# Solved: Virus Found Lop



## amf0802 (Oct 7, 2007)

Ok, I get at least 5 or 6 notifications a day from AVG antivirus saying a virus was found, and I move it to the virus vault. It's a new .dll every time, but typically similar names (some include mlljg.dll, mllji.dll, awtss.dll, or vtuurrr.dll). When AVG comes up, it says *.dll is infected, and at the bottom it says 'Virus Found Lop'.

I read a lot about the MSN messenger virus that people are getting, and I got something similar through AIM, about 'check out this picture of us oh photobucket' that I clicked.

Either way, I have had at least 5 of these messages a day from AVG since I opened that link. Any and all help is gratefully accepted, thanks! Here is my HJT log, I will be away for a few hours and will check when I get back:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:42:32 PM, on 10/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TuneUp Utilities 2007\MemOptimizer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system\mgrsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {521EF0DE-EC32-4FC4-8AA9-7CBB88108ED1} - C:\WINDOWS\system32\urqppnl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {ECA44585-5A2C-4241-93DC-92891719388B} - (no file)
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2007\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM (R) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1185414716843
O17 - HKLM\System\CCS\Services\Tcpip\..\{0CFC8578-D742-4725-AB44-B2C989B680AE}: NameServer = 10.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0CFC8578-D742-4725-AB44-B2C989B680AE}: NameServer = 10.0.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0CFC8578-D742-4725-AB44-B2C989B680AE}: NameServer = 10.0.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cbxusrr - C:\WINDOWS\SYSTEM32\cbxusrr.dll
O20 - Winlogon Notify: khfdebc - C:\WINDOWS\SYSTEM32\khfdebc.dll
O20 - Winlogon Notify: rqrqppo - C:\WINDOWS\SYSTEM32\rqrqppo.dll
O20 - Winlogon Notify: urqppnl - C:\WINDOWS\SYSTEM32\urqppnl.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel Input Service (IISLvc) - Unknown owner - C:\WINDOWS\system\mgrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6391 bytes


----------



## MFDnNC (Sep 7, 2004)

*NOTE: If you have downloaded ComboFix previously please delete that version and download it again!*

Download this file :

http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. *Post that log* 

Note: 
Do not mouseclick combofix's window while its running. That may cause it to stall

=====================
Download Superantispyware (SAS) free home version

http://www.superantispyware.com/superantispywarefreevspro.html

Install it and double-click the icon on your desktop to run it.
- It will ask if you want to update the program definitions, click Yes.
- Under Configuration and Preferences, click the Preferences button.
- Click the Scanning Control tab.
- Under Scanner Options make sure the following are checked:
  - Close browsers before scanning
  - Scan for tracking cookies
  - Terminate memory threats before quarantining.
  - Please leave the others as they were.
  - Click the Close button to leave the control center screen.
- On the main screen, under Scan for Harmful Software click Scan your computer.
- On the left check C:\Fixed Drive.
- On the right, under Complete Scan, choose Perform Complete Scan.
- Click Next to start the scan. Please be patient while it scans your computer.
- After the scan is complete a summary box will appear. Click OK.
- Make sure everything in the white box has a check next to it, then click Next.
- It will quarantine what it found and if it asks if you want to reboot, click Yes.
- To retrieve the removal information for me please do the following:
  - After reboot, double-click the SUPERAntispyware icon on your desktop.
  - Click Preferences. Click the Statistics/Logs tab.
  - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  - It will open in your default text editor (such as Notepad/Wordpad).
  - Please highlight everything in the notepad, then right-click and choose copy.
- Click close and close again to exit the program.
- *Please paste that information here for me regardless of what it finds with a new HijackThis log*.

This will take some time!!!!!!!!


----------



## amf0802 (Oct 7, 2007)

Thank you for all the help MFDnNC, I notice you are from the Piedmont. I am originally from Greenville, NC and I have lots of friends from the Durham/Chapel Hill area. Either way, here is the ComboFix log, I will be back on shortly with the SAS and HJT log.

ComboFix 07-10-08.3 - Adam 2007-10-07 22:52:35.1 - NTFSx86 
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.418 [GMT -4:00]
Running from: C:\Documents and Settings\Adam\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\gjllm.bak1
C:\WINDOWS\system32\gjllm.bak2
C:\WINDOWS\system32\gjllm.ini
C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\pskill.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-08 to 2007-10-08 )))))))))))))))))))))))))))))))
.

2007-10-07 22:51	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-10-07 22:48	34,816	--a------	C:\WINDOWS\system32\ljjhijk.dll
2007-10-07 21:14	34,816	--a------	C:\WINDOWS\system32\urqrstq.dll
2007-10-07 19:05	34,816	--a------	C:\WINDOWS\system32\pmnnlmn.dll
2007-10-07 18:32 d--------	C:\Program Files\Trend Micro
2007-10-07 18:22 d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-07 18:21 d--------	C:\Program Files\SUPERAntiSpyware
2007-10-07 18:21 d--------	C:\Documents and Settings\Adam\Application Data\SUPERAntiSpyware.com
2007-10-07 18:18 d--------	C:\VundoFix Backups
2007-10-06 13:40 d--------	C:\Documents and Settings\Adam\Application Data\Apple Computer
2007-10-06 13:39 d----c---	C:\WINDOWS\system32\DRVSTORE
2007-10-06 13:38 d--------	C:\Program Files\Common Files\Apple
2007-10-05 19:49	16,384	--a------	C:\gb1.exe
2007-10-05 19:40	34,816	--a------	C:\WINDOWS\system32\urqppnl.dll
2007-10-05 19:38 d--------	C:\WINDOWS\pss
2007-10-05 19:32	34,816	--a------	C:\WINDOWS\system32\khfdebc.dll
2007-10-05 19:24	34,816	--a------	C:\WINDOWS\system32\rqrqppo.dll
2007-10-05 19:19	34,816	--a------	C:\WINDOWS\system32\awtstqo.dll
2007-10-05 19:07	34,816	--a------	C:\WINDOWS\system32\cbxusrr.dll
2007-10-04 12:59 d--------	C:\Documents and Settings\Adam\Application Data\Help
2007-09-29 18:25 d--------	C:\Program Files\Apple Software Update
2007-09-29 18:25 d--------	C:\Documents and Settings\All Users\Application Data\Apple
2007-09-28 18:55	31,232	-r-hs----	C:\WINDOWS\system\mgrsvc.exe
2007-09-28 17:25 d--------	C:\Program Files\MSXML 6.0
2007-09-27 20:15 d--------	C:\Documents and Settings\Adam\Application Data\Media Player Classic
2007-09-27 11:44	81,984	--a------	C:\WINDOWS\system32\bdod.bin
2007-09-27 11:42 d--------	C:\Program Files\Common Files\BitDefender
2007-09-23 10:20	49,152	--a------	C:\WINDOWS\system32\ChCfg.exe
2007-09-23 10:19 d--------	C:\Program Files\Realtek AC97
2007-09-23 10:19 d--h-----	C:\Program Files\InstallShield Installation Information
2007-09-23 10:19	10,528,768	--a------	C:\WINDOWS\system32\RTLCPL.exe
2007-09-23 10:19	577,536	--a------	C:\WINDOWS\soundman.exe
2007-09-23 10:19	315,392	--a------	C:\WINDOWS\alcupd.exe
2007-09-23 10:19	217,088	--a------	C:\WINDOWS\Alcrmv.exe
2007-09-23 10:19	147,456	--a------	C:\WINDOWS\system32\RtlCPAPI.dll
2007-09-23 10:18 d--------	C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-09-23 09:24 d--------	C:\Program Files\Common Files\InstallShield
2007-09-23 09:24	208,896	--a------	C:\WINDOWS\system32\NVUNINST.EXE
2007-09-23 09:24	208,896	--a------	C:\WINDOWS\system32\nvudisp.exe
2007-09-23 09:23 d--------	C:\Program Files\NVidia
2007-09-20 23:56 d--------	C:\WINDOWS\nview
2007-09-10 16:23 d--------	C:\WINDOWS\SxsCaPendDel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 22:57	34816	--a------	C:\WINDOWS\system32\ljjgebc.dll
2007-10-07 18:20	---------	d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-10-07 12:22	---------	d--------	C:\Documents and Settings\Adam\Application Data\uTorrent
2007-09-23 11:39	---------	d--------	C:\Program Files\TuneUp Utilities 2007
2007-09-06 22:06	---------	d-a------	C:\Documents and Settings\All Users\Application Data\TEMP
2007-08-30 21:35	---------	d--------	C:\Program Files\Common Files\Deterministic Networks
2007-08-30 21:35	---------	d--------	C:\Program Files\Cisco Systems
2007-08-26 21:51	---------	d--------	C:\Program Files\QuickTime
2007-08-26 21:50	---------	d--------	C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-08-25 22:22	---------	d--------	C:\Program Files\Lavasoft
2007-08-25 22:22	---------	d--------	C:\Documents and Settings\Adam\Application Data\Lavasoft
2007-08-25 18:50	---------	d--------	C:\Program Files\uTorrent
2007-08-25 18:18	9344	--a------	C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-25 18:18	8320	--a------	C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-25 18:16	---------	d--------	C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-07-30 19:19	92504	--a------	C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19	549720	--a------	C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19	53080	--a------	C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19	43352	--a------	C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19	325976	--a------	C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19	203096	--a------	C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19	1712984	--a------	C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18	33624	--a------	C:\WINDOWS\system32\wups.dll
2007-07-30 15:50	720896	--a------	C:\WINDOWS\iun6002.exe
2007-07-26 06:39	1082880	--a------	C:\WINDOWS\system32\AutoPartNt.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{521EF0DE-EC32-4FC4-8AA9-7CBB88108ED1}]
2007-10-07 22:57	34816	--a------	C:\WINDOWS\system32\ljjgebc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ECA44585-5A2C-4241-93DC-92891719388B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-28 00:55]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"TuneUp MemOptimizer"="C:\Program Files\TuneUp Utilities 2007\MemOptimizer.exe" [2007-04-27 06:50]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{521EF0DE-EC32-4FC4-8AA9-7CBB88108ED1}"= C:\WINDOWS\system32\ljjgebc.dll [2007-10-07 22:57 34816]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxusrr] 
cbxusrr.dll 2007-10-05 19:07 34816 C:\WINDOWS\system32\cbxusrr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfdebc] 
khfdebc.dll 2007-10-05 19:32 34816 C:\WINDOWS\system32\khfdebc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjgebc] 
ljjgebc.dll 2007-10-07 22:57 34816 C:\WINDOWS\system32\ljjgebc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjhijk] 
ljjhijk.dll 2007-10-07 22:48 34816 C:\WINDOWS\system32\ljjhijk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnlmn] 
pmnnlmn.dll 2007-10-07 19:05 34816 C:\WINDOWS\system32\pmnnlmn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqppo] 
rqrqppo.dll 2007-10-05 19:24 34816 C:\WINDOWS\system32\rqrqppo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqppnl] 
urqppnl.dll 2007-10-05 19:40 34816 C:\WINDOWS\system32\urqppnl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv] 
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2007-07-27 19:48 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R2 IISLvc;Intel Input Service;"C:\WINDOWS\system\mgrsvc.exe"
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs
R3 MA311;NETGEAR Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\ma311n51.sys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2007-10-05 21:18:01 C:\WINDOWS\Tasks\1-Click Maintenance.job"
"2007-10-06 17:29:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-07 22:57:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-07 23:02:44 - machine was rebooted 
C:\ComboFix-quarantined-files.txt ... 2007-10-07 23:02
.
--- E O F ---


----------



## amf0802 (Oct 7, 2007)

I'm also adding this because I forgot to mention it in my original post. On startup, I sometimes get a RunDLL error but it doesn't say which one. It doesn't happen on every startup. I don't know if this is related, but it only started happening within the last few days. Until now I have not had a problem with Windows; this is a relatively fresh install, I reformatted in June. So I'm hoping they are related and any fix will also clear up these errors.

====================

Ok, here are the SAS and new HJT logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/07/2007 at 11:44 PM

Application Version : 3.9.1008

Core Rules Database Version : 3320
Trace Rules Database Version: 1321

Scan type : Complete Scan
Total Scan Time : 00:28:37

Memory items scanned : 386
Memory threats detected : 0
Registry items scanned : 5133
Registry threats detected : 0
File items scanned : 20066
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\Adam\Cookies\[email protected][2].txt
C:\Documents and Settings\Adam\Cookies\[email protected][1].txt

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\YAYVWVU.DLL

-----------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:07 PM, on 10/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system\mgrsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {521EF0DE-EC32-4FC4-8AA9-7CBB88108ED1} - C:\WINDOWS\system32\ljjgebc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {ECA44585-5A2C-4241-93DC-92891719388B} - (no file)
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM (R) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1185414716843
O17 - HKLM\System\CCS\Services\Tcpip\..\{0CFC8578-D742-4725-AB44-B2C989B680AE}: NameServer = 10.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0CFC8578-D742-4725-AB44-B2C989B680AE}: NameServer = 10.0.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0CFC8578-D742-4725-AB44-B2C989B680AE}: NameServer = 10.0.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cbxusrr - C:\WINDOWS\SYSTEM32\cbxusrr.dll
O20 - Winlogon Notify: khfdebc - C:\WINDOWS\SYSTEM32\khfdebc.dll
O20 - Winlogon Notify: ljjgebc - C:\WINDOWS\SYSTEM32\ljjgebc.dll
O20 - Winlogon Notify: ljjhijk - C:\WINDOWS\SYSTEM32\ljjhijk.dll
O20 - Winlogon Notify: pmnnlmn - C:\WINDOWS\SYSTEM32\pmnnlmn.dll
O20 - Winlogon Notify: rqrqppo - C:\WINDOWS\SYSTEM32\rqrqppo.dll
O20 - Winlogon Notify: urqppnl - C:\WINDOWS\SYSTEM32\urqppnl.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel Input Service (IISLvc) - Unknown owner - C:\WINDOWS\system\mgrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

-------------------------------------------------------

I would like to confirm that AVG is still popping up with the 'Virus Found Lop' message and a similar .dll file as the culprit.


----------



## amf0802 (Oct 7, 2007)

Just did an AVG scan again, and it found 8 more of those similarly named .dlls. They just keep popping up.


----------



## MFDnNC (Sep 7, 2004)

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis: mark them, close IE, click Fix checked.

O2 - BHO: (no name) - {521EF0DE-EC32-4FC4-8AA9-7CBB88108ED1} - C:\WINDOWS\system32\ljjgebc.dll

O2 - BHO: (no name) - {ECA44585-5A2C-4241-93DC-92891719388B} - (no file)

O20 - Winlogon Notify: cbxusrr - C:\WINDOWS\SYSTEM32\cbxusrr.dll
O20 - Winlogon Notify: khfdebc - C:\WINDOWS\SYSTEM32\khfdebc.dll
O20 - Winlogon Notify: ljjgebc - C:\WINDOWS\SYSTEM32\ljjgebc.dll
O20 - Winlogon Notify: ljjhijk - C:\WINDOWS\SYSTEM32\ljjhijk.dll
O20 - Winlogon Notify: pmnnlmn - C:\WINDOWS\SYSTEM32\pmnnlmn.dll
O20 - Winlogon Notify: rqrqppo - C:\WINDOWS\SYSTEM32\rqrqppo.dll
O20 - Winlogon Notify: urqppnl - C:\WINDOWS\SYSTEM32\urqppnl.dll

Download http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by DELETE ON REBOOT. In the "Full Path of File to Delete" box, copy and paste each of the following line(s) one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\system32\ljjgebc.dll
C:\WINDOWS\system32\ljjhijk.dll
C:\WINDOWS\system32\urqrstq.dll
C:\WINDOWS\system32\pmnnlmn.dll
C:\WINDOWS\system32\urqppnl.dll
C:\WINDOWS\system32\khfdebc.dll
C:\WINDOWS\system32\rqrqppo.dll
C:\WINDOWS\system32\awtstqo.dll
C:\WINDOWS\system32\cbxusrr.dll

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START > RUN > type in %temp% - OK - Edit > Select all > File > Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new hijack log from normal NOT safe mode

How are things on the PC???????????
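Added example, not code from the thread or from HijackThis or ComboFix: a Python triage script over the HijackThis O2/O20 lines and the ComboFix file lines quoted in this thread, flagging the pattern the helper singled out (nameless BHOs and Winlogon Notify packages pointing at freshly created, identically sized, randomly named DLLs in system32). The seven-letter-name rule and the identical-size rule are assumptions drawn from this thread's logs, not general signatures, and the sample log text is constructed from lines above.

```python
"""Triage helper for the HijackThis and ComboFix log formats posted in this thread.

Added example, not part of the original posts or of either tool. It flags the
Vundo-style persistence the helper told the poster to remove: randomly named
DLLs in system32 registered as nameless O2 BHOs and as O20 Winlogon Notify
packages, created within days of each other and all of identical size.
"""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# HijackThis v2.0.2 line shapes as they appear in the logs above.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
# ComboFix "Files Created" / "Find3M" file line: date time, size, attributes, path.
# ComboFix separates the fields with tabs; \s+ also accepts the spaces used below.
CF_FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+(?P<size>[\d,]+)\s+[-a-z]+\s+(?P<path>.+)$"
)
# Shape of every dropped DLL in the thread: seven lowercase letters, nothing else (assumption).
RANDOM_NAME_RE = re.compile(r"^[a-z]{7}\.dll$")

# Constructed sample built from lines quoted in the thread (not a full log).
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {521EF0DE-EC32-4FC4-8AA9-7CBB88108ED1} - C:\WINDOWS\system32\ljjgebc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {ECA44585-5A2C-4241-93DC-92891719388B} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cbxusrr - C:\WINDOWS\SYSTEM32\cbxusrr.dll
O20 - Winlogon Notify: ljjgebc - C:\WINDOWS\SYSTEM32\ljjgebc.dll
O20 - Winlogon Notify: urqppnl - C:\WINDOWS\SYSTEM32\urqppnl.dll
"""

# Constructed sample in the ComboFix file-line format (directory lines carry no size).
SAMPLE_COMBOFIX_CREATED = r"""
2007-10-07 22:57  34816    --a------  C:\WINDOWS\system32\ljjgebc.dll
2007-10-07 22:48  34,816   --a------  C:\WINDOWS\system32\ljjhijk.dll
2007-10-07 19:05  34,816   --a------  C:\WINDOWS\system32\pmnnlmn.dll
2007-10-07 18:32  d--------  C:\Program Files\Trend Micro
2007-10-05 19:40  34,816   --a------  C:\WINDOWS\system32\urqppnl.dll
2007-10-05 19:07  34,816   --a------  C:\WINDOWS\system32\cbxusrr.dll
2007-09-28 18:55  31,232   -r-hs----  C:\WINDOWS\system\mgrsvc.exe
2007-09-23 10:19  147,456  --a------  C:\WINDOWS\system32\RtlCPAPI.dll
"""


def norm(path):
    """Case-insensitive key, so the SYSTEM32 and system32 spellings of one DLL collide."""
    return str(PureWindowsPath(path)).lower()


def in_system32(path):
    return "system32" in (p.lower() for p in PureWindowsPath(path).parts)


def path_flags(path):
    """Reasons that follow from the file path alone."""
    flags = set()
    if in_system32(path) and RANDOM_NAME_RE.match(PureWindowsPath(path).name.lower()):
        flags.add("random 7-letter DLL name in system32")
    return flags


def triage(hjt_text, combofix_text=""):
    """Return {normalised path or clsid: sorted reasons} for entries worth a second look."""
    reasons = defaultdict(set)
    for line in hjt_text.splitlines():
        m = O2_RE.match(line)
        if m:
            path = m.group("path")
            if path == "(no file)":
                # Orphaned CLSID: nothing loads, but the registration should still be fixed.
                reasons["clsid " + m.group("clsid").lower()].add("orphaned BHO registration")
            elif m.group("name") == "(no name)":
                reasons[norm(path)].update({"BHO with no name"} | path_flags(path))
            # Named BHOs and "(file missing)" leftovers of uninstalled software are left alone.
            continue
        m = O20_RE.match(line)
        if m:
            flags = path_flags(m.group("path"))
            if flags:  # legitimate Notify packages (e.g. the SAS one above) carry no flags
                reasons[norm(m.group("path"))].update(flags | {"loaded by Winlogon Notify"})
    created = {}
    for line in combofix_text.splitlines():
        m = CF_FILE_RE.match(line)
        if m and m.group("path").lower().endswith(".dll"):
            created[norm(m.group("path"))] = (m.group("date"), int(m.group("size").replace(",", "")))
    # A dropper stamping out copies leaves several new system32 DLLs of the same size.
    size_counts = Counter(size for p, (_, size) in created.items() if in_system32(p))
    for p, (date, size) in created.items():
        if in_system32(p) and size_counts[size] >= 3:
            reasons[p].add(f"one of {size_counts[size]} new system32 DLLs of identical size {size}")
        if p in reasons:
            reasons[p].add(f"created {date}")
    return {k: sorted(v) for k, v in reasons.items()}


if __name__ == "__main__":
    for entry, why in sorted(triage(SAMPLE_HJT_LOG, SAMPLE_COMBOFIX_CREATED).items()):
        print(entry)
        for r in why:
            print("   -", r)
```

Run it on a full HijackThis log plus the ComboFix report and every DLL it lists is one to hand to the helper for confirmation; entries with only a "created" line or a single weak flag are leads, not verdicts.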


----------



## amf0802 (Oct 7, 2007)

Quick question before I boot to safe mode....you say to tick this in HJT and fix it:

O2 - BHO: (no name) - {521EF0DE-EC32-4FC4-8AA9-7CBB88108ED1} - C:\WINDOWS\system32\ljjgebc.dll

I go to that entry and instead of ljjgebc.dll, it is qomlmnm.dll. So should I tick that in place of the mentioned one, and then add that file to the list of the ones to delete with killbox?


----------



## MFDnNC (Sep 7, 2004)

Yes, fix that one.


----------



## amf0802 (Oct 7, 2007)

Everything seems to be running fine right now. No RunDLL errors on startup, and no notifications yet from AVG about new .dll files. I'm hoping everything is cleared up, but of course will come back if AVG finds anything else. Here is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:39:16 PM, on 10/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TuneUp Utilities 2007\MemOptimizer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2007\MemOptimizer.exe" autostart
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM (R) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1185414716843
O17 - HKLM\System\CCS\Services\Tcpip\..\{0CFC8578-D742-4725-AB44-B2C989B680AE}: NameServer = 10.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0CFC8578-D742-4725-AB44-B2C989B680AE}: NameServer = 10.0.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0CFC8578-D742-4725-AB44-B2C989B680AE}: NameServer = 10.0.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel Input Service (IISLvc) - Unknown owner - C:\WINDOWS\system\mgrsvc.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5794 bytes


----------



## amf0802 (Oct 7, 2007)

I actually had one small grievance, and I don't even know if it's related to any of the fixes done here. But whenever I hit Ctrl+Alt+Delete, the Task Manager window comes up, but now it is only the window with running processes. The toolbar that had the File, Edit, View, etc. buttons isn't there. The tabs for Processes, Applications, Performance, etc. are also not there.

It is simply the window pane that normally comes up with the processes, but no toolbar or tabs.


----------



## amf0802 (Oct 7, 2007)

Sorry to keep making new posts. I haven't had a pop-up from AVG yet, but I did a full scan and these popped up as 'Virus found lop':

C:\WINDOWS\system32\ddccd.dll
C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\ssttt.dll
C:\WINDOWS\system32\vtstq.dll


Should I go through the same process for deleting them with Killbox?


----------



## MFDnNC (Sep 7, 2004)

Yes

*If you have vundofix, remove it and get the current version*

Please download http://www.atribune.org/ccount/click.php?id=4 to C:\
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click YES, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shut down your computer; click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt, even if it does not find anything.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

*Please let Vundo finish its thing, sometimes it can take multiple passes*


----------
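
The five system32 DLL paths listed in the post above, and the VundoFix answer that follows them, match the usual Vundo/Virtumonde layout: randomly named DLLs dropped into system32 and hooked in at load points that HijackThis reports as O2 (IE browser helper objects) or O20 (Winlogon Notify). The script below is an added example for this thread, not a tool the helper used and not part of any post: it scores HJT log lines with a simple heuristic so a reviewer can pick such entries out of a long log. The sample log is constructed from the thread (the O2/O20 wrappers around the poster's DLL paths and the all-zero CLSID are placeholders; the other lines are copied from the posted log), the vowel-ratio threshold and the allowlist are assumptions, and a hit only means "inspect this entry", never "this is malware".

```python
"""Triage HijackThis (HJT) log lines for Vundo/Virtumonde-style load points.

Added illustration for this thread, not a tool the helper used. It is a
heuristic: a hit means "inspect this entry", never "this is malware".
Thresholds, the allowlist and the sample lines are assumptions.
"""
import re

# Constructed sample. The system32 DLL paths are the five the poster listed;
# the O2/O20 wrappers around them and the all-zero CLSID are placeholders
# chosen to resemble how Vundo-family entries usually surface in an HJT log.
# The remaining lines are copied from the log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\ddccd.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: jkkji - C:\WINDOWS\system32\jkkji.dll
O20 - Winlogon Notify: mlljh - C:\WINDOWS\system32\mlljh.dll
O20 - Winlogon Notify: ssttt - C:\WINDOWS\system32\ssttt.dll
O20 - Winlogon Notify: vtstq - C:\WINDOWS\system32\vtstq.dll
O23 - Service: Intel Input Service (IISLvc) - Unknown owner - C:\WINDOWS\system\mgrsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Only code-loading sections are scored; running-process and O4 lines carry
# too many short legitimate names (smss, ctfmon, spoolsv) for this heuristic.
LOAD_POINTS = {"O2", "O3", "O20", "O21", "O23"}
LINE_RE = re.compile(r"^(?P<kind>O\d+)\s+-\s+(?P<body>.*)$")
PATH_RE = re.compile(
    r"(?P<path>[A-Za-z]:\\.*?\.(?:dll|exe))(?P<missing>\s+\(file missing\))?\s*$",
    re.IGNORECASE,
)
VOWELS = set("aeiouy")
# Assumed allowlist for short Windows names that trip the heuristic; a real
# tool would check file hashes or Authenticode signatures instead.
KNOWN_GOOD = {"ctfmon", "nvcpl", "smss"}


def looks_random(stem: str) -> bool:
    """Vundo-style stem: 4-8 letters, almost no vowels or a tripled letter."""
    s = stem.lower()
    if not re.fullmatch(r"[a-z]{4,8}", s):
        return False
    vowel_ratio = sum(c in VOWELS for c in s) / len(s)
    tripled = re.search(r"(.)\1\1", s) is not None
    return vowel_ratio <= 0.2 or tripled


def triage(log_text: str) -> list:
    """Return (section, path, reasons) for every load-point entry worth a look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("kind") not in LOAD_POINTS:
            continue
        pm = PATH_RE.search(m.group("body"))
        if not pm:
            continue
        path = pm.group("path")
        directory, _, name = path.rpartition("\\")
        stem = name.rsplit(".", 1)[0]
        directory = directory.lower()
        reasons = []
        if stem.lower() not in KNOWN_GOOD:
            if directory.endswith("\\system32") and looks_random(stem):
                reasons.append("random-looking name in system32")
            if directory.endswith("\\windows\\system"):
                reasons.append("legacy %SystemRoot%\\system directory")
        if pm.group("missing"):
            # Orphaned entry: low priority on its own, but still worth removing.
            reasons.append("file missing")
        if m.group("kind") == "O23" and "Unknown owner" in m.group("body"):
            reasons.append("service with unknown owner")
        if reasons:
            findings.append((m.group("kind"), path, reasons))
    return findings


if __name__ == "__main__":
    for kind, path, reasons in triage(SAMPLE_LOG):
        print(f"{kind:<4} {path}\n     -> {', '.join(reasons)}")
```

Running it prints each flagged entry with its reasons. The five poster-listed DLLs are reported as random-looking names in system32; the orphaned Adobe BHO is reported only as "file missing", which is not an infection indicator on its own; and the unknown-owner service in the legacy C:\WINDOWS\system directory is flagged for inspection, which is all the same line in the posted log deserves without further evidence. The heuristic is deliberately restricted to load-point sections because short legitimate names such as smss, ctfmon and spoolsv would trip the vowel test, and the allowlist exists for exactly that reason.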



## amf0802 (Oct 7, 2007)

OK, the previously mentioned files weren't found with Killbox, I believe because I had moved them into AVG's virus vault and then deleted them.

VundoFix also didn't find anything, so when I clicked Remove Vundo, it simply said no files found and closed, and the log just says 'beginning scan' and has nothing else.

Either way, I haven't had any problems since and no more alerts from AVG as of yet. My only annoyance is the task manager situation.


----------



## MFDnNC (Sep 7, 2004)

Double-click on the edge of the taskmgr window.


----------



## amf0802 (Oct 7, 2007)

Wow, something so simple as that. I thank you, and everyone else here that helps. You saved me a lot of hassle; keep up the great work.


----------



## MFDnNC (Sep 7, 2004)

Clean

If you feel it is fixed, mark it solved via Thread Tools above.

Clear restore points; here's how:

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

You will turn them off, boot, then turn them on.

This clears infected restore points and sets a new, clean one.


----------

