View Full Version : Virtumonde Infection Help Please
I have the nasty trojan and unsuccessfully removed it. I used Malwarebyte's Anti-malware and of course, Spybot. I thought they've removed them but my research shows that there's a lot of cleaning up to do.
A help on this will be highly appreciated. Thanks!
Here's my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:57 PM, on 10/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\igfxtray.exe
E:\WINDOWS\system32\hkcmd.exe
E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINDOWS\system32\rundll32.exe
E:\WINDOWS\system32\cxbmtpya.exe
E:\WINDOWS\system32\rundll32.exe
E:\Documents and Settings\User\Desktop\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://alifeinbloom.blogspot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [eabconfg.cpl] E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [WatchDog] E:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "E:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [4248531e] rundll32.exe "E:\WINDOWS\system32\nobiyjwl.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RegCom32] E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [Norton SystemWorks] "E:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Norton SystemWorks] "E:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: DVD Check.lnk = E:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = E:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://E:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: uimkbo.dll twyjee.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - E:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
--
End of file - 9142 bytes
Hello and Welcome to the forums!
My name is peku006 and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Please continue to respond until I give you the "All Clear"
If you follow these instructions, everything should go smoothly.
We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New HijackThis log.
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
Thank you so much for your prompt help. I will surely keep you posted.
And again, THANK YOU!
Unfortunately, the Windows XP CD needed is not with me nor there is a chance for me to get it from the friend from whom we bought this laptop. Just FYI. Can still we still find a solution to this?
Thanks, peku006.
Hi zu921
the Windows XP CD is not needed..........
If you have ComboFix present, please delete it from your computer
Please do the following...
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Hello peku006!
Here's my Combofix log:
ComboFix 08-10-19.04 - User 2008-10-20 20:27:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.544 [GMT 8:00]
Running from: E:\Documents and Settings\User\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-09-20 to 2008-10-20 )))))))))))))))))))))))))))))))
.
2008-10-19 20:50 . 2008-10-19 20:50 <DIR> d-------- E:\Program Files\Trend Micro
2008-10-18 22:55 . 2008-10-18 22:55 <DIR> d-------- E:\Program Files\Lavasoft
2008-10-18 22:55 . 2008-10-18 23:03 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-18 22:51 . 2008-10-18 22:51 <DIR> d-------- E:\Program Files\Common Files\Wise Installation Wizard
2008-10-18 21:54 . 2008-10-18 21:54 <DIR> d-------- E:\VundoFix Backups
2008-10-18 21:51 . 2008-10-18 21:51 <DIR> d-------- E:\Documents and Settings\User\Application Data\Malwarebytes
2008-10-18 21:50 . 2008-10-18 21:50 <DIR> d-------- E:\Program Files\Malwarebytes' Anti-Malware
2008-10-18 21:50 . 2008-10-18 21:50 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-18 21:50 . 2008-10-16 20:25 38,496 --a------ E:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-18 21:50 . 2008-10-16 20:25 15,504 --a------ E:\WINDOWS\system32\drivers\mbam.sys
2008-10-16 23:12 . 2008-10-19 16:55 208 --a------ E:\WINDOWS\wininit.ini
2008-10-16 20:44 . 2008-10-16 20:44 <DIR> d-------- E:\Documents and Settings\User\Application Data\ESET
2008-10-16 20:12 . 2008-10-16 20:12 262,144 --a------ E:\ntuser.dat
2008-10-15 18:51 . 2008-08-14 18:11 2,189,184 -----c--- E:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 18:51 . 2008-08-14 18:09 2,145,280 -----c--- E:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 18:51 . 2008-08-14 17:33 2,066,048 -----c--- E:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 18:51 . 2008-08-14 17:33 2,023,936 -----c--- E:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 18:46 . 2008-09-08 18:41 333,824 -----c--- E:\WINDOWS\system32\dllcache\srv.sys
2008-10-15 18:44 . 2008-09-15 20:12 1,846,400 -----c--- E:\WINDOWS\system32\dllcache\win32k.sys
2008-10-05 00:00 . 2008-10-05 00:00 <DIR> d-------- E:\Program Files\Alwil Software
2008-10-04 14:20 . 2008-10-04 14:20 <DIR> d-------- E:\Program Files\Common Files\Windows Live
2008-10-03 23:14 . 2008-10-03 23:14 <DIR> d-------- E:\Program Files\BUFFALO
2008-10-03 23:14 . 2007-05-18 16:04 15,872 --a------ E:\WINDOWS\system32\drivers\bfturboh.sys
2008-09-30 22:29 . 2008-09-30 22:29 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Fugazo
2008-09-30 22:28 . 2008-09-30 23:18 <DIR> d-------- E:\Program Files\Fashion Fits
2008-09-30 11:51 . 2008-09-30 20:23 <DIR> d-------- E:\Program Files\Believe In Santa
2008-09-30 11:37 . 2008-09-30 20:22 <DIR> d-------- E:\Program Files\Dr Daisy Pet Vet
2008-09-30 11:20 . 2008-09-30 11:35 <DIR> d-------- E:\Program Files\Happy Hour
2008-09-30 09:47 . 2008-09-30 09:47 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Gogii
2008-09-30 09:43 . 2008-09-30 22:35 <DIR> d-------- E:\Program Files\Babysitting Mania
2008-09-30 08:45 . 2008-09-30 08:45 <DIR> d-------- E:\Program Files\Farm Frenzy
2008-09-30 07:52 . 2008-09-30 07:53 <DIR> d-------- E:\Program Files\Daycare Nightmare
2008-09-30 07:27 . 2008-09-30 07:27 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-09-30 07:26 . 2008-09-30 20:22 <DIR> d-------- E:\Program Files\Cake Mania
2008-09-29 21:21 . 2008-09-29 21:21 4,096 --a------ E:\WINDOWS\d3dx.dat
2008-09-29 21:17 . 2008-09-30 07:51 <DIR> d-------- E:\Program Files\Sallys Salon
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-20 05:06 --------- d-----w E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-19 15:46 --------- d-----w E:\Documents and Settings\User\Application Data\AVG7
2008-10-18 23:36 --------- d-----w E:\Documents and Settings\User\Application Data\Yahoo!
2008-10-17 00:53 --------- d-----w E:\Documents and Settings\Guest\Application Data\AVG7
2008-10-17 00:52 --------- d-----w E:\Documents and Settings\Guest\Application Data\Yahoo!
2008-10-16 12:40 --------- d-----w E:\Program Files\ESET
2008-10-16 12:40 --------- d-----w E:\Documents and Settings\All Users\Application Data\ESET
2008-10-16 12:12 --------- d-----w E:\Documents and Settings\All Users\Application Data\yahoo!
2008-10-04 16:06 --------- d-----w E:\Program Files\Spybot - Search & Destroy
2008-09-30 03:38 --------- d-----w E:\Documents and Settings\All Users\Application Data\PlayFirst
2008-09-15 12:12 1,846,400 ----a-w E:\WINDOWS\system32\win32k.sys
2008-09-11 11:56 --------- d-----w E:\Documents and Settings\All Users\Application Data\Skype
2008-09-09 06:35 --------- d-----w E:\Documents and Settings\User\Application Data\DNA
2008-09-09 06:14 --------- d-----w E:\Program Files\Common Files\Teleca Shared
2008-09-08 23:18 --------- d-----w E:\Program Files\DNA
2008-09-08 10:41 333,824 ----a-w E:\WINDOWS\system32\drivers\srv.sys
2008-08-26 07:24 826,368 ----a-w E:\WINDOWS\system32\wininet.dll
2008-08-21 18:24 --------- d-----w E:\Program Files\UnzipThemAll
2008-08-14 10:11 2,189,184 ----a-w E:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w E:\WINDOWS\system32\ntkrnlpa.exe
2007-01-10 19:10 88 -csh--r E:\WINDOWS\system32\D2941CCD26.sys
2007-07-26 04:29 3,766 -csha-w E:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"YSearchProtection"="E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="E:\WINDOWS\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="E:\WINDOWS\system32\hkcmd.exe" [2005-01-23 126976]
"eabconfg.cpl"="E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-04 290816]
"WatchDog"="E:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-07-05 184320]
"NeroCheck"="E:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2006-03-28 155648]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SynTPLpr"="E:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="E:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"AVG7_CC"="E:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
"YSearchProtection"="E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"DiskeeperSystray"="E:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 221184]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="E:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-30 219136]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 E:\WINDOWS\system32\narrator.exe]
E:\Documents and Settings\User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-22 113664]
E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
DVD Check.lnk - E:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2006-01-24 184320]
Microtek Scanner Finder.lnk - E:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe [2006-04-08 335872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXOfeeB]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffCSji]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkKdbAQ]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=uimkbo.dll twyjee.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=E:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"E:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"E:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"E:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"E:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"E:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"E:\\Program Files\\DNA\\btdna.exe"=
"E:\\Program Files\\BitComet\\BitComet.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19251:TCP"= 19251:TCP:BitComet 19251 TCP
"19251:UDP"= 19251:UDP:BitComet 19251 UDP
S3 bfturboh;BUFFALO TurboUSB for HD Filter;E:\WINDOWS\system32\drivers\bfturboh.sys [2007-05-18 15872]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);E:\WINDOWS\system32\DRIVERS\SE2Ebus.sys [2006-11-10 61600]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;E:\WINDOWS\system32\DRIVERS\SE2Emdfl.sys [2006-11-10 9360]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;E:\WINDOWS\system32\DRIVERS\SE2Emdm.sys [2006-11-10 97184]
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);E:\WINDOWS\system32\DRIVERS\SE2Emgmt.sys [2006-11-10 88688]
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);E:\WINDOWS\system32\DRIVERS\se2End5.sys [2006-11-10 18704]
S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;E:\WINDOWS\system32\DRIVERS\SE2Eobex.sys [2006-11-10 86560]
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);E:\WINDOWS\system32\DRIVERS\se2Eunic.sys [2006-11-10 90800]
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -
BHO-{4B00B903-D83E-4EF9-AF02-7694EF4C21FE} - (no file)
BHO-{67DF6AEE-CC10-4973-82FE-3DE5A9D404BF} - (no file)
BHO-{E2FBCF45-5461-47FE-9438-F15F10571027} - (no file)
BHO-{F25255EB-A335-4016-9205-F34D77555ADB} - (no file)
BHO-{F4A33694-ED5C-4968-89F3-BF3EE11DFCC1} - (no file)
.
------- Supplementary Scan -------
.
FireFox -: Profile - E:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\h00quznt.Default User\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://alifeinbloom.blogspot.com/
FF -: plugin - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\browser\nppdf32.dll
FF -: plugin - E:\Program Files\DNA\plugins\npbtdna.dll
FF -: plugin - E:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - E:\Program Files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-20 20:29:30
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2008-10-20 20:33:00
ComboFix-quarantined-files.txt 2008-10-20 12:31:55
ComboFix2.txt 2008-10-20 12:13:31
Pre-Run: 14,653,415,424 bytes free
Post-Run: 14,641,049,600 bytes free
169 --- E O F --- 2008-10-15 13:09:04
Hi zu921
Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
Please reply with
a fresh HijackThis log
Thanks peku006
Hello peku006! I also removed my bitcomet, FYI. Here's my recent HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:24:29 AM, on 10/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\igfxtray.exe
E:\WINDOWS\system32\hkcmd.exe
E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
E:\WINDOWS\system32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://alifeinbloom.blogspot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
O2 - BHO: (no name) - {4B00B903-D83E-4EF9-AF02-7694EF4C21FE} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {67DF6AEE-CC10-4973-82FE-3DE5A9D404BF} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {E2FBCF45-5461-47FE-9438-F15F10571027} - (no file)
O2 - BHO: (no name) - {F25255EB-A335-4016-9205-F34D77555ADB} - (no file)
O2 - BHO: (no name) - {F4A33694-ED5C-4968-89F3-BF3EE11DFCC1} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [eabconfg.cpl] E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [WatchDog] E:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "E:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RegCom32] E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: DVD Check.lnk = E:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = E:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: uimkbo.dll twyjee.dll
O20 - Winlogon Notify: byXOfeeB - E:\WINDOWS\
O20 - Winlogon Notify: iiffCSji - E:\WINDOWS\
O20 - Winlogon Notify: jkkKdbAQ - E:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - E:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
--
End of file - 9323 bytes
Thank you so much!
Hi zu921
1 - Remove bad HijackThis entries
Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
O2 - BHO: (no name) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
O2 - BHO: (no name) - {4B00B903-D83E-4EF9-AF02-7694EF4C21FE} - (no file)
O2 - BHO: (no name) - {67DF6AEE-CC10-4973-82FE-3DE5A9D404BF} - (no file)
O2 - BHO: (no name) - {E2FBCF45-5461-47FE-9438-F15F10571027} - (no file)
O2 - BHO: (no name) - {F25255EB-A335-4016-9205-F34D77555ADB} - (no file)
O2 - BHO: (no name) - {F4A33694-ED5C-4968-89F3-BF3EE11DFCC1} - (no file)
O4 - HKCU\..\Run: [RegCom32] E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe
O20 - AppInit_DLLs: uimkbo.dll twyjee.dll
O20 - Winlogon Notify: byXOfeeB - E:\WINDOWS\
O20 - Winlogon Notify: iiffCSji - E:\WINDOWS\
O20 - Winlogon Notify: jkkKdbAQ - E:\WINDOWS\
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.
2 - Clean temp files
Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
if you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
if you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program
3 - Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to your desktop.
alternate download link 1 (http://malwarebytes.gt500.org/mbam-setup.exe)
alternate download link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here (http://www.malwarebytes.org/mbam/database/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
4 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
5 - Status Check
Please reply with
1. the Malwarebytes' Anti-Malware Log
2. a fresh HijackThis log
How is the computer running now?
Thanks peku006
Hello again, peku006! I hope you are doing well. :)
Here's my fresh mbam-log (found 5 vundo.trojan and were successfully deleted):
Malwarebytes' Anti-Malware 1.29
Database version: 1299
Windows 5.1.2600 Service Pack 3
10/21/2008 9:52:10 PM
mbam-log-2008-10-21 (21-52-10).txt
Scan type: Full Scan (C:\|E:\|)
Objects scanned: 114877
Time elapsed: 2 hour(s), 58 minute(s), 28 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
E:\System Volume Information\_restore{7607B9D7-28FA-47B3-8E30-66FE14C6741B}\RP308\A0081814.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{7607B9D7-28FA-47B3-8E30-66FE14C6741B}\RP308\A0081815.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{7607B9D7-28FA-47B3-8E30-66FE14C6741B}\RP308\A0081824.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{7607B9D7-28FA-47B3-8E30-66FE14C6741B}\RP308\A0081825.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{7607B9D7-28FA-47B3-8E30-66FE14C6741B}\RP308\A0081826.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
And here is my new HJT log. The HJT log of the first one which I did before the MBAM listed all the malicious files which you mentioned. I deleted them all, as advised.
===========================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:50 PM, on 10/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\igfxtray.exe
E:\WINDOWS\system32\hkcmd.exe
E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://alifeinbloom.blogspot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [eabconfg.cpl] E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [WatchDog] E:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "E:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RegCom32] E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: DVD Check.lnk = E:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = E:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - E:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
--
End of file - 8616 bytes
===========================================================
And as for how the computer is running now, there are no more alerts from the AVG, compared to last night which showed two trojans while I was online. I left it running a scan with auto-off once done (and I went to sleep) so I never found out how many it discovered during the thorough scan.
Aside from that, my Auto-Update of Windows Update is not modified now, compared to previous days when it was modified twice, even if I did not change it.
Again, thank you so much for your help. :)
Hi zu921
You’ve done a good job so far...:yes:
1 - Remove bad HijackThis entries
Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
O4 - HKCU\..\Run: [RegCom32] E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.
2 - Download and run OTMoveIt3
Download OTMoveIt3 by OldTimer from here (http://oldtimer.geekstogo.com/OTMoveIt3.exe) and save it to your desktop
Launch OTMoveIt3.exe and copy the text from the codebox below into the lefthand box below "Paste Instructions for Items to be Moved"
:files
E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe
Double-check that the input matches the code box above and then click the MoveIt! button to start the script. If you're prompted about rebooting allow the request.
Once OTMoveIt finishes, a log will be located at C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss. (mmddyyyy_hhmmss is a timestamp from when the log was created)
Include this log in your next reply
3 - Kaspersky Online Scan
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.
4 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
5 - Status Check
Please reply with
1. the OTMoveIt3 log
2. the Kaspersky online scanner report
3. a fresh HijackThis log
Thanks peku006
Hello again, peku006!
Here are my logs:
OTMoveIt3:
========== FILES ==========
File/Folder E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe not found.
OTMoveIt3 by OldTimer - Version 1.0.5.0 log created on 10212008_224531
==============================================================
Kapersky:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, October 22, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, October 21, 2008 14:51:52
Records in database: 1331814
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
Scan statistics:
Files scanned: 61153
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 03:20:58
No malware has been detected. The scan area is clean.
The selected area was scanned.
===========================================================
HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:19 AM, on 10/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\igfxtray.exe
E:\WINDOWS\system32\hkcmd.exe
E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://alifeinbloom.blogspot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [eabconfg.cpl] E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [WatchDog] E:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "E:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RegCom32] E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: DVD Check.lnk = E:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = E:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - E:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
--
End of file - 8616 bytes
=========================================================
Again, thank you so much for being a big help! :)
Hi Sam
1 - teatimer
Please disable Teatimer as it may interfere with the fix.
First: Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
Choose Exit Spybot S&D Resident
Second: Open Spybot S&D
Click Mode, check Advanced Mode
Go To Left Panel, Click Tools, then also in left panel, click Resident
If your firewall raises a question, say OK
Uncheck the box labeled Resident Tea-Timer and OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.
Don't forget to re-enable it, when your computer is clean.
2 - Remove bad HijackThis entries
Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
O4 - HKCU\..\Run: [RegCom32] E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.
After that, Reboot.
3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
Please reply with
a fresh HijackThis log
Thanks peku006
Hello again! Here is my freshest HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:08:55 PM, on 10/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
E:\WINDOWS\system32\igfxtray.exe
E:\WINDOWS\system32\hkcmd.exe
E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://alifeinbloom.blogspot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [eabconfg.cpl] E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [WatchDog] E:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "E:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: DVD Check.lnk = E:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = E:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - E:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
--
End of file - 8413 bytes
Thanks peku006!
Hi zu921
Congratulations, your log looks clean! :)
Time for some housekeeping
Double click OTMoveIt3.exe to launch the programme.
Click on the CleanUp! button.
OTMoveIt will download a list from the Internet, if your firewall or other defensive programmes alerts you, allow it access.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
When finished exit out of OTMoveIt
The tool will delete itself once it finishes, if not delete it by yourself.
Clear system restore points
This is a good time to clear your existing system restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.
Here are some free programs I recommend that could help you improve your computer's security.
Spybot Search and Destroy 1.6
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)
Install SpyWare Blaster 4.1
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find here the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Install WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
Here you can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)
Install FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)
Install MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm
Note:"Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
If this isn't done first, the next reboot may take a VERY LONG TIME.
This is how to do it. First be sure you are signed in as a user with administrative privileges:
Stop and Disable the DNS Client Service
Go to Start, Run and type Services.msc and click OK.
Under the Extended Tab, Scroll down and find this service.
DNS Client
Right-Click on the DNS Client Service. Choose Properties
Select the General tab. Click on the Stop button.
Click the Arrow-down tab on the right-hand side at the Start-up Type box.
From the drop-down menu, click on Manual
Click the Apply tab, then click OK
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)
Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note: If you are running Windows XP SP2, you should upgrade to SP3.
Please check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)
Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) how to prevent Malware.
Happy safe surfing! :bigthumb:
Hello peku006! I did as instructed, however, this is what I got as I was trying to work on the System Restore thing:
http://i35.tinypic.com/2lbyk1s.jpg
I am clueless on what to type in that box. Help, please. :)
Hi
You can write : clean 10-22
:bigthumb:
Problem solved re System Restore. HOWEVER... :D
This is what I got as I run cleanmgr:
http://i38.tinypic.com/ke7uo8.jpg
Help again, please. :) Thanks!
Hi
clean the C drive (suzanne)
FYI, my Program Files and Windows folders, among others are in E Drive. Here's a closer look inside my E Drive:
http://i38.tinypic.com/29e5a15.jpg
And here's what's inside my C Drive:
http://i34.tinypic.com/20fqao7.jpg
Still C Drive?
OK. I think I am done! I just have to go over the list of applications you have listed and their respective sites. Just one question, do you recommend that I install ALL of them to be safe?
Thanks!
Hi
My personal favorites
Spybot Search and Destroy
WinPatrol
MVPS Hosts File
:2thumb:
OK. I am going for them. But that would be tomorrow because I badly need to sleep now. LOL!
Thanks and I will update you as soon as I have installed them tomorrow.
Take care! And thanks again!
The following file which we have been deleting/ fixing thru HJT has been reappearing:
O4 - HKCU\..\Run: [RegCom32] E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe
I noticed this when I installed and run WinPatrol. :(
Hi
Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
Please reply with
HijackThis log
Hello again! Here is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:30:34 PM, on 10/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
E:\WINDOWS\system32\igfxtray.exe
E:\WINDOWS\system32\hkcmd.exe
E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://alifeinbloom.blogspot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [eabconfg.cpl] E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [WatchDog] E:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "E:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [WinPatrol] E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RegCom32] E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = E:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - E:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
--
End of file - 8651 bytes
==========================================================
And it's there. Every now and then, Scotty prompts me about this and when I click NO, it automatically opens THIS file. Is it normal?
file:///E:/Program%20Files/BillP%20Studios/WinPatrol/helpme.html
Moreover, I tried removing it thru HJT to no avail. Scotty can't kill it too even if I opted for killing it upon reboot.
Help please. :) Thanks, peku006!
Hi
OTViewIt
Please download OTViewIt (http://oldtimer.geekstogo.com/OTViewIt.exe) by OldTimer and save it to your Desktop.
Close all applications and windows.
Double-click on the OTViewIt.exeto start OTViewIt.
Place a checkmark in the blue-colored "Scan All Users" checkbox.
Click the blue Run Scan button.
OTViewIt will now start its scan.
When the scan is complete, two text files will be created, OTViewIt.Txt <- this one will be opened in Notepad and Extras.txt, on Desktop.
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of OTViewIt.Txt and the Extras.txt to your post.
Hello again! Sorry if I am consuming much of your time.
Here is my OTViewIt.Txt log. (File Age is 30 only)
OTViewIt logfile created on: 10/22/2008 11:11:25 PM - Run 3
OTViewIt by OldTimer - Version 1.0.17.0 Folder = E:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
1014.42 Mb Total Physical Memory | 586.16 Mb Available Physical Memory | 57.78% Memory free
2.38 Gb Paging File | 2.01 Gb Available in Paging File | 84.30% Paging File free
Paging file location(s): C:\pagefile.sys 0 0;
%SystemDrive% = E: | %SystemRoot% = E:\WINDOWS | %ProgramFiles% = E:\Program Files
Drive C: | 5.37 Gb Total Space | 3.15 Gb Free Space | 58.63% Space Free | Partition Type: FAT32
Drive D: | 700.99 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 31.87 Gb Total Space | 13.74 Gb Free Space | 43.13% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: SUZANNE
Current User Name: User
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days
========== Processes ==========
[2008/10/18 22:58:40 | 00,611,664 | ---- | M] (Lavasoft) -- E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
[2007/11/30 09:19:28 | 00,418,816 | ---- | M] (GRISOFT, s.r.o.) -- E:\Program Files\Grisoft\AVG7\avgamsvr.exe
[2007/07/27 20:27:09 | 00,049,664 | ---- | M] (GRISOFT, s.r.o.) -- E:\Program Files\Grisoft\AVG7\avgupsvc.exe
[2008/01/07 21:06:25 | 00,406,528 | ---- | M] (GRISOFT, s.r.o.) -- E:\Program Files\Grisoft\AVG7\avgemc.exe
[2005/11/23 07:58:04 | 00,765,952 | ---- | M] (Diskeeper Corporation) -- E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
[2005/01/23 09:36:10 | 00,155,648 | ---- | M] (Intel Corporation) -- E:\WINDOWS\system32\igfxtray.exe
[2005/01/23 09:31:34 | 00,126,976 | ---- | M] (Intel Corporation) -- E:\WINDOWS\system32\hkcmd.exe
[2004/12/04 05:24:20 | 00,290,816 | ---- | M] (Hewlett-Packard ) -- E:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe
[2008/06/10 04:27:04 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.) -- E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
[2004/11/05 09:40:08 | 00,098,394 | ---- | M] (Synaptics, Inc.) -- E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[2004/11/05 09:38:54 | 00,688,218 | ---- | M] (Synaptics, Inc.) -- E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[2005/01/29 04:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\system32\wdfmgr.exe
[2008/10/17 09:56:33 | 00,590,848 | ---- | M] (GRISOFT, s.r.o.) -- E:\Program Files\Grisoft\AVG7\avgcc.exe
[2008/10/07 23:23:46 | 00,111,856 | ---- | M] (Yahoo! Inc) -- E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
[2008/09/16 12:16:08 | 01,833,296 | RHS- | M] (Safer Networking Limited) -- E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[2003/05/15 17:19:50 | 00,217,193 | ---- | M] (Adobe Systems Inc.) -- E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
[2008/10/09 23:52:54 | 00,333,120 | ---- | M] (BillP Studios) -- E:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
[2008/10/22 23:03:43 | 00,421,888 | ---- | M] (OldTimer Tools) -- E:\Documents and Settings\User\Desktop\OTViewIt.exe
========== (O23) Win32 Services ==========
[2008/10/18 22:58:40 | 00,611,664 | ---- | M] (Lavasoft) -- E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice [Auto | Running])
[2007/05/01 20:56:13 | 00,072,704 | ---- | M] (Adobe Systems) -- E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [On_Demand | Stopped])
[2004/07/15 01:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2007/11/30 09:19:28 | 00,418,816 | ---- | M] (GRISOFT, s.r.o.) -- E:\Program Files\Grisoft\AVG7\avgamsvr.exe -- (Avg7Alrt [Auto | Running])
[2007/07/27 20:27:09 | 00,049,664 | ---- | M] (GRISOFT, s.r.o.) -- E:\Program Files\Grisoft\AVG7\avgupsvc.exe -- (Avg7UpdSvc [Auto | Running])
[2008/01/07 21:06:25 | 00,406,528 | ---- | M] (GRISOFT, s.r.o.) -- E:\Program Files\Grisoft\AVG7\avgemc.exe -- (AVGEMS [Auto | Running])
[2005/11/23 07:58:04 | 00,765,952 | ---- | M] (Diskeeper Corporation) -- E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper [Auto | Running])
[2004/11/18 16:32:56 | 00,098,304 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- E:\Program Files\HPQ\shared\hpqwmi.exe -- (hpqwmi [On_Demand | Stopped])
[2005/11/14 01:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) -- E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
[2003/07/29 04:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- E:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2005/01/29 04:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Running])
========== Driver Services ==========
[2007/11/30 09:18:19 | 00,821,856 | ---- | M] (GRISOFT, s.r.o.) -- E:\WINDOWS\system32\drivers\avg7core.sys -- (Avg7Core [System | Running])
[2007/07/27 20:27:22 | 00,004,224 | ---- | M] (GRISOFT, s.r.o.) -- E:\WINDOWS\system32\drivers\avg7rsw.sys -- (Avg7RsW [System | Running])
[2007/07/27 20:27:25 | 00,027,776 | ---- | M] (GRISOFT, s.r.o.) -- E:\WINDOWS\system32\drivers\avg7rsxp.sys -- (Avg7RsXP [System | Running])
[2008/01/07 21:06:33 | 00,010,760 | ---- | M] (GRISOFT, s.r.o.) -- E:\WINDOWS\system32\drivers\avgclean.sys -- (AvgClean [System | Running])
[2007/07/27 20:27:26 | 00,004,960 | ---- | M] (GRISOFT, s.r.o.) -- E:\WINDOWS\system32\drivers\avgtdi.sys -- (AvgTdi [Auto | Running])
[2005/12/18 08:25:12 | 00,424,320 | ---- | M] (Broadcom Corporation) -- E:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX [On_Demand | Running])
[2007/05/18 16:04:16 | 00,015,872 | ---- | M] () -- E:\WINDOWS\system32\drivers\bfturboh.sys -- (bfturboh [On_Demand | Stopped])
[2005/02/17 22:41:18 | 00,038,016 | ---- | M] (Conexant Systems Inc.) -- E:\WINDOWS\system32\drivers\camc6aud.sys -- (CAMCAUD [On_Demand | Running])
[2005/02/17 22:42:02 | 00,349,696 | ---- | M] (Conexant Systems Inc.) -- E:\WINDOWS\system32\drivers\camc6hal.sys -- (CAMCHALA [On_Demand | Running])
[2004/04/14 23:36:50 | 00,007,432 | ---- | M] (Hewlett-Packard Company) -- E:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr [System | Running])
[2003/06/07 03:46:16 | 00,005,220 | ---- | M] (Hewlett-Packard Company) -- E:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb [On_Demand | Stopped])
[2004/12/15 14:18:34 | 00,207,232 | ---- | M] (Conexant Systems, Inc.) -- E:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH [On_Demand | Running])
[2004/12/15 14:18:26 | 01,038,208 | ---- | M] (Conexant Systems, Inc.) -- E:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP [On_Demand | Running])
[2005/01/23 10:05:06 | 00,804,317 | ---- | M] (Intel Corporation) -- E:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm [On_Demand | Running])
[2004/03/17 10:04:14 | 00,013,059 | ---- | M] (Conexant) -- E:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
[2008/03/27 21:47:58 | 00,010,368 | ---- | M] (Padus, Inc.) -- E:\WINDOWS\system32\drivers\pfc.sys -- (pfc [On_Demand | Running])
[2004/08/04 09:07:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- E:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2007/02/06 16:31:36 | 00,020,640 | ---- | M] (Sonic Solutions) -- E:\WINDOWS\system32\drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
[2004/08/04 06:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- E:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139 [On_Demand | Running])
[2008/04/14 02:36:44 | 00,079,232 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\system32\drivers\sdbus.sys -- (sdbus [On_Demand | Running])
[2006/11/10 18:23:42 | 00,061,600 | R--- | M] (MCCI) -- E:\WINDOWS\system32\drivers\SE2Ebus.sys -- (SE2Ebus [On_Demand | Stopped])
[2006/11/10 18:23:48 | 00,009,360 | R--- | M] (MCCI) -- E:\WINDOWS\system32\drivers\SE2Emdfl.sys -- (SE2Emdfl [On_Demand | Stopped])
[2006/11/10 18:23:50 | 00,097,184 | R--- | M] (MCCI) -- E:\WINDOWS\system32\drivers\SE2Emdm.sys -- (SE2Emdm [On_Demand | Stopped])
[2006/11/10 18:23:54 | 00,088,688 | R--- | M] (MCCI) -- E:\WINDOWS\system32\drivers\SE2Emgmt.sys -- (SE2Emgmt [On_Demand | Stopped])
[2006/11/10 18:23:56 | 00,018,704 | R--- | M] (MCCI) -- E:\WINDOWS\system32\drivers\se2End5.sys -- (se2End5 [On_Demand | Stopped])
[2006/11/10 18:23:58 | 00,086,560 | R--- | M] (MCCI) -- E:\WINDOWS\system32\drivers\SE2Eobex.sys -- (SE2Eobex [On_Demand | Stopped])
[2006/11/10 18:24:06 | 00,090,800 | R--- | M] (MCCI) -- E:\WINDOWS\system32\drivers\se2Eunic.sys -- (se2Eunic [On_Demand | Stopped])
[2007/11/13 18:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- E:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2004/11/05 09:26:42 | 00,186,016 | ---- | M] (Synaptics, Inc.) -- E:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP [On_Demand | Running])
[2005/06/24 01:16:08 | 00,162,176 | ---- | M] (Texas Instruments) -- E:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21 [On_Demand | Running])
[2008/04/14 02:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
[2008/04/14 02:46:20 | 00,121,984 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\system32\drivers\usbvideo.sys -- (usbvideo [On_Demand | Stopped])
[2004/12/15 14:18:28 | 00,703,232 | ---- | M] (Conexant Systems, Inc.) -- E:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf [On_Demand | Running])
[2008/04/14 02:36:38 | 00,008,832 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\system32\drivers\wmiacpi.sys -- (WmiAcpi [System | Running])
[2008/10/16 20:25:46 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- E:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy [On_Demand | Running])
========== (R ) Internet Explorer ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.yahoo.com/
"Default_Search_URL"=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://www.yahoo.com/
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"CustomSearch"=http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr8/*http://www.yahoo.com/ext/search/search.html
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=E:\WINDOWS\system32\blank.htm
"Search Page"=http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
"Start Page"=http://alifeinbloom.blogspot.com/
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- E:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
[HKEY_USERS\PE_E_..\SOFTWARE\Microsoft\Internet Explorer\Main]
[HKEY_USERS\PE_E_ADMINISTRATOR\SOFTWARE\Microsoft\Internet Explorer\Main]
[HKEY_USERS\PE_E_ADMINISTRATOR\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
[HKEY_USERS\PE_E_ALL USERS\SOFTWARE\Microsoft\Internet Explorer\Main]
[HKEY_USERS\PE_E_GUEST\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=E:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
[HKEY_USERS\PE_E_GUEST\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- E:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
[HKEY_USERS\PE_E_GUEST\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 1
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
[HKEY_USERS\S-1-5-21-73586283-2052111302-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=E:\WINDOWS\system32\blank.htm
"Search Page"=http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
"Start Page"=http://alifeinbloom.blogspot.com/
[HKEY_USERS\S-1-5-21-73586283-2052111302-1801674531-1003\Software\Microsoft\Internet Explorer\SearchURL]
""=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
[HKEY_USERS\S-1-5-21-73586283-2052111302-1801674531-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- E:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
[HKEY_USERS\S-1-5-21-73586283-2052111302-1801674531-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
[HKEY_USERS\S-1-5-21-73586283-2052111302-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
========== (O1) Hosts File ==========
HOSTS File = (617912 bytes) - E:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 a9rhiwa.cn #[Google.Warning]
127.0.0.1 www.a9rhiwa.cn
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net
127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]
127.0.0.1 d.abnad.net
127.0.0.1 e.abnad.net
127.0.0.1 t.abnad.net
127.0.0.1 z.abnad.net
127.0.0.1 banners.absolpublisher.com
127.0.0.1 tracking.absolstats.com
127.0.0.1 adv.abv.bg
127.0.0.1 bimg.abv.bg
127.0.0.1 www2.a-counter.kiev.ua
127.0.0.1 track.acclaimnetwork.com
127.0.0.1 accuserveadsystem.com
127.0.0.1 www.accuserveadsystem.com
127.0.0.1 gtb5.acecounter.com
127.0.0.1 gtcc1.acecounter.com
16263 more lines...
========== (O2) BHO's ==========
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{02478D38-C3F9-4efb-9B51-7695ECA05670} (HKLM) -- E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{53707962-6F74-2D53-2644-206D7942484F} (HKLM) -- E:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (HKLM) -- E:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
{AE7CD045-E861-484f-8273-0445EE161910} (HKLM) -- E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
========== (O3) Toolbars ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" (HKLM) -- E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" (HKLM) -- E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
[HKEY_USERS\PE_E_GUEST\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
[HKEY_USERS\S-1-5-21-73586283-2052111302-1801674531-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
[HKEY_USERS\S-1-5-21-73586283-2052111302-1801674531-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" (HKLM) -- E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
[HKEY_USERS\S-1-5-21-73586283-2052111302-1801674531-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
========== (O4) Run Keys ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"=E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP (GRISOFT, s.r.o.)
"DiskeeperSystray"="E:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" (Diskeeper Corporation)
"eabconfg.cpl"=E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start (Hewlett-Packard )
"HotKeysCmds"=E:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
"IgfxTray"=E:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc.)
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" (Sun Microsystems, Inc.)
"SynTPEnh"=E:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
"SynTPLpr"=E:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
"WatchDog"=E:\Program Files\InterVideo\DVD Check\DVDCheck.exe (InterVideo Inc.)
"WinPatrol"=E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot (BillP Studios)
"YSearchProtection"="E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" (Yahoo! Inc)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegCom32"=E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe File not found
"SpybotSD TeaTimer"=E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
"YSearchProtection"=E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"=E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (GRISOFT, s.r.o.)
[HKEY_USERS\PE_E_ADMINISTRATOR\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"=E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (GRISOFT, s.r.o.)
[HKEY_USERS\PE_E_GUEST\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc.)
"Yahoo! Pager"="E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (Yahoo! Inc.)
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"=E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (GRISOFT, s.r.o.)
[HKEY_USERS\S-1-5-21-73586283-2052111302-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegCom32"=E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe File not found
"SpybotSD TeaTimer"=E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
"YSearchProtection"=E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
========== (O4) RunOnce Keys ==========
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"=Narrator.exe (Microsoft Corporation)
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"=Narrator.exe (Microsoft Corporation)
========== (O4) Startup Folders ==========
[2003/05/15 17:19:50 | 00,217,193 | ---- | M] (Adobe Systems Inc.) -- E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
[2005/05/07 07:58:24 | 00,335,872 | ---- | M] () -- E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk = E:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
[1999/11/05 07:06:48 | 00,113,664 | ---- | M] (Adobe Systems, Inc.) -- E:\Documents and Settings\User\Start Menu\Programs\Startup\Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
========== (O6 & O7) Current Version Policies ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=227
"NoDrives"=0
"NoDriveAutoRun"=67108863
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableRegistryTools"=0
"HideLegacyLogonScripts"=0
"HideLogoffScripts"=0
"RunLogonScriptSync"=1
"RunStartupScriptSync"=0
"HideStartupScripts"=0
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDrives"=0
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"HideLegacyLogonScripts"=0
"HideLogoffScripts"=0
"HideStartupScripts"=0
"RunLogonScriptSync"=1
"RunStartupScriptSync"=0
[HKEY_USERS\PE_E_ADMINISTRATOR\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
[HKEY_USERS\PE_E_ADMINISTRATOR\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=0
[HKEY_USERS\PE_E_GUEST\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
[HKEY_USERS\S-1-5-21-73586283-2052111302-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDrives"=0
[HKEY_USERS\S-1-5-21-73586283-2052111302-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"HideLegacyLogonScripts"=0
"HideLogoffScripts"=0
"HideStartupScripts"=0
"RunLogonScriptSync"=1
"RunStartupScriptSync"=0
========== (O8) IE Context Menu Extensions ==========
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
&D&ownload &with BitComet: Reg Error: Value does not exist or could not be read. File not found
&D&ownload all video with BitComet: Reg Error: Value does not exist or could not be read. File not found
&D&ownload all with BitComet: Reg Error: Value does not exist or could not be read. File not found
&Yahoo! Search: File not found
E&xport to Microsoft Excel: E:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2005/05/27 16:06:54 | 10,095,808 | ---- | M] (Microsoft Corporation)
Yahoo! &Dictionary: File not found
Yahoo! &Maps: File not found
Yahoo! &SMS: File not found
[HKEY_USERS\S-1-5-21-73586283-2052111302-1801674531-1003\Software\Microsoft\Internet Explorer\MenuExt\]
&D&ownload &with BitComet: Reg Error: Value does not exist or could not be read. File not found
&D&ownload all video with BitComet: Reg Error: Value does not exist or could not be read. File not found
&D&ownload all with BitComet: Reg Error: Value does not exist or could not be read. File not found
&Yahoo! Search: File not found
E&xport to Microsoft Excel: E:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2005/05/27 16:06:54 | 10,095,808 | ---- | M] (Microsoft Corporation)
Yahoo! &Dictionary: File not found
Yahoo! &Maps: File not found
Yahoo! &SMS: File not found
========== (O9) IE Extensions ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [2008/06/10 04:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}: Button: Yahoo! Services -- %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [2006/10/31 16:29:16 | 00,198,136 | ---- | M] (Yahoo! Inc.)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/07/15 14:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}: Menu: Spybot - Search & Destroy Configuration -- %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [2008/09/15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/14 08:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/14 08:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %SystemRoot%\system32\msjava.dll [Web Browser Applet Control] -> [2003/03/01 10:26:26 | 00,947,472 | ---- | M] (Microsoft Corporation)
CmdMapping\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKLM] -> %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [Yahoo! IE Services Button] -> [2006/10/31 16:29:16 | 00,198,136 | ---- | M] (Yahoo! Inc.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/15 14:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 08:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 08:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
[HKEY_USERS\PE_E_GUEST\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %SystemRoot%\system32\msjava.dll [Web Browser Applet Control] -> [2003/03/01 10:26:26 | 00,947,472 | ---- | M] (Microsoft Corporation)
CmdMapping\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKLM] -> %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [Yahoo! IE Services Button] -> [2006/10/31 16:29:16 | 00,198,136 | ---- | M] (Yahoo! Inc.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/15 14:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 08:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 08:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
[HKEY_USERS\S-1-5-21-73586283-2052111302-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %SystemRoot%\system32\msjava.dll [Web Browser Applet Control] -> [2003/03/01 10:26:26 | 00,947,472 | ---- | M] (Microsoft Corporation)
CmdMapping\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKLM] -> %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [Yahoo! IE Services Button] -> [2006/10/31 16:29:16 | 00,198,136 | ---- | M] (Yahoo! Inc.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/15 14:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 08:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
========== (O12) Internet Explorer Plugins ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery
========== (O13) Default Prefixes ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://
========== (O15) Trusted Sites ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
44 domain(s) and sub-domain(s) not assigned to a zone.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
//@install.mar@: msni in My Computer
//@mail.mar@: msni in Local intranet
43 domain(s) and sub-domain(s) not assigned to a zone.
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
43 domain(s) and sub-domain(s) not assigned to a zone.
[HKEY_USERS\PE_E_ADMINISTRATOR\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
43 domain(s) and sub-domain(s) not assigned to a zone.
[HKEY_USERS\PE_E_GUEST\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
43 domain(s) and sub-domain(s) not assigned to a zone.
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
43 domain(s) and sub-domain(s) not assigned to a zone.
[HKEY_USERS\S-1-5-21-73586283-2052111302-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
//@install.mar@: msni in My Computer
//@mail.mar@: msni in Local intranet
43 domain(s) and sub-domain(s) not assigned to a zone.
========== (O16) DPF ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{17492023-C23A-453E-A040-C7C580BBF700}: http://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab -- Windows Genuine Advantage Validation Tool
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}: http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab -- Reg Error: Key does not exist or could not be opened.
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab -- Java Plug-in 1.6.0_07
{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}: http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab -- Reg Error: Key does not exist or could not be opened.
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab -- Java Plug-in 1.5.0_06
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab -- Java Plug-in 1.6.0_01
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab -- Java Plug-in 1.6.0_03
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab -- Java Plug-in 1.6.0_05
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab -- Java Plug-in 1.6.0_07
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab -- Java Plug-in 1.6.0_07
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab -- Shockwave Flash Object
Microsoft XML Parser for Java: file://E:\WINDOWS\Java\classes\xmldso.cab -- Reg Error: Key does not exist or could not be opened.
========== (O17) DNS Name Servers ==========
{018E86D0-A337-4530-A807-00B99E35794A} (Servers: | Description: Broadcom 802.11b/g WLAN)
{A14FC9BB-8D33-4FE0-80FD-9C8397260BB9} (Servers: | Description: 1394 Net Adapter)
{B7AAA585-C055-4ECB-A29C-6BAD361EB6EC} (Servers: | Description: )
{C8163867-8ED5-47F8-9CE5-4907DFA79EBB} (Servers: | Description: Realtek RTL8139 Family PCI Fast Ethernet NIC)
{D41B1318-5AC5-41CF-A99A-D809ECC89090} (Servers: | Description: Sony Ericsson Device 046 USB Ethernet Emulation (NDIS 5))
========== (O20) Winlogon Notify Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
igfxcui: "DllName" = igfxsrvc.dll -- E:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
========== Safeboot Options ==========
"AlternateShell"=cmd.exe
========== CDRom AutoRun Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1
========== Autorun Files on Drives ==========
AUTO_FR.BAT [@echo off | set dircmd=/p/ogn | set dosdir=C:\FDOS | set path=C:\;C:\FDOS;C:\FDOS\bin; | C:\FDOS\bin\mouse.exe | C:\FDOS\bin\Shsucdx /D:FDCD0001 | set lang=FR | xkeyb c:\fdos\bin\key\fr | ]
[2004/03/06 04:19:32 | 00,000,305 | ---- | M] () -- C:\AUTO_FR.BAT -- [ FAT32 ]
AUTO_US.BAT [@echo off | set dircmd=/p/ogn | set dosdir=C:\FDOS | set path=C:\;C:\FDOS;C:\FDOS\bin; | C:\FDOS\bin\mouse.exe | C:\FDOS\bin\Shsucdx /D:FDCD0001 | set lang=EN | xkeyb c:\fdos\bin\key\us.key | ]
[2004/03/06 04:19:02 | 00,000,278 | ---- | M] () -- C:\AUTO_US.BAT -- [ FAT32 ]
AUTO_IT.BAT [@echo off | set dircmd=/p/ogn | set dosdir=C:\FDOS | set path=C:\;C:\FDOS;C:\FDOS\bin; | C:\FDOS\bin\mouse.exe | C:\FDOS\bin\Shsucdx /D:FDCD0001 | set lang=IT | xkeyb c:\fdos\bin\key\it | ]
[2004/03/06 04:34:12 | 00,000,306 | ---- | M] () -- C:\AUTO_IT.BAT -- [ FAT32 ]
AUTO_GR.BAT [@echo off | set dircmd=/p/ogn | set dosdir=C:\FDOS | set path=C:\;C:\FDOS;C:\FDOS\bin; | C:\FDOS\bin\mouse.exe | C:\FDOS\bin\Shsucdx /D:FDCD0001 | set lang=GR | xkeyb c:\fdos\bin\key\gr | ]
[2004/03/06 04:33:40 | 00,000,305 | ---- | M] () -- C:\AUTO_GR.BAT -- [ FAT32 ]
AUTO_SP.BAT [@echo off | set dircmd=/p/ogn | set dosdir=C:\FDOS | set path=C:\;C:\FDOS;C:\FDOS\bin; | C:\FDOS\bin\mouse.exe | C:\FDOS\bin\Shsucdx /D:FDCD0001 | set lang=SP | xkeyb c:\fdos\bin\key\sp | ]
[2004/03/06 04:35:08 | 00,000,305 | ---- | M] () -- C:\AUTO_SP.BAT -- [ FAT32 ]
AUTO_LA.BAT [@echo off | set dircmd=/p/ogn | set dosdir=C:\FDOS | set path=C:\;C:\FDOS;C:\FDOS\bin; | C:\FDOS\bin\mouse.exe | C:\FDOS\bin\Shsucdx /D:FDCD0001 | set lang=LA | xkeyb c:\fdos\bin\key\la | ]
[2004/03/06 04:36:34 | 00,000,305 | ---- | M] () -- C:\AUTO_LA.BAT -- [ FAT32 ]
Auto_bp.bat [@echo off | set dircmd=/p/ogn | set dosdir=C:\FDOS | set path=C:\;C:\FDOS;C:\FDOS\bin; | C:\FDOS\bin\mouse.exe | C:\FDOS\bin\Shsucdx /D:FDCD0001 | set lang=BP | xkeyb c:\fdos\bin\key\br274.key | ]
[2004/03/06 05:53:32 | 00,000,281 | ---- | M] () -- C:\Auto_bp.bat -- [ FAT32 ]
AUTO_PT.BAT [@echo off | set dircmd=/p/ogn | set dosdir=C:\FDOS | set path=C:\;C:\FDOS;C:\FDOS\bin; | C:\FDOS\bin\mouse.exe | C:\FDOS\bin\Shsucdx /D:FDCD0001 | set lang=PT | xkeyb c:\fdos\bin\key\po.key | ]
[2004/03/06 05:53:54 | 00,000,278 | ---- | M] () -- C:\AUTO_PT.BAT -- [ FAT32 ]
AUTO_IE.BAT [@echo off | set dircmd=/p/ogn | set dosdir=C:\FDOS | set path=C:\;C:\FDOS;C:\FDOS\bin; | C:\FDOS\bin\mouse.exe | C:\FDOS\bin\Shsucdx /D:FDCD0001 | set lang=EN | xkeyb c:\fdos\bin\key\us.key | ]
[2004/03/06 04:19:02 | 00,000,278 | ---- | M] () -- C:\AUTO_IE.BAT -- [ FAT32 ]
AUTOEXEC.BAT []
[2006/01/21 16:07:24 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ FAT32 ]
========== Files/Folders - Created Within 30 Days ==========
[4 E:\WINDOWS\*.tmp files]
[2008/10/22 23:03:35 | 00,421,888 | ---- | C] (OldTimer Tools) -- E:\Documents and Settings\User\Desktop\OTViewIt.exe
[2008/10/22 22:40:20 | 00,000,000 | ---D | C] -- E:\_OTMoveIt
[2008/10/22 22:39:56 | 00,334,848 | ---- | C] (OldTimer Tools) -- E:\Documents and Settings\User\Desktop\OTMoveIt3.exe
[2008/10/22 22:18:44 | 00,617,912 | ---- | C] () -- E:\WINDOWS\System32\drivers\HOSTS
[2008/10/22 21:57:29 | 00,000,000 | ---D | C] -- E:\Documents and Settings\User\Application Data\WinPatrol
[2008/10/22 21:57:10 | 00,000,000 | ---D | C] -- E:\Program Files\BillP Studios
[2008/10/21 18:20:05 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- E:\WINDOWS\System32\drivers\mbam.sys
[2008/10/21 18:20:02 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- E:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008/10/21 18:20:00 | 00,000,000 | ---D | C] -- E:\Program Files\Malwarebytes' Anti-Malware
[2008/10/20 22:20:40 | 00,000,000 | -HSD | C] -- E:\RECYCLER
[2008/10/20 19:54:39 | 00,000,000 | ---D | C] -- E:\WINDOWS\ERDNT
[2008/10/19 20:50:16 | 00,000,000 | ---D | C] -- E:\Program Files\Trend Micro
[2008/10/18 22:55:43 | 00,000,000 | ---D | C] -- E:\Program Files\Lavasoft
[2008/10/18 22:55:36 | 00,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\Lavasoft
[2008/10/18 22:51:03 | 00,000,000 | ---D | C] -- E:\Program Files\Common Files\Wise Installation Wizard
[2008/10/18 21:51:19 | 00,000,000 | ---D | C] -- E:\Documents and Settings\User\Application Data\Malwarebytes
[2008/10/18 21:50:09 | 00,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008/10/16 23:12:26 | 00,000,208 | ---- | C] () -- E:\WINDOWS\wininit.ini
[2008/10/16 21:44:11 | 00,076,257 | ---- | C] () -- E:\Documents and Settings\User\Desktop\IMG_4297.jpg
[2008/10/16 20:44:49 | 00,000,000 | ---D | C] -- E:\Documents and Settings\User\Application Data\ESET
[2008/10/16 20:12:02 | 00,262,144 | ---- | C] () -- E:\ntuser.dat
[2008/10/15 18:51:18 | 02,145,280 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2008/10/15 18:51:13 | 02,189,184 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2008/10/15 18:51:09 | 02,023,936 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2008/10/15 18:51:02 | 02,066,048 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2008/10/15 18:46:36 | 00,333,824 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\dllcache\srv.sys
[2008/10/15 18:44:12 | 01,846,400 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\dllcache\win32k.sys
[2008/10/05 00:00:42 | 00,000,000 | ---D | C] -- E:\Program Files\Alwil Software
[2008/10/04 14:20:51 | 00,000,000 | ---D | C] -- E:\Program Files\Common Files\Windows Live
[2008/10/03 23:14:27 | 00,015,872 | ---- | C] () -- E:\WINDOWS\System32\drivers\bfturboh.sys
[2008/10/03 23:14:07 | 00,000,000 | ---D | C] -- E:\Program Files\BUFFALO
[2008/09/30 22:29:52 | 00,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\Fugazo
[2008/09/30 22:28:36 | 00,000,000 | ---D | C] -- E:\Program Files\Fashion Fits
[2008/09/30 11:51:24 | 00,000,000 | ---D | C] -- E:\Program Files\Believe In Santa
[2008/09/30 11:37:26 | 00,000,000 | ---D | C] -- E:\Program Files\Dr Daisy Pet Vet
[2008/09/30 11:20:53 | 00,000,000 | ---D | C] -- E:\Program Files\Happy Hour
[2008/09/30 09:47:37 | 00,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\Gogii
[2008/09/30 09:43:20 | 00,000,000 | ---D | C] -- E:\Program Files\Babysitting Mania
[2008/09/30 08:45:07 | 00,000,000 | ---D | C] -- E:\Program Files\Farm Frenzy
[2008/09/30 07:52:39 | 00,000,000 | ---D | C] -- E:\Program Files\Daycare Nightmare
[2008/09/30 07:27:36 | 00,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\Sandlot Games
[2008/09/30 07:26:48 | 00,000,000 | ---D | C] -- E:\Program Files\Cake Mania
[2008/09/29 21:21:47 | 00,004,096 | ---- | C] () -- E:\WINDOWS\d3dx.dat
[2008/09/29 21:17:19 | 00,000,000 | ---D | C] -- E:\Program Files\Sallys Salon
========== Files - Modified Within 30 Days ==========
[2 E:\WINDOWS\System32\*.tmp files]
[4 E:\WINDOWS\*.tmp files]
[2008/10/22 23:03:43 | 00,421,888 | ---- | M] (OldTimer Tools) -- E:\Documents and Settings\User\Desktop\OTViewIt.exe
[2008/10/22 22:40:09 | 00,334,848 | ---- | M] (OldTimer Tools) -- E:\Documents and Settings\User\Desktop\OTMoveIt3.exe
[2008/10/22 22:27:05 | 00,002,262 | ---- | M] () -- E:\WINDOWS\System32\wpa.dbl
[2008/10/22 22:24:05 | 00,000,006 | -H-- | M] () -- E:\WINDOWS\tasks\SA.DAT
[2008/10/22 22:23:30 | 00,002,048 | --S- | M] () -- E:\WINDOWS\bootstat.dat
[2008/10/20 20:29:26 | 00,000,227 | ---- | M] () -- E:\WINDOWS\system.ini
[2008/10/19 16:55:36 | 00,000,208 | ---- | M] () -- E:\WINDOWS\wininit.ini
[2008/10/19 10:36:15 | 01,196,544 | -HS- | M] () -- E:\Documents and Settings\User\Desktop\Thumbs.db
@Alternate Data Stream - 0 bytes -> E:\Documents and Settings\User\Desktop\Thumbs.db:encryptable
[2008/10/16 23:22:08 | 03,711,778 | -H-- | M] () -- E:\Documents and Settings\User\Local Settings\Application Data\IconCache.db
[2008/10/16 21:44:24 | 00,076,257 | ---- | M] () -- E:\Documents and Settings\User\Desktop\IMG_4297.jpg
[2008/10/16 20:25:46 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- E:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008/10/16 20:25:34 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- E:\WINDOWS\System32\drivers\mbam.sys
[2008/10/16 20:12:02 | 00,262,144 | ---- | M] () -- E:\ntuser.dat
[2008/10/16 08:19:39 | 00,644,344 | ---- | M] () -- E:\WINDOWS\System32\FNTCACHE.DAT
[2008/10/15 20:45:03 | 00,054,156 | -H-- | M] () -- E:\WINDOWS\QTFont.qfn
[2008/10/10 19:41:02 | 00,000,040 | ---- | M] () -- E:\WINDOWS\nero.INI
[2008/10/08 03:19:40 | 16,721,856 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\System32\MRT.exe
[2008/10/05 07:09:07 | 00,002,577 | ---- | M] () -- E:\WINDOWS\System32\CONFIG.NT
[2008/10/04 01:41:15 | 06,066,176 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\System32\ieframe.dll
[2008/10/04 01:41:15 | 06,066,176 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\System32\dllcache\ieframe.dll
[2008/09/29 21:21:47 | 00,004,096 | ---- | M] () -- E:\WINDOWS\d3dx.dat
[2008/09/28 13:36:08 | 00,000,035 | ---- | M] () -- E:\WINDOWS\Ulead32.INI
[2008/09/28 13:33:38 | 00,000,808 | ---- | M] () -- E:\WINDOWS\win.ini
[2008/09/23 11:43:08 | 00,617,912 | ---- | M] () -- E:\WINDOWS\System32\drivers\HOSTS
[2008/09/23 11:43:08 | 00,617,912 | ---- | M] () -- E:\WINDOWS\System32\drivers\etc\HOSTS.MVP
[2008/09/23 11:43:08 | 00,617,912 | ---- | M] () -- E:\WINDOWS\System32\drivers\etc\HOSTS
< End of report >
And here is my Extras.Txt log:
OTViewIt Extras logfile created on: 10/22/2008 11:11:25 PM - Run 3
OTViewIt by OldTimer - Version 1.0.17.0 Folder = E:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
1014.42 Mb Total Physical Memory | 586.16 Mb Available Physical Memory | 57.78% Memory free
2.38 Gb Paging File | 2.01 Gb Available in Paging File | 84.30% Paging File free
Paging file location(s): C:\pagefile.sys 0 0;
%SystemDrive% = E: | %SystemRoot% = E:\WINDOWS | %ProgramFiles% = E:\Program Files
Drive C: | 5.37 Gb Total Space | 3.15 Gb Free Space | 58.63% Space Free | Partition Type: FAT32
Drive D: | 700.99 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 31.87 Gb Total Space | 13.74 Gb Free Space | 43.13% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: SUZANNE
Current User Name: User
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- E:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.url [@ = InternetShortcut] -- E:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=1
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
"DoNotAllowExceptions"=0
"DisableNotifications"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/14 08:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/14 02:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/14 08:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2007/08/30 17:43:18 | 00,091,376 | ---- | M] (Yahoo! Inc.) -- E:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server
[2008/04/14 02:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2008/10/17 09:56:35 | 00,514,560 | ---- | M] (GRISOFT, s.r.o.) -- E:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe
[2007/11/30 09:19:28 | 00,418,816 | ---- | M] (GRISOFT, s.r.o.) -- E:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe
[2008/10/17 09:56:33 | 00,590,848 | ---- | M] (GRISOFT, s.r.o.) -- E:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe
[2008/01/07 21:06:25 | 00,406,528 | ---- | M] (GRISOFT, s.r.o.) -- E:\Program Files\Grisoft\AVG7\avgemc.exe:*:Enabled:avgemc.exe
[2007/08/30 17:43:18 | 04,670,704 | ---- | M] (Yahoo! Inc.) -- E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
[2008/09/08 08:05:49 | 00,342,848 | ---- | M] (BitTorrent, Inc.) -- E:\Program Files\DNA\btdna.exe:*:Enabled:DNA
File not found -- E:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client
========== HKEY_USERS Protocol Defaults ==========
[HKEY_USERS\PE_E_..\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
@ivt -- @ivt protocol not assigned
file -- file protocol not assigned
ftp -- ftp protocol not assigned
http -- http protocol not assigned
https -- https protocol not assigned
shell -- shell protocol not assigned
========== HKEY_USERS Protocol Defaults ==========
[HKEY_USERS\PE_E_ALL USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
@ivt -- @ivt protocol not assigned
file -- file protocol not assigned
ftp -- ftp protocol not assigned
http -- http protocol not assigned
https -- https protocol not assigned
shell -- shell protocol not assigned
========== (O18) Protocol Handlers ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 18:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) E:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 18:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) E:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 18:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) E:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2005/06/03 15:36:20 | 07,252,672 | ---- | M] (Microsoft Corporation) E:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (mso-offdap:{3D9F03FA-7A94-11D3-BE81-0050048385D1} (HKLM) [Data Page Pluggable Protocol mso-offdap Handler])
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2005/04/26 04:29:56 | 08,071,360 | ---- | M] (Microsoft Corporation) E:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])
========== (O18) Protocol Filters ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003/07/15 14:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) E:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0176AC71-9EDE-48A0-AC3B-94FEB38B1FFE}"=Noiseware Professional Plug-in
"{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}"=OpenOffice.org Installer 1.0
"{1EBFA30C-6206-4FD8-8B82-3A29F0D01B28}"=ACDSee 8 Media Support Package
"{20E5F823-61A4-4BCE-9DF4-5DB43F302B69}"=Diskeeper Professional Premier Edition
"{236BB7C4-4419-42FD-0409-1E257A25E34D}"=Adobe Photoshop CS2
"{3248F0A8-6813-11D6-A77B-00B0D0150060}"=J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160010}"=Java(TM) SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160030}"=Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}"=Java(TM) 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}"=Java(TM) 6 Update 7
"{345C90FB-FA10-11D5-9C2A-0080C85A0C2D}"=ABBYY FineReader OCR Engine for Microtek
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{374F962E-9322-4118-9A64-4B6997E2A8B5}"=QuickFix
"{44AAA5AD-A24B-11D7-B1FE-002018398620}"=greenstreet National Geographic Photo Browser
"{5D97A4A7-C274-4B63-86D9-07A33435F505}"=InterVideo DVD Check
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}"=Windows Genuine Advantage v1.3.0254.0
"{687E87C0-E4C2-414A-B8A2-E2B9B83670AA}"=RealGrain Plug-in
"{8A708DD8-A5E6-11D4-A706-000629E95E20}"=Intel(R) Graphics Media Accelerator Driver for Mobile
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}"=Adobe Common File Installer
"{90110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}"=InterVideo WinDVD
"{929408E6-D265-4174-805F-81D1D914E2A4}"=QuickTime
"{9E50DEC9-081B-441F-B647-98DBEA8B01DD}"=CorelDRAW 10
"{AC76BA86-1033-0000-7760-000000000001}"=Adobe Acrobat 6.0 Professional
"{AE80641A-0C8D-4670-A518-B4EC154B1027}"=ACDSee 8
"{B08D262E-D902-11D5-9C28-0080C85A0C2D}"=ScanWizard 5
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1"=Spybot - Search & Destroy
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{CBCDEDF3-A2E5-4402-8E9E-E2C23DBE1DA8}"=Adobe Photoshop Lightroom
"{CEB326EC-8F40-47B2-BA22-BB092565D66F}"=Quick Launch Buttons 5.10 B5
"{D301EE05-D1E1-4A58-B89C-A0EFDAB491E2}"=Portraiture Plug-in
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}"=Ad-Aware
"{E9787678-1033-0000-8E67-000000000001}"=Adobe Help Center 1.0
"{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}"=Adobe Stock Photos 1.0
"{FF6F491D-BC82-4DCC-A72F-1824957C6466}"=TIxx21
"Adobe Atmosphere Player"=Adobe Atmosphere Player for Acrobat and Adobe Reader
"Adobe Flash Player Plugin"=Adobe Flash Player Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}"=Adobe Photoshop CS2
"AdobeESD"=Adobe Download Manager 2.0 (Remove Only)
"AVG7Uninstall"=AVG 7.5
"Broadcom 802.11b Network Adapter"=Broadcom 802.11 Wireless LAN Adapter
"CCleaner"=CCleaner (remove only)
"CNXT_AUDIO"=Conexant AC-Link Audio
"CNXT_MODEM_PCI_VEN_8086&DEV_266D&SUBSYS_3080103C"=Soft Data Fax Modem with SmartCP
"Conexant PCI Audio"=Conexant AC-Link Audio
"CorelDRAW 10"=CorelDRAW 10
"EPSON Printer and Utilities"=EPSON Printer Software
"HijackThis"=HijackThis 2.0.2
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"InstallShield_{929408E6-D265-4174-805F-81D1D914E2A4}"=QuickTime
"InstallShield_{FF6F491D-BC82-4DCC-A72F-1824957C6466}"=Texas Instruments PCIxx21/x515 drivers.
"Macromedia Shockwave Player"=Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
"Mozilla Firefox (3.0.3)"=Mozilla Firefox (3.0.3)
"MSN Music Assistant"=MSN Music Assistant
"MSNINST"=MSN
"Nero - Burning Rom!UninstallKey"=Ahead Nero Burning ROM
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"RoboEnhancer Trial"=RoboEnhancer Trial
"Shockwave"=Shockwave
"ShockwaveFlash"=Adobe Flash Player 9 ActiveX
"SynTPDeinstKey"=Synaptics Pointing Device Driver
"The Font Thing"=The Font Thing
"TimeToPhoto_is1"=TimeToPhoto 2.3.4345
"UN080325"=BUFFALO TurboUSB for FLASH/HDD
"UnzipThemAll_is1"=UnzipThemAll 1.3
"WebPost"=Microsoft Web Publishing Wizard 1.52
"Windows Media Format Runtime"=Windows Media Format Runtime
"Windows Media Player"=Windows Media Player 10
"Windows XP Service Pack"=Windows XP Service Pack 3
"WinPatrol"=WinPatrol 2008
"WinRAR archiver"=WinRAR archiver
"Yahoo! Companion"=Yahoo! Toolbar
"Yahoo! Customizations"=Yahoo! extras
"Yahoo! Messenger"=Yahoo! Messenger
"Yahoo! Search Defender"=Yahoo! Search Protection
"Yahoo! Toolbar"=Yahoo! Toolbar
"YInstHelper"=Yahoo! Install Manager
========== HKEY_CURRENT_USER Uninstall List ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent DNA"=DNA
========== HKEY_USERS Uninstall List ==========
[HKEY_USERS\S-1-5-21-73586283-2052111302-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent DNA"=DNA
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 10/19/2008 9:26:59 AM | Computer Name = SUZANNE | Source = AVG7 | ID = 100
Description = 2008-10-19 13:26:59,656 SUZANNE [001344:001408] ERROR 000 AVG7.WTS.CAvgAmWts
ProcessIdToSessionId(1396) call failed with WIN32 error 87, returning session id
is 0
Error - 10/19/2008 9:27:18 AM | Computer Name = SUZANNE | Source = AVG7 | ID = 100
Description = 2008-10-19 13:27:18,296 SUZANNE [001344:001408] ERROR 000 AVG7.WTS.CAvgAmWts
ProcessIdToSessionId(1756) call failed with WIN32 error 87, returning session id
is 0
Error - 10/19/2008 9:27:22 AM | Computer Name = SUZANNE | Source = AVG7 | ID = 100
Description = 2008-10-19 13:27:22,734 SUZANNE [001344:001408] ERROR 000 AVG7.WTS.CAvgAmWts
ProcessIdToSessionId(1952) call failed with WIN32 error 87, returning session id
is 0
Error - 10/19/2008 9:27:36 AM | Computer Name = SUZANNE | Source = AVG7 | ID = 100
Description = 2008-10-19 13:27:36,875 SUZANNE [001344:001408] ERROR 000 AVG7.WTS.CAvgAmWts
ProcessIdToSessionId(2208) call failed with WIN32 error 87, returning session id
is 0
Error - 10/19/2008 9:28:36 AM | Computer Name = SUZANNE | Source = AVG7 | ID = 100
Description = 2008-10-19 13:28:36,968 SUZANNE [001344:001408] ERROR 000 AVG7.WTS.CAvgAmWts
ProcessIdToSessionId(3004) call failed with WIN32 error 87, returning session id
is 0
Error - 10/20/2008 1:10:32 AM | Computer Name = SUZANNE | Source = Spybot - Search & Destroy | ID = 0
Description =
Error - 10/22/2008 11:05:28 AM | Computer Name = SUZANNE | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.29.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.
