Browser hijacked & Broadcaster.com popups



Gcarp
2007-04-01, 00:57
Every time I go online, my browser gets hijacked. If I go to Google and do a search, when I click on a result, it gets hijacked to some other website other than the one I was trying to go to. If I cut & paste the URL into the address window, it goes where I want. I also have been getting popup windows for Broadcaster.com.

I have tried various spyware removal tools (I don't even remember which ones now) that have removed various things (sorry). Then I found this website. I have followed the "Before you post" thread. I tried to use "Bit Defender" and it runs to the end and I get an "IE has performed an illegal action and will close" message (ran it twice with the same results). Then I ran Trend Micro Online - it didn't find anything and did not give me a choice to save a log/report.

I have run SpyBot and Ad-Aware, and every time I reboot I find the same stuff and cannot remove it (TIBS C). I have done all the steps from the sticky thread and here is the HJT log:


--- Search result list ---
Smitfraud-C.Toolbar888: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1532886375-2966927733-1597234714-1006\Software\Microsoft\aldd


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-03-21 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-01-15 advcheck.dll (1.2.1.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-03-28 Includes\Cookies.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2007-03-28 Includes\DialerC.sbi (*)
2007-03-21 Includes\Hijackers.sbi (*)
2007-03-28 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-03-28 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-03-21 Includes\Malware.sbi (*)
2007-03-28 Includes\MalwareC.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2007-03-28 Includes\PUPSC.sbi (*)
2007-03-28 Includes\Revision.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2007-03-28 Includes\SecurityC.sbi (*)
2007-03-21 Includes\Spybots.sbi (*)
2007-03-28 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-03-21 Includes\Trojans.sbi (*)
2007-03-28 Includes\TrojansC.sbi (*)



--- System information ---
Windows XP (Build: 2600)
/ Internet Explorer 6 / SP0: Windows XP Hotfix - KB834707
/ Windows XP / SP1: Windows XP Hotfix - KB823980
/ Windows XP / SP1: Windows XP Hotfix - KB824141
/ Windows XP / SP1: Windows XP Hotfix - KB828035
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q308402 for more information]
/ Windows XP / SP1 / Q308677: Windows XP Hotfix (SP1) [See Q308677 for more information]
/ Windows XP / SP1 / Q308678: Windows XP Hotfix (SP1) [See Q308678 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q311889 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q312368 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q315000 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q315403 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q317277 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q317326 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q319632 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q326830 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329048 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q329170
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329390 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329441 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329834 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q810577
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q810833
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q811630
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q815021
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q817606
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q819696
/ Windows XP / SP2: Windows XP Hotfix - KB823559
/ Windows XP / SP2: Windows XP Hotfix - KB828741
/ Windows XP / SP2: Windows XP Hotfix - KB833987
/ Windows XP / SP2: Windows XP Hotfix - KB835732
/ Windows XP / SP2: Windows XP Hotfix - KB839643
/ Windows XP / SP2: Windows XP Hotfix - KB840374
/ Windows XP / SP2: Windows XP Hotfix - KB840987
/ Windows XP / SP2: Windows XP Hotfix - KB841356
/ Windows XP / SP2: Windows XP Hotfix - KB841873
/ Windows XP / SP2: Windows XP Hotfix - KB842773
/ Windows XP / SP2: Windows XP Hotfix - KB873376
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q323255 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329115 for more information]
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)


--- Startup entries list ---
Located: HK_LM:Run, ATIModeChange
command: Ati2mdxx.exe
file: C:\WINDOWS\system32\Ati2mdxx.exe
size: 28672
MD5: fae95d6d7651b5629c4e19adbc9a3863

Located: HK_LM:Run, AtiPTA
command: atiptaxx.exe
file: C:\WINDOWS\system32\atiptaxx.exe
size: 286720
MD5: 4263458289fe421c014bed6ac1a2d1ed

Located: HK_LM:Run, CaAvTray
command: "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
file: C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
size: 230512
MD5: 080a83de3f10aade330268193b461e42

Located: HK_LM:Run, CAVRID
command: "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
file: C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
size: 185456
MD5: 3b0280a11e689315e3efb7c5675a99cb

Located: HK_LM:Run, Cpqset
command: c:\compaq\cpqsetup\cpqset.exe
file: c:\compaq\cpqsetup\cpqset.exe
size: 172101
MD5: 7b72c13e4b54444271bd20b8136e2e19

Located: HK_LM:Run, eabconfg.cpl
command: C:\Program Files\Compaq\EAB\EabServr.exe /Start
file:

Located: HK_LM:Run, Microsoft Works Portfolio
command: C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
file:

Located: HK_LM:Run, Microsoft Works Update Detection
command: C:\Program Files\Microsoft Works\WkDetect.exe
file: C:\Program Files\Microsoft Works\WkDetect.exe
size: 28739
MD5: 3141750fad211c6dadf7c2dc2ec74da8

Located: HK_LM:Run, Motive SmartBridge
command: C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
file: C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
size: 438359
MD5: 7d5393ba10deacb5a1ab7f05232eb600

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 77824
MD5: f8dbb32041336a94c676e6b70f759993

Located: HK_LM:Run, srmclean
command: C:\Cpqs\Scom\srmclean.exe
file: C:\Cpqs\Scom\srmclean.exe
size: 36864
MD5: 787b8ad5fef1a68d3ed00e4e393b9d18

Located: HK_LM:Run, SunJavaUpdateSched
command: C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
file: C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
size: 36975
MD5: bd902d0d7ed7c2d5fc327567ce96b97c

Located: HK_LM:Run, SynTPEnh
command: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
file: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
size: 540672
MD5: 6849cbabadfd708421fb1258b0b3d297

Located: HK_LM:Run, SynTPLpr
command: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
file: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
size: 126976
MD5: f8b2b0d165a53f6435797e6e94833428

Located: HK_LM:Run, TkBellExe
command: C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
file:

Located: HK_LM:Run, VerizonServicepoint.exe
command: C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
file: C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
size: 1880064
MD5: a7f075d26df8127140e70840134675b7

Located: HK_LM:Run, YOP
command: C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
file: C:\PROGRA~1\Yahoo!\YOP\yop.exe
size: 401408
MD5: 5278f0d69b1c7d5f32bbc8da3bf2573b

Located: HK_LM:Run, ZoneAlarm Client
command: "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
file: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
size: 919280
MD5: f6d4d4068aec371df8f89cdf11fc321d

Located: HK_CU:Run, spc_w
command: "C:\Program Files\NZSearch\nzspc.exe" -w
file: C:\Program Files\NZSearch\nzspc.exe
size: 286786
MD5: 990800fd5aac6c08e1d3bc146997372b

Located: Startup (common), Adobe Reader Speed Launch.lnk
command: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
file: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
size: 40048
MD5: 54c88bfbd055621e2306534f445c0c8d

Located: Startup (common), Adobe Reader Synchronizer.lnk
command: C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
file: C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
size: 734872
MD5: 169c293ce9460a05646d17dc6aa2fb2c

Located: Startup (common), Microsoft Office.lnk
command: C:\Program Files\Microsoft Office\Office\OSA9.EXE
file: C:\Program Files\Microsoft Office\Office\OSA9.EXE
size: 65588
MD5: 1a80248ec5d290a391ce27326dd13e29

Located: Startup (common), Microsoft Works Calendar Reminders.lnk
command: C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
file: C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
size: 24633
MD5: 7084b58a098d2f83b304832251a8c6a8

Located: Startup (user), HotSync Manager.lnk
command: C:\Program Files\Palm\hotsync.exe
file: C:\Program Files\Palm\hotsync.exe
size: 265728
MD5: cde086e30ce7f9c5b890265ae8396ef8

Located: System.ini, !SASWinLogon
command: C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
file: C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
size: 282624
MD5: f6597f9f732453daf4d3a86170da63d5

Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll

Located: System.ini, ScCertProp
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, Schedule
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, termsrv
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, wlballoon
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, __c0047460
command: C:\WINDOWS\System32\__c0047460.dat
file: C:\WINDOWS\System32\__c0047460.dat
size: 9546
MD5: 23e0d413c9748e2c036215e25a6eb07b

Located: System.ini, __c00B6700
command: C:\WINDOWS\System32\__c00B6700.dat
file: C:\WINDOWS\System32\__c00B6700.dat
size: 9546
MD5: 23e0d413c9748e2c036215e25a6eb07b



--- Browser helper object list ---
@A 3B846-8D59-4ffb-8758-209B6AD74ACC} ()
BHO name:
CLSID name:

{02478D38-C3F9-4EFB-9B51-7695ECA05670} (&Yahoo! Toolbar Helper)
BHO name:
CLSID name: &Yahoo! Toolbar Helper
description: Yahoo Companion!
classification: Legitimate
known filename: Ycomp*_*_*_*.dll
info link: http://companion.yahoo.com/
info source: TonyKlein
Path: C:\Program Files\Yahoo!\Companion\Installs\cpn0\
Long name: yt.dll
Short name:
Date (created): 2/13/2007 6:08:38 PM
Date (last access): 3/31/2007 12:30:38 PM
Date (last write): 2/13/2007 6:08:38 PM
Filesize: 807448
Attributes: archive
MD5: ED5A79CD89F920235E362B5F9A04739A
CRC32: 8B482521
Version: 2007.2.13.1

{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 3/21/2007 2:56:24 PM
Date (last access): 3/31/2007 1:31:36 PM
Date (last write): 5/31/2005 1:04:00 AM
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0

À@ 49E9F-C8D7-4D59-B87D-784B7D6BE0B3} ()
BHO name:
CLSID name:

{4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} ()
BHO name:
CLSID name:



--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control)
DPF name:
CLSID name: ewidoOnlineScan Control
Installer:
Codebase: http://downloads.ewido.net/ewidoOnlineScan.cab
description:
classification: Legitimate
known filename: EWIDOO~1.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: ewidoOnlineScan.dll
Short name: EWIDOO~1.DLL
Date (created): 7/11/2006 9:41:36 AM
Date (last access): 3/31/2007 12:49:36 PM
Date (last write): 7/11/2006 9:41:36 AM
Filesize: 345656
Attributes: archive
MD5: B284992540E0FA2B76DEA56F93D49A16
CRC32: FD2E709C
Version: 1.0.0.4

{33564D57-9980-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\wmv9dmo.inf
Codebase: http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
description: Microsoft WMV Video Codec
classification: Legitimate
known filename: WMV9DMO.CAB
info link:
info source: Patrick M. Kolla

{4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\vzbb.inf
Codebase: http://www2.verizon.net/micro/vol_toolbar/vzbb.cab
description:
classification: Legitimate
known filename: vzbb.dll
info link:
info source: Safer Networking Ltd.

{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control)
DPF name:
CLSID name: BDSCANONLINE Control
Installer: C:\WINDOWS\Downloaded Program Files\oscan8.inf
Codebase: http://download.bitdefender.com/resources/scan8/oscan8.cab
description:
classification: Legitimate
known filename: oscan8.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: oscan8.ocx
Short name:
Date (created): 6/1/2006 2:54:16 AM
Date (last access): 3/31/2007 11:57:26 AM
Date (last write): 6/1/2006 2:54:16 AM
Filesize: 471040
Attributes: archive
MD5: 9026F860148F0569BD92AEEFC4BDDFD7
CRC32: D1520CCE
Version: 1.0.0.1

{644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class)
DPF name:
CLSID name: Symantec RuFSI Utility Class
Installer: C:\WINDOWS\Downloaded Program Files\CabSA.inf
Codebase: http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
description:
classification: Legitimate
known filename: rufsi.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: rufsi.dll
Short name:
Date (created): 5/17/2006 2:32:42 PM
Date (last access): 3/31/2007 12:49:38 PM
Date (last write): 5/17/2006 2:32:42 PM
Filesize: 161480
Attributes: archive
MD5: D9021B7C1D765851774FD9A753AEC435
CRC32: 6D65423F
Version: 2006.2.15.43

{7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class)
DPF name:
CLSID name: WScanCtl Class
Installer: C:\WINDOWS\Downloaded Program Files\webscan.inf
Codebase: http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
description:
classification: Legitimate
known filename: webscan.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: webscan.dll
Short name:
Date (created): 11/20/2006 12:02:34 PM
Date (last access): 3/31/2007 12:49:38 PM
Date (last write): 11/20/2006 12:02:34 PM
Filesize: 180282
Attributes: archive
MD5: 76EA3ABECE61FBA3C07F61E42BB0CA48
CRC32: AECD0E4D
Version: 1.1.0.1049

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_03
Installer: C:\WINDOWS\Downloaded Program Files\jinstall-1_5_0_03.inf
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.5.0_03\bin\
Long name: NPJPI150_03.dll
Short name: NPJPI1~1.DLL
Date (created): 4/13/2005 3:48:56 AM
Date (last access): 3/31/2007 11:01:06 AM
Date (last write): 4/13/2005 4:06:32 AM
Filesize: 69746
Attributes: archive
MD5: 13FCA03EBCA6E1F8C6481166C516D1FE
CRC32: 868C298F
Version: 5.0.30.7

See next post...

Gcarp
2007-04-01, 01:02
{90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player)
DPF name:
CLSID name: InstallShield International Setup Player
Installer: C:\WINDOWS\Downloaded Program Files\isetup.inf
Codebase: http://www.lizardtech.com/download/files/win/expressview/webinstall/isetup.cab
description:
classification: Open for discussion
known filename: isetup.dll
info link:
info source: Safer Networking Ltd.
Path: c:\windows\DOWNLO~1\
Long name: iSetup.dll
Short name:
Date (created): 7/25/2002 12:21:56 PM
Date (last access): 3/31/2007 11:57:24 AM
Date (last write): 7/25/2002 12:21:56 PM
Filesize: 24576
Attributes: archive
MD5: 2812B7254C2080BE341E796548B54A4E
CRC32: 909869C6
Version: 6.31.100.1221

{9F1C11AA-197B-4942-BA54-47A8489BB47F} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\iuctl.inf
Codebase: http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37849.6604282407
description: Windows Update
classification: Legitimate
known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
info link:
info source: Patrick M. Kolla

{B1826A9F-4AA0-4510-BA77-9013E74E4B9B} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\SpyMD.inf
Codebase: http://www.trendmicro.com/spyware-scan/as4web.cab

{C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class)
DPF name:
CLSID name: PreQualifier Class
Installer: C:\WINDOWS\Downloaded Program Files\MotivePreQual.inf
Codebase: http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
description:
classification: Legitimate
known filename: MotivePreQual.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\System32\
Long name: MotivePreQual.dll
Short name: MOTIVE~1.DLL
Date (created): 12/14/2004 12:10:52 PM
Date (last access): 3/31/2007 11:37:42 AM
Date (last write): 12/14/2004 12:10:52 PM
Filesize: 205888
Attributes: archive
MD5: 766DAF2D55A52214B407FA956C7B2AAE
CRC32: A5BA1208
Version: 4.10.4.32742

{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_03
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
description:
classification: Legitimate
known filename: NPJPI150_03.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.5.0_03\bin\
Long name: NPJPI150_03.dll
Short name: NPJPI1~1.DLL
Date (created): 4/13/2005 3:48:56 AM
Date (last access): 3/31/2007 1:32:18 PM
Date (last write): 4/13/2005 4:06:32 AM
Filesize: 69746
Attributes: archive
MD5: 13FCA03EBCA6E1F8C6481166C516D1FE
CRC32: 868C298F
Version: 5.0.30.7



--- Process list ---
PID: 0 ( 0) [System]
PID: 120 ( 4) \SystemRoot\System32\smss.exe
PID: 172 ( 120) \??\C:\WINDOWS\system32\csrss.exe
PID: 196 ( 120) \??\C:\WINDOWS\system32\winlogon.exe
PID: 240 ( 196) C:\WINDOWS\system32\services.exe
size: 101376
MD5: E3DF4A0252D287C44606EE55355E1623
PID: 252 ( 196) C:\WINDOWS\system32\lsass.exe
size: 11776
MD5: 8A590EA109B5E0C7629E022F8A6B17C5
PID: 416 ( 240) C:\WINDOWS\system32\svchost.exe
size: 12800
MD5: 0F7D9C87B0CE1FA520473119752C6F79
PID: 440 ( 240) C:\WINDOWS\system32\svchost.exe
size: 12800
MD5: 0F7D9C87B0CE1FA520473119752C6F79
PID: 700 ( 680) C:\WINDOWS\Explorer.EXE
size: 1000960
MD5: 5A26FC6010886D25B3E412493DD95ED8
PID: 804 ( 700) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 3/31/2007 1:32:16 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsoft.com/access/autosearch.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

--- Winsock Layered Service Provider list ---
Protocol 0: CA ISafe LSP over [MSAFD Tcpip [TCP/IP]]
GUID: {CB949772-4E54-4D97-96DA-685DB44A1C46}
Filename: C:\WINDOWS\System32\VetRedir.dll

Protocol 1: CA ISafe LSP over [MSAFD Tcpip [UDP/IP]]
GUID: {CB949772-4E54-4D97-96DA-685DB44A1C46}
Filename: C:\WINDOWS\System32\VetRedir.dll

Protocol 2: CA ISafe LSP over [MSAFD Tcpip [RAW/IP]]
GUID: {CB949772-4E54-4D97-96DA-685DB44A1C46}
Filename: C:\WINDOWS\System32\VetRedir.dll

Protocol 3: MSAFD Irda [IrDA]
GUID: {3972523D-2AF1-11D1-B655-00805F3642CC}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Infrared protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Irda [IrDA]

Protocol 4: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 5: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 6: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 7: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 8: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 9: MSAFD nwlnkipx [IPX]
GUID: {11058240-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP Novell Netware UPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkipx *

Protocol 10: MSAFD nwlnkspx [SPX]
GUID: {11058241-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkspx *

Protocol 11: MSAFD nwlnkspx [SPX] [Pseudo Stream]
GUID: {11058241-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkspx *

Protocol 12: MSAFD nwlnkspx [SPX II]
GUID: {11058241-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkspx *

Protocol 13: MSAFD nwlnkspx [SPX II] [Pseudo Stream]
GUID: {11058241-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkspx *

Protocol 14: MSAFD NetBIOS [\Device\NwlnkNb] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NwlnkNb] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E512E008-9733-45D3-97DB-C4CB035DA487}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E512E008-9733-45D3-97DB-C4CB035DA487}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A5322A73-781B-4429-BC8D-ED42859E6DA7}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A5322A73-781B-4429-BC8D-ED42859E6DA7}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{02765DA6-1ABA-44AB-B52C-DBCCB8BA73F0}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{02765DA6-1ABA-44AB-B52C-DBCCB8BA73F0}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1FD9A9D4-C67A-4E8F-864D-97EEF91C86EE}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 23: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1FD9A9D4-C67A-4E8F-864D-97EEF91C86EE}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 24: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3F20512E-1F44-4DF8-ABA8-430D48255FED}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 25: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3F20512E-1F44-4DF8-ABA8-430D48255FED}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 26: MSAFD NetBIOS [\Device\NetBT_Tcpip_{30EF6FA1-F178-4B6A-ABA5-DA17206AE6F1}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 27: MSAFD NetBIOS [\Device\NetBT_Tcpip_{30EF6FA1-F178-4B6A-ABA5-DA17206AE6F1}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 28: CA ISafe LSP
GUID: {AE2578B4-F478-4313-9A3E-1B83F7A643DF}
Filename: C:\WINDOWS\System32\VetRedir.dll

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 3: NWLink IPX/SPX/NetBIOS Compatible Transport Protocol
GUID: {E02DAAF0-7E9F-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\nwprovau.dll
Description: Microsoft Windows NT/2k/XP Novell Netware name space provider
DB filename: %SystemRoot%\system32\nwprovau.dll
DB protocol: NWLink IPX/SPX/NetBIOS*



--- Uninstall list ---
(AddressBook)

Adobe Acrobat 5.0 5.0 (Adobe Acrobat 5.0)
version (major): 5
install location: C:\Program Files\Adobe\Acrobat 5.0
install source: C:\Documents and Settings\Betty\Local Settings\Temp\pft2~tmp\
uninstall cmd: C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
publisher: Adobe Systems, Inc.
help link: http://www.adobe.com/prodindex/acrobat/main.html

ATI Display Driver (ATI Display Driver)
uninstall cmd: rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean

Audacity 1.2.1 (Audacity_is1)
uninstall cmd: "C:\Program Files\Audacity\unins000.exe"
help link: http://audacity.sourceforge.net

(Branding)

(Connection Manager)

(DirectAnimation)

(DirectDrawEx)

Compaq Easy Access Buttons 3.00 B3 (Easy Access Buttons)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Compaq\EAB\Uninst.isu" -c"C:\Program Files\Compaq\EAB\EABINST.DLL"

(Fontcore)

GoldWave v4.25 (GoldWave v4.25)
uninstall cmd: C:\WINDOWS\sxstall2.exe "GoldWave v4.25" "C:\Program Files\GoldWave\unstall.log"

HijackThis 1.99.1 1.99.1 (HijackThis)
uninstall cmd: C:\Documents and Settings\Betty\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe /uninstall
publisher: Soeperman Enterprises Ltd.

(ICW)

(IE40)

(IE4Data)

(IE5BAKEX)

(IEData)

(InstallShield Uninstall Information)

InterActual Player (InterActual Player)
uninstall cmd: C:\Program Files\InterActual\InterActual Player\inuninst.exe

Windows XP Hotfix - KB823559 20030701.220428 (KB823559)
uninstall cmd: C:\WINDOWS\$NtUninstallKB823559$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=823559

Windows XP Hotfix - KB823980 20030705.121436 (KB823980)
uninstall cmd: C:\WINDOWS\$NtUninstallKB823980$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=823980

Windows XP Hotfix - KB824141 20030926.115120 (KB824141)
uninstall cmd: C:\WINDOWS\$NtUninstallKB824141$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=824141

Windows XP Hotfix - KB828035 20031021.154251 (KB828035)
uninstall cmd: C:\WINDOWS\$NtUninstallKB828035$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=828035

See next post ...

Gcarp
2007-04-01, 01:05
Windows XP Hotfix - KB828741 20040305.180454 (KB828741)
uninstall cmd: C:\WINDOWS\$NtUninstallKB828741$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=828741

Windows XP Hotfix - KB833987 20040308.175840 (KB833987)
uninstall cmd: C:\WINDOWS\$NtUninstallKB833987$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=833987

Windows XP Hotfix - KB834707 20040929.115007 (KB834707-IE6-20040929.115007)
uninstall cmd: C:\WINDOWS\$NtUninstallKB834707-IE6-20040929.115007$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com/?kbid=834707

Windows XP Hotfix - KB835732 20040329.172537 (KB835732)
uninstall cmd: C:\WINDOWS\$NtUninstallKB835732$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=835732

Windows XP Hotfix - KB839643 20040512.132734 (KB839643)
uninstall cmd: C:\WINDOWS\$NtUninstallKB839643$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=839643

Windows XP Hotfix - KB840374 20040416.121729 (KB840374)
uninstall cmd: C:\WINDOWS\$NtUninstallKB840374$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=840374

Windows XP Hotfix - KB840987 20040927.095912 (KB840987)
uninstall cmd: C:\WINDOWS\$NtUninstallKB840987$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=840987

Windows XP Hotfix - KB841356 20040929.102221 (KB841356)
uninstall cmd: C:\WINDOWS\$NtUninstallKB841356$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=841356

Windows XP Hotfix - KB841873 20040608.144331 (KB841873)
uninstall cmd: C:\WINDOWS\$NtUninstallKB841873$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=841873

Windows XP Hotfix - KB842773 20040805.140010 (KB842773)
uninstall cmd: C:\WINDOWS\$NtUninstallKB842773$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=842773

Windows XP Hotfix - KB873376 20040923.181029 (KB873376)
uninstall cmd: C:\WINDOWS\$NtUninstallKB873376$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=873376

(KB884016)

(KB893803)
Windows Installer 3.1 (KB893803) 3.1 (KB893803v2)
uninstall cmd: "C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://go.microsoft.com/fwlink/?LinkId=42467

MailFrontier Desktop 4.9.1.8203 (MailFrontier Desktop)
uninstall cmd: C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\UNWISE.EXE C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\INSTMLF.LOG
publisher: MailFrontier

(Microsoft Interactive Training)
uninstall cmd: C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu

(Microsoft NetShow Player 2.0)

(MobileOptionPack)

(MPlayer2)

(MSI30-Beta1)

(MSI30-Beta2)

(MSI30-KB884016)

(MSI30-RC1)

(MSI30-RC2)

(MSI30a-KB884016)

(MSI31-Beta)

(MSI31-RC1)

(MsJavaVM)

(NetMeeting)

Netscape 6 (6.1) (Netscape 6 (6.1))
uninstall cmd: C:\WINDOWS\N6Uninst.exe /ua "6.1 (en)"

(OutlookExpress)

(PCHealth)
uninstall cmd: rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

Punch! Professional Home Design (Punch! Professional Home Design)
uninstall cmd: C:\PROGRA~1\PUNCH!~1\UNWISE.EXE C:\PROGRA~1\PUNCH!~1\INSTALL.LOG

Windows XP Hotfix (SP1) [See Q308402 for more information] (Q308402)
uninstall cmd: C:\WINDOWS\$NtUninstallQ308402$\spuninst\spuninst.exe

Windows XP Hotfix (SP1) [See Q308677 for more information] (Q308677)
uninstall cmd: C:\WINDOWS\$NtUninstallQ308677$\spuninst\spuninst.exe

Windows XP Hotfix (SP1) [See Q308678 for more information] (Q308678)

Windows XP Hotfix (SP1) [See Q311889 for more information] (Q311889)
uninstall cmd: C:\WINDOWS\$NtUninstallQ311889$\spuninst\spuninst.exe

Windows XP Hotfix (SP1) [See Q312368 for more information] (Q312368)

Windows XP Hotfix (SP1) [See Q315000 for more information] (Q315000)
uninstall cmd: C:\WINDOWS\$NtUninstallQ315000$\spuninst\spuninst.exe

Windows XP Hotfix (SP1) [See Q315403 for more information] (Q315403)
uninstall cmd: C:\WINDOWS\$NtUninstallQ315403$\spuninst\spuninst.exe

Windows XP Hotfix (SP1) [See Q317277 for more information] (Q317277)
uninstall cmd: C:\WINDOWS\$NtUninstallQ317277$\spuninst\spuninst.exe

Windows XP Hotfix (SP1) [See Q317326 for more information] (Q317326)
uninstall cmd: C:\WINDOWS\$NtUninstallQ317326$\spuninst\spuninst.exe

Windows XP Hotfix (SP1) [See Q319632 for more information] (Q319632)
uninstall cmd: C:\WINDOWS\$NtUninstallQ319632$\spuninst\spuninst.exe

Windows XP Hotfix (SP1) [See Q326830 for more information] (Q326830)
uninstall cmd: C:\WINDOWS\$NtUninstallQ326830$\spuninst\spuninst.exe

Windows XP Hotfix (SP1) [See Q329048 for more information] (Q329048)
uninstall cmd: C:\WINDOWS\$NtUninstallQ329048$\spuninst\spuninst.exe

Windows XP Hotfix (SP2) [See Q329115 for more information] (Q329115)
uninstall cmd: C:\WINDOWS\$NtUninstallQ329115$\spuninst\spuninst.exe

Windows XP Hotfix (SP1) Q329170 20030102.115458 (Q329170)
uninstall cmd: C:\WINDOWS\$NtUninstallQ329170$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: For more information, see Q329170 at http://support.microsoft.com

Windows XP Hotfix (SP1) [See Q329390 for more information] (Q329390)
uninstall cmd: C:\WINDOWS\$NtUninstallQ329390$\spuninst\spuninst.exe

Windows XP Hotfix (SP1) [See Q329441 for more information] (Q329441)
uninstall cmd: C:\WINDOWS\$NtUninstallQ329441$\spuninst\spuninst.exe
publisher: Microsoft Corporation

Windows XP Hotfix (SP1) [See Q329834 for more information] (Q329834)
uninstall cmd: C:\WINDOWS\$NtUninstallQ329834$\spuninst\spuninst.exe

Windows XP Hotfix (SP1) Q810577 20021118.133626 (Q810577)
uninstall cmd: C:\WINDOWS\$NtUninstallQ810577$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: For more information, see Q810577 at http://support.microsoft.com

Windows XP Hotfix (SP1) Q810833 20021203.200852 (Q810833)
uninstall cmd: C:\WINDOWS\$NtUninstallQ810833$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: For more information, see Q810833 at http://support.microsoft.com

Windows XP Hotfix (SP1) Q815021 20030502.110257 (Q815021)
uninstall cmd: C:\WINDOWS\$NtUninstallQ815021$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=815021

Windows XP Hotfix (SP1) Q817606 20030331.103325 (Q817606)
uninstall cmd: C:\WINDOWS\$NtUninstallQ817606$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=817606

Windows XP Hotfix (SP1) Q819696 20030513.122705 (Q819696)
uninstall cmd: C:\WINDOWS\$NtUninstallQ819696$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=819696

QuickTime (QuickTime)
uninstall cmd: C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log

Verizon Servicepoint 1.3.21 1.3.21 (RadialpointClientGateway_is1)
install location: C:\Program Files\Verizon\Servicepoint\
uninstall cmd: "C:\Program Files\Verizon\Servicepoint\unins000.exe"
publisher: Verizon
help link: http://www.verizon.freedom.net/vsp-support-page/

(RealJukebox 1.0)
uninstall cmd: C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0

RealOne Player (RealPlayer 6.0)
uninstall cmd: C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0

Verizon PC Security Checkup 1.5.5 (Rp Scan and Clean {40ACEAF4-1EB2-45FC-90C3-6810700C0595})
version: 17104901
version (major): 1
version (minor): 5
estimated size: 20697
install date: 20070214
install location: C:\Program Files\Verizon\PC Security Checkup\
install source: C:\WINDOWS\Downloaded Installations\{E0651F12-2AC9-46B9-964D-A1A93A3736FE}\
uninstall cmd: C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /M{40ACEAF4-1EB2-45FC-90C3-6810700C0595}
publisher: Verizon
contact: Customer Support Department
help link: http://www.verizon.freedom.net/supportpage

(SchedulingAgent)

Setup Compaq Software (Setup Compaq Software)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\COMPAQ\Setup Compaq Software\Uninst.isu" -c"C:\Program Files\COMPAQ\Setup Compaq Software\CPQUNST.DLL"

Adobe Flash Player 9 ActiveX 9 (ShockwaveFlash)
uninstall cmd: C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
publisher: Adobe Systems Incorporated
help link: http://www.adobe.com/go/flashplayer_support/

Spybot - Search & Destroy 1.4 1.4 (Spybot - Search & Destroy_is1)
install location: C:\Program Files\Spybot - Search & Destroy\
uninstall cmd: "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
publisher: Safer Networking Limited

Synaptics TouchPad (SynTPDeinstKey)
uninstall cmd: rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall

TurboTax Deluxe Deduction Maximizer 2006 (TurboTax Deluxe Deduction Maximizer 2006)
uninstall cmd: C:\Program Files\TurboTax\Deluxe 2006\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2006\Uninstall.log" -NoGui

Verizon Online DSL (Verizon Online DSL_is1)
uninstall cmd: C:\Program Files\Common Files\SupportSoft\Verizon\vzuninstall.exe /starthidden

Verizon Online Help and Support (Verizon Online Help and Support)
uninstall cmd: C:\PROGRA~1\Verizon\UNWISE.EXE C:\PROGRA~1\Verizon\INSTALL.LOG

Verizon Yahoo! Applications (Verizon Yahoo! Applications)
uninstall cmd: C:\PROGRA~1\Yahoo!\Common\uninstall.exe

Verizon Broadband Toolbar (VZBB)
uninstall cmd: C:\Program Files\VZBB Toolbar\Uninstall.exe

Windows Genuine Advantage Validation Tool (KB892130) 1.5.0530.0 (WGA)
install date: 20070217
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=892130

Yahoo! Toolbar (Yahoo! Toolbar)

ZoneAlarm 7.0.302.000 (ZoneAlarm)
uninstall cmd: C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
publisher: Check Point, Inc
help link: C:\Program Files\Zone Labs\ZoneAlarm\Help\zaclients.chm

Microsoft Office 2000 SR-1 Professional 9.00.3821 ({00010409-78E1-11D2-B60F-006097C998E7})
version: 150998765
version (major): 9
estimated size: 207769
install date: 20030112
install source: D:\
uninstall cmd: MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
publisher: Microsoft Corporation
help link: http://www.microsoft.com/support
readme: C:\Program Files\Microsoft Office\Office\ofread9.txt

Compaq Diagnostics for Windows ({1881AE03-2BD4-11D4-86BF-00508B10AA88})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1881AE03-2BD4-11D4-86BF-00508B10AA88}\setup.exe"

J2SE Runtime Environment 5.0 Update 3 1.5.0.30 ({3248F0A8-6813-11D6-A77B-00B0D0150030})
version: 17104896
version (major): 1
version (minor): 5
estimated size: 146909
install date: 20070325
install source: http://javadl.sun.com/webapps/download/GetFile/1.5.0_03-b07/windows-i586//
uninstall cmd: MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
publisher: Sun Microsystems, Inc.
contact: http://java.com
help link: http://java.com
readme: C:\Program Files\Java\jre1.5.0_03\README.txt

WebFldrs XP 9.50.5318 ({350C97B0-3D7C-4EE8-BAA9-00BCB3D54227})
version: 154277062
version (major): 9
version (minor): 50
estimated size: 2564
install date: 20010916
install source: C:\WINDOWS\System32\
publisher: Microsoft Corporation
help link: http://www.microsoft.com/windows

Verizon PC Security Checkup 1.5.5 ({40ACEAF4-1EB2-45FC-90C3-6810700C0595})
version: 17104901
version (major): 1
version (minor): 5
estimated size: 20697
install date: 20070214
install location: C:\Program Files\Verizon\PC Security Checkup\
install source: C:\WINDOWS\Downloaded Installations\{E0651F12-2AC9-46B9-964D-A1A93A3736FE}\
publisher: Verizon
contact: Customer Support Department
help link: http://www.verizon.freedom.net/supportpage

Lizardtech Express View Browser Plug-in ({4F8D44E7-3F47-4002-AE6A-BCB6A46A1788})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchiSetup -ether"C:\Program Files\InstallShield Installation Information\{4F8D44E7-3F47-4002-AE6A-BCB6A46A1788}" -l0x9

NetZero ({6C651250-2EB2-11D5-8E33-0050DAD72AC2})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6C651250-2EB2-11D5-8E33-0050DAD72AC2}\setup.exe" UNINSTALL

Windows Backup Utility 5.1 ({76EFFC7C-17A6-479D-9E47-8E658C1695AE})
version: 83951616
version (major): 5
version (minor): 1
estimated size: 1281
install date: 20020910
install source: C:\appl.zip\NTBACKUP\US\
uninstall cmd: MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
publisher: Microsoft Corporation
help link: http://www.microsoft.com/management

Ad-Aware SE Personal 1.0.6 ({78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747})
version: 16777222
version (major): 1
estimated size: 3045
install date: 20070304
install source: C:\Program Files\Common Files\Wise Installation Wizard\
uninstall cmd: MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
publisher: Lavasoft AB
help link: http://www.lavasoftsupport.com

Family Lawyer 2004 ({95C2FBF3-4462-41E3-89DC-0F784387BD53})
install location: C:\Program Files\Broderbund\Family Lawyer 2004\
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{95C2FBF3-4462-41E3-89DC-0F784387BD53}\setup.exe" -l0x9
publisher: Broderbund

PlayLinc 2.0.8 ({9CCE527D-356F-41A8-9718-77A68AC065FB})
version: 33554440
version (major): 2
estimated size: 30206
install date: 20070314
install location: C:\Program Files\PlayLinc\
install source: C:\DOCUME~1\Betty\LOCALS~1\Temp\is-98QS1.tmp\
uninstall cmd: MsiExec.exe /I{9CCE527D-356F-41A8-9718-77A68AC065FB}
publisher: SCI
comments: PlayLinc
contact: Tom Evans
help link: www.playlinc.com
help telephone: 770-344-1100

Motorola i850-i760 USB - Handset Manager V9 9.0 ({A918DE8A-98C8-0900-0000-000000180033})
version: 150994944
version (major): 9
estimated size: 48698
install date: 20061004
install source: D:\fscommand\USBHmgr\V9\
uninstall cmd: MsiExec.exe /I{A918DE8A-98C8-0900-0000-000000180033}
publisher: Mobile Action
help link: http://www.mobileaction.com

Multimedia Samples 9.2 ({A918DE8A-98C8-0920-0001-000000000000})
version: 151126016
version (major): 9
version (minor): 2
estimated size: 125574
install date: 20061004
install source: D:\fscommand\Samples\
uninstall cmd: MsiExec.exe /I{A918DE8A-98C8-0920-0001-000000000000}
publisher: Mobile Action
help link: http://www.mobileaction.com

Adobe Reader 8 8.0.0 ({AC76BA86-7AD7-1033-7B44-A80000000002})
version: 134217728
version (major): 8
estimated size: 119925
install date: 20070216
install location: C:\Program Files\Adobe\Reader 8.0\Reader\
install source: C:\DOCUME~1\Betty\LOCALS~1\Temp\Adobe Reader 8.0\
uninstall cmd: MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
publisher: Adobe Systems Incorporated
comments:
contact: Customer Support
help link: http://www.adobe.com/support/main.html
readme: C:\Program Files\Adobe\Reader 8.0\Reader\Readme.htm

TurboTax ItsDeductible 2006 10.00.0000 ({AFF1EA96-9C23-4249-B7D4-CD4B54D4582F})
version: 167772160
version (major): 10
estimated size: 20298
install date: 20070114
install location: C:\Program Files\ItsDeductible2006\
install source: D:\ID\Setup\
uninstall cmd: MsiExec.exe /X{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}
publisher: Intuit

Encarta Online ({C0A23442-6214-11D3-8CDF-0080C768385C})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C0A23442-6214-11D3-8CDF-0080C768385C}\setup.exe" -l0x9 -uninst

InterVideo WinDVD ({C1939820-A945-11D4-86F6-0001031E5712})
version (major): 3
version (minor): 2
install location: C:\Program Files\InterVideo\WinDVD
uninstall cmd: "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
publisher: InterVideo Inc.

Anti-Spyware 5.6.608 ({C2444FA0-04AA-4221-B652-73713947ED22})
version: 84279904
version (major): 5
version (minor): 6
estimated size: 7397
install date: 20070214
install location: C:\Program Files\Common Files\PestPatrol\
install source: C:\Program Files\Common Files\PestPatrol\
publisher: Zero-Knowledge Systems Inc.
comments: Your Comments
contact: Customer Support Department
help link: http://www.yourcompany.com/help
help telephone:

See next post...

Gcarp
2007-04-01, 01:06
Compaq Advisor ({C4C1AFCD-2C72-48B4-AE2E-A7354A525E87})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C4C1AFCD-2C72-48B4-AE2E-A7354A525E87}\Setup.exe" UNINSTALL

SUPERAntiSpyware Free Edition 3.6.0.1000 ({CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA})
version: 50724864
version (major): 3
version (minor): 6
estimated size: 10965
install date: 20070317
install source: C:\Program Files\Common Files\Wise Installation Wizard\
uninstall cmd: MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
publisher: SUPERAntiSpyware.com
help link: http://www.superantispyware.com/support.html

Microsoft Money 2002 System Pack 10.0.80 ({CF5193F7-6B37-11D5-B7D2-00AA00A204F1})
version: 167772240
version (major): 10
estimated size: 6089
install date: 20020910
install source: c:\compaq\MSMoney\
uninstall cmd: MsiExec.exe /I{CF5193F7-6B37-11D5-B7D2-00AA00A204F1}
publisher: Microsoft
comments: Installs system components used by Microsoft Money 2002.
help link: http://support.microsoft.com
help telephone: (800) 936-5700

Authentium 4.93.7 ({D3386797-A836-4030-AB5D-4E89F2F15F33})
version: 73203719
version (major): 4
version (minor): 93
estimated size: 13625
install date: 20070214
install source: C:\Program Files\Common Files\Command Software\
publisher: Command Software Systems, Inc.

Microsoft Money 2002 10.0.50 ({E7298FD5-1386-11D5-8D6C-0050DAD32D95})
version: 167772210
version (major): 10
estimated size: 147633
install date: 20020910
install source: c:\compaq\MSMoney\
uninstall cmd: MsiExec.exe /I{E7298FD5-1386-11D5-8D6C-0050DAD32D95}
publisher: Microsoft
comments: The Installation database contains the logic and data required to install Money 2002
help link: http://support.microsoft.com
help telephone: (800) 936-5700

SoundMAX ({F0A37341-D692-11D4-A984-009027EC0A9C})
install location: C:\Program Files\Analog Devices\SoundMAX
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"

Microsoft Works 6.0 06.00.1829 ({F8D0829C-9C6F-11D3-8080-00C04FA329AA})
version: 100665125
version (major): 6
estimated size: 97086
install date: 20020910
install source: C:\Program Files\COMPAQ\Works6.0\
uninstall cmd: MsiExec.exe /I{F8D0829C-9C6F-11D3-8080-00C04FA329AA}
publisher: Microsoft Corporation
comments: Microsoft Works 6.0 installation.
help link: http://support.microsoft.com/support/works

Sorry this was sooooo long.

I am running out of options and hope you can help me...

Thanks in advance.

George

Mr_JAk3
2007-04-02, 20:33
Hello Gcarp :)

Please post a HijackThis log here: Click here (http://downloads.malwareremoval.com/HijackThis.exe) to download HijackThis.exe
Save HijackThis.exe to your desktop.
Create a new folder named HijackThis on your desktop. Move HijackThis.exe into that folder.
Run HijackThis.exe
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


:bigthumb:

Gcarp
2007-04-03, 23:37
Thank you for your prompt reply. :)
HijackThis log as requested.

George

Logfile of HijackThis v1.99.1
Scan saved at 5:33:50 PM, on 4/3/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Palm\hotsync.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Real\Update_OB\rndal.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Betty\Desktop\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - @A 3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - À@ 49E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - ð@ BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\__c002423A.dat",setvm
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Advisor - {8EB0F793-55E3-400A-9A58-9493B5D1C04B} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - http://www2.verizon.net/micro/vol_toolbar/vzbb.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/download/files/win/expressview/webinstall/isetup.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: __c0047460 - C:\WINDOWS\System32\__c0047460.dat
O20 - Winlogon Notify: __c00B6700 - C:\WINDOWS\System32\__c00B6700.dat
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Mr_JAk3
2007-04-04, 20:17
Hello :)

Before we can start the cleaning I need you to do something important.

Please download and install Windows XP Service Pack 1A -> Windows XP SP1a (http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx)
NOTE! Do NOT install Service Pack 2 yet. We'll have to get you cleaned first.


Post a fresh HijackThis log when you're ready :bigthumb:

Gcarp
2007-04-05, 04:35
Mr Jak,
I did the custom update because Microsoft wanted me to update to SP2 in express. I think I have everything up to SP2, but I'm not completely sure. It only shows SP1, not SP1A. Is this ok?

Thanks,
George

Latest HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 10:27:25 PM, on 4/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Palm\hotsync.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Betty\Desktop\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - @A 3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - À@ 49E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - ð@ BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Advisor - {8EB0F793-55E3-400A-9A58-9493B5D1C04B} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - http://www2.verizon.net/micro/vol_toolbar/vzbb.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175720342404
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/download/files/win/expressview/webinstall/isetup.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: __c0047460 - C:\WINDOWS\System32\__c0047460.dat
O20 - Winlogon Notify: __c00B6700 - C:\WINDOWS\System32\__c00B6700.dat
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Mr_JAk3
2007-04-05, 19:04
Ok good work :)

Now we'll begin.

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Gcarp
2007-04-06, 03:01
Hi Mr Jak,
Next step as requested...
There was an error while running. It said "Search string too long" but kept running.

George

"Betty" - 07-04-05 20:35:27 Service Pack 1
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Betty\Desktop\hijack this"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\install.log


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\gb
-------\nm
-------\LEGACY_GB
-------\LEGACY_MCHINJDRV


((((((((((((((((((((((((((((((( Files Created from 2007-03-05 to 2007-04-05 ))))))))))))))))))))))))))))))))))


2007-04-05 20:32 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-04-05 20:32 <DIR> d-------- C:\WINDOWS\LastGood
2007-04-04 21:29 57,344 --a------ C:\WINDOWS\system32\wzcdlg.dll
2007-04-04 21:29 31,232 --a------ C:\WINDOWS\system32\wzcsapi.dll
2007-04-04 21:29 281,088 --a------ C:\WINDOWS\system32\wzcsvc.dll
2007-04-04 21:29 1,630,208 --a------ C:\WINDOWS\system32\netshell.dll
2007-04-04 21:19 <DIR> d-------- C:\WINDOWS\PeerNet
2007-04-04 21:11 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-04-04 21:10 384,512 --a------ C:\WINDOWS\system32\mp4sdmod.dll
2007-04-04 21:10 316,040 --a------ C:\WINDOWS\system32\mp43dmod.dll
2007-04-04 21:10 241,664 --a------ C:\WINDOWS\system32\mpg4dmod.dll
2007-04-04 20:17 98,816 --a------ C:\WINDOWS\system32\dmstyle.dll
2007-04-04 20:17 974,848 --a------ C:\WINDOWS\system32\dxdiag.exe
2007-04-04 20:17 83,968 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys
2007-04-04 20:17 80,896 --a------ C:\WINDOWS\system32\dpvsetup.exe
2007-04-04 20:17 8,192 --a------ C:\WINDOWS\system32\d3d8thk.dll
2007-04-04 20:17 797,184 --a------ C:\WINDOWS\system32\d3dim700.dll
2007-04-04 20:17 76,800 --a------ C:\WINDOWS\system32\dmscript.dll
2007-04-04 20:17 733,184 --a------ C:\WINDOWS\system32\qedwipes.dll
2007-04-04 20:17 7,424 --a------ C:\WINDOWS\system32\drivers\mskssrv.sys
2007-04-04 20:17 68,096 --a------ C:\WINDOWS\system32\dsdmoprp.dll
2007-04-04 20:17 68,096 --a------ C:\WINDOWS\system32\dpnhupnp.dll
2007-04-04 20:17 64,512 --a------ C:\WINDOWS\system32\amstream.dll
2007-04-04 20:17 602,624 --a------ C:\WINDOWS\system32\dx7vb.dll
2007-04-04 20:17 590,336 --a------ C:\WINDOWS\system32\d3dramp.dll
2007-04-04 20:17 58,368 --a------ C:\WINDOWS\system32\dmcompos.dll
2007-04-04 20:17 57,856 --a------ C:\WINDOWS\system32\dpwsockx.dll
2007-04-04 20:17 53,248 --a------ C:\WINDOWS\system32\devenum.dll
2007-04-04 20:17 524,800 --a------ C:\WINDOWS\system32\qedit.dll
2007-04-04 20:17 52,096 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2007-04-04 20:17 5,504 --a------ C:\WINDOWS\system32\drivers\mstee.sys
2007-04-04 20:17 5,248 --a------ C:\WINDOWS\system32\drivers\mspclock.sys
2007-04-04 20:17 48,512 --a------ C:\WINDOWS\system32\drivers\stream.sys
2007-04-04 20:17 47,616 --a------ C:\WINDOWS\system32\d3dxof.dll
2007-04-04 20:17 47,104 --a------ C:\WINDOWS\system32\wstdecod.dll
2007-04-04 20:17 46,592 --a------ C:\WINDOWS\system32\dxdllreg.exe
2007-04-04 20:17 44,032 --a------ C:\WINDOWS\system32\dimap.dll
2007-04-04 20:17 436,224 --a------ C:\WINDOWS\system32\d3dim.dll
2007-04-04 20:17 4,608 --a------ C:\WINDOWS\system32\drivers\mspqm.sys
2007-04-04 20:17 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-04-04 20:17 4,096 --a------ C:\WINDOWS\system32\drivers\swenum.sys
2007-04-04 20:17 394,240 --a------ C:\WINDOWS\system32\diactfrm.dll
2007-04-04 20:17 382,976 --a------ C:\WINDOWS\system32\qdvd.dll
2007-04-04 20:17 377,856 --a------ C:\WINDOWS\system32\dpnet.dll
2007-04-04 20:17 363,520 --a------ C:\WINDOWS\system32\dsound.dll
2007-04-04 20:17 354,816 --a------ C:\WINDOWS\system32\psisdecd.dll
2007-04-04 20:17 350,208 --a------ C:\WINDOWS\system32\d3drm.dll
2007-04-04 20:17 34,816 --a------ C:\WINDOWS\system32\d3dpmesh.dll
2007-04-04 20:17 34,304 --a------ C:\WINDOWS\system32\mciqtz32.dll
2007-04-04 20:17 33,280 --a------ C:\WINDOWS\system32\dmloader.dll
2007-04-04 20:17 32,768 --a------ C:\WINDOWS\system32\dpnhpast.dll
2007-04-04 20:17 3,072 --a------ C:\WINDOWS\system32\dpnlobby.dll
2007-04-04 20:17 3,072 --a------ C:\WINDOWS\system32\dpnaddr.dll
2007-04-04 20:17 28,160 --a------ C:\WINDOWS\system32\dplaysvr.exe
2007-04-04 20:17 276,480 --a------ C:\WINDOWS\system32\qdv.dll
2007-04-04 20:17 27,136 --a------ C:\WINDOWS\system32\dmband.dll
2007-04-04 20:17 265,728 --a------ C:\WINDOWS\system32\ddraw.dll
2007-04-04 20:17 24,064 --a------ C:\WINDOWS\system32\ddrawex.dll
2007-04-04 20:17 230,400 --a------ C:\WINDOWS\system32\dplayx.dll
2007-04-04 20:17 223,232 --a------ C:\WINDOWS\system32\gcdef.dll
2007-04-04 20:17 22,016 --a------ C:\WINDOWS\system32\dpmodemx.dll
2007-04-04 20:17 203,264 --a------ C:\WINDOWS\system32\dpvoice.dll
2007-04-04 20:17 194,560 --a------ C:\WINDOWS\system32\mswebdvd.dll
2007-04-04 20:17 19,968 --a------ C:\WINDOWS\system32\dpvacm.dll
2007-04-04 20:17 186,880 --a------ C:\WINDOWS\system32\dsdmo.dll
2007-04-04 20:17 181,248 --a------ C:\WINDOWS\system32\dmime.dll
2007-04-04 20:17 18,944 --a------ C:\WINDOWS\system32\encapi.dll
2007-04-04 20:17 18,688 --a------ C:\WINDOWS\system32\drivers\wstcodec.sys
2007-04-04 20:17 18,432 --a------ C:\WINDOWS\system32\dswave.dll
2007-04-04 20:17 177,152 --a------ C:\WINDOWS\system32\qcap.dll
2007-04-04 20:17 16,896 --a------ C:\WINDOWS\system32\msyuv.dll
2007-04-04 20:17 16,896 --a------ C:\WINDOWS\system32\dpnsvr.exe
2007-04-04 20:17 16,384 --a------ C:\WINDOWS\system32\drivers\ccdecode.sys
2007-04-04 20:17 15,104 --a------ C:\WINDOWS\system32\drivers\mpe.sys
2007-04-04 20:17 14,976 --a------ C:\WINDOWS\system32\drivers\streamip.sys
2007-04-04 20:17 130,304 --a------ C:\WINDOWS\system32\drivers\ks.sys
2007-04-04 20:17 13,312 --a------ C:\WINDOWS\system32\msdmo.dll
2007-04-04 20:17 112,128 --a------ C:\WINDOWS\system32\dpvvox.dll
2007-04-04 20:17 11,392 --a------ C:\WINDOWS\system32\drivers\bdasup.sys
2007-04-04 20:17 104,448 --a------ C:\WINDOWS\system32\dmusic.dll
2007-04-04 20:17 100,864 --a------ C:\WINDOWS\system32\dmsynth.dll
2007-04-04 20:17 10,880 --a------ C:\WINDOWS\system32\drivers\slip.sys
2007-04-04 20:17 10,496 --a------ C:\WINDOWS\system32\drivers\dxapi.sys
2007-04-04 20:17 10,112 --a------ C:\WINDOWS\system32\drivers\ndisip.sys
2007-04-04 20:17 1,769,472 --a------ C:\WINDOWS\system32\dxdiagn.dll
2007-04-04 20:17 1,689,600 --a------ C:\WINDOWS\system32\d3d9.dll
2007-04-04 20:17 1,294,336 --a------ C:\WINDOWS\system32\dsound3d.dll
2007-04-04 20:17 1,230,336 --a------ C:\WINDOWS\system32\msvidctl.dll
2007-04-04 20:17 1,227,776 --a------ C:\WINDOWS\system32\quartz.dll
2007-04-04 20:17 1,189,888 --a------ C:\WINDOWS\system32\dx8vb.dll
2007-04-04 20:17 1,179,648 --a------ C:\WINDOWS\system32\d3d8.dll
2007-04-04 20:06 51,072 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2007-04-04 20:06 22,016 --a------ C:\WINDOWS\system32\drivers\mouclass.sys
2007-04-04 19:44 67,584 --a------ C:\WINDOWS\system32\magnify.exe
2007-04-04 19:44 53,760 --a------ C:\WINDOWS\system32\cryptsvc.dll
2007-04-04 19:44 51,200 --a------ C:\WINDOWS\system32\narrator.exe
2007-04-04 19:44 238,080 --a------ C:\WINDOWS\system32\newdev.dll
2007-04-04 19:44 212,480 --a------ C:\WINDOWS\system32\osk.exe
2007-04-04 19:44 179,200 --a------ C:\WINDOWS\system32\accwiz.exe
2007-04-04 19:09 831,519 --a------ C:\WINDOWS\system32\mswdat10.dll
2007-04-04 19:09 614,431 --a------ C:\WINDOWS\system32\mswstr10.dll
2007-04-04 19:09 552,989 --a------ C:\WINDOWS\system32\msrepl40.dll
2007-04-04 19:09 53,279 --a------ C:\WINDOWS\system32\msjter40.dll
2007-04-04 19:09 512,029 --a------ C:\WINDOWS\system32\msexch40.dll
2007-04-04 19:09 421,919 --a------ C:\WINDOWS\system32\msrd2x40.dll
2007-04-04 19:09 380,957 --a------ C:\WINDOWS\system32\expsrv.dll
2007-04-04 19:09 358,976 --a------ C:\WINDOWS\system32\msjetoledb40.dll
2007-04-04 19:09 348,189 --a------ C:\WINDOWS\system32\msxbde40.dll
2007-04-04 19:09 348,189 --a------ C:\WINDOWS\system32\mspbde40.dll
2007-04-04 19:09 319,517 --a------ C:\WINDOWS\system32\msexcl40.dll
2007-04-04 19:09 315,423 --a------ C:\WINDOWS\system32\msrd3x40.dll
2007-04-04 19:09 30,749 --a------ C:\WINDOWS\system32\vbajet32.dll
2007-04-04 19:09 258,077 --a------ C:\WINDOWS\system32\mstext40.dll
2007-04-04 19:09 241,693 --a------ C:\WINDOWS\system32\msjtes40.dll
2007-04-04 19:09 213,023 --a------ C:\WINDOWS\system32\msltus40.dll
2007-04-04 19:09 151,583 --a------ C:\WINDOWS\system32\msjint40.dll
2007-04-04 19:09 1,507,356 --a------ C:\WINDOWS\system32\msjet40.dll
2007-04-04 18:21 991,232 --a------ C:\WINDOWS\system32\esent.dll
2007-04-04 17:46 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-04-04 17:46 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-04-04 17:37 <DIR> d-------- C:\WINDOWS\Prefetch
2007-04-04 17:19 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-04-04 17:19 <DIR> d-------- C:\WINDOWS\ehome
2007-04-04 17:14 9,216 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-04-04 17:14 88,064 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2007-04-04 17:14 86,528 --a------ C:\WINDOWS\system32\wlnotify.dll
2007-04-04 17:14 86,016 --a------ C:\WINDOWS\system32\xactsrv.dll
2007-04-04 17:14 81,920 --a------ C:\WINDOWS\system32\trkwks.dll
2007-04-04 17:14 77,824 --a------ C:\WINDOWS\system32\wmpstub.exe
2007-04-04 17:14 60,416 --a------ C:\WINDOWS\system32\wextract.exe
2007-04-04 17:14 51,200 --a------ C:\WINDOWS\system32\wmerrenu.dll
2007-04-04 17:14 48,640 --a------ C:\WINDOWS\system32\vdmredir.dll
2007-04-04 17:14 48,128 --a------ C:\WINDOWS\system32\winsta.dll
2007-04-04 17:14 479,261 --a------ C:\WINDOWS\system32\vbscript.dll
2007-04-04 17:14 47,616 --a------ C:\WINDOWS\system32\utilman.exe
2007-04-04 17:14 446,464 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2007-04-04 17:14 409,088 --a------ C:\WINDOWS\system32\vssapi.dll
2007-04-04 17:14 40,960 --a------ C:\WINDOWS\system32\tscupgrd.exe
2007-04-04 17:14 38,912 --a------ C:\WINDOWS\system32\wsnmp32.dll
2007-04-04 17:14 339,456 --a------ C:\WINDOWS\system32\usp10.dll
2007-04-04 17:14 32,256 --a------ C:\WINDOWS\system32\umandlg.dll
2007-04-04 17:14 311,327 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-04-04 17:14 296,448 --a------ C:\WINDOWS\system32\wmstream.dll
2007-04-04 17:14 266,752 --a------ C:\WINDOWS\winhlp32.exe
2007-04-04 17:14 231,424 --a------ C:\WINDOWS\system32\upnpui.dll
2007-04-04 17:14 22,016 --a------ C:\WINDOWS\system32\udhisapi.dll
2007-04-04 17:14 203,264 --a------ C:\WINDOWS\system32\uxtheme.dll
2007-04-04 17:14 172,664 --a------ C:\WINDOWS\system32\xenroll.dll
2007-04-04 17:14 171,520 --a------ C:\WINDOWS\system32\winmm.dll
2007-04-04 17:14 171,008 --a------ C:\WINDOWS\system32\sccsccp.dll
2007-04-04 17:14 17,408 --a------ C:\WINDOWS\system32\wtsapi32.dll
2007-04-04 17:14 168,448 --a------ C:\WINDOWS\system32\wldap32.dll
2007-04-04 17:14 165,376 --a------ C:\WINDOWS\system32\w32time.dll
2007-04-04 17:14 164,864 --a------ C:\WINDOWS\system32\upnphost.dll
2007-04-04 17:14 16,384 --a------ C:\WINDOWS\system32\watchdog.sys
2007-04-04 17:14 16,384 --a------ C:\WINDOWS\system32\ups.exe
2007-04-04 17:14 124,928 --a------ C:\WINDOWS\system32\webvw.dll
2007-04-04 17:14 120,320 --a------ C:\WINDOWS\system32\upnp.dll
2007-04-04 17:14 119,808 --a------ C:\WINDOWS\system32\wiadss.dll
2007-04-04 17:14 118,784 --a------ C:\WINDOWS\system32\wmsdmoe.dll
2007-04-04 17:13 98,304 --a------ C:\WINDOWS\system32\oleprn.dll
2007-04-04 17:13 95,744 --a------ C:\WINDOWS\system32\nlhtml.dll
2007-04-04 17:13 91,136 --a------ C:\WINDOWS\system32\rastls.dll
2007-04-04 17:13 91,136 --a------ C:\WINDOWS\system32\MSOERT2.DLL
2007-04-04 17:13 891,711 --------- C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-04-04 17:13 87,304 --a------ C:\WINDOWS\system32\rdpdd.dll
2007-04-04 17:13 857,600 --a------ C:\WINDOWS\system32\netplwiz.dll
2007-04-04 17:13 82,944 --a------ C:\WINDOWS\system32\smlogsvc.exe
2007-04-04 17:13 82,944 --a------ C:\WINDOWS\system32\psbase.dll
2007-04-04 17:13 8,192 --a------ C:\WINDOWS\system32\scrnsave.scr
2007-04-04 17:13 75,912 --a------ C:\WINDOWS\system32\rdpwsx.dll
2007-04-04 17:13 74,240 --a------ C:\WINDOWS\system32\rtcshare.exe
2007-04-04 17:13 72,192 --a------ C:\WINDOWS\system32\telnet.exe
2007-04-04 17:13 71,168 --a------ C:\WINDOWS\system32\storprop.dll
2007-04-04 17:13 71,168 --a------ C:\WINDOWS\system32\sdbinst.exe
2007-04-04 17:13 699,392 --a------ C:\WINDOWS\system32\msxml2.dll
2007-04-04 17:13 686,080 --------- C:\WINDOWS\system32\opengl32.dll
2007-04-04 17:13 667,648 --a------ C:\WINDOWS\system32\ss3dfo.scr
2007-04-04 17:13 66,560 --a------ C:\WINDOWS\system32\spoolss.dll
2007-04-04 17:13 66,048 --a------ C:\WINDOWS\system32\sigverif.exe
2007-04-04 17:13 638,976 --a------ C:\WINDOWS\system32\sstext3d.scr
2007-04-04 17:13 63,663 --------- C:\WINDOWS\system32\drivers\atinrvxx.sys
2007-04-04 17:13 63,488 --a------ C:\WINDOWS\system32\srclient.dll
2007-04-04 17:13 62,976 --a------ C:\WINDOWS\system32\shgina.dll
2007-04-04 17:13 61,952 --a------ C:\WINDOWS\system32\sti.dll
2007-04-04 17:13 61,440 --a------ C:\WINDOWS\system32\odbccu32.dll
2007-04-04 17:13 61,440 --a------ C:\WINDOWS\system32\odbccr32.dll
2007-04-04 17:13 60,416 --a------ C:\WINDOWS\system32\shimeng.dll
2007-04-04 17:13 6,912 --------- C:\WINDOWS\system32\drivers\hidir.sys
2007-04-04 17:13 6,144 --a------ C:\WINDOWS\system32\sensapi.dll
2007-04-04 17:13 598,016 --a------ C:\WINDOWS\system32\mstscax.dll
2007-04-04 17:13 584,192 --a------ C:\WINDOWS\system32\netcfgx.dll
2007-04-04 17:13 58,880 --a------ C:\WINDOWS\system32\pautoenr.dll
2007-04-04 17:13 57,856 --a------ C:\WINDOWS\system32\raschap.dll
2007-04-04 17:13 569,344 --a------ C:\WINDOWS\system32\sspipes.scr
2007-04-04 17:13 56,591 --------- C:\WINDOWS\system32\drivers\atinbtxx.sys
2007-04-04 17:13 56,320 --a------ C:\WINDOWS\system32\remotepg.dll
2007-04-04 17:13 56,320 --a------ C:\WINDOWS\system32\mshtmler.dll
2007-04-04 17:13 534,016 --a------ C:\WINDOWS\system32\spider.exe
2007-04-04 17:13 53,248 --a------ C:\WINDOWS\system32\packager.exe
2007-04-04 17:13 53,248 --a------ C:\WINDOWS\system32\odbcconf.exe
2007-04-04 17:13 52,224 --a------ C:\WINDOWS\system32\secur32.dll
2007-04-04 17:13 5,504 --------- C:\WINDOWS\system32\drivers\smbali.sys
2007-04-04 17:13 49,152 --a------ C:\WINDOWS\system32\npptools.dll
2007-04-04 17:13 48,128 --a------ C:\WINDOWS\system32\reg.exe
2007-04-04 17:13 44,032 --a------ C:\WINDOWS\system32\regapi.dll
2007-04-04 17:13 44,032 --a------ C:\WINDOWS\system32\rdpclip.exe
2007-04-04 17:13 43,008 --a------ C:\WINDOWS\system32\ssdpsrv.dll
2007-04-04 17:13 420,864 --a------ C:\WINDOWS\system32\shimgvw.dll
2007-04-04 17:13 42,496 --a------ C:\WINDOWS\system32\ncobjapi.dll
2007-04-04 17:13 403,456 --------- C:\WINDOWS\system32\winbrand.dll
2007-04-04 17:13 401,462 --a------ C:\WINDOWS\system32\msvcp60.dll
2007-04-04 17:13 4,608 --a------ C:\WINDOWS\system32\msimg32.dll
2007-04-04 17:13 399,360 --a------ C:\WINDOWS\system32\netlogon.dll
2007-04-04 17:13 392,704 --a------ C:\WINDOWS\system32\ntmssvc.dll
2007-04-04 17:13 39,424 --a------ C:\WINDOWS\system32\net.exe
2007-04-04 17:13 388,608 --a------ C:\WINDOWS\system32\mstsc.exe
2007-04-04 17:13 384,000 --a------ C:\WINDOWS\system32\themeui.dll
2007-04-04 17:13 38,400 --a------ C:\WINDOWS\system32\ntmsapi.dll
2007-04-04 17:13 38,400 --a------ C:\WINDOWS\system32\ntlanman.dll
2007-04-04 17:13 377,984 --------- C:\WINDOWS\system32\ati2dvaa.dll
2007-04-04 17:13 368,710 --a------ C:\WINDOWS\system32\msisam11.dll
2007-04-04 17:13 364,544 --a------ C:\WINDOWS\system32\ssflwbox.scr
2007-04-04 17:13 36,463 --------- C:\WINDOWS\system32\drivers\atintuxx.sys
2007-04-04 17:13 36,352 --a------ C:\WINDOWS\system32\sens.dll
2007-04-04 17:13 34,735 --------- C:\WINDOWS\system32\drivers\atinxsxx.sys
2007-04-04 17:13 34,304 --a------ C:\WINDOWS\system32\rcimlby.exe
2007-04-04 17:13 339,968 --a------ C:\WINDOWS\system32\mspaint.exe
2007-04-04 17:13 334,848 --a------ C:\WINDOWS\system32\smlogcfg.dll
2007-04-04 17:13 327,040 --------- C:\WINDOWS\system32\drivers\ati2mtaa.sys
2007-04-04 17:13 326,656 --a------ C:\WINDOWS\system32\netsetup.exe
2007-04-04 17:13 323,072 --a------ C:\WINDOWS\system32\msvcrt.dll
2007-04-04 17:13 32,768 --a------ C:\WINDOWS\system32\odbcad32.exe
2007-04-04 17:13 319,760 --a------ C:\WINDOWS\system32\msnsspc.dll
2007-04-04 17:13 31,744 --a------ C:\WINDOWS\system32\pid.dll
2007-04-04 17:13 30,671 --------- C:\WINDOWS\system32\drivers\atinraxx.sys
2007-04-04 17:13 3,584 --------- C:\WINDOWS\system32\dsprpres.dll
2007-04-04 17:13 3,494,303 --------- C:\WINDOWS\system32\nv4_disp.dll
2007-04-04 17:13 3,338 --a------ C:\WINDOWS\system32\redir.exe
2007-04-04 17:13 297,984 --a------ C:\WINDOWS\system32\scesrv.dll
2007-04-04 17:13 29,696 --a------ C:\WINDOWS\system32\snmp.exe
2007-04-04 17:13 29,455 --------- C:\WINDOWS\system32\drivers\atinxbxx.sys
2007-04-04 17:13 27,136 --a------ C:\WINDOWS\system32\ssdpapi.dll
2007-04-04 17:13 26,367 --------- C:\WINDOWS\system32\drivers\atinsnxx.sys
2007-04-04 17:13 254,976 --a------ C:\WINDOWS\system32\pdh.dll
2007-04-04 17:13 251,904 --a------ C:\WINDOWS\system32\strmdll.dll
2007-04-04 17:13 25,216 --------- C:\WINDOWS\system32\drivers\usbehci.sys
2007-04-04 17:13 241,725 --a------ C:\WINDOWS\system32\msuni11.dll
2007-04-04 17:13 24,576 --a------ C:\WINDOWS\system32\nmmkcert.dll
2007-04-04 17:13 24,064 --a------ C:\WINDOWS\system32\skeys.exe
2007-04-04 17:13 230,400 --a------ C:\WINDOWS\system32\msieftp.dll
2007-04-04 17:13 229,376 --a------ C:\WINDOWS\system32\MSOEACCT.DLL
2007-04-04 17:13 22,528 --a------ C:\WINDOWS\system32\slayerxp.dll
2007-04-04 17:13 22,528 --a------ C:\WINDOWS\system32\shfolder.dll
2007-04-04 17:13 22,528 --a------ C:\WINDOWS\system32\mslbui.dll
2007-04-04 17:13 21,343 --------- C:\WINDOWS\system32\drivers\atinttxx.sys
2007-04-04 17:13 200,192 --a------ C:\WINDOWS\system32\termsrv.dll
2007-04-04 17:13 20,992 --a------ C:\WINDOWS\system32\setup.exe
2007-04-04 17:13 193,536 --a------ C:\WINDOWS\system32\rasppp.dll
2007-04-04 17:13 19,456 --a------ C:\WINDOWS\system32\ssmarque.scr
2007-04-04 17:13 187,904 --------- C:\WINDOWS\system32\xpsp1res.dll
2007-04-04 17:13 182,784 --a------ C:\WINDOWS\system32\msutb.dll
2007-04-04 17:13 18,944 --a------ C:\WINDOWS\system32\ssbezier.scr
2007-04-04 17:13 18,944 --------- C:\WINDOWS\system32\faxpatch.exe
2007-04-04 17:13 174,592 --a------ C:\WINDOWS\system32\scecli.dll
2007-04-04 17:13 172,032 --------- C:\WINDOWS\system32\mssap.dll
2007-04-04 17:13 17,408 --a------ C:\WINDOWS\system32\ssmyst.scr
2007-04-04 17:13 17,408 --a------ C:\WINDOWS\system32\psapi.dll
2007-04-04 17:13 165,888 --a------ C:\WINDOWS\system32\ntmsdba.dll
2007-04-04 17:13 165,376 --a------ C:\WINDOWS\system32\tapi32.dll
2007-04-04 17:13 16,896 --a------ C:\WINDOWS\system32\snmpapi.dll
2007-04-04 17:13 16,384 --a------ C:\WINDOWS\system32\ping.exe
2007-04-04 17:13 16,384 --a------ C:\WINDOWS\system32\odbc32gt.dll
2007-04-04 17:13 158,720 --a------ C:\WINDOWS\system32\srsvc.dll

Continued next post.

Gcarp
2007-04-06, 03:03
2007-04-04 17:13 147,456 --a------ C:\WINDOWS\system32\odbctrac.dll
2007-04-04 17:13 143,872 --a------ C:\WINDOWS\system32\msimtf.dll
2007-04-04 17:13 14,848 --a------ C:\WINDOWS\system32\rdpsnd.dll
2007-04-04 17:13 137,216 --a------ C:\WINDOWS\system32\ntshrui.dll
2007-04-04 17:13 135,680 --a------ C:\WINDOWS\system32\rdchost.dll
2007-04-04 17:13 134,144 --a------ C:\WINDOWS\regedit.exe
2007-04-04 17:13 133,632 --a------ C:\WINDOWS\system32\rsaenh.dll
2007-04-04 17:13 133,120 --a------ C:\WINDOWS\system32\sfc_os.dll
2007-04-04 17:13 131,072 --a------ C:\WINDOWS\system32\msorcl32.dll
2007-04-04 17:13 130,560 --a------ C:\WINDOWS\system32\sti_ci.dll
2007-04-04 17:13 13,824 --a------ C:\WINDOWS\system32\rassapi.dll
2007-04-04 17:13 13,312 --a------ C:\WINDOWS\system32\ssstars.scr
2007-04-04 17:13 13,056 --------- C:\WINDOWS\system32\drivers\wacompen.sys
2007-04-04 17:13 128,512 --a------ C:\WINDOWS\system32\taskmgr.exe
2007-04-04 17:13 122,880 --a------ C:\WINDOWS\system32\odbcconf.dll
2007-04-04 17:13 12,800 --a------ C:\WINDOWS\system32\runonce.exe
2007-04-04 17:13 12,288 --a------ C:\WINDOWS\system32\rdsaddin.exe
2007-04-04 17:13 12,288 --a------ C:\WINDOWS\system32\odbcp32r.dll
2007-04-04 17:13 12,047 --------- C:\WINDOWS\system32\drivers\atinpdxx.sys
2007-04-04 17:13 117,760 --a------ C:\WINDOWS\system32\stobject.dll
2007-04-04 17:13 115,200 --a------ C:\WINDOWS\system32\net1.exe
2007-04-04 17:13 113,664 --a------ C:\WINDOWS\system32\msvfw32.dll
2007-04-04 17:13 112,128 --a------ C:\WINDOWS\system32\ntmarta.dll
2007-04-04 17:13 110,080 --------- C:\WINDOWS\system32\sbeio.dll
2007-04-04 17:13 11,904 --------- C:\WINDOWS\system32\drivers\mutohpen.sys
2007-04-04 17:13 11,776 --a------ C:\WINDOWS\system32\sigtab.dll
2007-04-04 17:13 11,615 --------- C:\WINDOWS\system32\drivers\atinmdxx.sys
2007-04-04 17:13 109,568 --a------ C:\WINDOWS\system32\offfilt.dll
2007-04-04 17:13 10,752 --a------ C:\WINDOWS\system32\tracert.exe
2007-04-04 17:13 10,240 --a------ C:\WINDOWS\system32\msrle32.dll
2007-04-04 17:13 1,677,312 --------- C:\WINDOWS\system32\wmvcore2.dll
2007-04-04 17:13 1,350,144 --a------ C:\WINDOWS\system32\query.dll
2007-04-04 17:13 1,157,632 --a------ C:\WINDOWS\system32\sfcfiles.dll
2007-04-04 17:12 98,816 --a------ C:\WINDOWS\system32\clipbrd.exe
2007-04-04 17:12 9,216 --a------ C:\WINDOWS\system32\icaapi.dll
2007-04-04 17:12 9,216 --a------ C:\WINDOWS\system32\dumprep.exe
2007-04-04 17:12 802,304 --a------ C:\WINDOWS\system32\dxmrtp.dll
2007-04-04 17:12 8,832 --a------ C:\WINDOWS\system32\framebuf.dll
2007-04-04 17:12 8,192 --a------ C:\WINDOWS\system32\autolfn.exe
2007-04-04 17:12 78,336 --a------ C:\WINDOWS\system32\irmon.dll
2007-04-04 17:12 76,288 --a------ C:\WINDOWS\system32\dfrgfat.exe
2007-04-04 17:12 76,288 --a------ C:\WINDOWS\system32\avifil32.dll
2007-04-04 17:12 74,810 --a------ C:\WINDOWS\system32\atl.dll
2007-04-04 17:12 73,728 --a------ C:\WINDOWS\system32\ils.dll
2007-04-04 17:12 71,680 --a------ C:\WINDOWS\system32\browsewm.dll
2007-04-04 17:12 70,656 --a------ C:\WINDOWS\system32\defrag.exe
2007-04-04 17:12 70,144 --a------ C:\WINDOWS\system32\cryptdlg.dll
2007-04-04 17:12 7,040 --a------ C:\WINDOWS\system32\kd1394.dll
2007-04-04 17:12 68,608 --a------ C:\WINDOWS\system32\mscms.dll
2007-04-04 17:12 67,584 --a------ C:\WINDOWS\system32\msctfp.dll
2007-04-04 17:12 65,536 --a------ C:\WINDOWS\system32\msconf.dll
2007-04-04 17:12 64,512 --a------ C:\WINDOWS\system32\ciodm.dll
2007-04-04 17:12 62,976 --a------ C:\WINDOWS\system32\browselc.dll
2007-04-04 17:12 6,656 --a------ C:\WINDOWS\system32\batt.dll
2007-04-04 17:12 596,480 --a------ C:\WINDOWS\system32\INETCOMM.DLL
2007-04-04 17:12 59,904 --a------ C:\WINDOWS\system32\cabinet.dll
2007-04-04 17:12 59,392 --a------ C:\WINDOWS\system32\iesetup.dll
2007-04-04 17:12 57,856 --a------ C:\WINDOWS\system32\licwmi.dll
2007-04-04 17:12 55,296 --a------ C:\WINDOWS\system32\digest.dll
2007-04-04 17:12 54,272 --a------ C:\WINDOWS\system32\clusapi.dll
2007-04-04 17:12 51,712 --a------ C:\WINDOWS\system32\ipconfig.exe
2007-04-04 17:12 504,320 --a------ C:\WINDOWS\system32\logonui.exe
2007-04-04 17:12 498,205 --a------ C:\WINDOWS\system32\dxmasf.dll
2007-04-04 17:12 49,664 --a------ C:\WINDOWS\system32\ixsso.dll
2007-04-04 17:12 49,152 --a------ C:\WINDOWS\system32\eventlog.dll
2007-04-04 17:12 49,152 --a------ C:\WINDOWS\system32\browser.dll
2007-04-04 17:12 489,984 --a------ C:\WINDOWS\system32\dbghelp.dll
2007-04-04 17:12 45,568 --a------ C:\WINDOWS\system32\docprop2.dll
2007-04-04 17:12 41,472 --a------ C:\WINDOWS\system32\cmdl32.exe
2007-04-04 17:12 4,126 --a------ C:\WINDOWS\system32\msdxmlc.dll
2007-04-04 17:12 381,440 --a------ C:\WINDOWS\system32\lmrt.dll
2007-04-04 17:12 38,912 --a------ C:\WINDOWS\system32\audiosrv.dll
2007-04-04 17:12 36,922 --a------ C:\WINDOWS\system32\imeshare.dll
2007-04-04 17:12 35,328 --a------ C:\WINDOWS\system32\dfrgsnap.dll
2007-04-04 17:12 324,608 --a------ C:\WINDOWS\system32\cmdial32.dll
2007-04-04 17:12 32,768 --a------ C:\WINDOWS\system32\cfgbkend.dll
2007-04-04 17:12 32,256 --a------ C:\WINDOWS\system32\mnmdd.dll
2007-04-04 17:12 318,464 --a------ C:\WINDOWS\system32\ippromon.dll
2007-04-04 17:12 307,712 --a------ C:\WINDOWS\system32\cscui.dll
2007-04-04 17:12 30,208 --a------ C:\WINDOWS\system32\imgutil.dll
2007-04-04 17:12 28,672 --a------ C:\WINDOWS\system32\dbnmpntw.dll
2007-04-04 17:12 27,648 --a------ C:\WINDOWS\system32\pidgen.dll
2007-04-04 17:12 266,752 --a------ C:\WINDOWS\system32\msctf.dll
2007-04-04 17:12 263,680 --a------ C:\WINDOWS\system32\duser.dll
2007-04-04 17:12 263,168 --a------ C:\WINDOWS\system32\devmgr.dll
2007-04-04 17:12 25,600 --a------ C:\WINDOWS\system32\dfsshlex.dll
2007-04-04 17:12 240,640 --a------ C:\WINDOWS\system32\hnetcfg.dll
2007-04-04 17:12 24,576 --a------ C:\WINDOWS\system32\dbmsvinn.dll
2007-04-04 17:12 24,576 --a------ C:\WINDOWS\system32\dbmsrpcn.dll
2007-04-04 17:12 24,576 --a------ C:\WINDOWS\system32\conime.exe
2007-04-04 17:12 238,592 --a------ C:\WINDOWS\system32\compatui.dll
2007-04-04 17:12 237,056 --a------ C:\WINDOWS\system32\icm32.dll
2007-04-04 17:12 227,840 --a------ C:\WINDOWS\system32\dsquery.dll
2007-04-04 17:12 219,648 --a------ C:\WINDOWS\system32\logon.scr
2007-04-04 17:12 210,944 --a------ C:\WINDOWS\system32\moricons.dll
2007-04-04 17:12 20,480 --a------ C:\WINDOWS\system32\hidserv.dll
2007-04-04 17:12 20,480 --a------ C:\WINDOWS\system32\dbmsadsn.dll
2007-04-04 17:12 196,096 --a------ C:\WINDOWS\system32\mobsync.dll
2007-04-04 17:12 19,456 --a------ C:\WINDOWS\system32\licmgr10.dll
2007-04-04 17:12 19,456 --a------ C:\WINDOWS\system32\fontview.exe
2007-04-04 17:12 19,456 --a------ C:\WINDOWS\system32\ersvc.dll
2007-04-04 17:12 186,880 --a------ C:\WINDOWS\system32\certcli.dll
2007-04-04 17:12 178,688 --a------ C:\WINDOWS\system32\eudcedit.exe
2007-04-04 17:12 168,960 --a------ C:\WINDOWS\system32\dinput8.dll
2007-04-04 17:12 165,376 --a------ C:\WINDOWS\system32\els.dll
2007-04-04 17:12 163,840 --a------ C:\WINDOWS\system32\mindex.dll
2007-04-04 17:12 16,384 --a------ C:\WINDOWS\system32\ds32gt.dll
2007-04-04 17:12 158,720 --a------ C:\WINDOWS\system32\credui.dll
2007-04-04 17:12 151,552 --a------ C:\WINDOWS\system32\dinput.dll
2007-04-04 17:12 135,680 --a------ C:\WINDOWS\system32\dsprop.dll
2007-04-04 17:12 13,312 --a------ C:\WINDOWS\system32\ctfmon.exe
2007-04-04 17:12 124,928 --a------ C:\WINDOWS\system32\dssenh.dll
2007-04-04 17:12 123,904 --a------ C:\WINDOWS\system32\imapi.exe
2007-04-04 17:12 12,288 --a------ C:\WINDOWS\system32\mscpx32r.dll
2007-04-04 17:12 116,736 --a------ C:\WINDOWS\system32\mplay32.exe
2007-04-04 17:12 115,200 --a------ C:\WINDOWS\system32\dpcdll.dll
2007-04-04 17:12 114,176 --a------ C:\WINDOWS\system32\input.dll
2007-04-04 17:12 113,152 --a------ C:\WINDOWS\system32\idq.dll
2007-04-04 17:12 113,152 --a------ C:\WINDOWS\system32\dfrgui.dll
2007-04-04 17:12 103,936 --a------ C:\WINDOWS\system32\imm32.dll
2007-04-04 17:12 103,424 --a------ C:\WINDOWS\system32\dgnet.dll
2007-04-04 17:12 10,240 --a------ C:\WINDOWS\system32\localui.dll
2007-04-04 17:12 1,740 --a------ C:\WINDOWS\system32\dcache.bin
2007-04-04 17:12 1,128,960 --a------ C:\WINDOWS\system32\mmcndmgr.dll
2007-04-04 17:11 91,648 --a------ C:\WINDOWS\system32\ahui.exe
2007-04-04 17:11 62,464 --a------ C:\WINDOWS\system32\adsmsext.dll
2007-04-04 17:11 41,984 --a------ C:\WINDOWS\system32\alg.exe
2007-04-04 17:11 239,616 --a------ C:\WINDOWS\system32\adsnt.dll
2007-04-04 17:11 22,528 --a------ C:\WINDOWS\system32\at.exe
2007-04-04 17:11 162,816 --a------ C:\WINDOWS\system32\adsldp.dll
2007-04-04 17:11 14,366 --a------ C:\WINDOWS\system32\asfsipc.dll
2007-04-04 17:11 139,776 --a------ C:\WINDOWS\system32\adsldpc.dll
2007-04-04 17:11 115,712 --a------ C:\WINDOWS\system32\apphelp.dll
2007-04-04 17:09 42,537 --a------ C:\WINDOWS\system32\keyboard.sys
2007-04-04 17:09 169,984 --a------ C:\WINDOWS\system32\sccbase.dll
2007-04-03 17:30 119,822 --a------ C:\WINDOWS\system32\__c002423A.dat
2007-03-31 12:48 <DIR> d-------- C:\Program Files\Trend Micro
2007-03-31 08:43 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-03-27 17:47 118,798 --a------ C:\WINDOWS\system32\__c001550F.dat
2007-03-25 14:27 38,400 --a------ C:\WINDOWS\system32\grpconv.exe
2007-03-25 14:26 316,928 --a------ C:\WINDOWS\system32\zipfldr.dll
2007-03-25 14:24 30,720 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-03-25 14:22 260,096 --a------ C:\WINDOWS\system32\mstask.dll
2007-03-25 14:22 172,544 --a------ C:\WINDOWS\system32\schedsvc.dll
2007-03-25 14:22 10,752 --a------ C:\WINDOWS\system32\mstinit.exe
2007-03-25 14:22 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-03-25 14:13 32,256 --a------ C:\WINDOWS\system32\msgsvc.dll
2007-03-25 11:56 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-03-25 11:55 <DIR> d-------- C:\DOCUME~1\Betty\.housecall6.6
2007-03-25 11:54 <DIR> d-------- C:\WINDOWS\Sun
2007-03-25 11:54 <DIR> d-------- C:\DOCUME~1\Betty\APPLIC~1\Sun
2007-03-25 11:52 <DIR> d-------- C:\Program Files\Java
2007-03-25 11:49 <DIR> d-------- C:\Program Files\Common Files\Java
2007-03-25 09:19 118,798 --a------ C:\WINDOWS\system32\__c00B34CD.dat
2007-03-21 15:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-03-21 14:11 118,798 --a------ C:\WINDOWS\system32\__c00A2C2.dat
2007-03-18 09:31 24,192 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2007-03-17 14:25 0 --a------ C:\WINDOWS\YOURAPP.EXE
2007-03-17 14:25 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2007-03-17 14:25 0 --a------ C:\WINDOWS\ORUN32.EXE
2007-03-17 14:25 0 --a------ C:\WINDOWS\CPQDIAG.EXE
2007-03-17 14:16 <DIR> d-------- C:\WINDOWS\CAVTemp
2007-03-17 14:16 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-03-17 14:16 <DIR> d-------- C:\DOCUME~1\Betty\APPLIC~1\SUPERAntiSpyware.com
2007-03-17 14:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-03-17 13:54 <DIR> d-------- C:\DOCUME~1\Betty\APPLIC~1\Yahoo!
2007-03-17 08:57 118,798 --a------ C:\WINDOWS\system32\__c00A987E.dat
2007-03-15 18:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-03-15 17:59 74,864 --a------ C:\WINDOWS\system32\VetRedir.dll
2007-03-15 17:59 629,264 --a------ C:\WINDOWS\system32\drivers\VetEFile.sys
2007-03-15 17:59 26,787 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-03-15 17:59 21,031 --a------ C:\WINDOWS\system32\drivers\Vet-Filt.sys
2007-03-15 17:59 15,735 --a------ C:\WINDOWS\system32\drivers\VetFDDNT.sys
2007-03-15 17:59 15,478 --a------ C:\WINDOWS\system32\drivers\Vet-Rec.sys
2007-03-15 17:59 115,824 --a------ C:\WINDOWS\UnVet32.exe
2007-03-15 17:59 111,728 --a------ C:\WINDOWS\AVShlExt.dll
2007-03-15 17:59 108,592 --a------ C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-03-15 17:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CA
2007-03-15 17:58 95,344 --a------ C:\WINDOWS\system32\ISafeIf.dll
2007-03-15 17:58 89,088 --a------ C:\WINDOWS\system32\ATL71.DLL
2007-03-15 17:58 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2007-03-15 17:58 74,864 --a------ C:\WINDOWS\system32\iSafProd.dll
2007-03-15 17:58 65,536 --a------ C:\WINDOWS\system32\YCRWin32.dll
2007-03-15 17:58 243,824 --a------ C:\WINDOWS\unicows.dll
2007-03-15 17:58 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-03-15 17:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-03-14 19:55 <DIR> d-------- C:\Program Files\PlayLinc
2007-03-14 19:43 <DIR> d-------- C:\Program Files\SupportSoft
2007-03-14 18:51 3,474 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-14 18:49 1,310,720 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-03-14 18:49 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-03-14 18:49 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
2007-03-14 18:49 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Adobe
2007-03-11 11:16 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-03-10 19:10 <DIR> d-------- C:\DOCUME~1\Betty\APPLIC~1\Google
2007-03-10 19:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-03-05 19:47 9,546 --a------ C:\WINDOWS\system32\__c00B6700.dat
2007-03-05 19:47 9,546 --a------ C:\WINDOWS\system32\__c0047460.dat

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-05 20:29 9546 --a------ C:\WINDOWS\system32\__c0047460.dat
2007-04-04 17:56 -------- d-------- C:\Program Files\messenger
2007-04-04 17:19 -------- d-------- C:\Program Files\movie maker
2007-04-03 17:30 119822 --a------ C:\WINDOWS\system32\__c002423a.dat
2007-03-27 17:47 118798 --a------ C:\WINDOWS\system32\__c001550f.dat
2007-03-25 09:19 118798 --a------ C:\WINDOWS\system32\__c00b34cd.dat
2007-03-21 15:10 22852 --a------ C:\WINDOWS\compaq.reg
2007-03-21 14:11 118798 --a------ C:\WINDOWS\system32\__c00a2c2.dat
2007-03-17 15:34 -------- d-------- C:\Program Files\yahoo!
2007-03-17 14:25 -------- d-------- C:\Program Files\palm
2007-03-17 14:15 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-03-17 08:57 118798 --a------ C:\WINDOWS\system32\__c00a987e.dat
2007-03-14 19:52 -------- d-------- C:\Program Files\verizon
2007-03-11 10:13 -------- d--h----- C:\Program Files\installshield installation information
2007-03-11 10:13 -------- d-------- C:\Program Files\Common Files\installshield
2007-03-05 19:47 9546 --a------ C:\WINDOWS\system32\__c00b6700.dat
2007-03-04 16:41 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-03-04 14:42 -------- d-------- C:\Program Files\lavasoft
2007-03-04 14:42 -------- d-------- C:\DOCUME~1\Betty\APPLIC~1\lavasoft
2007-03-01 22:05 -------- d-------- C:\Program Files\lizardtech
2007-03-01 22:05 -------- d-------- C:\Program Files\Common Files\lizardtech shared
2007-02-14 19:45 -------- d-------- C:\Program Files\Common Files\supportsoft
2007-02-13 22:15 -------- d-------- C:\DOCUME~1\Betty\APPLIC~1\verizon
2007-02-13 22:14 -------- d-------- C:\Program Files\Common Files\motive
2007-02-13 21:20 -------- d-------- C:\Program Files\netzero
2007-02-13 21:19 4094 --a------ C:\WINDOWS\system32\rtcsses.dll
2007-02-10 11:59 -------- d-------- C:\Program Files\nzsearch
2007-02-10 11:54 180952 --a------ C:\DOCUME~1\Betty\APPLIC~1\shb.dat
2007-01-08 15:29 75512 --a------ C:\WINDOWS\zllsputility.exe
2007-01-08 15:29 1087216 --a------ C:\WINDOWS\system32\zpeng24.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"spc_w"="\"C:\\Program Files\\NZSearch\\nzspc.exe\" -w"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VerizonServicepoint.exe"="C:\\Program Files\\Verizon\\Servicepoint\\VerizonServicepoint.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"CAVRID"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVRID.exe\""
"CaAvTray"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVTray.exe\""
"Cpqset"="c:\\compaq\\cpqsetup\\cpqset.exe"
"AtiPTA"="atiptaxx.exe"
"ATIModeChange"="Ati2mdxx.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\Verizon\\SMARTB~1\\MotiveSB.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"eabconfg.cpl"="C:\\Program Files\\Compaq\\EAB\\EabServr.exe /Start"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"
"YOP"="C:\\PROGRA~1\\Yahoo!\\YOP\\yop.exe /autostart"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0047460
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00B6700

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-05 20:42:49
C:\ComboFix-quarantined-files.txt ... 07-04-05 20:42

Mr_JAk3
2007-04-06, 10:12
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip).
Unzip it to the desktop but do NOT run it yet.

==================

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O2 - BHO: (no name) - @A 3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - À@ 49E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O20 - Winlogon Notify: __c0047460 - C:\WINDOWS\System32\__c0047460.dat
O20 - Winlogon Notify: __c00B6700 - C:\WINDOWS\System32\__c00B6700.dat

Please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:


C:\WINDOWS\system32\__c002423A.dat
C:\WINDOWS\system32\__c001550F.dat
C:\WINDOWS\system32\__c00B34CD.dat
C:\WINDOWS\system32\__c00A2C2.dat
C:\WINDOWS\system32\__c00A987E.dat
C:\WINDOWS\system32\__c00B6700.dat
C:\WINDOWS\system32\__c0047460.dat

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Select "All Files".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log

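As an added example (not code from this thread, and not part of HijackThis or ComboFix), the script below applies the two checks the fix list above relies on: Winlogon Notify packages (the O20 lines in HijackThis, the winlogon\notify keys in the ComboFix "Reg Loading Points" section) that point at randomly named __c*.dat files in system32, and BHO registrations whose DLL is gone, shown as "(no file)". The sample log lines are constructed from entries posted in this thread; the name pattern and the verdict labels are assumptions made for the example.

```python
"""Triage helper for HijackThis-style autostart lines.

Added example, not code from this thread or from HijackThis/ComboFix.
It applies the two checks behind the fix list above:
  * O20 Winlogon Notify packages pointing at randomly named __c*.dat files
    in system32 (the ComboFix winlogon\\notify entries show the same thing)
  * O2 BHO registrations whose file is gone, "(no file)"
The name pattern and the verdict labels are assumptions for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

# HijackThis lines start with the item type, e.g. "O20 - Winlogon Notify: ..."
ITEM_RE = re.compile(r"^(?P<type>O\d+|R[0-3])\s+-\s+(?P<body>.*)$")

# Payload files in this thread are named __c + 6-8 hex digits + .dat in system32
# (assumed pattern, derived from the names posted above).
RANDOM_DAT_RE = re.compile(r"\\system32\\__c[0-9a-f]{6,8}\.dat$", re.IGNORECASE)

# Constructed sample: lines copied from the logs posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: __c0047460 - C:\WINDOWS\System32\__c0047460.dat
O20 - Winlogon Notify: __c00B6700 - C:\WINDOWS\System32\__c00B6700.dat
"""


def split_item(line: str) -> Optional[Tuple[str, str]]:
    """Return (item_type, body) for a HijackThis line, or None for other text."""
    m = ITEM_RE.match(line.strip())
    return (m.group("type"), m.group("body")) if m else None


def target_of(body: str) -> str:
    """The file path is the last ' - ' separated field of the line body."""
    return body.rsplit(" - ", 1)[-1].strip()


def triage_line(line: str) -> Optional[Dict[str, str]]:
    """Classify one line; returns None when the line raises no flag."""
    item = split_item(line)
    if item is None:
        return None
    item_type, body = item
    target = target_of(body)
    if item_type == "O20":
        # Winlogon Notify packages are loaded into winlogon.exe at logon, so
        # every one of them deserves a look; the random .dat names get the
        # same verdict the helper gave them in the fix list.
        if RANDOM_DAT_RE.search(target):
            return {"type": item_type, "target": target, "verdict": "remove",
                    "reason": "Winlogon Notify package with random __c*.dat name in system32"}
        return {"type": item_type, "target": target, "verdict": "review",
                "reason": "Winlogon Notify package; confirm it belongs to installed software"}
    if item_type == "O2" and target == "(no file)":
        return {"type": item_type, "target": target, "verdict": "remove",
                "reason": "BHO registration left behind after its DLL was deleted"}
    return None


def triage_log(text: str) -> List[Dict[str, str]]:
    """Run triage over a whole log and keep only the flagged lines."""
    flagged = []
    for line in text.splitlines():
        result = triage_line(line)
        if result is not None:
            flagged.append(result)
    return flagged


if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(f"{hit['verdict']:7} {hit['type']:4} {hit['target']}  [{hit['reason']}]")
```

Run against the sample, the script marks the orphaned BHO and the two __c*.dat Winlogon Notify packages for removal and leaves the SUPERAntiSpyware notify package as "review", which is the same split the fix list above makes. The O4 Run entries and R0/R1 Internet Explorer settings pass through unflagged; those still have to be read by hand.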
Gcarp
2007-04-07, 17:30
Mr Jak,

Having problems running AVG... :sad: :banghead: Hangs when trying to do system scan during memory/processes @ [120] VM_7FFE0000. This is related to process SMSS.EXE on the Analysis page. When I do Windows Task Manager, it shows that CSRSS.EXE is hogging the CPU. Have tried various ways to get around it but no joy. Date created and date modified in windows explorer for CSRSS.EXE shows as 8/18/2001; and SMSS.EXE Created 8/18/2001 modified 8/29/2002. How shall I proceed? I did run Registry scan and found nothing. BTW, only using Internet Explorer.

George

Mr_JAk3
2007-04-07, 20:24
Hmm, are you running AVG Anti-Spyware in safe mode?

:bigthumb:

Gcarp
2007-04-11, 03:05
Yes, tried it both in safe mode and in normal mode. Safe mode first. Also tried to run in diagnostic mode using msconfig. I also ran SFC/scanboot. That didn't do anything either.

When searching for info, I came across this...
http://support.microsoft.com/kb/555021

I am going to try to re-do the users on this computer, and if that doesn't work, I'll uninstall & re-install AVG. May take a few days. I'll get back when I'm done. Unless you have a better idea... I didn't want to leave you hanging.

George :sad: :red:

Mr_JAk3
2007-04-11, 21:00
Hello :)

Ok, let's try this:

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

Gcarp
2007-04-12, 01:48
Hello Mr Jak,
GMER rootkit as requested... I'm assuming you wanted it in safe mode.
George :bigthumb:

GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-04-11 19:33:32
Windows 5.1.2600 Service Pack 1


---- Kernel code sections - GMER 1.0.12 ----

.text ntdll.dll!NtClose 77F5B5C8 5 Bytes JMP 720342BA
.text ntdll.dll!NtCreateProcess 77F5B728 5 Bytes JMP 72034445
.text ntdll.dll!NtCreateProcessEx 77F5B738 5 Bytes JMP 72034329
.text ntdll.dll!NtCreateSection 77F5B758 5 Bytes JMP 720342D8

---- EOF - GMER 1.0.12 ----

Mr_JAk3
2007-04-12, 20:53
Ok, nothing there.

Please post a fresh HijackThis log and we'll see :bigthumb:

Gcarp
2007-04-12, 22:55
Mr Jak, :bigthumb:
As requested.
George

Logfile of HijackThis v1.99.1
Scan saved at 4:51:29 PM, on 4/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Real\Update_OB\rndal.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Documents and Settings\Betty\Desktop\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Advisor - {8EB0F793-55E3-400A-9A58-9493B5D1C04B} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - http://www2.verizon.net/micro/vol_toolbar/vzbb.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175720342404
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/download/files/win/expressview/webinstall/isetup.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Mr_JAk3
2007-04-13, 22:05
Hello :)

HijackThis log looks pretty good now...


Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan: Select My Computer

This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.


:bigthumb:

Gcarp
2007-04-14, 02:54
Mr Jak,
As requested...
George :rolleyes:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 13, 2007 8:50:53 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 13/04/2007
Kaspersky Anti-Virus database records: 297190
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 144337
Number of viruses found: 2
Number of infected objects: 17 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:34:29

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Desktop\Betty\My Documents\George\installers\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\Desktop\Betty\My Documents\George\installers\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\Desktop\Betty\My Documents\George\installers\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\Desktop\Betty\My Documents\George\installers\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Desktop\Welcome to Compaq Services.exe Infected: not-a-virus:Porn-Downloader.Win32.Generic skipped
C:\Documents and Settings\Betty\Application Data\Verizon\VSP\client_gateway.log Object is locked skipped
C:\Documents and Settings\Betty\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Betty\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Betty\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Betty\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Betty\Local Settings\History\History.IE5\MSHist012007041320070414\index.dat Object is locked skipped
C:\Documents and Settings\Betty\Local Settings\Temp\~DF2C53.tmp Object is locked skipped
C:\Documents and Settings\Betty\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Betty\My Documents\George\installers\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Betty\My Documents\George\installers\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Betty\My Documents\George\installers\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Betty\My Documents\George\installers\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Betty\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Betty\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\bettybackup\Betty\My Documents\George\installers\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\bettybackup\Betty\My Documents\George\installers\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\bettybackup\Betty\My Documents\George\installers\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\bettybackup\Betty\My Documents\George\installers\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Verizon\SmartBridge\AlertFilter.log Object is locked skipped
C:\Program Files\Verizon\SmartBridge\log\httpclient.log Object is locked skipped
C:\Program Files\Verizon\SmartBridge\SmartBridge.log Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\20070317202421.zip Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\20070317204518.zip Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\20070317204930.zip Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\20070317221659.zip Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\20070323214949.zip Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\20070323230551.zip Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\20070325152956.zip Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq31.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq32.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq33.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqdb.dat Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqsdb.dat Object is locked skipped
C:\RECYCLER\S-1-5-21-1532886375-2966927733-1597234714-1009\Dc124\installers\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\RECYCLER\S-1-5-21-1532886375-2966927733-1597234714-1009\Dc124\installers\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\RECYCLER\S-1-5-21-1532886375-2966927733-1597234714-1009\Dc124\installers\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\RECYCLER\S-1-5-21-1532886375-2966927733-1597234714-1009\Dc124\installers\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\WINDOWS\$NtUninstallKB824141$\kb824141.cat Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141_RTM$\sysmain.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141_RTM$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141_RTM$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndis.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\netshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\kb828035.cat Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035_RTM$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035_RTM$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\kb828741.cat Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB833987$\kb833987.cat Object is locked skipped
C:\WINDOWS\$NtUninstallKB833987$\sxs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB833987_RTM$\sxs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\kb835732.cat Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\browser.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\xpsp2res.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ329048$\reg00001 Object is locked skipped
C:\WINDOWS\$NtUninstallQ329390$\reg00001 Object is locked skipped
C:\WINDOWS\$NtUninstallQ329834$\reg00001 Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\CPQ44853040948.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{701ED810-BFD2-4EDD-BA5E-0A2B6DF2B03A}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_21c.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT06a3b.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT06a3e.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Mr_JAk3
2007-04-14, 21:27
Ok no real baddies there.

You're logged in with an administrator account? How's the computer running?
Please try again to run a scan with AVG, try in normal mode this time

:bigthumb:

Gcarp
2007-04-14, 23:11
Mr Jak,

:scratch: Same problem, same place...:scratch:

Did a re-install of AVG (including the update of the files). Tried regular boot, safe boot, and safe boot using the global admin account (even though this account is an admin account.) No joy. :sad:
Where do we go from here?

BTW, you have the patience of a saint... I can't thank you enough for your help.

George

Mr_JAk3
2007-04-15, 20:25
Hello :)

OK this is probably just some bug or a conflict with some other software as the system appears to be clean.

Just to be sure:

Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
C:\WINDOWS\system32\csrss.exe
Click on Send
Wait for the scan to end.

Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
C:\WINDOWS\System32\smss.exe
Click on Send
Wait for the scan to end.

Copy & Paste the scan results to here.

Gcarp
2007-04-16, 23:20
Here are the results of the scans for the two files.

STATUS: FINISHED
Complete scanning result of "csrss.exe", received in VirusTotal at 04.16.2007, 23:09:49 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.14.0 04.16.2007 no virus found
AntiVir 7.3.1.52 04.16.2007 no virus found
Authentium 4.93.8 04.14.2007 no virus found
Avast 4.7.936.0 04.13.2007 no virus found
AVG 7.5.0.447 04.16.2007 no virus found
BitDefender 7.2 04.16.2007 no virus found
CAT-QuickHeal 9.00 04.16.2007 no virus found
ClamAV devel-20070312 04.16.2007 no virus found
DrWeb 4.33 04.16.2007 no virus found
eSafe 7.0.15.0 04.16.2007 no virus found
eTrust-Vet 30.7.3572 04.16.2007 no virus found
Ewido 4.0 04.16.2007 no virus found
FileAdvisor 1 04.16.2007 No threat detected
Fortinet 2.85.0.0 04.16.2007 no virus found
F-Prot 4.3.2.48 04.16.2007 no virus found
F-Secure 6.70.13030.0 04.16.2007 no virus found
Ikarus T3.1.1.5 04.16.2007 no virus found
Kaspersky 4.0.2.24 04.16.2007 no virus found
McAfee 5010 04.16.2007 no virus found
Microsoft 1.2405 04.16.2007 no virus found
NOD32v2 2195 04.16.2007 no virus found
Norman 5.80.02 04.12.2007 no virus found
Panda 9.0.0.4 04.16.2007 no virus found
Prevx1 V2 04.16.2007 no virus found
Sophos 4.16.0 04.12.2007 no virus found
Sunbelt 2.2.907.0 04.07.2007 no virus found
Symantec 10 04.16.2007 no virus found
TheHacker 6.1.6.088 04.09.2007 no virus found
VBA32 3.11.3 04.16.2007 no virus found
VirusBuster 4.3.7:9 04.16.2007 no virus found
Webwasher-Gateway 6.0.1 04.16.2007 no virus found


Aditional Information
File size: 4096 bytes
MD5: b82cd0ad8b605f64ead6c46d70a2c993
SHA1: d35fe3415d73546bea7f1b84a8db53628881342a
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=b82cd0ad8b605f64ead6c46d70a2c993



STATUS: FINISHED
Complete scanning result of "smss.exe", received in VirusTotal at 04.16.2007, 23:02:30 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.14.0 04.16.2007 no virus found
AntiVir 7.3.1.52 04.16.2007 no virus found
Authentium 4.93.8 04.14.2007 no virus found
Avast 4.7.981.0 04.16.2007 no virus found
AVG 7.5.0.447 04.16.2007 no virus found
BitDefender 7.2 04.16.2007 no virus found
CAT-QuickHeal 9.00 04.16.2007 no virus found
ClamAV devel-20070312 04.16.2007 no virus found
DrWeb 4.33 04.16.2007 no virus found
eSafe 7.0.15.0 04.16.2007 no virus found
eTrust-Vet 30.7.3572 04.16.2007 no virus found
Ewido 4.0 04.16.2007 no virus found
FileAdvisor 1 04.16.2007 No threat detected
Fortinet 2.85.0.0 04.16.2007 no virus found
F-Prot 4.3.2.48 04.16.2007 no virus found
F-Secure 6.70.13030.0 04.16.2007 no virus found
Ikarus T3.1.1.5 04.16.2007 no virus found
Kaspersky 4.0.2.24 04.16.2007 no virus found
McAfee 5010 04.16.2007 no virus found
Microsoft 1.2405 04.16.2007 no virus found
NOD32v2 2195 04.16.2007 no virus found
Norman 5.80.02 04.14.2007 no virus found
Panda 9.0.0.4 04.16.2007 no virus found
Prevx1 V2 04.16.2007 no virus found
Sophos 4.16.0 04.12.2007 no virus found
Sunbelt 2.2.907.0 04.14.2007 no virus found
Symantec 10 04.16.2007 no virus found
TheHacker 6.1.6.095 04.15.2007 no virus found
VBA32 3.11.3 04.16.2007 no virus found
VirusBuster 4.3.7:9 04.16.2007 no virus found
Webwasher-Gateway 6.0.1 04.16.2007 no virus found


Aditional Information
File size: 45568 bytes
MD5: bddac60bdebbf51e71b2b65ebf80ed90
SHA1: a7dbd8bab152c3b8ec04d006c560f52274768824
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=bddac60bdebbf51e71b2b65ebf80ed90

BTW, yes it is running a bit better. Not as good as I hoped, but if we can clear up the malware, I can do the rest.

George :rolleyes:
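The VirusTotal reports George pasted are plain text with one engine per line, and the useful checks on them are mechanical: did any engine flag the file, which engines were scanning with stale signatures (Sunbelt's 04.07.2007 update in the csrss.exe report is nine days behind the 04.16 scan, so its "no virus found" carries less weight), and do the MD5/SHA1 in the report match the file you actually have on disk. This is an added example, not something from the thread or from VirusTotal; the report text and the sample bytes are constructed, and the Kaspersky detection label in it is invented so the counting logic has something to count.

```python
import hashlib
import re
from datetime import datetime

# Constructed stand-in for the scanned file (not a real executable; only its
# hashes matter for the check below).
SAMPLE_BYTES = b"MZ\x90\x00 constructed sample, not a real program"

# Constructed report in the text layout VirusTotal used in 2007: one engine
# per line as "engine version signature-date result".  The engine list is
# shortened and the Kaspersky detection label is invented.
SAMPLE_REPORT = f"""\
STATUS: FINISHED
Complete scanning result of "sample.exe", received in VirusTotal at 04.16.2007, 23:09:49 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.14.0 04.16.2007 no virus found
CAT-QuickHeal 9.00 04.16.2007 no virus found
FileAdvisor 1 04.16.2007 No threat detected
Kaspersky 4.0.2.24 04.16.2007 Constructed.Detection.Label
Sunbelt 2.2.907.0 04.07.2007 no virus found
Webwasher-Gateway 6.0.1 04.16.2007 no virus found

Aditional Information
File size: {len(SAMPLE_BYTES)} bytes
MD5: {hashlib.md5(SAMPLE_BYTES).hexdigest()}
SHA1: {hashlib.sha1(SAMPLE_BYTES).hexdigest()}
"""

# engine  version  MM.DD.YYYY  result-text (result may contain spaces)
ENGINE_LINE = re.compile(r"^(\S+) (\S+) (\d{2}\.\d{2}\.\d{4}) (.+)$")
RECEIVED_AT = re.compile(r"received in VirusTotal at (\d{2}\.\d{2}\.\d{4})")
DATE_FMT = "%m.%d.%Y"
CLEAN_RESULTS = {"no virus found", "no threat detected"}
META_KEYS = ("STATUS", "File size", "MD5", "SHA1")


def parse_report(text):
    """Split a report into per-engine rows and the trailing metadata."""
    rows, meta = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ENGINE_LINE.match(line)
        if m:
            rows.append({"engine": m.group(1), "version": m.group(2),
                         "update": m.group(3), "result": m.group(4)})
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip() in META_KEYS:
            meta[key.strip()] = value.strip()
    return rows, meta


def scan_date(text):
    """Date the sample was received, as written in the report header."""
    m = RECEIVED_AT.search(text)
    return m.group(1) if m else None


def detections(rows):
    """Rows whose result is anything other than a clean verdict."""
    return [r for r in rows if r["result"].lower() not in CLEAN_RESULTS]


def stale_engines(rows, received, max_age_days=3):
    """Engines whose signature date lags the scan date by more than max_age_days."""
    scan = datetime.strptime(received, DATE_FMT)
    return [r["engine"] for r in rows
            if (scan - datetime.strptime(r["update"], DATE_FMT)).days > max_age_days]


def hashes_match(data, meta):
    """True when the local file's MD5 and SHA1 equal the ones in the report."""
    return (hashlib.md5(data).hexdigest() == meta.get("MD5", "").lower()
            and hashlib.sha1(data).hexdigest() == meta.get("SHA1", "").lower())


def summarize(text, data):
    rows, meta = parse_report(text)
    return {
        "engines": len(rows),
        "detections": [(r["engine"], r["result"]) for r in detections(rows)],
        "stale": stale_engines(rows, scan_date(text)),
        "hashes_match": hashes_match(data, meta),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT, SAMPLE_BYTES).items():
        print(f"{key}: {value}")
```

The hash comparison is the part worth keeping around: a multi-engine verdict only tells you about the bytes VirusTotal received, so confirming that the report's MD5/SHA1 equal those of the copy on disk ties the verdict to the right file.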

Mr_JAk3
2007-04-17, 20:42
Ok we'll see if this is able to complete the scan:

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

-> Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml
-> Doubleclick the drweb-cureit.exe file and Allow to run the express scan
-> This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
-> Once the short scan has finished, you should now mark the drives that you want to scan.
-> Select all drives. A red dot shows which drives have been chosen.
-> Click the green arrow at the right, and the scan will start.
-> Click 'Yes to all' if it asks if you want to cure/move the file.

-> When the scan has finished, see if you can click the icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
-> If so, click it and then click the next icon right below and select Move incurable
-> After the scan, in the menu, click file and choose save report list
-> Save the report to your desktop. The report will be called DrWeb.csv
-> Close Dr.Web Cureit.
-> Reboot the computer in Normal Mode,
-> Post the Cure-it report and a fresh HijackThis log

Gcarp
2007-04-20, 02:17
My apologies... I had to use another computer to get Dr.Web. For some reason I was being blocked on the problem computer. But as requested... the files.

George :bigthumb:

Dr.Web.csv

Process.exe;C:\Documents and Settings\Administrator\Desktop\Betty\My Documents\George\installers\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\Administrator\Desktop\Betty\My Documents\George\installers\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
Process.exe;C:\Documents and Settings\Betty\My Documents\George\installers\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\Betty\My Documents\George\installers\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
Process.exe;C:\Documents and Settings\bettybackup\Betty\My Documents\George\installers\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\bettybackup\Betty\My Documents\George\installers\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably DLOADER.Trojan;Incurable.Moved.;
Process.exe;C:\RECYCLER\S-1-5-21-1532886375-2966927733-1597234714-1009\Dc124\installers\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\RECYCLER\S-1-5-21-1532886375-2966927733-1597234714-1009\Dc124\installers\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
ycomp4,0,2,2.dll;C:\WINDOWS\Downloaded Program Files;Probably DLOADER.Trojan;Incurable.Moved.;

and HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 8:10:14 PM, on 4/19/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Betty\Desktop\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Advisor - {8EB0F793-55E3-400A-9A58-9493B5D1C04B} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - http://www2.verizon.net/micro/vol_toolbar/vzbb.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175720342404
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/download/files/win/expressview/webinstall/isetup.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
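The Dr.Web report above is a semicolon-separated CSV (file;directory;threat;action;), and a first triage pass over it can be automated: the Tool.* detections sitting inside the SmitfraudFix folder are components of a removal tool George ran himself, while the two "Probably DLOADER.Trojan" verdicts are heuristic and are the ones worth a second opinion. This is an added example, not part of the thread or of Dr.Web; the rows are taken from the report above with the profile paths shortened, and the classification rules and the KNOWN_TOOL_DIRS list are my own assumptions.

```python
import csv
import io
from collections import defaultdict

# Rows in the Dr.Web CureIt report layout (file;directory;threat;action;),
# taken from the report above with the user-profile paths shortened.
SAMPLE_CSV = r"""
Process.exe;C:\Documents and Settings\User\installers\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\User\installers\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably DLOADER.Trojan;Incurable.Moved.;
ycomp4,0,2,2.dll;C:\WINDOWS\Downloaded Program Files;Probably DLOADER.Trojan;Incurable.Moved.;
""".strip()

# Folders of removal tools the user ran on purpose (assumed list).  Tool.*
# detections inside them are expected components, not an infection.
KNOWN_TOOL_DIRS = ("smitfraudfix",)


def parse_drweb_csv(text):
    """Parse the report; the delimiter is ';' so a file name such as
    ycomp4,0,2,2.dll (commas included) stays a single field."""
    entries = []
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        if len(row) < 4:
            continue  # blank line or truncated row
        name, directory, threat, action = row[:4]
        entries.append({"name": name, "dir": directory,
                        "threat": threat, "action": action})
    return entries


def classify(entry):
    """Bucket a detection: expected tool component, heuristic verdict, or malware."""
    in_tool_dir = any(t in entry["dir"].lower() for t in KNOWN_TOOL_DIRS)
    if entry["threat"].startswith("Tool.") and in_tool_dir:
        return "expected-tool"
    if entry["threat"].startswith("Probably "):
        return "heuristic-review"
    return "malware"


def triage(text):
    """Map bucket name -> list of file names, in report order."""
    buckets = defaultdict(list)
    for entry in parse_drweb_csv(text):
        buckets[classify(entry)].append(entry["name"])
    return dict(buckets)


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_CSV).items():
        print(f"{bucket}: {', '.join(names)}")
```

A Tool.* verdict on a file outside a known tool folder deliberately stays in the "malware" bucket: the point of the allow-list is the location, not the label, since the same process-killer component could be dropped somewhere else by something other than the user.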

Mr_JAk3
2007-04-21, 21:14
Hello :)

OK DrWeb didn't find anything alarming. The AVG won't run...Any other issues at the moment?

:bigthumb:

Gcarp
2007-04-22, 02:25
No I don't think so... Haven't been hijacked for a while now. It just seems a little slow booting up. After looking at the HJT log, I think that is due to some stuff left behind by some uninstalls and some stuff installed by Compaq to "help" me.
George :D:

Mr_JAk3
2007-04-22, 20:10
Hi again, it is looking clean now :)

You have many unnecessary programs loading with Windows, this causes the slow startup. You may fix the following entries with Hijackthis if you want to make your computer run faster:

O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


You can remove the tools we used.

Then you should update your Java to the latest version (6u1):
Start
Control Panel
Add/Remove Programs
Delete the old Java, J2SE Runtime Environment 5.0 Update 3
Download the latest version of Java Runtime Environment (JRE) 6u1 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it


=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)
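
The O4 lines quoted earlier in this post are the autostart entries a helper reads first when a browser is being redirected. The script below is an added example, not code from the thread or from HijackThis: it parses O4 lines in exactly the two shapes shown above (registry Run entries and Startup-folder shortcuts), extracts the executable each one launches, and flags what a reviewer checks first: a bare file name with no directory (resolved via the search path at logon), a path under a user-writable location such as Temp or the profile, a file sitting in the drive root, and an unquoted path with spaces. The first five sample lines are copied from the log above; the last two O4 lines and the O3 line are constructed for the example, and the flag names and severity labels are this example's own, not HijackThis terminology.

```python
"""Triage of HijackThis "O4" autostart lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# "O4 - HKLM\..\Run: [name] command"
RUN_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# "O4 - Global Startup: name.lnk = target"
STARTUP_RE = re.compile(r"^O4 - (?P<where>.+?): (?P<name>.+?\.lnk) = (?P<cmd>.*)$")
# Unquoted command: the executable ends at the first known extension.
EXE_RE = re.compile(
    r"^(?P<exe>.+?\.(?:exe|com|cpl|scr|bat|cmd|pif|dll))(?:\s+(?P<args>.*))?$", re.I)

# Directories a normal user can write to on Windows XP; an autostart living
# there deserves a look because that is where droppers put themselves.
WRITABLE_HINTS = ("\\temp\\", "\\local settings\\", "\\application data\\",
                  "\\documents and settings\\", "\\recycler\\")


@dataclass
class Autostart:
    where: str
    name: str
    exe: str
    args: str
    flags: list

    def severity(self):
        """Severity labels are this example's own convention."""
        s = set(self.flags)
        if s & {"user_writable_location", "drive_root"}:
            return "high"
        if "no_directory" in s:
            return "medium"
        if s:
            return "low"
        return "none"


def split_command(cmd):
    """Return (exe, args, quoted) for a command string, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip(), True
    m = EXE_RE.match(cmd)
    if m:
        return m.group("exe"), (m.group("args") or "").strip(), False
    head, _, tail = cmd.partition(" ")   # no known extension: first token
    return head, tail.strip(), False


def parse_o4(line):
    """Parse one O4 line into an Autostart, or return None for other lines."""
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if not m:
        return None
    where, name = m.group("where"), m.group("name")
    exe, args, quoted = split_command(m.group("cmd"))
    low = exe.lower()
    flags = []
    if "\\" not in exe:
        # Bare file name: resolved through the search path at logon, so a
        # same-named file earlier in that path would run instead. Verify
        # which file actually resolves before trusting the entry.
        flags.append("no_directory")
    if where.startswith("HK") and " " in exe and not quoted:
        # CreateProcess tries "C:\Program.exe" before the real target when a
        # path with spaces is unquoted. Common on vendor entries; low severity.
        flags.append("unquoted_spaces")
    if any(h in low for h in WRITABLE_HINTS):
        flags.append("user_writable_location")
    if re.match(r"^[a-z]:\\[^\\]+$", low):
        flags.append("drive_root")
    return Autostart(where, name, exe, args, flags)


def triage(lines):
    """Parse every O4 line in a log and return the Autostart entries."""
    return [e for e in (parse_o4(l) for l in lines) if e is not None]


def flagged(entries):
    """Map entry name -> flags for entries that raised at least one flag."""
    return {e.name: e.flags for e in entries if e.flags}


# Sample log. The first five O4 lines are copied from the thread; the last
# two O4 lines and the O3 line are constructed for this example.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot",
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe",
    r"O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe",
    r'O4 - HKCU\..\Run: [Windows Service] "C:\Documents and Settings\user\Local Settings\Temp\svchost.exe"',  # constructed
    r"O4 - HKLM\..\Run: [sysupd] C:\sysupd.exe",  # constructed
    "O3 - Toolbar: not an O4 line, ignored",       # constructed
]

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.severity():6} {e.name:30} {e.exe}  {e.flags}")
```

Running it lists every O4 entry with its severity; the two constructed entries come out as high, the bare Ati2mdxx.exe as medium (check which file the search path resolves it to), and the unquoted vendor paths as low. A real hijacker entry with a plausible name but a Temp or profile path is exactly what the user_writable_location flag is meant to surface.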

Gcarp
2007-04-22, 20:36
Thank YOU Mr_JAk3,
There used to be a time when a simple AV program would take care of the problem. But today, as you know, that is not the case. You are truly one of the white hats of the internet world. :2thumb: :bow:

Thanks again,
George :bigthumb:

Mr_JAk3
2007-04-22, 20:45
You're very welcome - Thanks for the kind words :D:

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: