221

hijacklog i jusdt got
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:47:48 PM, on 11/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\keyexp\KEYEXP.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll

222

O4 - HKLM..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [HPHUPD06] c:\Program Files\HP{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM..\Run: [Reminder] “C:\Windows\Creator\Remind_XP.exe”
O4 - HKLM..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM..\Run: [AOL Spyware Protection] “C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe”
O4 - HKLM..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1158686903\ee\AOLSoftware.exe
O4 - HKLM..\Run: [ProfileWatcher] C:\Program Files\ProfileWatcher\profilewatcher.exe
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [COMODO Firewall Pro] “C:\Program Files\Comodo\Firewall\CPF.exe” /background
O4 - HKLM..\Run: [d43d865d] rundll32.exe “C:\WINDOWS\system32\qcjsefif.dll”,b
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU..\Run: [LogitechSoftwareUpdate] “C:\Program Files\Logitech\Video\ManifestEngine.exe” boot
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe
O4 - HKCU..\Run: [Yahoo! Pager] “C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE” -quiet
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Keyboard Express 2000.lnk = C:\Program Files\keyexp\KEYEXP.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add To HP Organize… - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {112857FE-03FF-11D5-9A3F-0080C8D85044} (GameDesire Solitaires) - http://67.15.101.3/g_bin/eng/solitaire_2_0_0_28.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.33/g_bin/eng/cards_2_0_0_75.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.33/g_bin/eng/boards_2_0_0_34.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167880678454
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab55579.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.33/g_bin/eng/mahjong_2_0_0_29.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Program Files\InterMute\SpySubtract\CWShredder.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


End of file - 10302 bytes

223

Okay kill the files then post a new DSS log.

224

your not going to like this … this is the log from the moveit
DllUnregisterServer procedure not found in C:\WINDOWS\system32\vtuvvuv.dll
C:\WINDOWS\system32\vtuvvuv.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\vtuvvuv.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\mljjg.dll
C:\WINDOWS\system32\mljjg.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\mljjg.dll scheduled to be moved on reboot.
File/Folder not found.

Created on 11/05/2007 19:56:21

225

here is the dds
Deckard’s System Scanner v20071014.68
Run by HP_Owner on 2007-11-05 20:03:29
Computer is in Normal Mode.

Total Physical Memory: 504 MiB (512 MiB recommended).

– HijackThis (run as HP_Owner.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:03:38 PM, on 11/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\keyexp\KEYEXP.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Documents and Settings\HP_Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP_Owner.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {37AA797F-4221-44D7-A0DE-E859E65A8028} - (no file)
O2 - BHO: (no name) - {5E04F07E-7FFC-45B3-A374-37607849CF88} - C:\Program Files\NetMeeting\horewodeC:\DOCUME~1\HP_Owner\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\vtuvvuv.dll
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - (no file)
O2 - BHO: (no name) - {A86E21D4-5EC1-4942-8EE6-8AE996492206} - C:\WINDOWS\system32\mljjg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: {168d632e-a710-e7db-4744-5d4c856b38ee} - {ee83b658-c4d5-4474-bd7e-017ae236d861} - C:\WINDOWS\system32\rfnpgdds.dll
O2 - BHO: (no name) - {FCA2FF4F-FB29-46B7-BBC8-754A87CD1303} - C:\Program Files\NetMeeting\horewodeC:\WINDOWS\system32\g2\caws83122.exe.dll (file missing)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll

226

O4 - HKLM..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [HPHUPD06] c:\Program Files\HP{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM..\Run: [Reminder] “C:\Windows\Creator\Remind_XP.exe”
O4 - HKLM..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM..\Run: [AOL Spyware Protection] “C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe”
O4 - HKLM..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1158686903\ee\AOLSoftware.exe
O4 - HKLM..\Run: [ProfileWatcher] C:\Program Files\ProfileWatcher\profilewatcher.exe
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [COMODO Firewall Pro] “C:\Program Files\Comodo\Firewall\CPF.exe” /background
O4 - HKLM..\Run: [d43d865d] rundll32.exe “C:\WINDOWS\system32\qcjsefif.dll”,b
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU..\Run: [LogitechSoftwareUpdate] “C:\Program Files\Logitech\Video\ManifestEngine.exe” boot
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe
O4 - HKCU..\Run: [Yahoo! Pager] “C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE” -quiet
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Keyboard Express 2000.lnk = C:\Program Files\keyexp\KEYEXP.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add To HP Organize… - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {112857FE-03FF-11D5-9A3F-0080C8D85044} (GameDesire Solitaires) - http://67.15.101.3/g_bin/eng/solitaire_2_0_0_28.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.33/g_bin/eng/cards_2_0_0_75.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.33/g_bin/eng/boards_2_0_0_34.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167880678454
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab55579.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.33/g_bin/eng/mahjong_2_0_0_29.cab

227

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vtuvvuv - C:\WINDOWS\SYSTEM32\vtuvvuv.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Program Files\InterMute\SpySubtract\CWShredder.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


End of file - 13040 bytes

– Files created between 2007-10-05 and 2007-11-05 -----------------------------

2007-11-05 19:31:04 85568 --a------ C:\WINDOWS\system32\qcjsefif.dll
2007-11-05 19:28:31 83008 --a------ C:\WINDOWS\system32\rfnpgdds.dll
2007-11-05 19:26:28 381184 —hs---- C:\WINDOWS\system32\gjjlm.bak2
2007-11-05 16:01:27 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Comodo
2007-11-05 08:40:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2007-11-05 08:29:46 0 d-------- C:\Program Files\Comodo
2007-11-05 04:56:26 325216 --a------ C:\WINDOWS\system32\mljjg.dll
2007-11-04 12:09:59 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-04 12:09:59 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-11-04 12:09:59 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-11-04 12:09:59 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-11-04 06:52:15 36352 --a------ C:\WINDOWS\system32\vtuvvuv.dll
2007-11-02 10:00:03 0 d-------- C:\Program Files\Trend Micro
2007-11-01 21:40:00 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-01 21:39:12 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-11-01 21:39:11 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\SUPERAntiSpyware.com
2007-11-01 21:36:47 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-28 11:13:33 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Move Networks
2007-10-27 08:16:29 5029888 --a------ C:\Documents and Settings\HP_Owner\ntuser.dat
2007-10-22 06:01:37 0 d-------- C:\Temp
2007-10-19 17:28:35 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Yahoo!
2007-10-19 17:28:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-19 17:26:38 0 d-------- C:\Program Files\Yahoo!

228

– Find3M Report ---------------------------------------------------------------

2007-11-05 16:02:47 0 d-------- C:\Program Files\Pure Networks
2007-11-04 21:07:03 0 d-a------ C:\Program Files\Common Files
2007-11-04 12:10:49 6238 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-03 21:37:48 0 d-------- C:\Program Files\Java
2007-11-02 17:13:09 3645 --a------ C:\WINDOWS\viassary-hp.reg
2007-11-02 10:31:22 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\WeatherBug
2007-10-26 15:36:21 0 --a------ C:\Documents and Settings\HP_Owner\Application Data\WGC_Client Preferences
2007-10-22 06:10:26 0 d-------- C:\Program Files\Windows Live Safety Center
2007-09-24 18:44:55 0 d-------- C:\Program Files\America Online 9.0
2007-09-23 20:43:28 0 d-------- C:\Program Files\MSN Gaming Zone
2007-09-12 22:16:11 0 d-------- C:\Program Files\Panicware

– Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{00000012-890e-4aac-afd9-eff6954a34dd}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{06dfedaa-6196-11d5-bfc8-00508b4a487d}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{37AA797F-4221-44D7-A0DE-E859E65A8028}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{5E04F07E-7FFC-45B3-A374-37607849CF88}]
C:\Program Files\NetMeeting\horewodeC:\DOCUME~1\HP_Owner\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{634BBAB7-3F60-4426-944F-A62B9007F67F}]
11/04/2007 06:52 AM 36352 --a------ C:\WINDOWS\system32\vtuvvuv.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{A6E432B4-D4C2-43B3-BF55-C364F8F7362A}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{A86E21D4-5EC1-4942-8EE6-8AE996492206}]
11/05/2007 04:56 AM 325216 --a------ C:\WINDOWS\system32\mljjg.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{ee83b658-c4d5-4474-bd7e-017ae236d861}]
11/05/2007 07:28 PM 83008 --a------ C:\WINDOWS\system32\rfnpgdds.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{FCA2FF4F-FB29-46B7-BBC8-754A87CD1303}]
C:\Program Files\NetMeeting\horewodeC:\WINDOWS\system32\g2\caws83122.exe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“hpsysdrv”=“c:\windows\system\hpsysdrv.exe” [05/07/1998 03:04 PM]
“HotKeysCmds”=“C:\WINDOWS\system32\hkcmd.exe” [11/02/2004 02:59 PM]
“AGRSMMSG”=“AGRSMMSG.exe” [06/29/2004 04:06 PM C:\WINDOWS\AGRSMMSG.exe]
“HPHUPD06”=“c:\Program Files\HP{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe” [06/07/2004 05:53 PM]
“HPHmon06”=“C:\WINDOWS\system32\hphmon06.exe” [06/07/2004 05:42 PM]
“KBD”=“C:\HP\KBD\KBD.EXE” [02/11/2003 06:02 PM]
“TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [02/15/2005 09:09 AM]
“Recguard”=“C:\WINDOWS\SMINST\RECGUARD.EXE” [04/14/2004 07:43 PM]
“AlcxMonitor”=“ALCXMNTR.EXE” [09/07/2004 07:47 PM C:\WINDOWS\ALCXMNTR.EXE]
“PS2”=“C:\WINDOWS\system32\ps2.exe” [10/25/2004 08:17 PM]
“LSBWatcher”=“c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe” [10/14/2004 08:54 PM]
“Reminder”=“C:\Windows\Creator\Remind_XP.exe” [12/14/2004 01:23 AM]
“Share-to-Web Namespace Daemon”=“C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe” [07/03/2001 09:11 AM]
“AOLDialer”=“C:\Program Files\Common Files\AOL\ACS\AOLDial.exe” [10/23/2006 04:50 AM]
“AOL Spyware Protection”=“C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe” [10/18/2004 03:42 PM]
“LVCOMSX”=“C:\WINDOWS\system32\LVCOMSX.EXE” [07/19/2005 04:32 PM]
“LogitechVideoRepair”=“C:\Program Files\Logitech\Video\ISStart.exe” [06/08/2005 02:24 PM]
“LogitechVideoTray”=“C:\Program Files\Logitech\Video\LogiTray.exe” [06/08/2005 02:14 PM]
“UserFaultCheck”=“C:\WINDOWS\system32\dumprep 0 -u”
“HostManager”=“C:\Program Files\Common Files\AOL\1158686903\ee\AOLSoftware.exe” [09/25/2006 04:52 PM]
“ProfileWatcher”=“C:\Program Files\ProfileWatcher\profilewatcher.exe”
“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [03/14/2007 06:05 PM]
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [04/27/2007 08:41 AM]
“NapsterShell”=“C:\Program Files\Napster\napster.exe”
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [09/06/2007 02:06 AM]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [09/25/2007 12:11 AM]
“COMODO Firewall Pro”=“C:\Program Files\Comodo\Firewall\CPF.exe” [11/05/2007 08:29 AM]
“d43d865d”=“C:\WINDOWS\system32\qcjsefif.dll” [11/05/2007 07:31 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [08/04/2004 10:00 AM]
“Weather”=“C:\Program Files\AWS\WeatherBug\Weather.exe” [01/06/2006 09:57 AM]
“LogitechSoftwareUpdate”=“C:\Program Files\Logitech\Video\ManifestEngine.exe” [06/08/2005 01:44 PM]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [06/09/2007 05:53 PM]
“Acme.PCHButton”=“C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe” [02/15/2005 09:25 AM]
“Yahoo! Pager”=“C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe” [08/30/2007 04:43 PM]
“SUPERAntiSpyware”=“C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe” [06/21/2007 01:06 PM]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup
Keyboard Express 2000.lnk - C:\Program Files\keyexp\KEYEXP.EXE [6/2/2006 6:35:10 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [3/17/2006 7:00:32 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11/5/2004 2:28:24 AM]
HPAiODevice(hp psc 700 series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe [4/30/2002 4:26:44 PM]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2/15/2005 9:23:13 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]
“{634BBAB7-3F60-4426-944F-A62B9007F67F}”= C:\WINDOWS\system32\vtuvvuv.dll [11/04/2007 06:52 AM 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvvuv]
vtuvvuv.dll 11/04/2007 06:52 AM 36352 C:\WINDOWS\system32\vtuvvuv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{946850c5-1e27-11d9-baf0-806d6172696f}]
AutoRun\command- D:\setup.exe

– End of Deckard’s System Scanner: finished at 2007-11-05 20:04:31 ------------

229

Something strange is going on here. Did you kill the files?

230

I am very concerned about this firewall and me… everytime i try to use the forum it makes me allow several IEXPLORE.EXE some i know are not good… ive allowed some to come on that are suspicious behavior… i can see them on a log…but if i don’t allow them it closes my internet connection down… i seen them on a lof that comodo had but i don’t know how to disallow them now… do you think this firewall is too hard for me… are there any that are for people that are computer illiterate… im not a dumb person really im not in fact i tutor jr. age kids in algebra! but the stuff here is getting to me and i am not smart about any of it… so for now i keep allowing things just so i can stay on here with you… let me know and i am getting some pop ups again… ugh!
thanks SaysSusie
PS while sending this i saw the new post… i tried to kill the files you game me did you see the moveit report… to me it looks like they could not be fouond!

231

this is the one i was referring to!

232

Okay, I think system restore is bitting us.

So do the following in the exact order

Turn off system restore

Steps to turn off System Restore

  1. Click Start, right-click My Computer, and then click Properties.
  2. In the System Properties dialog box, click the System Restore tab.
  3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
  4. Click OK.
  5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
    You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.

Do you want to turn off System Restore?
After a few moments, the System Properties dialog box closes

Reboot

Run hjt and fix If it’s there. If not you may recieve the same error you had this a.m. but we’ll worry about that later. Don’t bother posting the log from this one.

O4 - HKLM..\Run: [d43d865d] rundll32.exe “C:\WINDOWS\system32\qcjsefif.dll”,b

In otmoveit kill these

C:\WINDOWS\system32\rfnpgdds.dll
C:\WINDOWS\system32\gjjlm.bak2
C:\WINDOWS\system32\vtuvvuv.dll
C:\WINDOWS\system32\mljjg.dll

Post a new DSS log.

Ask any questions now because I need you to do this all at once with no internet.

233

new dds

Deckard’s System Scanner v20071014.68
Run by HP_Owner on 2007-11-05 21:10:12
Computer is in Normal Mode.

Total Physical Memory: 504 MiB (512 MiB recommended).

– HijackThis (run as HP_Owner.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:26 PM, on 11/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\keyexp\KEYEXP.EXE
C:\Documents and Settings\HP_Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP_Owner.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {27756381-DAAA-4DB4-8157-DB99962D3D27} - C:\WINDOWS\system32\mljjg.dll
O2 - BHO: (no name) - {37AA797F-4221-44D7-A0DE-E859E65A8028} - (no file)
O2 - BHO: (no name) - {5E04F07E-7FFC-45B3-A374-37607849CF88} - C:\Program Files\NetMeeting\horewodeC:\DOCUME~1\HP_Owner\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\vtuvvuv.dll
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: {168d632e-a710-e7db-4744-5d4c856b38ee} - {ee83b658-c4d5-4474-bd7e-017ae236d861} - C:\WINDOWS\system32\rfnpgdds.dll (file missing)
O2 - BHO: (no name) - {FCA2FF4F-FB29-46B7-BBC8-754A87CD1303} - C:\Program Files\NetMeeting\horewodeC:\WINDOWS\system32\g2\caws83122.exe.dll (file missing)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll

234

O4 - HKLM..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [HPHUPD06] c:\Program Files\HP{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM..\Run: [Reminder] “C:\Windows\Creator\Remind_XP.exe”
O4 - HKLM..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM..\Run: [AOL Spyware Protection] “C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe”
O4 - HKLM..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1158686903\ee\AOLSoftware.exe
O4 - HKLM..\Run: [ProfileWatcher] C:\Program Files\ProfileWatcher\profilewatcher.exe
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [COMODO Firewall Pro] “C:\Program Files\Comodo\Firewall\CPF.exe” /background
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU..\Run: [LogitechSoftwareUpdate] “C:\Program Files\Logitech\Video\ManifestEngine.exe” boot
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe
O4 - HKCU..\Run: [Yahoo! Pager] “C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE” -quiet
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Keyboard Express 2000.lnk = C:\Program Files\keyexp\KEYEXP.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add To HP Organize… - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {112857FE-03FF-11D5-9A3F-0080C8D85044} (GameDesire Solitaires) - http://67.15.101.3/g_bin/eng/solitaire_2_0_0_28.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.33/g_bin/eng/cards_2_0_0_75.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.33/g_bin/eng/boards_2_0_0_34.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167880678454
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab55579.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.33/g_bin/eng/mahjong_2_0_0_29.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vtuvvuv - C:\WINDOWS\SYSTEM32\vtuvvuv.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Program Files\InterMute\SpySubtract\CWShredder.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


End of file - 13008 bytes

– Files created between 2007-10-05 and 2007-11-05 -----------------------------

2007-11-05 19:31:04 85568 --a------ C:\WINDOWS\system32\qcjsefif.dll
2007-11-05 16:01:27 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Comodo
2007-11-05 08:40:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2007-11-05 08:29:46 0 d-------- C:\Program Files\Comodo
2007-11-05 04:56:26 325216 --a------ C:\WINDOWS\system32\mljjg.dll
2007-11-04 12:09:59 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-04 12:09:59 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-11-04 12:09:59 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-11-04 12:09:59 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-11-04 06:52:15 36352 --a------ C:\WINDOWS\system32\vtuvvuv.dll
2007-11-02 10:00:03 0 d-------- C:\Program Files\Trend Micro
2007-11-01 21:40:00 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-01 21:39:12 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-11-01 21:39:11 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\SUPERAntiSpyware.com
2007-11-01 21:36:47 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-28 11:13:33 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Move Networks
2007-10-27 08:16:29 5029888 --a------ C:\Documents and Settings\HP_Owner\ntuser.dat
2007-10-22 06:01:37 0 d-------- C:\Temp
2007-10-19 17:28:35 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Yahoo!
2007-10-19 17:28:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-19 17:26:38 0 d-------- C:\Program Files\Yahoo!

235

– Find3M Report ---------------------------------------------------------------

2007-11-05 16:02:47 0 d-------- C:\Program Files\Pure Networks
2007-11-04 21:07:03 0 d-a------ C:\Program Files\Common Files
2007-11-04 12:10:49 6238 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-03 21:37:48 0 d-------- C:\Program Files\Java
2007-11-02 17:13:09 3645 --a------ C:\WINDOWS\viassary-hp.reg
2007-11-02 10:31:22 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\WeatherBug
2007-10-26 15:36:21 0 --a------ C:\Documents and Settings\HP_Owner\Application Data\WGC_Client Preferences
2007-10-22 06:10:26 0 d-------- C:\Program Files\Windows Live Safety Center
2007-09-24 18:44:55 0 d-------- C:\Program Files\America Online 9.0
2007-09-23 20:43:28 0 d-------- C:\Program Files\MSN Gaming Zone
2007-09-12 22:16:11 0 d-------- C:\Program Files\Panicware

– Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{00000012-890e-4aac-afd9-eff6954a34dd}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{06dfedaa-6196-11d5-bfc8-00508b4a487d}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{27756381-DAAA-4DB4-8157-DB99962D3D27}]
11/05/2007 04:56 AM 325216 --a------ C:\WINDOWS\system32\mljjg.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{37AA797F-4221-44D7-A0DE-E859E65A8028}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{5E04F07E-7FFC-45B3-A374-37607849CF88}]
C:\Program Files\NetMeeting\horewodeC:\DOCUME~1\HP_Owner\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{634BBAB7-3F60-4426-944F-A62B9007F67F}]
11/04/2007 06:52 AM 36352 --a------ C:\WINDOWS\system32\vtuvvuv.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{A6E432B4-D4C2-43B3-BF55-C364F8F7362A}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{ee83b658-c4d5-4474-bd7e-017ae236d861}]
C:\WINDOWS\system32\rfnpgdds.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{FCA2FF4F-FB29-46B7-BBC8-754A87CD1303}]
C:\Program Files\NetMeeting\horewodeC:\WINDOWS\system32\g2\caws83122.exe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“hpsysdrv”=“c:\windows\system\hpsysdrv.exe” [05/07/1998 03:04 PM]
“HotKeysCmds”=“C:\WINDOWS\system32\hkcmd.exe” [11/02/2004 02:59 PM]
“AGRSMMSG”=“AGRSMMSG.exe” [06/29/2004 04:06 PM C:\WINDOWS\AGRSMMSG.exe]
“HPHUPD06”=“c:\Program Files\HP{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe” [06/07/2004 05:53 PM]
“HPHmon06”=“C:\WINDOWS\system32\hphmon06.exe” [06/07/2004 05:42 PM]
“KBD”=“C:\HP\KBD\KBD.EXE” [02/11/2003 06:02 PM]
“TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [02/15/2005 09:09 AM]
“Recguard”=“C:\WINDOWS\SMINST\RECGUARD.EXE” [04/14/2004 07:43 PM]
“AlcxMonitor”=“ALCXMNTR.EXE” [09/07/2004 07:47 PM C:\WINDOWS\ALCXMNTR.EXE]
“PS2”=“C:\WINDOWS\system32\ps2.exe” [10/25/2004 08:17 PM]
“LSBWatcher”=“c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe” [10/14/2004 08:54 PM]
“Reminder”=“C:\Windows\Creator\Remind_XP.exe” [12/14/2004 01:23 AM]
“Share-to-Web Namespace Daemon”=“C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe” [07/03/2001 09:11 AM]
“AOLDialer”=“C:\Program Files\Common Files\AOL\ACS\AOLDial.exe” [10/23/2006 04:50 AM]
“AOL Spyware Protection”=“C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe” [10/18/2004 03:42 PM]
“LVCOMSX”=“C:\WINDOWS\system32\LVCOMSX.EXE” [07/19/2005 04:32 PM]
“LogitechVideoRepair”=“C:\Program Files\Logitech\Video\ISStart.exe” [06/08/2005 02:24 PM]
“LogitechVideoTray”=“C:\Program Files\Logitech\Video\LogiTray.exe” [06/08/2005 02:14 PM]
“UserFaultCheck”=“C:\WINDOWS\system32\dumprep 0 -u”
“HostManager”=“C:\Program Files\Common Files\AOL\1158686903\ee\AOLSoftware.exe” [09/25/2006 04:52 PM]
“ProfileWatcher”=“C:\Program Files\ProfileWatcher\profilewatcher.exe”
“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [03/14/2007 06:05 PM]
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [04/27/2007 08:41 AM]
“NapsterShell”=“C:\Program Files\Napster\napster.exe”
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [09/06/2007 02:06 AM]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [09/25/2007 12:11 AM]
“COMODO Firewall Pro”=“C:\Program Files\Comodo\Firewall\CPF.exe” [11/05/2007 08:29 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [08/04/2004 10:00 AM]
“Weather”=“C:\Program Files\AWS\WeatherBug\Weather.exe” [01/06/2006 09:57 AM]
“LogitechSoftwareUpdate”=“C:\Program Files\Logitech\Video\ManifestEngine.exe” [06/08/2005 01:44 PM]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [06/09/2007 05:53 PM]
“Acme.PCHButton”=“C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe” [02/15/2005 09:25 AM]
“Yahoo! Pager”=“C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe” [08/30/2007 04:43 PM]
“SUPERAntiSpyware”=“C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe” [06/21/2007 01:06 PM]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup
Keyboard Express 2000.lnk - C:\Program Files\keyexp\KEYEXP.EXE [6/2/2006 6:35:10 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [3/17/2006 7:00:32 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11/5/2004 2:28:24 AM]
HPAiODevice(hp psc 700 series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe [4/30/2002 4:26:44 PM]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2/15/2005 9:23:13 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]
“{634BBAB7-3F60-4426-944F-A62B9007F67F}”= C:\WINDOWS\system32\vtuvvuv.dll [11/04/2007 06:52 AM 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvvuv]
vtuvvuv.dll 11/04/2007 06:52 AM 36352 C:\WINDOWS\system32\vtuvvuv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{946850c5-1e27-11d9-baf0-806d6172696f}]
AutoRun\command- D:\setup.exe

– End of Deckard’s System Scanner: finished at 2007-11-05 21:11:24 ------------

236

I need you to into windows explorer and find this file

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

To get there click the + beside the c:
click the + beside program files folder
click the + beside Trend Micro
click the + beside HijackThis

in the right hand panel, find hijackthis.exe
right click on it, select rename
in the box that appears on the file name type sasiesusie.exe

I think we ran into the granddaddy and he’s hiding from hjt. the coward. You can stay on line with me to do this. When you are done confirm that the new name is there. Leave windows explorer open for now.

237

ok the one i see in program files is renamed sasiesusie.exe. The one out on my desktop is still called highjacksusie… should that have changed as well? did i need to reboot? and im sooo ashamed of that Granddaddy… what a bad boy!
let me know
tytytyty hugs
Sasy or is it susie do i even know anymore! lol

238

Are you looking in the right hand panel, because the logs ar comming out as hijackthis.exe

239

i did the steps you game me just now… and when i went back there it said sasiesusie.exe but i still see it as hijacksusie on the desktop… but yes i did go to c:
program files folder
trend micro
hijackthis
hijackthis exe.
i renamed it
i went back and check again and yess when i get to program files/trendmicro/hijackthis on the right i see highjack this is renamed… but as i said above the one on the desktop had not changed names…am i confusing you again!

240

would it change if i rebooted? or does the desktop icon matter that it says something different?