Error - 10/22/2008 11:06:27 AM | Computer Name = SUZANNE | Source = Application Hang | ID = 1002
Description = Hanging application SpybotSD.exe, version 1.6.0.30, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.
Error - 10/22/2008 11:08:31 AM | Computer Name = SUZANNE | Source = Application Hang | ID = 1002
Description = Hanging application OTViewIt.exe, version 1.0.17.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.
Error - 10/22/2008 11:11:09 AM | Computer Name = SUZANNE | Source = Application Hang | ID = 1002
Description = Hanging application OTViewIt.exe, version 1.0.17.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.
[ System Events ]
Error - 10/19/2008 6:01:17 AM | Computer Name = SUZANNE | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for E:\Program Files\DNA\DNAcpl.cpl.
Reference
error message: The operation completed successfully. .
Error - 10/19/2008 9:28:54 AM | Computer Name = SUZANNE | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.CRT could not be found and Last
Error was The referenced assembly is not installed on your system.
Error - 10/19/2008 9:28:54 AM | Computer Name = SUZANNE | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error
message: The referenced assembly is not installed on your system. .
Error - 10/19/2008 9:28:54 AM | Computer Name = SUZANNE | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for E:\Program Files\DNA\DNAcpl.cpl.
Reference
error message: The operation completed successfully. .
Error - 10/19/2008 11:36:58 AM | Computer Name = SUZANNE | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring
the volume.
Error - 10/19/2008 11:39:36 AM | Computer Name = SUZANNE | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
PCIIde
Error - 10/19/2008 11:40:20 AM | Computer Name = SUZANNE | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.CRT could not be found and Last
Error was The referenced assembly is not installed on your system.
Error - 10/19/2008 11:40:20 AM | Computer Name = SUZANNE | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error
message: The referenced assembly is not installed on your system. .
Error - 10/19/2008 11:40:20 AM | Computer Name = SUZANNE | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for E:\Program Files\DNA\DNAcpl.cpl.
Reference
error message: The operation completed successfully. .
Error - 10/22/2008 5:49:18 AM | Computer Name = SUZANNE | Source = Server | ID = 2505
Description = The server could not bind to the transport \Device\NetBT_Tcpip_{C8163867-8ED5-47F8-9CE5-4907DFA79EBB}
because another computer on the network has the same name. The server could not
start.
< End of report >
And here is my Extras.Txt log:
OTViewIt Extras logfile created on: 10/22/2008 11:11:25 PM - Run 3
OTViewIt by OldTimer - Version 1.0.17.0 Folder = E:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
1014.42 Mb Total Physical Memory | 586.16 Mb Available Physical Memory | 57.78% Memory free
2.38 Gb Paging File | 2.01 Gb Available in Paging File | 84.30% Paging File free
Paging file location(s): C:\pagefile.sys 0 0;
%SystemDrive% = E: | %SystemRoot% = E:\WINDOWS | %ProgramFiles% = E:\Program Files
Drive C: | 5.37 Gb Total Space | 3.15 Gb Free Space | 58.63% Space Free | Partition Type: FAT32
Drive D: | 700.99 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 31.87 Gb Total Space | 13.74 Gb Free Space | 43.13% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: SUZANNE
Current User Name: User
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- E:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.url [@ = InternetShortcut] -- E:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=1
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
"DoNotAllowExceptions"=0
"DisableNotifications"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/14 08:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/14 02:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/14 08:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2007/08/30 17:43:18 | 00,091,376 | ---- | M] (Yahoo! Inc.) -- E:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server
[2008/04/14 02:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2008/10/17 09:56:35 | 00,514,560 | ---- | M] (GRISOFT, s.r.o.) -- E:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe
[2007/11/30 09:19:28 | 00,418,816 | ---- | M] (GRISOFT, s.r.o.) -- E:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe
[2008/10/17 09:56:33 | 00,590,848 | ---- | M] (GRISOFT, s.r.o.) -- E:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe
[2008/01/07 21:06:25 | 00,406,528 | ---- | M] (GRISOFT, s.r.o.) -- E:\Program Files\Grisoft\AVG7\avgemc.exe:*:Enabled:avgemc.exe
[2007/08/30 17:43:18 | 04,670,704 | ---- | M] (Yahoo! Inc.) -- E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
[2008/09/08 08:05:49 | 00,342,848 | ---- | M] (BitTorrent, Inc.) -- E:\Program Files\DNA\btdna.exe:*:Enabled:DNA
File not found -- E:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client
========== HKEY_USERS Protocol Defaults ==========
[HKEY_USERS\PE_E_..\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
@ivt -- @ivt protocol not assigned
file -- file protocol not assigned
ftp -- ftp protocol not assigned
http -- http protocol not assigned
https -- https protocol not assigned
shell -- shell protocol not assigned
========== HKEY_USERS Protocol Defaults ==========
[HKEY_USERS\PE_E_ALL USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
@ivt -- @ivt protocol not assigned
file -- file protocol not assigned
ftp -- ftp protocol not assigned
http -- http protocol not assigned
https -- https protocol not assigned
shell -- shell protocol not assigned
========== (O18) Protocol Handlers ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 18:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) E:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 18:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) E:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 18:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) E:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2005/06/03 15:36:20 | 07,252,672 | ---- | M] (Microsoft Corporation) E:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (mso-offdap:{3D9F03FA-7A94-11D3-BE81-0050048385D1} (HKLM) [Data Page Pluggable Protocol mso-offdap Handler])
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2005/04/26 04:29:56 | 08,071,360 | ---- | M] (Microsoft Corporation) E:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])
========== (O18) Protocol Filters ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003/07/15 14:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) E:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0176AC71-9EDE-48A0-AC3B-94FEB38B1FFE}"=Noiseware Professional Plug-in
"{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}"=OpenOffice.org Installer 1.0
"{1EBFA30C-6206-4FD8-8B82-3A29F0D01B28}"=ACDSee 8 Media Support Package
"{20E5F823-61A4-4BCE-9DF4-5DB43F302B69}"=Diskeeper Professional Premier Edition
"{236BB7C4-4419-42FD-0409-1E257A25E34D}"=Adobe Photoshop CS2
"{3248F0A8-6813-11D6-A77B-00B0D0150060}"=J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160010}"=Java(TM) SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160030}"=Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}"=Java(TM) 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}"=Java(TM) 6 Update 7
"{345C90FB-FA10-11D5-9C2A-0080C85A0C2D}"=ABBYY FineReader OCR Engine for Microtek
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{374F962E-9322-4118-9A64-4B6997E2A8B5}"=QuickFix
"{44AAA5AD-A24B-11D7-B1FE-002018398620}"=greenstreet National Geographic Photo Browser
"{5D97A4A7-C274-4B63-86D9-07A33435F505}"=InterVideo DVD Check
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}"=Windows Genuine Advantage v1.3.0254.0
"{687E87C0-E4C2-414A-B8A2-E2B9B83670AA}"=RealGrain Plug-in
"{8A708DD8-A5E6-11D4-A706-000629E95E20}"=Intel(R) Graphics Media Accelerator Driver for Mobile
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}"=Adobe Common File Installer
"{90110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}"=InterVideo WinDVD
"{929408E6-D265-4174-805F-81D1D914E2A4}"=QuickTime
"{9E50DEC9-081B-441F-B647-98DBEA8B01DD}"=CorelDRAW 10
"{AC76BA86-1033-0000-7760-000000000001}"=Adobe Acrobat 6.0 Professional
"{AE80641A-0C8D-4670-A518-B4EC154B1027}"=ACDSee 8
"{B08D262E-D902-11D5-9C28-0080C85A0C2D}"=ScanWizard 5
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1"=Spybot - Search & Destroy
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{CBCDEDF3-A2E5-4402-8E9E-E2C23DBE1DA8}"=Adobe Photoshop Lightroom
"{CEB326EC-8F40-47B2-BA22-BB092565D66F}"=Quick Launch Buttons 5.10 B5
"{D301EE05-D1E1-4A58-B89C-A0EFDAB491E2}"=Portraiture Plug-in
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}"=Ad-Aware
"{E9787678-1033-0000-8E67-000000000001}"=Adobe Help Center 1.0
"{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}"=Adobe Stock Photos 1.0
"{FF6F491D-BC82-4DCC-A72F-1824957C6466}"=TIxx21
"Adobe Atmosphere Player"=Adobe Atmosphere Player for Acrobat and Adobe Reader
"Adobe Flash Player Plugin"=Adobe Flash Player Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}"=Adobe Photoshop CS2
"AdobeESD"=Adobe Download Manager 2.0 (Remove Only)
"AVG7Uninstall"=AVG 7.5
"Broadcom 802.11b Network Adapter"=Broadcom 802.11 Wireless LAN Adapter
"CCleaner"=CCleaner (remove only)
"CNXT_AUDIO"=Conexant AC-Link Audio
"CNXT_MODEM_PCI_VEN_8086&DEV_266D&SUBSYS_3080103C"=Soft Data Fax Modem with SmartCP
"Conexant PCI Audio"=Conexant AC-Link Audio
"CorelDRAW 10"=CorelDRAW 10
"EPSON Printer and Utilities"=EPSON Printer Software
"HijackThis"=HijackThis 2.0.2
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"InstallShield_{929408E6-D265-4174-805F-81D1D914E2A4}"=QuickTime
"InstallShield_{FF6F491D-BC82-4DCC-A72F-1824957C6466}"=Texas Instruments PCIxx21/x515 drivers.
"Macromedia Shockwave Player"=Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
"Mozilla Firefox (3.0.3)"=Mozilla Firefox (3.0.3)
"MSN Music Assistant"=MSN Music Assistant
"MSNINST"=MSN
"Nero - Burning Rom!UninstallKey"=Ahead Nero Burning ROM
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"RoboEnhancer Trial"=RoboEnhancer Trial
"Shockwave"=Shockwave
"ShockwaveFlash"=Adobe Flash Player 9 ActiveX
"SynTPDeinstKey"=Synaptics Pointing Device Driver
"The Font Thing"=The Font Thing
"TimeToPhoto_is1"=TimeToPhoto 2.3.4345
"UN080325"=BUFFALO TurboUSB for FLASH/HDD
"UnzipThemAll_is1"=UnzipThemAll 1.3
"WebPost"=Microsoft Web Publishing Wizard 1.52
"Windows Media Format Runtime"=Windows Media Format Runtime
"Windows Media Player"=Windows Media Player 10
"Windows XP Service Pack"=Windows XP Service Pack 3
"WinPatrol"=WinPatrol 2008
"WinRAR archiver"=WinRAR archiver
"Yahoo! Companion"=Yahoo! Toolbar
"Yahoo! Customizations"=Yahoo! extras
"Yahoo! Messenger"=Yahoo! Messenger
"Yahoo! Search Defender"=Yahoo! Search Protection
"Yahoo! Toolbar"=Yahoo! Toolbar
"YInstHelper"=Yahoo! Install Manager
========== HKEY_CURRENT_USER Uninstall List ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent DNA"=DNA
========== HKEY_USERS Uninstall List ==========
[HKEY_USERS\S-1-5-21-73586283-2052111302-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent DNA"=DNA
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 10/19/2008 9:26:59 AM | Computer Name = SUZANNE | Source = AVG7 | ID = 100
Description = 2008-10-19 13:26:59,656 SUZANNE [001344:001408] ERROR 000 AVG7.WTS.CAvgAmWts
ProcessIdToSessionId(1396) call failed with WIN32 error 87, returning session id
is 0
Error - 10/19/2008 9:27:18 AM | Computer Name = SUZANNE | Source = AVG7 | ID = 100
Description = 2008-10-19 13:27:18,296 SUZANNE [001344:001408] ERROR 000 AVG7.WTS.CAvgAmWts
ProcessIdToSessionId(1756) call failed with WIN32 error 87, returning session id
is 0
Error - 10/19/2008 9:27:22 AM | Computer Name = SUZANNE | Source = AVG7 | ID = 100
Description = 2008-10-19 13:27:22,734 SUZANNE [001344:001408] ERROR 000 AVG7.WTS.CAvgAmWts
ProcessIdToSessionId(1952) call failed with WIN32 error 87, returning session id
is 0
Error - 10/19/2008 9:27:36 AM | Computer Name = SUZANNE | Source = AVG7 | ID = 100
Description = 2008-10-19 13:27:36,875 SUZANNE [001344:001408] ERROR 000 AVG7.WTS.CAvgAmWts
ProcessIdToSessionId(2208) call failed with WIN32 error 87, returning session id
is 0
Error - 10/19/2008 9:28:36 AM | Computer Name = SUZANNE | Source = AVG7 | ID = 100
Description = 2008-10-19 13:28:36,968 SUZANNE [001344:001408] ERROR 000 AVG7.WTS.CAvgAmWts
ProcessIdToSessionId(3004) call failed with WIN32 error 87, returning session id
is 0
Error - 10/20/2008 1:10:32 AM | Computer Name = SUZANNE | Source = Spybot - Search & Destroy | ID = 0
Description =
Error - 10/22/2008 11:05:28 AM | Computer Name = SUZANNE | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.29.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.
Error - 10/22/2008 11:06:27 AM | Computer Name = SUZANNE | Source = Application Hang | ID = 1002
Description = Hanging application SpybotSD.exe, version 1.6.0.30, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.
Error - 10/22/2008 11:08:31 AM | Computer Name = SUZANNE | Source = Application Hang | ID = 1002
Description = Hanging application OTViewIt.exe, version 1.0.17.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.
Error - 10/22/2008 11:11:09 AM | Computer Name = SUZANNE | Source = Application Hang | ID = 1002
Description = Hanging application OTViewIt.exe, version 1.0.17.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.
[ System Events ]
Error - 10/19/2008 6:01:17 AM | Computer Name = SUZANNE | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for E:\Program Files\DNA\DNAcpl.cpl.
Reference
error message: The operation completed successfully. .
Error - 10/19/2008 9:28:54 AM | Computer Name = SUZANNE | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.CRT could not be found and Last
Error was The referenced assembly is not installed on your system.
Error - 10/19/2008 9:28:54 AM | Computer Name = SUZANNE | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error
message: The referenced assembly is not installed on your system. .
Error - 10/19/2008 9:28:54 AM | Computer Name = SUZANNE | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for E:\Program Files\DNA\DNAcpl.cpl.
Reference
error message: The operation completed successfully. .
Error - 10/19/2008 11:36:58 AM | Computer Name = SUZANNE | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring
the volume.
Error - 10/19/2008 11:39:36 AM | Computer Name = SUZANNE | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
PCIIde
Error - 10/19/2008 11:40:20 AM | Computer Name = SUZANNE | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.CRT could not be found and Last
Error was The referenced assembly is not installed on your system.
Error - 10/19/2008 11:40:20 AM | Computer Name = SUZANNE | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error
message: The referenced assembly is not installed on your system. .
Error - 10/19/2008 11:40:20 AM | Computer Name = SUZANNE | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for E:\Program Files\DNA\DNAcpl.cpl.
Reference
error message: The operation completed successfully. .
Error - 10/22/2008 5:49:18 AM | Computer Name = SUZANNE | Source = Server | ID = 2505
Description = The server could not bind to the transport \Device\NetBT_Tcpip_{C8163867-8ED5-47F8-9CE5-4907DFA79EBB}
because another computer on the network has the same name. The server could not
start.
< End of report >
Oops, sorry for double posting.
Hi
1 - teatimer
Please disable Teatimer as it may interfere with the fix.
First: Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
Choose Exit Spybot S&D Resident
Second: Open Spybot S&D
Click Mode, check Advanced Mode
Go To Left Panel, Click Tools, then also in left panel, click Resident
If your firewall raises a question, say OK
Uncheck the box labeled Resident Tea-Timer and OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.
Don't forget to re-enable it, when your computer is clean.
2 - Remove bad HijackThis entries
Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
O4 - HKCU\..\Run: [RegCom32] E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.
3 - Download and run OTMoveIt3
Download OTMoveIt3 by OldTimer from here (http://oldtimer.geekstogo.com/OTMoveIt3.exe) and save it to your desktop
Launch OTMoveIt3.exe and copy the text from the codebox below into the lefthand box below "Paste Instructions for Items to be Moved"
:files
E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP
Double-check that the input matches the code box above and then click the MoveIt! button to start the script. If you're prompted about rebooting allow the request.
Once OTMoveIt finishes, a log will be located at C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss. (mmddyyyy_hhmmss is a timestamp from when the log was created)
Include this log in your next reply
4 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
Please reply with
1. the OTMoveIt3 log
2 a fresh HijackThis log
Thanks peku006
Hello again!
Here is my OTMoveIt log:
========== FILES ==========
File/Folder E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP not found.
