\Program Files\Hijackthis\backups\backup-20070409-211727-769.dll -> Adware.Webdir : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP595\A0057459.dll -> Adware.Webdir : Cleaned with backup (quarantined).
C:\!KillBox\lsasss.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP588\A0053240.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP588\A0053241.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP588\A0053242.EXE -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP588\A0053243.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP588\A0053244.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP588\A0053245.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP588\A0053246.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP588\A0053247.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP588\A0053248.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP588\A0053249.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP588\A0053250.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP588\A0053251.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP590\A0053257.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP590\A0053258.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP590\A0053259.EXE -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP590\A0053260.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP590\A0053261.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP590\A0053262.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP590\A0053263.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP590\A0053264.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP590\A0053265.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP592\A0055258.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP592\A0055259.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP592\A0055260.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP592\A0055261.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP592\A0055262.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP592\A0055263.EXE -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP593\A0055284.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP593\A0055285.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP595\A0057461.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\WINDOWS\system32\NeroCheck.exe1175504105 -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\WINDOWS\system32\bak\lsasss.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Documents and Settings\Clayton Fisher\Local Settings\Temp\tmp162.tmp.exe -> Downloader.Agent.bjk : Cleaned with backup (quarantined).
C:\Documents and Settings\Clayton Fisher\Local Settings\Temp\tmpA.tmp.exe -> Downloader.Agent.bjk : Cleaned with backup (quarantined).
C:\!KillBox\imapnst.dll -> Downloader.ConHook.an : Cleaned with backup (quarantined).
C:\Program Files\Hijackthis\backups\backup-20070409-211727-322.dll -> Downloader.ConHook.an : Cleaned with backup (quarantined).
C:\Program Files\Hijackthis\backups\backup-20070409-211855-539.dll -> Downloader.ConHook.an : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP595\A0057460.dll -> Downloader.ConHook.an : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP592\A0055246.dll -> Logger.Agent.pn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP592\A0055256.dll -> Logger.Agent.pn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP592\A0055269.dll -> Logger.Agent.pn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP593\A0055281.dll -> Logger.Agent.pn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP593\A0055292.dll -> Logger.Agent.pn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP594\A0055411.dll -> Logger.Agent.pn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP594\A0055412.dll -> Logger.Agent.pn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP594\A0055413.scr -> Logger.Agent.pn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP594\A0055414.dll -> Logger.Agent.pn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP594\A0055419.dll -> Logger.Agent.pn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP594\A0056418.dll -> Logger.Agent.pn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP594\A0056425.dll -> Logger.Agent.pn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP595\A0056439.dll -> Logger.Agent.pn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP595\A0057441.dll -> Logger.Agent.pn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP595\A0057442.dll -> Logger.Agent.pn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP595\A0057444.scr -> Logger.Agent.pn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP595\A0057445.dll -> Logger.Agent.pn : Cleaned with backup (quarantined).
C:\WINDOWS\system32\AlxRes070409.exe -> Logger.Agent.pn : Cleaned with backup (quarantined).
C:\WINDOWS\system32\scrsys070409.scr -> Logger.Agent.pn : Cleaned with backup (quarantined).
C:\WINDOWS\system32\scrsys16_070409.scr -> Logger.Agent.pn : Cleaned with backup (quarantined).
C:\WINDOWS\system32\winsys16_070409.dll -> Logger.Agent.pn : Cleaned with backup (quarantined).
C:\WINDOWS\system32\winsys32_070409.dll -> Logger.Agent.pn : Cleaned with backup (quarantined).
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][1].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][1].txt -> TrackingCookie.Adengage : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Clayton Fisher\Local Settings\Temp\Cookies\clayton [email protected][2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Clayton Fisher\Local Settings\Temp\Cookies\clayton [email protected][2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Clayton Fisher\Local Settings\Temp\Cookies\clayton [email protected][2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Clayton Fisher\Local Settings\Temp\Cookies\clayton [email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected]fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Clayton Fisher\Local Settings\Temp\Cookies\clayton [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Clayton Fisher\Local Settings\Temp\Cookies\clayton [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][2].txt -> TrackingCookie.Linksynergy : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Clayton Fisher\Local Settings\Temp\Cookies\clayton [email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][1].txt -> TrackingCookie.Porntrack : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][2].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Clayton Fisher\Local Settings\Temp\Cookies\clayton [email protected][1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][2].txt -> TrackingCookie.Sexcounter : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][1].txt -> TrackingCookie.Sexlist : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][2].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][2].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][1].txt -> TrackingCookie.Tracking101 : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Clayton Fisher\Local Settings\Temp\Cookies\clayton [email protected][1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Clayton Fisher\Local Settings\Temp\Cookies\clayton [email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Clayton Fisher\Cookies\clayton [email protected][1].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Clayton Fisher\Local Settings\Temp\Cookies\clayton [email protected][2].txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP592\A0054242.dll -> Trojan.Agent.agv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{28CD7667-0267-4CD2-B735-16CDECEB7F27}\RP592\A0054241.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\VundoFix Backups\tmp3.tmp.dll.bad -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\tmp13.tmp.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\Documents and Settings\Clayton Fisher\Local Settings\Temp\tmp161.tmp.exe -> Trojan.BHO.o : Cleaned with backup (quarantined).
C:\Documents and Settings\Clayton Fisher\Local Settings\Temp\tmp5.tmp.exe -> Trojan.BHO.o : Cleaned with backup (quarantined).
C:\WINDOWS\system32\tmp161.tmp.dll -> Trojan.BHO.o : Cleaned with backup (quarantined).
C:\WINDOWS\system32\tmp5.tmp.dll -> Trojan.BHO.o : Cleaned with backup (quarantined).


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 7:55:04 PM, on 4/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\tmp5.tmp.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {dede51ed-5539-4f4c-8b04-1dc865461365} - C:\WINDOWS\system32\dmocode.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\pmllih.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://63.102.226.24...va/cfs40320.cab
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt3_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinn...5/pool/pool.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase7617.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102024256968
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.va...OCX/FlashAX.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: dmocode - C:\WINDOWS\SYSTEM32\dmocode.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

#13 Anthony10

Hi Feish13,

Open HijackThis, run a scan, place a check next to the following entries and then click Fix checked:

O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\tmp5.tmp.dll (file missing)
O2 - BHO: (no name) - {dede51ed-5539-4f4c-8b04-1dc865461365} - C:\WINDOWS\system32\dmocode.dll

O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\pmllih.dll",realset

O20 - Winlogon Notify: dmocode - C:\WINDOWS\SYSTEM32\dmocode.dll


---------------------

Please double-click Killbox.exe to run it.
Select: Delete on Reboot then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\dmocode.dll
C:\WINDOWS\pmllih.dll


Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

------------------

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post along with a new HijackThis scan. You can use separate posts if needed.

Anthony.

#14 Feish13 (Topic Starter)

I did the steps you asked for, and here are the two logs you asked for......

Adobe Reader 6.0.2
ArcSoft PhotoImpression 4
ATI Display Driver
AVG Anti-Spyware 7.5
AVI Codec Pack
Battlefield 2 Server
Battlefield 2™
BroadJump Client Foundation
CardRd81
CCScore
C-Media 3D Audio
C-Media WDM Audio Driver
CR2
DivX Content Uploader
DivX Web Player
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
ESSTUTOR
ESSvpaht
ESSvpot
Google Toolbar for Internet Explorer
Hijackthis 1.99.1
HijackThis 1.99.1
HLPIndex
HLPPDOCK
HLPRFO
iPod for Windows 2005-02-22
iPod for Windows 2006-03-23
iTunes
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java™ SE Runtime Environment 6 Update 1
Kodak EasyShare software
KSU
LaserTank
LimeWire 4.9.30
LiveUpdate 1.90 (Symantec Corporation)
Logitech Desktop Messenger
Logitech ImageStudio
Logitech QuickCam
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft ActiveX Control Pad
Microsoft Office Standard Edition 2003
MSN
MSN Messenger 7.5
Nero - Burning Rom
Notifier
OTtBP
OTtBPSDK
Panda ActiveScan
QuickTime
QuickTime
Royal Vegas Poker
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901214)
SFR
SHASTA
SKIN0001
SKINXSDK
TotalBF2 Map Pack 3
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
VIA Rhine-Family Fast Ethernet Adapter
VPRINTOL
Windows Defender
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Live Safety scanner
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WIRELESS
Xvid 1.1.2 final uninstall






Logfile of HijackThis v1.99.1
Scan saved at 7:07:44 PM, on 4/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\svehost.exe
C:\WINDOWS\system32\clcl7.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {dede51ed-5539-4f4c-8b04-1dc865461365} - C:\WINDOWS\system32\dmocode.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\ljkhff.dll",realset
O4 - HKLM\..\Run: [clcl7] C:\WINDOWS\system32\clcl7.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://63.102.226.24...va/cfs40320.cab
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt3_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinn...5/pool/pool.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase7617.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102024256968
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.va...OCX/FlashAX.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: dmocode - dmocode.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

#15 Anthony10

Hi,

Run ATF-Cleaner, and select "Select All", then click Empty Selected (and close ATF).

If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.

------------------

Open HijackThis, run a scan, place a check next to the following entries and then click Fix checked:

O2 - BHO: (no name) - {dede51ed-5539-4f4c-8b04-1dc865461365} - C:\WINDOWS\system32\dmocode.dll (file missing)

O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\ljkhff.dll",realset
O4 - HKLM\..\Run: [clcl7] C:\WINDOWS\system32\clcl7.exe

O20 - Winlogon Notify: dmocode - dmocode.dll (file missing)


------------------

Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).

---------------------

Make sure all windows are closed and run AVG Anti-Spyware 7.5. Click Scanner, then click on the Scan tab. Click Complete System Scan to begin scanning. When the scan is complete click Recommended Action and change it to Quarantine. Then click Apply all actions.

Once the scan has finished, click the Save report button, then click Save Report As. This will create a text file. Make sure you know where to find this file again.

---------------------

Please double-click Killbox.exe to run it.
Select: Delete on Reboot then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\svehost.exe
C:\WINDOWS\ljkhff.dll
C:\WINDOWS\system32\clcl7.exe


Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

------------------

Post your AVG log please, along with a new HijackThis scan. You can use separate posts if needed.

Anthony.
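The entries Anthony picks out of these logs by eye follow a few recognisable patterns: a BHO or Winlogon Notify registration whose DLL is already gone ("file missing"), a Run value that has rundll32.exe load a random-named DLL sitting in the root of C:\WINDOWS rather than in system32, a process or Run target one character away from a real Windows binary (svehost.exe for svchost.exe), a Winlogon Notify package that is not one of the stock XP ones (those DLLs load into winlogon.exe as SYSTEM before anyone logs on, which is why the file has to be queued for deletion on reboot rather than deleted live), and the tmpNN.tmp.dll BHOs typical of Vundo. The script below is an added example, not part of this thread and not HijackThis code; it applies those checks to HijackThis-format lines. The core-binary list, the Winlogon Notify allowlist, the regexes and the sample log are constructed assumptions modelled on the logs posted above, not a complete known-good database.

```python
"""Heuristic triage of HijackThis v1.99 log lines.

Added example for this thread; not part of the original posts and not
HijackThis code.  Rules, allowlists and the sample log are assumptions
modelled on the logs posted in the thread.
"""
import re

# Core binaries whose names malware imitates (assumption: a short list).
CORE_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "smss.exe", "explorer.exe", "spoolsv.exe",
}

# Winlogon Notify packages shipped with XP SP2 plus WGA (assumption; vendor
# packages such as a display driver's would need adding on a real host).
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

# Constructed sample in HijackThis format, modelled on the logs above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svehost.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {dede51ed-5539-4f4c-8b04-1dc865461365} - C:\WINDOWS\system32\dmocode.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\tmp5.tmp.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\ljkhff.dll",realset
O20 - Winlogon Notify: dmocode - C:\WINDOWS\SYSTEM32\dmocode.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str):
    """Return the core binary that `name` imitates, or None if it is genuine/unrelated."""
    name = name.lower()
    if name in CORE_BINARIES:
        return None
    for core in CORE_BINARIES:
        if edit_distance(name, core) == 1:
            return core
    return None


def classify(section: str, rest: str):
    """Apply the rules in priority order to one 'Onn - ...' entry; return a reason or None."""
    if "(file missing)" in rest:
        return "orphaned registration, target file gone"
    if section == "O4":
        # rundll32 loading a DLL that sits directly in C:\WINDOWS (not system32)
        rm = re.search(r'rundll32\.exe\s+"?([A-Za-z]:\\WINDOWS\\[^\\"]+\.dll)"?,(\w+)', rest, re.I)
        if rm:
            return f"rundll32 loads {rm.group(1)} from the Windows root via export {rm.group(2)}"
        tm = re.search(r'\\([^\\\s"]+\.exe)', rest, re.I)
        if tm and (core := lookalike(tm.group(1))):
            return f"Run target imitates {core}"
    if section == "O20":
        nm = re.match(r"Winlogon Notify: (\S+) - ", rest)
        if nm and nm.group(1).lower() not in KNOWN_NOTIFY:
            return "Winlogon Notify package outside the stock set (loads into winlogon.exe at boot)"
    if re.search(r"\btmp\d+\.tmp\.dll\b", rest, re.I):
        return "Vundo-style tmpNN.tmp.dll"
    if section == "O2" and rest.startswith("BHO: (no name)"):
        return "unnamed BHO, verify publisher"
    return None


def triage(lines):
    """Return [(line, reason)] for every log line a heuristic flags."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        # "Running processes" block: bare paths, only the basename is checked.
        if re.match(r"^[A-Za-z]:\\", line):
            core = lookalike(line.rsplit("\\", 1)[-1])
            if core:
                findings.append((line, f"process name imitates {core}"))
            continue
        m = re.match(r"^(O\d+) - (.*)$", line)
        if m:
            reason = classify(*m.groups())
            if reason:
                findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG.splitlines()):
        print(f"{reason}\n    {line}")
```

Run it against a saved HijackThis log with `triage(open("hijackthis.log").read().splitlines())`. Note what the patterns do not catch: clcl7.exe in the 4/26 log is a plain executable in system32 with an unremarkable name, and only a known-file database or an analyst recognising the Run value tells it apart from legitimate software. That is why the helper still asks for a fresh log after each round rather than trusting a single pass.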