Plz Help Me!!!!(RESOLVED)
-
I have tried all the spyware and virus removal programs to help my computer, but it is still running extremely slowly and I get pop-ups every time I go on to the internet. I can't do any work and it's driving me nuts!!! PLZ HELP ME!!
Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 18:00:05, on 27/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\csrrs.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\wmplayer\wmplayer.exe /auto
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by108fd.bay108.hotmail.msn.co...x/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: DH - C:\WINDOWS\system32\lv2609fse.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
-
Hi and welcome to DAL,
It appears you have a Look2Me/VX2 infection so.....
Please download Look2Me-Remover.exe by Atribune to your desktop.
- Close all windows before continuing.
- Double-click Look2Me-Remover.exe to run it.
- Put a check next to Run this program as a task.
- You will receive a message saying Look2Me-Remover will close and re-open in approximately 10 seconds. Click OK
- When Look2Me-Remover re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
- Once it's done scanning, click the Remove L2M button.
- You will receive a Done Scanning message, click OK.
- When completed, you will receive this message: Done removing infected files! Look2Me-Remover will now shutdown your computer, click OK.
- Your computer will then shutdown.
- Turn your computer back on.
- Please post the contents of C:\Look2Me-Remover.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.
If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new...b/MSWINSCK.OCX
-
Hi there, I managed to run the scan successfully. Here are the results.
Look2Me-Destroyer V1.0.7
Scanning for infected files.....
Scan started at 28/02/2006 17:55:02
Infected! C:\WINDOWS\system32\i4nm0e51eh.dll
Infected! C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP100\A0025921.dll
Infected! C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP100\A0025928.dll
Infected! C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP100\A0026102.dll
Infected! C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP100\A0026114.dll
Infected! C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP99\A0025812.dll
Infected! C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP99\A0025817.dll
Infected! C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP99\A0025849.dll
Infected! C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP99\A0025888.dll
Infected! C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP99\A0025894.dll
Infected! C:\WINDOWS\system32\i4nm0e51eh.dll
Infected! C:\WINDOWS\system32\mv8ql9l51.dll
Infected! C:\WINDOWS\system32\oSkley.dll
Infected! C:\WINDOWS\system32\guard.tmp
Attempting to delete infected files...
Attempting to delete: C:\WINDOWS\system32\i4nm0e51eh.dll
C:\WINDOWS\system32\i4nm0e51eh.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP100\A0025921.dll
C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP100\A0025921.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP100\A0025928.dll
C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP100\A0025928.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP100\A0026102.dll
C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP100\A0026102.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP100\A0026114.dll
C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP100\A0026114.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP99\A0025812.dll
C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP99\A0025812.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP99\A0025817.dll
C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP99\A0025817.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP99\A0025849.dll
C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP99\A0025849.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP99\A0025888.dll
C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP99\A0025888.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP99\A0025894.dll
C:\System Volume Information\_restore{C6BED097-2B01-4377-A855-58AF73DFC380}\RP99\A0025894.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\i4nm0e51eh.dll
C:\WINDOWS\system32\i4nm0e51eh.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\mv8ql9l51.dll
C:\WINDOWS\system32\mv8ql9l51.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\oSkley.dll
C:\WINDOWS\system32\oSkley.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp Deleted successfully!
Making registry repairs.
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
Here is the hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 18:04:12, on 28/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\wmplayer\wmplayer.exe /auto
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by108fd.bay108.hotmail.msn.co...x/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
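The before/after comparison that a second HijackThis log makes possible, as an added example (not part of the original posts and not code from HijackThis or Look2Me-Remover). The two excerpts are abridged from the logs posted above; the stray space in the first R1 line is constructed to show how forum line-breaking is ignored, and all function names are hypothetical.

```python
import re

# HijackThis section codes: R0-R3, F0-F3, N1-N4, O1-O24, then " - " and the entry.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

# Abridged from the 27/02/2006 log in this thread (before the removal tool ran).
BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 18:00:05, on 27/02/2006
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\csrrs.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O20 - Winlogon Notify: DH - C:\WINDOWS\system32\lv2609fse.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Abridged from the 28/02/2006 log in this thread (after the removal tool ran).
AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 18:04:12, on 28/02/2006
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""


def parse_hjt(text):
    """Return (running_processes, coded_entries) from a HijackThis 1.99.x log."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # coded entries follow the process list
            entries.append((match.group(1), match.group(2)))
        elif in_processes:
            processes.append(line)
    return processes, entries


def _norm(value):
    # Windows paths and registry names are case-insensitive, and forum software
    # can break long tokens with a stray space, so compare without either.
    return re.sub(r"\s+", "", value).casefold()


def _only_in(first, second, key):
    """Items of `first` with no counterpart in `second`, in original order."""
    seen = {key(item) for item in second}
    out = []
    for item in first:
        if key(item) not in seen and item not in out:
            out.append(item)
    return out


def diff_logs(before, after):
    """Summarise what changed between two HijackThis logs of the same machine."""
    before_procs, before_entries = parse_hjt(before)
    after_procs, after_entries = parse_hjt(after)

    def entry_key(entry):
        return (entry[0], _norm(entry[1]))

    after_keys = {entry_key(e) for e in after_entries}
    return {
        "processes_gone": _only_in(before_procs, after_procs, _norm),
        "processes_new": _only_in(after_procs, before_procs, _norm),
        "entries_gone": _only_in(before_entries, after_entries, entry_key),
        "entries_new": _only_in(after_entries, before_entries, entry_key),
        # Entries that survived the clean-up and still need a decision.
        "entries_kept": [e for e in before_entries if entry_key(e) in after_keys],
    }


if __name__ == "__main__":
    for section, items in diff_logs(BEFORE, AFTER).items():
        print(section)
        for item in items:
            print("   ", item if isinstance(item, str) else " - ".join(item))
```

On these excerpts the only coded entry that disappears is the O20 Winlogon Notify line, while both `[csr]` autostart entries are reported as kept even though `csrrs.exe` is no longer in the process list.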
-
Hi and nice job.
Let's see what some virus scans can uncover and we will go from there.
Get the stinger here:
http://vil.nai.com/vil/stinger/
Download it to another computer if need be, and bring it to the affected computer on floppy disk.
It will kill the top 53 virus files if any are found there
then,
Internet Explorer required
www.pandasoftware.com/activescan/
Please run this online virus scan: ActiveScan
* Once you are on the Panda site click the Scan your PC button
* A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send (*NOTE: it's perfectly safe to do so. You will NOT be spammed from this)
- Select either Home User or Company
* Click the big Scan Now button
* If/when you get a notice that Panda wants to install an ActiveX component allow it
* It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
* When download is complete, click on Local Disks to start the scan
* When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop and post it back here please.
Thanks
-
Hey, I ran the Stinger scan but it didn't detect any viruses so that's one good sign! Here are the results of the panda scan. Thank you!
Incident Status Location
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Lauren\Cookies\lauren@112.2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Lauren\Cookies\lauren@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Lauren\Cookies\lauren@adopt.hbmediapro[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Lauren\Cookies\lauren@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Lauren\Cookies\lauren@atdmt[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Lauren\Cookies\lauren@belnk[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Lauren\Cookies\lauren@burstnet[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Lauren\Cookies\lauren@ccbill[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Lauren\Cookies\lauren@com[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Lauren\Cookies\lauren@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Lauren\Cookies\lauren@doubleclick[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Lauren\Cookies\lauren@go[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Lauren\Cookies\lauren@i.screensavers[1].txt
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Lauren\Cookies\lauren@microsoftwga.112.2o7[1].txt
Spyware:Cookie/Outster Not disinfected C:\Documents and Settings\Lauren\Cookies\lauren@outster[2].txt
Spyware:Cookie/Paypopup Not disinfected C:\Documents and Settings\Lauren\Cookies\lauren@paypopup[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Lauren\Cookies\lauren@rn11[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Lauren\Cookies\lauren@stats1.reliablestats[2].txt
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Lauren\Cookies\lauren@valueclick[2].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Lauren\Cookies\lauren@winfixer[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Lauren\Cookies\lauren@www.burstbeacon[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Lauren\Cookies\lauren@xmts[1].txt
Hacktool:Hacktool/MSNpass.B Not disinfected C:\Documents and Settings\Lauren\im.exe
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Lauren\Local Settings\Temp\Cookies\lauren@ad.yieldmanager[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Lauren\Local Settings\Temp\Cookies\lauren@adopt.hbmediapro[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Lauren\Local Settings\Temp\Cookies\lauren@azjmp[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Lauren\Local Settings\Temp\Cookies\lauren@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Lauren\Local Settings\Temp\Cookies\lauren@dist.belnk[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Lauren\Local Settings\Temp\Cookies\lauren@stats1.reliablestats[2].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Lauren\Local Settings\Temp\Cookies\lauren@xmts[1].txt
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Lauren\Local Settings\Temporary Internet Files\Content.IE5\ELWBU9U5\drsmartload[1].exe
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Lauren\Local Settings\Temporary Internet Files\Content.IE5\ODOPINGL\gimmygames11[1].exe
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\Lauren\Local Settings\Temporary Internet Files\Content.IE5\ODOPINGL\stubNsbg[1].exe
Adware:Adware/BroadcastPC Not disinfected C:\Documents and Settings\Lauren\Local Settings\Temporary Internet Files\Content.IE5\ZEWFJTWD\DR21206[1].exe
Hacktool:Hacktool/Passview.E Not disinfected C:\Documents and Settings\Lauren\pwha.exe
Adware:Adware/BroadcastPC Not disinfected C:\DR21206.exe
Adware:Adware/DollarRevenue Not disinfected C:\drsmartload1.exe
Adware:Adware/DollarRevenue Not disinfected C:\gimmygames11.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\gimmygames11.exe
Spyware:Cookie/888 Not disinfected C:\WINDOWS\Temp\Cookies\lauren@888[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\Temp\Cookies\lauren@ad.yieldmanager[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\WINDOWS\Temp\Cookies\lauren@adopt.hbmediapro[2].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Temp\Cookies\lauren@belnk[1].txt
Spyware:Cookie/Cassava Not disinfected C:\WINDOWS\Temp\Cookies\lauren@cassava[1].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Temp\Cookies\lauren@dist.belnk[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\WINDOWS\Temp\Cookies\lauren@i.screensavers[2].txt
Spyware:Cookie/Paypopup Not disinfected C:\WINDOWS\Temp\Cookies\lauren@paypopup[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\WINDOWS\Temp\Cookies\lauren@rn11[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\WINDOWS\Temp\Cookies\lauren@stats1.reliablestats[1].txt
Spyware:Cookie/WinFixer Not disinfected C:\WINDOWS\Temp\Cookies\lauren@winfixer[1].txt
Spyware:Cookie/Xiti Not disinfected C:\WINDOWS\Temp\Cookies\lauren@xiti[1].txt
-
Thanks for the logs.
Go here to learn how to show hidden files/folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
- Double-click ATF-Cleaner.exe to run the program.
- Under Main check all EXCEPT COOKIES
- Click the Empty Selected button.
If you use Firefox browser:
- Click Firefox at the top and check everything EXCEPT FIREFOX COOKIES AND FIREFOX SAVED PASSWORDS
- Click the Empty Selected button.
If you use Opera browser:
- Click Opera at the top and check everything EXCEPT COOKIES AND SAVED PASSWORDS
- Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select safe mode and press Enter.
Search for and delete ALL FOLDER occurrences of Content.ie5 to clean up all 'Temporary Internet Files' content.
Hunt for and delete if present:
C:\Documents and Settings\Lauren\im.exe < file
C:\Documents and Settings\Lauren\pwha.exe < file
C:\DR21206.exe < file
C:\drsmartload1.exe < file
C:\WINDOWS\gimmygames11.exe < file
Then....
Please download, install, and update the NEW free version of Ewido trojan scanner:
- When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
- From the main ewido screen, click on update in the left menu, then click the Start update button.
- After the update finishes (the status bar at the bottom will display "Update successful")
- Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
- If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
- When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Post the log Ewido makes back here please and a new hijackthis log please.
-
Hello, I managed to run the scans but I couldn't delete Content.IE5. I'm having a lot of trouble with programs not responding. Plz could u help me. Here are the logs:
--------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 02:45:12, 03/03/2006
+ Report-Checksum: 1617C39C
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{6001CDF7-6F45-471b-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2296428D-C133-4928-B76A-A200FF409572} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-3018332914-1052143815-2092372733-1006\Software\DNS -> Adware.Shorty : Cleaned with backup
HKU\S-1-5-21-3018332914-1052143815-2092372733-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2296428D-C133-4928-B76A-A200FF409572} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-3018332914-1052143815-2092372733-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2296428D-C133-4928-B76A-A200FF409572} -> Adware.Generic : Cleaned with backup
C:\Documents and Settings\Lauren\Cookies\lauren@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Program Files\Network\ipnetwork.exe -> Adware.Maxifiles : Cleaned with backup
C:\Program Files\Network\network.exe -> Adware.Maxifiles : Cleaned with backup
::Report End
This is the hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 02:51:25, on 03/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\wmplayer\wmplayer.exe /auto
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by108fd.bay108.hotmail.msn.co...x/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
Thank you sooo much for helping me out.
-
Hi let's continue,
Go here to learn how to show hidden files/folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5
Download Clean.bat to your desktop (Save page as or Save as) for later use to clean out your TEMPORARY and PREFETCH files.
http://www.thatcomputerguy.us/downloads/clean.bat
Please download Brute Force Uninstaller©Merijn.
Unzip it to its own folder (c:\BFU)
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU).
Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by double-clicking BFU.exe
In the scriptline to execute field copy and paste c:\bfu\p2pnetwork.bfu
Press execute and let it do its job.
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Then please run HijackThis, click Scan, and check the following:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\wmplayer\wmplayer.exe /auto
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
Close all open windows and click Fix Checked.
Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select safe mode and press enter.
Hunt for and delete if present:
C:\Program Files\wmplayer < folder---not windows media player
C:\Program Files\outlook < folder---be careful of the spelling not outlook express
csrrs.exe < file
Now run that clean batch file you created earlier, type in 'Y' a couple of times and press enter at the prompts.
Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal Start
Post a new HJT log for further review.
Also try to delete the content.IE5 folders again.
Post a new hijackthis log.
Last edited by Neal; 03-03-2006 at 05:46 AM.
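Added example (not part of the original thread and not any poster's code): a small Python check that parses the registry O4 autorun lines from a HijackThis log and flags the two patterns singled out in the reply above, a file name one character away from a core Windows process (csrrs.exe vs csrss.exe) and a well-known binary started from an unusual folder. The function names, `SYSTEM_NAMES` and `EXPECTED_DIRS` are assumptions made for the illustration.

```python
import ntpath
import re

# Constructed sample: O4 autorun lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\wmplayer\wmplayer.exe /auto
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
"""
# Assumed reference data (not from the thread): core Windows process names and
# the folder each well-known binary is normally installed under.
SYSTEM_NAMES = {"csrss.exe", "lsass.exe", "smss.exe", "svchost.exe",
                "services.exe", "winlogon.exe", "spoolsv.exe", "explorer.exe"}
EXPECTED_DIRS = {"wmplayer.exe": "windows media player",
                 "outlook.exe": "microsoft office"}
# Only registry-based O4 entries are parsed; "Global Startup" lines are skipped.
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.exe)', re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_autoruns(log_text):
    """Return (registry key, file name, reason) for each suspicious O4 entry."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        exe = EXE_RE.match(m["cmd"]) if m else None
        if not exe:
            continue
        path = (exe.group(1) or exe.group(2)).lower()
        base, folder = ntpath.basename(path), ntpath.dirname(path)
        for real in sorted(SYSTEM_NAMES):
            if edit_distance(base, real) == 1:  # near miss, never an exact match
                findings.append((m["key"], base, f"lookalike of {real}"))
        # A bare file name has no folder to compare, so only full paths are checked.
        if folder and base in EXPECTED_DIRS and EXPECTED_DIRS[base] not in folder:
            findings.append((m["key"], base, f"unexpected folder {folder}"))
    return findings

if __name__ == "__main__":
    for finding in review_autoruns(SAMPLE_LOG):
        print(finding)
```

A hit only marks an entry for manual review; the file itself still has to be inspected before anything is removed.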
-
I'm not really sure how successful I have been with what you have asked me to do. I was still unable to find and delete the content.ie5.
Here is the hijack this logfile:
Logfile of HijackThis v1.99.1
Scan saved at 13:22:45, on 06/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by108fd.bay108.hotmail.msn.co...x/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
-
You've done an excellent job.
How is your computer behaving now?