OTMoveIt3 by OldTimer - Version 1.0.5.0 log created on 10222008_234747
and my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:08 PM, on 10/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
E:\WINDOWS\system32\igfxtray.exe
E:\WINDOWS\system32\hkcmd.exe
E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://alifeinbloom.blogspot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [eabconfg.cpl] E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [WatchDog] E:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "E:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [WinPatrol] E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = E:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - E:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
--
End of file - 8461 bytes
And it reappeared after a minute or so, as warned by Scotty. Is it because I turned my Teatimer again? Here is the another fresh HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:19 PM, on 10/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
E:\WINDOWS\system32\igfxtray.exe
E:\WINDOWS\system32\hkcmd.exe
E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://alifeinbloom.blogspot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [eabconfg.cpl] E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [WatchDog] E:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "E:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [WinPatrol] E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RegCom32] E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = E:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - E:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
--
End of file - 8664 bytes
When then, should the teatimer be turned on again? Once you declare that my laptop is clean?
I just want to clarify since I am confused. And it seems that nasty file appears in logs along with teatimer. Just an observation, though.
Please let me know as I might be doing the wrong thing.
Thanks again!
Hi
Launch OTMoveIt3.exe and copy the text from the codebox below into the lefthand box below "Paste Instructions for Items to be Moved"
:Reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegCom32"=-
Double-check that the input matches the code box above and then click the MoveIt! button to start the script. If you're prompted about rebooting allow the request.
Once OTMoveIt finishes, a log will be located at C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss. (mmddyyyy_hhmmss is a timestamp from when the log was created)
Include this log in your next reply
GMER
Download GMER by GMER from here (http://gmer.net/gmer.zip)
Unzip it to a folder on your desktop
Double click on gmer.exe to launch GMER
If asked, allow the gmer.sys driver load
If it warns you about rootkit activity and asks if you want to run scan, click OK
If you don't get a warning then
Click the rootkit tab
Click Scan
Once the scan has finished, click copy
Paste the log into notepad using Ctrl+V
Save it to your desktop as gmerrk.txt
Click on the >>> tab
This will open up the rest of the tabs for you
Click on the Autostart tab
Click on Scan
Once the scan has finished, click copy
Paste the log into notepad using Ctrl+V
Save it to your desktop as gmerautos.txt
Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic
Hello again! I'm sorry, I had a bad headache last night, thus, I was not able to go online.
Anyways, here is my gmerautos log:
GMER 1.0.14.14536 - http://www.gmer.net
Autostart scan 2008-10-24 08:48:33
Windows 5.1.2600 Service Pack 3
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@BootExecute = autocheck autochk * /*file not found*/
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\SYSTEM\CurrentControlSet\Control\WOW@cmdline = %SystemRoot%\system32\ntvdm.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >>>
@UserinitE:\WINDOWS\system32\userinit.exe, = E:\WINDOWS\system32\userinit.exe,
@ShellExplorer.exe = Explorer.exe
@System =
@UIHostlogonui.exe = logonui.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
crypt32chain@DLLName = crypt32.dll
cryptnet@DLLName = cryptnet.dll
cscdll@DLLName = cscdll.dll
dimsntfy@DLLName = %SystemRoot%\System32\dimsntfy.dll
igfxcui@DLLName = igfxsrvc.dll
ScCertProp@DLLName = wlnotify.dll
Schedule@DLLName = wlnotify.dll
sclgntfy@DLLName = sclgntfy.dll
SensLogn@DLLName = WlNotify.dll
termsrv@DLLName = wlnotify.dll
WgaLogon@DLLName = WgaLogon.dll
wlballoon@DLLName = wlnotify.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs =
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aawservice@ = "E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe"
AudioSrv@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Avg7Alrt@ = E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
Avg7UpdSvc@ = E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
AVGEMS@ = E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
Browser@ = %SystemRoot%\system32\svchost.exe -k netsvcs
CryptSvc@ = %SystemRoot%\system32\svchost.exe -k netsvcs
DcomLaunch@ = %SystemRoot%\system32\svchost -k DcomLaunch
Dhcp@ = %SystemRoot%\system32\svchost.exe -k netsvcs
Diskeeper@ = "E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe"
dmserver@ = %SystemRoot%\System32\svchost.exe -k netsvcs
ERSvc@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Eventlog@ = %SystemRoot%\system32\services.exe
helpsvc@ = %SystemRoot%\System32\svchost.exe -k netsvcs
lanmanserver@ = %SystemRoot%\system32\svchost.exe -k netsvcs
lanmanworkstation@ = %SystemRoot%\system32\svchost.exe -k netsvcs
LmHosts@ = %SystemRoot%\system32\svchost.exe -k LocalService
PlugPlay@ = %SystemRoot%\system32\services.exe
PolicyAgent@ = %SystemRoot%\system32\lsass.exe
ProtectedStorage@ = %SystemRoot%\system32\lsass.exe
RpcSs@ = %SystemRoot%\system32\svchost -k rpcss
SamSs@ = %SystemRoot%\system32\lsass.exe
Schedule@ = %SystemRoot%\System32\svchost.exe -k netsvcs
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
seclogon@ = %SystemRoot%\System32\svchost.exe -k netsvcs
SENS@ = %SystemRoot%\system32\svchost.exe -k netsvcs
SharedAccess@ = %SystemRoot%\System32\svchost.exe -k netsvcs
ShellHWDetection@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Spooler@ = %SystemRoot%\system32\spoolsv.exe
srservice@ = %SystemRoot%\system32\svchost.exe -k netsvcs
stisvc@ = %SystemRoot%\system32\svchost.exe -k imgsvc
Themes@ = %SystemRoot%\System32\svchost.exe -k netsvcs
TrkWks@ = %SystemRoot%\system32\svchost.exe -k netsvcs
UMWdf@ = E:\WINDOWS\system32\wdfmgr.exe
W32Time@ = %SystemRoot%\System32\svchost.exe -k netsvcs
WebClient@ = %SystemRoot%\system32\svchost.exe -k LocalService
winmgmt@ = %systemroot%\system32\svchost.exe -k netsvcs
wscsvc@ = %SystemRoot%\System32\svchost.exe -k netsvcs
wuauserv@ = %systemroot%\system32\svchost.exe -k netsvcs
WZCSVC@ = %SystemRoot%\System32\svchost.exe -k netsvcs
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@IgfxTrayE:\WINDOWS\system32\igfxtray.exe = E:\WINDOWS\system32\igfxtray.exe
@HotKeysCmdsE:\WINDOWS\system32\hkcmd.exe = E:\WINDOWS\system32\hkcmd.exe
@eabconfg.cplE:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start /*file not found*/ = E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start /*file not found*/
@WatchDogE:\Program Files\InterVideo\DVD Check\DVDCheck.exe = E:\Program Files\InterVideo\DVD Check\DVDCheck.exe
@QuickTime Task"E:\Program Files\QuickTime\qttask.exe" -atboottime = "E:\Program Files\QuickTime\qttask.exe" -atboottime
@SunJavaUpdateSched"E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" = "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
@SynTPLprE:\Program Files\Synaptics\SynTP\SynTPLpr.exe = E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
@SynTPEnhE:\Program Files\Synaptics\SynTP\SynTPEnh.exe = E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
@AVG7_CCE:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP = E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
@YSearchProtection"E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" = "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
@DiskeeperSystray"E:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" = "E:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
@WinPatrolE:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot /*file not found*/ = E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot /*file not found*/
HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ctfmon.exeE:\WINDOWS\system32\ctfmon.exe = E:\WINDOWS\system32\ctfmon.exe
@YSearchProtectionE:\Program Files\Yahoo!\Search Protection\SearchProtection.exe = E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
@SpybotSD TeaTimerE:\Program Files\Spybot - Search & Destroy\TeaTimer.exe = E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
@RegCom32E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe /*file not found*/ = E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe /*file not found*/
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad >>>
@PostBootReminder%SystemRoot%\system32\SHELL32.dll = %SystemRoot%\system32\SHELL32.dll
@CDBurn%SystemRoot%\system32\SHELL32.dll = %SystemRoot%\system32\SHELL32.dll
@WebCheckE:\WINDOWS\system32\webcheck.dll = E:\WINDOWS\system32\webcheck.dll
@SysTray%systemroot%\system32\stobject.dll = %systemroot%\system32\stobject.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler >>>
@{438755C2-A8BA-11D1-B96B-00A0C90312E1}%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{8C7461EF-2B13-11d2-BE35-3078302C2030}%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
HKLM\Software\Classes\Folder\shell\open\command@ = %SystemRoot%\Explorer.exe /idlist,%I,%L
HKLM\Software\Classes\Folder\shell\explore\command@ = %SystemRoot%\Explorer.exe /e,/idlist,%I,%L
HKLM\Software\Classes\ >>>
.exe@ = "%1" %*
.com@ = "%1" %*
.cmd@ = "%1" %*
.bat@ = "%1" %*
.pif@ = "%1" %*
.scr@ = "%1" /S
.hta@ = E:\WINDOWS\system32\mshta.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{AEB6717E-7E19-11d0-97EE-00C04FD91972} = shell32.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{00022613-0000-0000-C000-000000000046} /*Multimedia File Property Sheet*/mmsys.cpl = mmsys.cpl
@{176d6597-26d3-11d1-b350-080036a75b03} /*ICM Scanner Management*/icmui.dll = icmui.dll
@{1F2E5C40-9550-11CE-99D2-00AA006E086C} /*NTFS Security Page*/rshx32.dll = rshx32.dll
@{3EA48300-8CF6-101B-84FB-666CCB9BCD32} /*OLE Docfile Property Page*/docprop.dll = docprop.dll
@{40dd6e20-7c17-11ce-a804-00aa003ca9f6} /*Shell extensions for sharing*/ntshrui.dll = ntshrui.dll
@{41E300E0-78B6-11ce-849B-444553540000} /*PlusPack CPL Extension*/%SystemRoot%\system32\themeui.dll = %SystemRoot%\system32\themeui.dll
@{42071712-76d4-11d1-8b24-00a0c9068ff3} /*Display Adapter CPL Extension*/deskadp.dll = deskadp.dll
@{42071713-76d4-11d1-8b24-00a0c9068ff3} /*Display Monitor CPL Extension*/deskmon.dll = deskmon.dll
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/(null) =
@{4E40F770-369C-11d0-8922-00A024AB2DBB} /*DS Security Page*/dssec.dll = dssec.dll
@{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8} /*Compatibility Page*/SlayerXP.dll = SlayerXP.dll
@{56117100-C0CD-101B-81E2-00AA004AE837} /*Shell Scrap DataHandler*/shscrap.dll = shscrap.dll
@{59099400-57FF-11CE-BD94-0020AF85B590} /*Disk Copy Extension*/diskcopy.dll = diskcopy.dll
@{59be4990-f85c-11ce-aff7-00aa003ca9f6} /*Shell extensions for Microsoft Windows Network objects*/ntlanui2.dll = ntlanui2.dll
@{5DB2625A-54DF-11D0-B6C4-0800091AA605} /*ICM Monitor Management*/%SystemRoot%\System32\icmui.dll = %SystemRoot%\System32\icmui.dll
@{675F097E-4C4D-11D0-B6C1-0800091AA605} /*ICM Printer Management*/%SystemRoot%\system32\icmui.dll = %SystemRoot%\system32\icmui.dll
@{764BF0E1-F219-11ce-972D-00AA00A14F56} /*Shell extensions for file compression*/(null) =
@{77597368-7b15-11d0-a0c2-080036af3f03} /*Web Printer Shell Extension*/printui.dll = printui.dll
@{7988B573-EC89-11cf-9C00-00AA00A14F56} /*Disk Quota UI*/dskquoui.dll = dskquoui.dll
@{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} /*Encryption Context Menu*/(null) =
@{85BBD920-42A0-1069-A2E4-08002B30309D} /*Briefcase*/syncui.dll = syncui.dll
@{88895560-9AA2-1069-930E-00AA0030EBC8} /*HyperTerminal Icon Ext*/E:\WINDOWS\system32\hticons.dll = E:\WINDOWS\system32\hticons.dll
@{BD84B380-8CA2-1069-AB1D-08000948F534} /*Fonts*/fontext.dll = fontext.dll
@{DBCE2480-C732-101B-BE72-BA78E9AD5B27} /*ICC Profile*/%SystemRoot%\system32\icmui.dll = %SystemRoot%\system32\icmui.dll
@{F37C5810-4D3F-11d0-B4BF-00AA00BBB723} /*Printers Security Page*/rshx32.dll = rshx32.dll
@{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} /*Shell extensions for sharing*/ntshrui.dll = ntshrui.dll
@{f92e8c40-3d33-11d2-b1aa-080036a75b03} /*Display TroubleShoot CPL Extension*/deskperf.dll = deskperf.dll
@{7444C717-39BF-11D1-8CD9-00C04FC29D45} /*Crypto PKO Extension*/E:\WINDOWS\system32\cryptext.dll = E:\WINDOWS\system32\cryptext.dll
@{7444C719-39BF-11D1-8CD9-00C04FC29D45} /*Crypto Sign Extension*/E:\WINDOWS\system32\cryptext.dll = E:\WINDOWS\system32\cryptext.dll
@{7007ACC7-3202-11D1-AAD2-00805FC1270E} /*Network Connections*/E:\WINDOWS\system32\NETSHELL.dll = E:\WINDOWS\system32\NETSHELL.dll
@{992CFFA0-F557-101A-88EC-00DD010CCC48} /*Network Connections*/E:\WINDOWS\system32\NETSHELL.dll = E:\WINDOWS\system32\NETSHELL.dll
@{E211B736-43FD-11D1-9EFB-0000F8757FCD} /*Scanners & Cameras*/wiashext.dll = wiashext.dll
@{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD} /*Scanners & Cameras*/wiashext.dll = wiashext.dll
@{905667aa-acd6-11d2-8080-00805f6596d2} /*Scanners & Cameras*/wiashext.dll = wiashext.dll
@{3F953603-1008-4f6e-A73A-04AAC7A992F1} /*Scanners & Cameras*/wiashext.dll = wiashext.dll
@{83bbcbf3-b28a-4919-a5aa-73027445d672} /*Scanners & Cameras*/wiashext.dll = wiashext.dll
@{F0152790-D56E-4445-850E-4F3117DB740C} /*Remote Sessions CPL Extension*/E:\WINDOWS\system32\remotepg.dll = E:\WINDOWS\system32\remotepg.dll
@{60254CA5-953B-11CF-8C96-00AA00B8708C} /*Shell extensions for Windows Script Host*/E:\WINDOWS\system32\wshext.dll = E:\WINDOWS\system32\wshext.dll
@{2206CDB2-19C1-11D1-89E0-00C04FD7A829} /*Microsoft Data Link*/E:\Program Files\Common Files\System\Ole DB\oledb32.dll = E:\Program Files\Common Files\System\Ole DB\oledb32.dll
@{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF} /*Tasks Folder Icon Handler*/E:\WINDOWS\system32\mstask.dll = E:\WINDOWS\system32\mstask.dll
@{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF} /*Tasks Folder Shell Extension*/E:\WINDOWS\system32\mstask.dll = E:\WINDOWS\system32\mstask.dll
@{D6277990-4C6A-11CF-8D87-00AA0060F5BF} /*Scheduled Tasks*/E:\WINDOWS\system32\mstask.dll = E:\WINDOWS\system32\mstask.dll
@{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0} /*Set Program Access and Defaults*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{5F327514-6C5E-4d60-8F16-D07FA08A78ED} /*Auto Update Property Sheet Extension*/E:\WINDOWS\system32\wuaucpl.cpl = E:\WINDOWS\system32\wuaucpl.cpl
@{0DF44EAA-FF21-4412-828E-260A8728E7F1} /*Taskbar and Start Menu*/(null) =
@{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0} /*Search*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0} /*Help and Support*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0} /*Help and Support*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0} /*Run...*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0} /*Internet*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0} /*E-mail*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{D20EA4E1-3957-11d2-A40B-0C5020524152} /*Fonts*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{D20EA4E1-3957-11d2-A40B-0C5020524153} /*Administrative Tools*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/E:\WINDOWS\system32\twext.dll = E:\WINDOWS\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/E:\WINDOWS\system32\twext.dll = E:\WINDOWS\system32\twext.dll
@{875CB1A1-0F29-45de-A1AE-CFB4950D0B78} /*Audio Media Properties Handler*/%SystemRoot%\system32\shmedia.dll = %SystemRoot%\system32\shmedia.dll
@{40C3D757-D6E4-4b49-BB41-0E5BBEA28817} /*Video Media Properties Handler*/%SystemRoot%\system32\shmedia.dll = %SystemRoot%\system32\shmedia.dll
@{E4B29F9D-D390-480b-92FD-7DDB47101D71} /*Wav Properties Handler*/%SystemRoot%\system32\shmedia.dll = %SystemRoot%\system32\shmedia.dll
@{87D62D94-71B3-4b9a-9489-5FE6850DC73E} /*Avi Properties Handler*/%SystemRoot%\system32\shmedia.dll = %SystemRoot%\system32\shmedia.dll
@{A6FD9E45-6E44-43f9-8644-08598F5A74D9} /*Midi Properties Handler*/%SystemRoot%\system32\shmedia.dll = %SystemRoot%\system32\shmedia.dll
@{c5a40261-cd64-4ccf-84cb-c394da41d590} /*Video Thumbnail Extractor*/%SystemRoot%\system32\shmedia.dll = %SystemRoot%\system32\shmedia.dll
@{5E6AB780-7743-11CF-A12B-00AA004AE837} /*Microsoft Internet Toolbar*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{22BF0C20-6DA7-11D0-B373-00A0C9034938} /*Download Status*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{91EA3F8B-C99B-11d0-9815-00C04FD91972} /*Augmented Shell Folder*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{6413BA2C-B461-11d1-A18A-080036B11A03} /*Augmented Shell Folder 2*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{F61FFEC1-754F-11d0-80CA-00AA005B4383} /*BandProxy*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{7BA4C742-9E81-11CF-99D3-00AA004AE837} /*Microsoft BrowserBand*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{169A0691-8DF9-11d1-A1C4-00C04FD75D13} /*In-pane search*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{07798131-AF23-11d1-9111-00A0C98BA67D} /*Web Search*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{AF4F6510-F982-11d0-8595-00AA004CD6D8} /*Registry Tree Options Utility*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{01E04581-4EEE-11d0-BFE9-00AA005B4383} /*&Address*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{A08C11D2-A228-11d0-825B-00AA005B4383} /*Address EditBox*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{00BB2763-6A77-11D0-A535-00C04FD7D062} /*Microsoft AutoComplete*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{7376D660-C583-11d0-A3A5-00C04FD706EC} /*TridentImageExtractor*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{6756A641-DE71-11d0-831B-00AA005B4383} /*MRU AutoComplete List*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A} /*Custom MRU AutoCompleted List*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{7e653215-fa25-46bd-a339-34a2790f3cb7} /*Accessible*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{acf35015-526e-4230-9596-becbe19f0ac9} /*Track Popup Bar*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{00BB2764-6A77-11D0-A535-00C04FD7D062} /*Microsoft History AutoComplete List*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{03C036F1-A186-11D0-824A-00AA005B4383} /*Microsoft Shell Folder AutoComplete List*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{00BB2765-6A77-11D0-A535-00C04FD7D062} /*Microsoft Multiple AutoComplete List Container*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{ECD4FC4E-521C-11D0-B792-00A0C90312E1} /*Shell Band Site Menu*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{3CCF8A41-5C85-11d0-9796-00AA00B90ADF} /*Shell DeskBarApp*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{ECD4FC4C-521C-11D0-B792-00A0C90312E1} /*Shell DeskBar*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{ECD4FC4D-521C-11D0-B792-00A0C90312E1} /*Shell Rebar BandSite*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{DD313E04-FEFF-11d1-8ECD-0000F87A470C} /*User Assist*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11} /*Global Folder Settings*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{EFA24E61-B078-11d0-89E4-00C04FC9E26E} /*Favorites Band*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{0A89A860-D7B1-11CE-8350-444553540000} /*Shell Automation Inproc Service*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{A5E46E3A-8849-11D1-9D8C-00C04FC99D61} /*Microsoft Browser Architecture*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC} /*IE4 Suite Splash Screen*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{67EA19A0-CCEF-11d0-8024-00C04FD75D13} /*CDF Extension Copy Hook*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{131A6951-7F78-11D0-A979-00C04FD705A2} /*ISFBand OC*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{9461b922-3c5a-11d2-bf8b-00c04fb93661} /*Search Assistant OC*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{EFA24E64-B078-11d0-89E4-00C04FC9E26E} /*Explorer Band*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} /*Sendmail service*/E:\WINDOWS\system32\sendmail.dll = E:\WINDOWS\system32\sendmail.dll
@{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} /*Sendmail service*/E:\WINDOWS\system32\sendmail.dll = E:\WINDOWS\system32\sendmail.dll
@{88C6C381-2E85-11D0-94DE-444553540000} /*ActiveX Cache Folder*/E:\WINDOWS\system32\occache.dll = E:\WINDOWS\system32\occache.dll
@{E6FB5E20-DE35-11CF-9C87-00AA005127ED} /*WebCheck*/E:\WINDOWS\system32\webcheck.dll = E:\WINDOWS\system32\webcheck.dll
@{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE} /*Subscription Mgr*/E:\WINDOWS\system32\webcheck.dll = E:\WINDOWS\system32\webcheck.dll
@{F5175861-2688-11d0-9C5E-00AA00A45957} /*Subscription Folder*/E:\WINDOWS\system32\webcheck.dll = E:\WINDOWS\system32\webcheck.dll
@{08165EA0-E946-11CF-9C87-00AA005127ED} /*WebCheckWebCrawler*/E:\WINDOWS\system32\webcheck.dll = E:\WINDOWS\system32\webcheck.dll
@{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB} /*WebCheckChannelAgent*/%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7} /*TrayAgent*/%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@{7D559C10-9FE9-11d0-93F7-00AA0059CE02} /*Code Download Agent*/E:\WINDOWS\system32\webcheck.dll = E:\WINDOWS\system32\webcheck.dll
@{E6CC6978-6B6E-11D0-BECA-00C04FD940BE} /*ConnectionAgent*/%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@{D8BD2030-6FC9-11D0-864F-00AA006809D9} /*PostAgent*/%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB} /*WebCheck SyncMgr Handler*/E:\WINDOWS\system32\webcheck.dll = E:\WINDOWS\system32\webcheck.dll
@{352EC2B7-8B9A-11D1-B8AE-006008059382} /*Shell Application Manager*/%SystemRoot%\system32\appwiz.cpl = %SystemRoot%\system32\appwiz.cpl
@{0B124F8F-91F0-11D1-B8B5-006008059382} /*Installed Apps Enumerator*/%SystemRoot%\system32\appwiz.cpl = %SystemRoot%\system32\appwiz.cpl
@{CFCCC7A0-A282-11D1-9082-006008059382} /*Darwin App Publisher*/%SystemRoot%\system32\appwiz.cpl = %SystemRoot%\system32\appwiz.cpl
@{e84fda7c-1d6a-45f6-b725-cb260c236066} /*Shell Image Verbs*/%SystemRoot%\system32\shimgvw.dll = %SystemRoot%\system32\shimgvw.dll
@{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178} /*Shell Image Data Factory*/%SystemRoot%\system32\shimgvw.dll = %SystemRoot%\system32\shimgvw.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{3F30C968-480A-4C6C-862D-EFC0897BB84B} /*GDI+ file thumbnail extractor*/E:\WINDOWS\system32\shimgvw.dll = E:\WINDOWS\system32\shimgvw.dll
@{9DBD2C50-62AD-11d0-B806-00C04FD706EC} /*Summary Info Thumbnail handler (DOCFILES)*/E:\WINDOWS\system32\shimgvw.dll = E:\WINDOWS\system32\shimgvw.dll
@{EAB841A0-9550-11cf-8C16-00805F1408F3} /*HTML Thumbnail Extractor*/E:\WINDOWS\system32\shimgvw.dll = E:\WINDOWS\system32\shimgvw.dll
@{eb9b1153-3b57-4e68-959a-a3266bc3d7fe} /*Shell Image Property Handler*/%SystemRoot%\system32\shimgvw.dll = %SystemRoot%\system32\shimgvw.dll
@{CC6EEFFB-43F6-46c5-9619-51D571967F7D} /*Web Publishing Wizard*/%SystemRoot%\system32\netplwiz.dll = %SystemRoot%\system32\netplwiz.dll
@{add36aa8-751a-4579-a266-d66f5202ccbb} /*Print Ordering via the Web*/%SystemRoot%\system32\netplwiz.dll = %SystemRoot%\system32\netplwiz.dll
@{6b33163c-76a5-4b6c-bf21-45de9cd503a1} /*Shell Publishing Wizard Object*/%SystemRoot%\system32\netplwiz.dll = %SystemRoot%\system32\netplwiz.dll
@{58f1f272-9240-4f51-b6d4-fd63d1618591} /*Get a Passport Wizard*/%SystemRoot%\system32\netplwiz.dll = %SystemRoot%\system32\netplwiz.dll
@{7A9D77BD-5403-11d2-8785-2E0420524153} /*User Accounts*/(null) =
@{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31} /*Compressed (zipped) Folder*/%SystemRoot%\system32\zipfldr.dll = %SystemRoot%\system32\zipfldr.dll
@{BD472F60-27FA-11cf-B8B4-444553540000} /*Compressed (zipped) Folder Right Drag Handler*/%SystemRoot%\system32\zipfldr.dll = %SystemRoot%\system32\zipfldr.dll
@{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} /*Compressed (zipped) Folder SendTo Target*/%SystemRoot%\system32\zipfldr.dll = %SystemRoot%\system32\zipfldr.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/E:\WINDOWS\system32\extmgr.dll = E:\WINDOWS\system32\extmgr.dll
@{63da6ec0-2e98-11cf-8d82-444553540000} /*FTP Folders Webview*/E:\WINDOWS\system32\msieftp.dll = E:\WINDOWS\system32\msieftp.dll
@{883373C3-BF89-11D1-BE35-080036B11A03} /*Microsoft DocProp Shell Ext*/E:\WINDOWS\system32\docprop2.dll = E:\WINDOWS\system32\docprop2.dll
@{A9CF0EAE-901A-4739-A481-E35B73E47F6D} /*Microsoft DocProp Inplace Edit Box Control*/E:\WINDOWS\system32\docprop2.dll = E:\WINDOWS\system32\docprop2.dll
@{8EE97210-FD1F-4B19-91DA-67914005F020} /*Microsoft DocProp Inplace ML Edit Box Control*/E:\WINDOWS\system32\docprop2.dll = E:\WINDOWS\system32\docprop2.dll
@{0EEA25CC-4362-4A12-850B-86EE61B0D3EB} /*Microsoft DocProp Inplace Droplist Combo Control*/E:\WINDOWS\system32\docprop2.dll = E:\WINDOWS\system32\docprop2.dll
@{6A205B57-2567-4A2C-B881-F787FAB579A3} /*Microsoft DocProp Inplace Calendar Control*/E:\WINDOWS\system32\docprop2.dll = E:\WINDOWS\system32\docprop2.dll
@{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33} /*Microsoft DocProp Inplace Time Control*/E:\WINDOWS\system32\docprop2.dll = E:\WINDOWS\system32\docprop2.dll
@{8A23E65E-31C2-11d0-891C-00A024AB2DBB} /*Directory Query UI*/%SystemRoot%\system32\dsquery.dll = %SystemRoot%\system32\dsquery.dll
@{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} /*Shell properties for a DS object*/%SystemRoot%\system32\dsquery.dll = %SystemRoot%\system32\dsquery.dll
@{163FDC20-2ABC-11d0-88F0-00A024AB2DBB} /*Directory Object Find*/%SystemRoot%\system32\dsquery.dll = %SystemRoot%\system32\dsquery.dll
@{F020E586-5264-11d1-A532-0000F8757D7E} /*Directory Start/Search Find*/%SystemRoot%\system32\dsquery.dll = %SystemRoot%\system32\dsquery.dll
@{0D45D530-764B-11d0-A1CA-00AA00C16E65} /*Directory Property UI*/%SystemRoot%\system32\dsuiext.dll = %SystemRoot%\system32\dsuiext.dll
@{62AE1F9A-126A-11D0-A14B-0800361B1103} /*Directory Context Menu Verbs*/%SystemRoot%\system32\dsuiext.dll = %SystemRoot%\system32\dsuiext.dll
@{ECF03A33-103D-11d2-854D-006008059367} /*MyDocs Copy Hook*/%SystemRoot%\system32\mydocs.dll = %SystemRoot%\system32\mydocs.dll
@{ECF03A32-103D-11d2-854D-006008059367} /*MyDocs Drop Target*/%SystemRoot%\system32\mydocs.dll = %SystemRoot%\system32\mydocs.dll
@{4a7ded0a-ad25-11d0-98a8-0800361b1103} /*MyDocs Properties*/%SystemRoot%\system32\mydocs.dll = %SystemRoot%\system32\mydocs.dll
@{750fdf0e-2a26-11d1-a3ea-080036587f03} /*Offline Files Menu*/%SystemRoot%\System32\cscui.dll = %SystemRoot%\System32\cscui.dll
@{10CFC467-4392-11d2-8DB4-00C04FA31A66} /*Offline Files Folder Options*/%SystemRoot%\System32\cscui.dll = %SystemRoot%\System32\cscui.dll
@{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E} /*Offline Files Folder*/%SystemRoot%\System32\cscui.dll = %SystemRoot%\System32\cscui.dll
@{143A62C8-C33B-11D1-84FE-00C04FA34A14} /*Microsoft Agent Character Property Sheet Handler*/E:\WINDOWS\msagent\agentpsh.dll = E:\WINDOWS\msagent\agentpsh.dll
@{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6} /*DfsShell*/E:\WINDOWS\system32\dfsshlex.dll = E:\WINDOWS\system32\dfsshlex.dll
@{60fd46de-f830-4894-a628-6fa81bc0190d} /*%DESC_PublishDropTarget%*/%SystemRoot%\system32\photowiz.dll = %SystemRoot%\system32\photowiz.dll
@{7A80E4A8-8005-11D2-BCF8-00C04F72C717} /*MMC Icon Handler*/%SystemRoot%\System32\mmcshext.dll = %SystemRoot%\System32\mmcshext.dll
@{0CD7A5C0-9F37-11CE-AE65-08002B2E1262} /*.CAB file viewer*/cabview.dll = cabview.dll
@{32714800-2E5F-11d0-8B85-00AA0044F941} /*For &People...*/E:\Program Files\Outlook Express\wabfind.dll = E:\Program Files\Outlook Express\wabfind.dll
@{8DD448E6-C188-4aed-AF92-44956194EB1F} /*Windows Media Player Play as Playlist Context Menu Handler*/E:\WINDOWS\system32\wmpshell.dll = E:\WINDOWS\system32\wmpshell.dll
@{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C} /*Windows Media Player Burn Audio CD Context Menu Handler*/E:\WINDOWS\system32\wmpshell.dll = E:\WINDOWS\system32\wmpshell.dll
@{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD} /*Windows Media Player Add to Playlist Context Menu Handler*/E:\WINDOWS\system32\wmpshell.dll = E:\WINDOWS\system32\wmpshell.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/E:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = E:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/E:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = E:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/E:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = E:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/E:\Program Files\Microsoft Office\OFFICE11\msohev.dll = E:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD} /*CorelDRAW Shell Extension Component*/(null) =
@{21569614-B795-46b1-85F4-E737A8DC09AD} /*Shell Search Band*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{5464D816-CF16-4784-B9F3-75C0DB52B499} /*Yahoo! Mail*/E:\PROGRA~1\Yahoo!\Common\ymmapi.dll = E:\PROGRA~1\Yahoo!\Common\ymmapi.dll
@{640167b4-59b0-47a6-b335-a6b3c0695aea} /*Portable Media Devices*/%SystemRoot%\system32\Audiodev.dll = %SystemRoot%\system32\Audiodev.dll
@{cc86590a-b60a-48e6-996b-41d25ed39a1e} /*Portable Media Devices Menu*/%SystemRoot%\system32\Audiodev.dll = %SystemRoot%\system32\Audiodev.dll
@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} /*Adobe.Acrobat.ContextMenu*/E:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll = E:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
@{2F603045-309F-11CF-9774-0020AFD0CFF6} /*Synaptics Control Panel*/E:\Program Files\Synaptics\SynTP\SynTPCpl.dll = E:\Program Files\Synaptics\SynTP\SynTPCpl.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{1D2680C9-0E2A-469d-B787-065558BC7D43} /*Fusion Cache*/E:\WINDOWS\system32\mscoree.dll = E:\WINDOWS\system32\mscoree.dll
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/E:\Program Files\Grisoft\AVG7\avgse.dll = E:\Program Files\Grisoft\AVG7\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/E:\Program Files\Grisoft\AVG7\avgse.dll = E:\Program Files\Grisoft\AVG7\avgse.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/E:\Program Files\WinRAR\rarext.dll = E:\Program Files\WinRAR\rarext.dll
@{738D66C6-0149-4D40-84E4-A7BB2D0CE949} /*File Manager*/(null) =
@{97C1D2CE-3AB4-4459-9142-D50D9338CB9A} /*ScriptDropShellExt*/E:\Program Files\ACD Systems\RoboEnhancer\ScriptDropShellExt.dll = E:\Program Files\ACD Systems\RoboEnhancer\ScriptDropShellExt.dll
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Adobe.Acrobat.ContextMenu@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = E:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = E:\Program Files\Grisoft\AVG7\avgse.dll
Offline Files@{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
Open With@{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
Open With EncryptionMenu@{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = E:\Program Files\WinRAR\rarext.dll
Yahoo! Mail@{5464D816-CF16-4784-B9F3-75C0DB52B499} = E:\PROGRA~1\Yahoo!\Common\ymmapi.dll
HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} = %SystemRoot%\system32\SHELL32.dll
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
EncryptionMenu@{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
Offline Files@{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
Sharing@{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = E:\Program Files\WinRAR\rarext.dll
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = E:\Program Files\Grisoft\AVG7\avgse.dll
MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = E:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = E:\Program Files\WinRAR\rarext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{02478D38-C3F9-4efb-9B51-7695ECA05670}E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll = E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll = E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}E:\PROGRA~1\SPYBOT~1\SDHelper.dll = E:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}E:\Program Files\Yahoo!\Common\yiesrvc.dll = E:\Program Files\Yahoo!\Common\yiesrvc.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll = E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
@{AE7CD045-E861-484f-8273-0445EE161910}E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll = E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKCU\Control Panel\Desktop@SCRNSAVE.EXE = E:\WINDOWS\system32\logon.scr
HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.yahoo.com/ = http://www.yahoo.com/
@Start Pagehttp://www.yahoo.com/ = http://www.yahoo.com/
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://alifeinbloom.blogspot.com/ = http://alifeinbloom.blogspot.com/
@Local PageE:\WINDOWS\system32\blank.htm = E:\WINDOWS\system32\blank.htm
HKLM\Software\Classes\PROTOCOLS\Filter\ >>>
application/octet-stream@CLSID = E:\WINDOWS\system32\mscoree.dll
application/x-complus@CLSID = E:\WINDOWS\system32\mscoree.dll
application/x-msdownload@CLSID = E:\WINDOWS\system32\mscoree.dll
Class Install Handler@CLSID = E:\WINDOWS\system32\urlmon.dll
deflate@CLSID = E:\WINDOWS\system32\urlmon.dll
gzip@CLSID = E:\WINDOWS\system32\urlmon.dll
lzdhtml@CLSID = E:\WINDOWS\system32\urlmon.dll
text/webviewhtml@CLSID = %SystemRoot%\system32\SHELL32.dll
text/xml@CLSID = E:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
about@CLSID = E:\WINDOWS\system32\mshtml.dll
cdl@CLSID = E:\WINDOWS\system32\urlmon.dll
dvd@CLSID = E:\WINDOWS\system32\msvidctl.dll
file@CLSID = E:\WINDOWS\system32\urlmon.dll
ftp@CLSID = E:\WINDOWS\system32\urlmon.dll
gopher@CLSID = E:\WINDOWS\system32\urlmon.dll
http@CLSID = E:\WINDOWS\system32\urlmon.dll
https@CLSID = E:\WINDOWS\system32\urlmon.dll
its@CLSID = E:\WINDOWS\system32\itss.dll
javascript@CLSID = E:\WINDOWS\system32\mshtml.dll
local@CLSID = E:\WINDOWS\system32\urlmon.dll
mailto@CLSID = E:\WINDOWS\system32\mshtml.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
mk@CLSID = E:\WINDOWS\system32\urlmon.dll
ms-its@CLSID = E:\WINDOWS\system32\itss.dll
mso-offdap@CLSID = E:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = E:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
res@CLSID = E:\WINDOWS\system32\mshtml.dll
sysimage@CLSID = %SystemRoot%\system32\mshtml.dll
tv@CLSID = E:\WINDOWS\system32\msvidctl.dll
vbscript@CLSID = E:\WINDOWS\system32\mshtml.dll
wia@CLSID = E:\WINDOWS\system32\wiascr.dll
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@Domain =
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ >>>
000000000001@LibraryPath = %SystemRoot%\System32\mswsock.dll
000000000002@LibraryPath = %SystemRoot%\System32\winrnr.dll
000000000003@LibraryPath = %SystemRoot%\System32\mswsock.dll
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000002@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000003@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000004@PackedCatalogItem = %SystemRoot%\system32\rsvpsp.dll
000000000005@PackedCatalogItem = %SystemRoot%\system32\rsvpsp.dll
000000000006@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000007@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000008@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000009@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000010@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000011@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000012@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000013@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000014@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000015@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000016@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000017@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000018@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000019@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000020@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000021@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000022@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
E:\Documents and Settings\User\Start Menu\Programs\Startup = Adobe Gamma.lnk
E:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
Acrobat Assistant.lnk = Acrobat Assistant.lnk
Microtek Scanner Finder.lnk = Microtek Scanner Finder.lnk
---- EOF - GMER 1.0.14 ----
Hello! I had to split and zip the .txt file of my gmerrk log because of the file size which prevents me from posting the full log here.
I hope it's OK.
Hi
Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
Please reply with
a fresh HijackThis log
Thanks peku006
Hello peku006. Here is a fresh HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:39 PM, on 10/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\igfxtray.exe
E:\WINDOWS\system32\hkcmd.exe
E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\WINDOWS\system32\WISPTIS.EXE
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://alifeinbloom.blogspot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [eabconfg.cpl] E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [WatchDog] E:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "E:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RegCom32] E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = E:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - E:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
--
End of file - 8326 bytes
Hi
1 - teatimer
Please disable Teatimer as it may interfere with the fix.
First: Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
Choose Exit Spybot S&D Resident
Second: Open Spybot S&D
Click Mode, check Advanced Mode
Go To Left Panel, Click Tools, then also in left panel, click Resident
If your firewall raises a question, say OK
Uncheck the box labeled Resident Tea-Timer and OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.
Don't forget to re-enable it, when your computer is clean.
2 - Remove bad HijackThis entries
Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
O4 - HKCU\..\Run: [RegCom32] E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.
run OTMoveIt3
Launch OTMoveIt3.exe and copy the text from the codebox below into the lefthand box below "Paste Instructions for Items to be Moved"
:Reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegCom32"=-
Double-check that the input matches the code box above and then click the MoveIt! button to start the script. If you're prompted about rebooting allow the request.
Once OTMoveIt finishes, a log will be located at C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss. (mmddyyyy_hhmmss is a timestamp from when the log was created)
Include this log in your next reply
After that, Reboot
4 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
Please reply with
1. the OTMoveIt3 log
2 a fresh HijackThis log
Thanks peku006
Hello!
Here is my OTMoveIt3 log:
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\RegCom32 not found.
OTMoveIt3 by OldTimer - Version 1.0.5.0 log created on 10242008_210134
And my fresh HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:52 PM, on 10/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\igfxtray.exe
E:\WINDOWS\system32\hkcmd.exe
E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://alifeinbloom.blogspot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [eabconfg.cpl] E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [WatchDog] E:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "E:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = E:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - E:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
--
End of file - 8181 bytes
Hi
1 - F-Secure Online Scan
Please go to F-Secure website (http://support.f-secure.com/ols3beta/start.html) to perform an online scan. Click on Start scanning at the bottom of the page.
You may be prompted to install an ActiveX before you are able to accept the License Agreement. If prompted, please install it. After installing, the Accept button will be available.
Click on Accept to accept the License Agreement.
Click on Custom Scan. Under Virus Scan Options, select the Scan whole system option.
Under Other Scan Options, select these options: Scan all files
Scan whole system for rootkits
Scan whole system for spyware
Scan inside archives
Use advanced heuristics Click Start.
It will start installing the scanner and virus definitions. Once the installation is done, it will start scanning automatically. This takes a while. Please be patient.
Click on I want decide item by item.
Under Actions, select None for all infections found.
Click Next.
Click on Show Report.
Please copy and paste this report in your next reply.
Click Finish.
2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
3 - Status Check
Please reply with
1. the F-Secure online scanner report
2. a fresh HijackThis log
Thanks peku006
OK. F-Secure is downloading now.
I have a question. I have not re-enable Tea Time yet. Should I be doing that now? I am a bit confused about this:
Don't forget to re-enable it, when your computer is clean
When can I say that it is already clean?
Thanks again!
Hi
I have not re-enable Tea Time yet. Should I be doing that now?
After F-Secure Online Scan........:)
OK. Thanks again! I will be posting the required logs most likely tomorrow. :) Have a good day/ night! (It's night from where I am.)
Hello! Here is my F-Secure report:
Scanning Report
Friday, October 24, 2008 23:05:58 - 04:56:24
Computer name: SUZANNE
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ E:\
Result: 1 malware found
TrackingCookie.Yieldmanager (spyware)
* System
Statistics
Scanned:
* Files: 207660
* System: 3409
* Not scanned: 47
Actions:
* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 1
* Submitted: 0
Files not scanned:
* C:\PAGEFILE.SYS
* C:\FDOS\SOURCE\SHSUCD\2KBLOCK.DAT
* C:\FDOS\SOURCE\SHSUCD\SHSUDRV0.IMG
* C:\FDOS\SOURCE\SHSUCD\SHSUDRV1.IMG
* E:\WINDOWS\TEMP\PERFLIB_PERFDATA_1C4.DAT
* E:\WINDOWS\TEMP\PERFLIB_PERFDATA_238.DAT
* E:\WINDOWS\TEMP\PERFLIB_PERFDATA_240.DAT
* E:\WINDOWS\TEMP\PERFLIB_PERFDATA_278.DAT
* E:\WINDOWS\TEMP\PERFLIB_PERFDATA_300.DAT
* E:\WINDOWS\TEMP\PERFLIB_PERFDATA_548.DAT
* E:\WINDOWS\TEMP\PERFLIB_PERFDATA_568.DAT
* E:\WINDOWS\TEMP\PERFLIB_PERFDATA_57C.DAT
* E:\WINDOWS\TEMP\PERFLIB_PERFDATA_5D0.DAT
* E:\WINDOWS\TEMP\PERFLIB_PERFDATA_638.DAT
* E:\WINDOWS\TEMP\PERFLIB_PERFDATA_784.DAT
* E:\WINDOWS\SYSTEM32\BIOS1.ROM
* E:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* E:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
* E:\WINDOWS\SYSTEM32\CONFIG\SAM
* E:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
* E:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* E:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
* E:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* E:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
* E:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* E:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
* E:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG
* E:\WINDOWS\SYSTEM32\CATROOT2\TMP.EDB
* E:\DOCUMENTS AND SETTINGS\USER\NTUSER.DAT
* E:\DOCUMENTS AND SETTINGS\USER\NTUSER.DAT.LOG
* E:\Documents and Settings\User\My Documents\Downloads\Adobe.Photoshop.Actions.for.Photographers.rar\Craigs Actions Vol. 1-2-3-4-5-7-8\Craigs Actions Volumes 7, 8\CMA Power Processor CMYK Vol 8\DUMP FILES\CMYK Dump\Icon_
* E:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\ETILQS_F3OM6WRTJGIFQIKG5XOD
* E:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\H00QUZNT.DEFAULT USER\CACHE\_CACHE_001_
* E:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\H00QUZNT.DEFAULT USER\CACHE\_CACHE_002_
* E:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\H00QUZNT.DEFAULT USER\CACHE\_CACHE_003_
* E:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
* E:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG
* E:\DOCUMENTS AND SETTINGS\USER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\H00QUZNT.DEFAULT USER\PARENT.LOCK
* E:\DOCUMENTS AND SETTINGS\USER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\H00QUZNT.DEFAULT USER\PLACES.SQLITE-JOURNAL
* E:\DOCUMENTS AND SETTINGS\NETWORKSERVICE.NT AUTHORITY\NTUSER.DAT
* E:\DOCUMENTS AND SETTINGS\NETWORKSERVICE.NT AUTHORITY\NTUSER.DAT.LOG
* E:\DOCUMENTS AND SETTINGS\NETWORKSERVICE.NT AUTHORITY\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
* E:\DOCUMENTS AND SETTINGS\NETWORKSERVICE.NT AUTHORITY\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG
* E:\DOCUMENTS AND SETTINGS\LOCALSERVICE.NT AUTHORITY\NTUSER.DAT
* E:\DOCUMENTS AND SETTINGS\LOCALSERVICE.NT AUTHORITY\NTUSER.DAT.LOG
* E:\DOCUMENTS AND SETTINGS\LOCALSERVICE.NT AUTHORITY\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
* E:\DOCUMENTS AND SETTINGS\LOCALSERVICE.NT AUTHORITY\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG
Options
Scanning engines:
* F-Secure USS: 2.30.0
* F-Secure Hydra: 2.8.8110, 2008-10-24
* F-Secure AVP: 7.0.171, 2008-10-24
* F-Secure Pegasus: 1.20.0, 2008-09-22
* F-Secure Blacklight: 1.0.68
Scanning options:
* Scan all files
* Scan inside archives
* Use Advanced heuristics
Copyright © 1998-2007 Product support |Send virus sample to F-Secure
=========================================================
And my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:03:42 AM, on 10/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\igfxtray.exe
E:\WINDOWS\system32\hkcmd.exe
E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\DOCUME~1\User\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
E:\DOCUME~1\User\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
E:\WINDOWS\system32\notepad.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://alifeinbloom.blogspot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [eabconfg.cpl] E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [WatchDog] E:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "E:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = E:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {664088B0-6AF3-4514-AF9D-A0DC3A3DF24A} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols3beta/fscax.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - E:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
--
End of file - 8509 bytes
Thanks again!
Hi
O4 - HKCU\..\Run: [RegCom32] E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe
is away........
Everything is good now
Hello! Unfortunately, it's still there. I re-enabled Spybot after the F-Secure scan and then ran HJT and here's what I got:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:56 PM, on 10/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\igfxtray.exe
E:\WINDOWS\system32\hkcmd.exe
E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://alifeinbloom.blogspot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [eabconfg.cpl] E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [WatchDog] E:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "E:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RegCom32] E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = E:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {664088B0-6AF3-4514-AF9D-A0DC3A3DF24A} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols3beta/fscax.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - E:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
--
End of file - 8502 bytes
==========================================================
It's there again. :( Does this mean that Spybot is the one causing its reappearance? Thanks again!
Hi
Does this mean that Spybot is the one causing its reappearance?
I´m not sure......, i think that IXP004.TMP is a "windows-folder"..........
When you start Windows, do you have some kind of error message
Download RegSearch (http://download.bleepingcomputer.com/steelwerx/regsearch.zip) by Bobbi Flekman.
Create a folder in your C: drive C:\Regsearch, and extract all the files from the zip archive into that folder.
Double click regsearch.exe to launch the programme.
Copy/Paste the following into the Search Box RegCom32
Click OK.
Regsearch will now search your Registry for the required strings, when it is finished it will open a Notepad file RegSearch.txt, saved to the Regsearch folder.
Copy/Paste that file into your next post.
I disabled TeaTimer and here is the RegSearch log:
Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0
; Results at 10/25/2008 3:38:40 PM for strings:
; 'regcom32'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
[HKEY_LOCAL_MACHINE\SOFTWARE\BillP Studios\WinPatrol\Disabled]
"RegCom32"="11"
[HKEY_LOCAL_MACHINE\SOFTWARE\BillP Studios\WinPatrol\Disabled\Run]
"RegCom32"="E:\\DOCUME~1\\User\\LOCALS~1\\Temp\\IXP004.TMP\\svchost.exe"
; End Of The Log...
Thanks!
Hi zu921
lets try this........
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible.
Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.
Remove bad HijackThis entries
Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
O4 - HKCU\..\Run: [RegCom32] E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.
Boot into Safe Mode
Reboot your computer in Safe Mode.
If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.
Registry editing
Go to Start > Run
Type regedit and click OK.
On the leftside, click to highlight My Computer at the top.
Go up to "File > Export"
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put backup
Choose to save it to C:\ or in somewhere else safe location so that you will remember where you put it (don't put it on the Desktop!)
Click Save and then go to File > Exit.
Open Notepad and copy the contents of the following box to a new file.
Windows Registry Editor Version 5.00
[[HKEY_LOCAL_MACHINE\SOFTWARE\BillP Studios\WinPatrol\Disabled]
"RegCom32"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\BillP Studios\WinPatrol\Disabled\Run]
"RegCom32"=-
Save it as fix.reg (save type: "All files" (*.*)) to your desktop.
It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif
Go to Desktop, double-click fix.reg and merge the infomation with the registry.
Restart your PC
4 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
Please reply with
a fresh HijackThis log
Thanks peku006
Hello peku006. I did as instructed. However, I did not turn TeaTimer on anymore. Here is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:11:44 PM, on 10/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\igfxtray.exe
E:\WINDOWS\system32\hkcmd.exe
E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://alifeinbloom.blogspot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [eabconfg.cpl] E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [WatchDog] E:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "E:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = E:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {664088B0-6AF3-4514-AF9D-A0DC3A3DF24A} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols3beta/fscax.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - E:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
--
End of file - 7663 bytes
When you start Windows, do you have some kind of error messageCopy/Paste that file into your next post.
Nope, I don't encounter any error message when I start Windows.
Remove bad HijackThis entries
Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
O4 - HKCU\..\Run: [RegCom32] E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe
[/list]
I was not able to find this file.
Hi zu921
It´s away again......
How is the computer running now ?
Hello peku006!
My computer is OK now, I think. :) However, I did not re-enable TeaTimer again.