# Solved: Help Needed with Vundo & ComboFix



## byanoseau (Jun 3, 2002)

Hi Everyone,

Would someone please guide me through the removal of Vundo, and no doubt other problems, using ComboFix and any other tools that might be required to remove malware etc.

Thanks.

Byn


----------



## Cookiegal (Aug 27, 2003)

*Click here* to download *HJTsetup.exe*.

Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This. 
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

*Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.*

*Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.*


----------



## byanoseau (Jun 3, 2002)

Hi Cookiegal,
Thanks for the reply, I appreciate your help. I had a problem with HJT copying the log file to notepad because I got the Notepad.exe Application Error message. However, it did produce a log file that I was able to open in another program.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:51 AM, on 29/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
D:\Clipboard Pile\Clipboard Pile.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\PowerISO 3.7\PWRISOVM.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp Pro 5.5\winampa.exe
C:\WINDOWS\PowerS.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hppapml0.exe
C:\PROGRA~1\MOZILL~1.6\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/resetpw.srf?lc=3081
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {85950A56-B777-4374-91F3-6DE058F5F2DF} - C:\WINDOWS\system32\tuvVNEvu.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [Clipboard Pile] D:\Clipboard Pile\Clipboard Pile.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppautoindexer.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO 3.7\PWRISOVM.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp Pro 5.5\winampa.exe"
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [BM07bbee78] Rundll32.exe "C:\WINDOWS\system32\bxianugb.dll",s
O4 - HKLM\..\Run: [0488dde4] rundll32.exe "C:\WINDOWS\system32\ygyakhdt.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
O4 - Global Startup: Suitcase Startup.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\\DownloadPDF.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - 
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1211766713296
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - 
O17 - HKLM\System\CCS\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O17 - HKLM\System\CS1\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O17 - HKLM\System\CS2\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O17 - HKLM\System\CS3\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0055136.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 12193 bytes

Thanks.
Byn
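A log like the one above is normally read by a helper line by line. As an added example (not part of this thread, and not a feature of HijackThis or ComboFix), the Python below does the first pass a defender would make by hand: it flags O4 Run entries that use rundll32 to load an eight-letter DLL from system32, unnamed O2 BHOs with the same naming pattern, any O20 AppInit_DLLs value, and O17 DNS settings for confirmation. The sample lines are copied from the log above and mixed with benign entries; the name-length rule is a heuristic for "look this file up", not a verdict.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: a few lines copied from the HijackThis log posted above
# (paths and CLSIDs as they appear in the thread), mixed with benign entries so
# the triage has something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {85950A56-B777-4374-91F3-6DE058F5F2DF} - C:\WINDOWS\system32\tuvVNEvu.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BM07bbee78] Rundll32.exe "C:\WINDOWS\system32\bxianugb.dll",s
O4 - HKLM\..\Run: [0488dde4] rundll32.exe "C:\WINDOWS\system32\ygyakhdt.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0055136.dat
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
"""

# Eight alphabetic characters as a DLL name directly under system32. This is the
# naming pattern of several entries in the log above; it is a heuristic meaning
# "look this file up", not a verdict.
RANDOM_SYSTEM32_DLL = re.compile(r"\\system32\\[A-Za-z]{8}\.dll\b", re.IGNORECASE)

# O4 Run entry whose command is rundll32.exe loading a quoted DLL path.
RUNDLL_ENTRY = re.compile(
    r'^O4 - .*?:\s*\[(?P<name>[^\]]+)\]\s*rundll32\.exe\s+"(?P<dll>[^"]+)"',
    re.IGNORECASE,
)


def triage_line(line: str) -> List[str]:
    """Return the reasons one HijackThis line deserves a closer look (empty if none)."""
    reasons: List[str] = []
    section = line.split(" - ", 1)[0]          # "O2", "O4", "O17", ...
    if section == "O2" and "(no name)" in line and RANDOM_SYSTEM32_DLL.search(line):
        reasons.append("unnamed BHO loading an eight-letter DLL from system32")
    if section == "O4":
        m = RUNDLL_ENTRY.match(line)
        if m and RANDOM_SYSTEM32_DLL.search(m.group("dll")):
            reasons.append(f"Run entry [{m.group('name')}] uses rundll32 to load an eight-letter DLL from system32")
    if section == "O20" and "AppInit_DLLs:" in line:
        value = line.split("AppInit_DLLs:", 1)[1].strip()
        if value:   # anything listed here is loaded into every process that maps user32.dll
            reasons.append(f"AppInit_DLLs is set to {value}")
    if section == "O17":
        reasons.append("explicit DNS servers; confirm they belong to the ISP before trusting name resolution")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to its reasons, preserving log order."""
    findings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings[line] = reasons
    return findings


def summarize(findings: Dict[str, List[str]]) -> Counter:
    """Count flagged lines per HijackThis section, e.g. {'O4': 2, ...}."""
    return Counter(line.split(" - ", 1)[0] for line in findings)


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

On the sample above the script flags five lines (one O2, two O4, the O17 pair's first entry and the O20 value) and leaves the Adobe, Java, ctfmon and BitDefender entries alone. The O17 note is deliberately a question rather than a finding: the DNS servers in the log may well be the ISP's, and the script has no way to know.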


----------



## Cookiegal (Aug 27, 2003)

Please visit *Combofix Guide & Instructions* for instructions for downloading and running ComboFix:

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.


----------



## byanoseau (Jun 3, 2002)

Hi Cookiegal,
I have a problem installing ComboFix. I get two (2) error messages.
1. cmd.exe Application Error
2. rundll32.exe Application Error
These errors are preventing me from installing ComboFix.
What do you suggest?
Thanks
Byn


----------



## Cookiegal (Aug 27, 2003)

Are you sure you had all security programs disabled?

Let's remove the program you downloaded and try again, but this time when downloading ComboFix.exe, rename it to Combo-Fix.exe as you're saving it.

*Follow these steps to uninstall Combofix and tools used in the removal of malware*

Click *START* then *RUN*
Now type *Combofix /u* in the run box and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.

Then go back to the same link as before and download it again, renaming it in the process.


----------



## byanoseau (Jun 3, 2002)

Hi Cookiegal,
The problem might be that I can't turn off Windows Firewall because when I attempt to do so I get the rundll32.exe error.
Is there any other way I can disable it?
Thanks.
Byn


----------



## Cookiegal (Aug 27, 2003)

No, the Windows firewall doesn't need to be disabled.

Have you tried renaming ComboFix?


----------



## byanoseau (Jun 3, 2002)

Hi Cookiegal,
Yes, I've renamed ComboFix as you suggested.
I get the same result as before.
1. cmd.exe Application Error
2. rundll32.exe Application Error
There's actually two of each of these error warnings.
Byn


----------



## Cookiegal (Aug 27, 2003)

Please go to *Start* - *Run* - type in *eventvwr.msc* to open the event viewer. Look under both "Application" and "System" for recent (the last 48 hours or so) errors (shown in red) and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.
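Once the errors have been pasted as text, reading a dozen of them one at a time is slow; a defender usually wants them grouped by faulting module. The Python below is an added example, not from this thread or from any tool the thread uses: it parses records in the text format Event Viewer copies (the "Key: value" header lines followed by a Description line, a help URL and a hex dump), counts Event ID 1000 crashes per module and version, and lists modules that report version 0.0.0.0 and carry an eight-lowercase-letter name, which is the pattern to cross-check against the HijackThis log. The sample records are constructed, modelled on the ones posted later in this thread, with the hex dump trimmed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample, modelled on the records pasted from Event Viewer later in
# this thread; the hex "Data:" dump is trimmed to one line to keep it short.
SAMPLE_EVENTS = """\
Event Type:\tError
Event Source:\tApplication Error
Event ID:\t1000
Date: 30/05/2008
Time: 3:15:34 PM
Computer:\tJOHN
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module acroiehelper.dll, version 8.0.0.456, fault address 0x00001fa3.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat

Event Type:\tError
Event Source:\tApplication Error
Event ID:\t1000
Date: 30/05/2008
Time: 12:49:00 PM
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module ddrmmjxc.dll, version 0.0.0.0, fault address 0x00001fa3.

Event Type:\tError
Event Source:\tApplication Error
Event ID:\t1000
Date: 29/05/2008
Time: 1:07:43 PM
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module ygyakhdt.dll, version 0.0.0.0, fault address 0x00001fa3.

Event Type:\tError
Event Source:\tApplication Hang
Event ID:\t1002
Date: 29/05/2008
Time: 12:26:21 PM
Description:
Hanging application explorer.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
"""

# One "Key:<tab or space>value" header line as Event Viewer copies it.
HEADER = re.compile(r"^([A-Za-z ]+):\s*(.*)$")
# The part of an Event ID 1000 description that names the crashing module.
FAULT = re.compile(r"faulting module (?P<module>[^,\s]+), version (?P<version>[\d.]+), fault address (?P<addr>0x[0-9a-fA-F]+)")
# Eight lowercase letters plus .dll: the naming pattern of the unversioned modules in this thread.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.dll$")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split pasted Event Viewer text into records: header fields plus the first Description line."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    expect_desc = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Event Type:"):           # every record starts with this field
            if current is not None:
                records.append(current)
            current, expect_desc = {}, False
        if current is None or not line:
            continue
        if expect_desc:                               # first non-empty line after "Description:"
            current["Description"] = line
            expect_desc = False
            continue
        if "Description" in current:                  # skip the help URL and the hex dump
            continue
        m = HEADER.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Description":
            expect_desc = True
        else:
            current[key] = value
    if current is not None:
        records.append(current)
    return records


def faulting_modules(records: List[Dict[str, str]]) -> Counter:
    """Count Event ID 1000 crashes by (module, version)."""
    counts: Counter = Counter()
    for rec in records:
        if rec.get("Event ID") != "1000":
            continue
        m = FAULT.search(rec.get("Description", ""))
        if m:
            counts[(m.group("module"), m.group("version"))] += 1
    return counts


def suspicious_modules(counts: Counter) -> List[str]:
    """Modules with no version resource and a random-looking name: cross-check them against the HijackThis log."""
    return sorted(module for (module, version) in counts
                  if version == "0.0.0.0" and RANDOM_NAME.match(module))


if __name__ == "__main__":
    recs = parse_events(SAMPLE_EVENTS)
    counts = faulting_modules(recs)
    for (module, version), n in counts.most_common():
        print(f"{n} crash(es) in {module} {version}")
    print("review:", suspicious_modules(counts))
```

The parser keys records on the "Event Type:" line because that is the one field every copied record starts with; everything after the first Description line (the help URL, "Data:", the hex rows) is skipped rather than parsed, since the hex dump only repeats the description. Versioned modules such as acroiehelper.dll are counted but not listed for review, so the output separates "a legitimate add-in is crashing Explorer" from "an unversioned, randomly named DLL is crashing Explorer".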


----------



## byanoseau (Jun 3, 2002)

Hi Cookiegal,
As requested, errors from Event Viewer.

Event Type:	Error
Event Source:	FLEXnet Licensing Service
Event Category:	None
Event ID:	0
Date: 31/05/2008
Time: 10:22:38 AM
User: N/A
Computer:	JOHN
Description:
The description for Event ID ( 0 ) in Source ( FLEXnet Licensing Service ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: StartServiceCtrlDispatcher() failed.

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 30/05/2008
Time: 3:15:34 PM
User: N/A
Computer:	JOHN
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module acroiehelper.dll, version 8.0.0.456, fault address 0x00001fa3.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180 
0030: 69 6e 20 61 63 72 6f 69 in acroi
0038: 65 68 65 6c 70 65 72 2e ehelper.
0040: 64 6c 6c 20 38 2e 30 2e dll 8.0.
0048: 30 2e 34 35 36 20 61 74 0.456 at
0050: 20 6f 66 66 73 65 74 20 offset 
0058: 30 30 30 30 31 66 61 33 00001fa3
0060: 0d 0a ..

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 30/05/2008
Time: 2:09:36 PM
User: N/A
Computer:	JOHN
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module acroiehelper.dll, version 8.0.0.456, fault address 0x00001fa3.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180 
0030: 69 6e 20 61 63 72 6f 69 in acroi
0038: 65 68 65 6c 70 65 72 2e ehelper.
0040: 64 6c 6c 20 38 2e 30 2e dll 8.0.
0048: 30 2e 34 35 36 20 61 74 0.456 at
0050: 20 6f 66 66 73 65 74 20 offset 
0058: 30 30 30 30 31 66 61 33 00001fa3
0060: 0d 0a ..

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 30/05/2008
Time: 1:53:18 PM
User: N/A
Computer:	JOHN
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module acroiehelper.dll, version 8.0.0.456, fault address 0x00001fa3.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180 
0030: 69 6e 20 61 63 72 6f 69 in acroi
0038: 65 68 65 6c 70 65 72 2e ehelper.
0040: 64 6c 6c 20 38 2e 30 2e dll 8.0.
0048: 30 2e 34 35 36 20 61 74 0.456 at
0050: 20 6f 66 66 73 65 74 20 offset 
0058: 30 30 30 30 31 66 61 33 00001fa3
0060: 0d 0a ..

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 30/05/2008
Time: 1:45:24 PM
User: N/A
Computer:	JOHN
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module acroiehelper.dll, version 8.0.0.456, fault address 0x00001fa3.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180 
0030: 69 6e 20 61 63 72 6f 69 in acroi
0038: 65 68 65 6c 70 65 72 2e ehelper.
0040: 64 6c 6c 20 38 2e 30 2e dll 8.0.
0048: 30 2e 34 35 36 20 61 74 0.456 at
0050: 20 6f 66 66 73 65 74 20 offset 
0058: 30 30 30 30 31 66 61 33 00001fa3
0060: 0d 0a ..

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 30/05/2008
Time: 12:49:00 PM
User: N/A
Computer:	JOHN
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module ddrmmjxc.dll, version 0.0.0.0, fault address 0x00001fa3.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180 
0030: 69 6e 20 64 64 72 6d 6d in ddrmm
0038: 6a 78 63 2e 64 6c 6c 20 jxc.dll 
0040: 30 2e 30 2e 30 2e 30 20 0.0.0.0 
0048: 61 74 20 6f 66 66 73 65 at offse
0050: 74 20 30 30 30 30 31 66 t 00001f
0058: 61 33 0d 0a a3..

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 30/05/2008
Time: 10:28:12 AM
User: N/A
Computer:	JOHN
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module ddrmmjxc.dll, version 0.0.0.0, fault address 0x00001fa3.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180 
0030: 69 6e 20 64 64 72 6d 6d in ddrmm
0038: 6a 78 63 2e 64 6c 6c 20 jxc.dll 
0040: 30 2e 30 2e 30 2e 30 20 0.0.0.0 
0048: 61 74 20 6f 66 66 73 65 at offse
0050: 74 20 30 30 30 30 31 66 t 00001f
0058: 61 33 0d 0a a3..

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 30/05/2008
Time: 9:40:38 AM
User: N/A
Computer:	JOHN
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module acroiehelper.dll, version 8.0.0.456, fault address 0x00001fa3.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180 
0030: 69 6e 20 61 63 72 6f 69 in acroi
0038: 65 68 65 6c 70 65 72 2e ehelper.
0040: 64 6c 6c 20 38 2e 30 2e dll 8.0.
0048: 30 2e 34 35 36 20 61 74 0.456 at
0050: 20 6f 66 66 73 65 74 20 offset 
0058: 30 30 30 30 31 66 61 33 00001fa3
0060: 0d 0a ..

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 30/05/2008
Time: 9:39:46 AM
User: N/A
Computer:	JOHN
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module acroiehelper.dll, version 8.0.0.456, fault address 0x00001fa3.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180 
0030: 69 6e 20 61 63 72 6f 69 in acroi
0038: 65 68 65 6c 70 65 72 2e ehelper.
0040: 64 6c 6c 20 38 2e 30 2e dll 8.0.
0048: 30 2e 34 35 36 20 61 74 0.456 at
0050: 20 6f 66 66 73 65 74 20 offset 
0058: 30 30 30 30 31 66 61 33 00001fa3
0060: 0d 0a ..

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 30/05/2008
Time: 9:34:45 AM
User: N/A
Computer:	JOHN
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module acroiehelper.dll, version 8.0.0.456, fault address 0x00001fa3.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180 
0030: 69 6e 20 61 63 72 6f 69 in acroi
0038: 65 68 65 6c 70 65 72 2e ehelper.
0040: 64 6c 6c 20 38 2e 30 2e dll 8.0.
0048: 30 2e 34 35 36 20 61 74 0.456 at
0050: 20 6f 66 66 73 65 74 20 offset 
0058: 30 30 30 30 31 66 61 33 00001fa3
0060: 0d 0a ..

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 29/05/2008
Time: 9:36:43 PM
User: N/A
Computer:	JOHN
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x10001fa3.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180 
0030: 69 6e 20 75 6e 6b 6e 6f in unkno
0038: 77 6e 20 30 2e 30 2e 30 wn 0.0.0
0040: 2e 30 20 61 74 20 6f 66 .0 at of
0048: 66 73 65 74 20 31 30 30 fset 100
0050: 30 31 66 61 33 0d 0a 01fa3..

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 29/05/2008
Time: 4:16:21 PM
User: N/A
Computer:	JOHN
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x10001fa3.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180 
0030: 69 6e 20 75 6e 6b 6e 6f in unkno
0038: 77 6e 20 30 2e 30 2e 30 wn 0.0.0
0040: 2e 30 20 61 74 20 6f 66 .0 at of
0048: 66 73 65 74 20 31 30 30 fset 100
0050: 30 31 66 61 33 0d 0a 01fa3..

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 29/05/2008
Time: 1:07:43 PM
User: N/A
Computer:	JOHN
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module ygyakhdt.dll, version 0.0.0.0, fault address 0x00001fa3.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180 
0030: 69 6e 20 79 67 79 61 6b in ygyak
0038: 68 64 74 2e 64 6c 6c 20 hdt.dll 
0040: 30 2e 30 2e 30 2e 30 20 0.0.0.0 
0048: 61 74 20 6f 66 66 73 65 at offse
0050: 74 20 30 30 30 30 31 66 t 00001f
0058: 61 33 0d 0a a3..

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 29/05/2008
Time: 12:26:48 PM
User: N/A
Computer:	JOHN
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module ygyakhdt.dll, version 0.0.0.0, fault address 0x00001fa3.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180 
0030: 69 6e 20 79 67 79 61 6b in ygyak
0038: 68 64 74 2e 64 6c 6c 20 hdt.dll 
0040: 30 2e 30 2e 30 2e 30 20 0.0.0.0 
0048: 61 74 20 6f 66 66 73 65 at offse
0050: 74 20 30 30 30 30 31 66 t 00001f
0058: 61 33 0d 0a a3..

Event Type:	Error
Event Source:	Application Hang
Event Category:	(101)
Event ID:	1002
Date: 29/05/2008
Time: 12:26:21 PM
User: N/A
Computer:	JOHN
Description:
Hanging application explorer.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 65 78 70 6c 6f 72 explor
0018: 65 72 2e 65 78 65 20 36 er.exe 6
0020: 2e 30 2e 32 39 30 30 2e .0.2900.
0028: 32 31 38 30 20 69 6e 20 2180 in 
0030: 68 75 6e 67 61 70 70 20 hungapp 
0038: 30 2e 30 2e 30 2e 30 20 0.0.0.0 
0040: 61 74 20 6f 66 66 73 65 at offse
0048: 74 20 30 30 30 30 30 30 t 000000
0050: 30 30 00

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 29/05/2008
Time: 11:19:11 AM
User: N/A
Computer:	JOHN
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module ygyakhdt.dll, version 0.0.0.0, fault address 0x00001fa3.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180 
0030: 69 6e 20 79 67 79 61 6b in ygyak
0038: 68 64 74 2e 64 6c 6c 20 hdt.dll 
0040: 30 2e 30 2e 30 2e 30 20 0.0.0.0 
0048: 61 74 20 6f 66 66 73 65 at offse
0050: 74 20 30 30 30 30 31 66 t 00001f
0058: 61 33 0d 0a a3..

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 29/05/2008
Time: 10:25:30 AM
User: N/A
Computer:	JOHN
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module ygyakhdt.dll, version 0.0.0.0, fault address 0x00001fa3.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180 
0030: 69 6e 20 79 67 79 61 6b in ygyak
0038: 68 64 74 2e 64 6c 6c 20 hdt.dll 
0040: 30 2e 30 2e 30 2e 30 20 0.0.0.0 
0048: 61 74 20 6f 66 66 73 65 at offse
0050: 74 20 30 30 30 30 31 66 t 00001f
0058: 61 33 0d 0a a3..

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 28/05/2008
Time: 10:42:50 AM
User: N/A
Computer:	JOHN
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module pqpnewbs.dll, version 0.0.0.0, fault address 0x00001fa3.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180 
0030: 69 6e 20 70 71 70 6e 65 in pqpne
0038: 77 62 73 2e 64 6c 6c 20 wbs.dll 
0040: 30 2e 30 2e 30 2e 30 20 0.0.0.0 
0048: 61 74 20 6f 66 66 73 65 at offse
0050: 74 20 30 30 30 30 31 66 t 00001f
0058: 61 33 0d 0a a3..

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 28/05/2008
Time: 10:22:07 AM
User: N/A
Computer:	JOHN
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module pqpnewbs.dll, version 0.0.0.0, fault address 0x00001fa3.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180 
0030: 69 6e 20 70 71 70 6e 65 in pqpne
0038: 77 62 73 2e 64 6c 6c 20 wbs.dll 
0040: 30 2e 30 2e 30 2e 30 20 0.0.0.0 
0048: 61 74 20 6f 66 66 73 65 at offse
0050: 74 20 30 30 30 30 31 66 t 00001f
0058: 61 33 0d 0a a3..

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7011
Date: 31/05/2008
Time: 10:23:58 AM
User: N/A
Computer:	JOHN
Description:
Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 31/05/2008
Time: 10:23:37 AM
User: N/A
Computer:	JOHN
Description:
The FLEXnet Licensing Service service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7009
Date: 31/05/2008
Time: 10:23:07 AM
User: N/A
Computer:	JOHN
Description:
Timeout (30000 milliseconds) waiting for the FLEXnet Licensing Service service to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 31/05/2008
Time: 10:19:16 AM
User: N/A
Computer:	JOHN
Description:
The Application Layer Gateway Service service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7009
Date: 31/05/2008
Time: 10:19:15 AM
User: N/A
Computer:	JOHN
Description:
Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10005
Date: 30/05/2008
Time: 3:41:15 PM
User: JOHN\Administrator
Computer:	JOHN
Description:
DCOM got error "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. " attempting to start the service wuauserv with arguments "" in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10005
Date: 30/05/2008
Time: 3:41:11 PM
User: JOHN\Administrator
Computer:	JOHN
Description:
DCOM got error "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. " attempting to start the service wuauserv with arguments "" in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10010
Date: 30/05/2008
Time: 1:45:53 PM
User: JOHN\Administrator
Computer:	JOHN
Description:
The server {601AC3DC-786A-4EB0-BF40-EE3521E70BFB} did not register with DCOM within the required timeout.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10010
Date: 30/05/2008
Time: 1:45:47 PM
User: JOHN\Administrator
Computer:	JOHN
Description:
The server {98087D89-B93F-4BCF-A998-AE4D9F607C14} did not register with DCOM within the required timeout.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10010
Date: 30/05/2008
Time: 1:01:19 PM
User: JOHN\Administrator
Computer:	JOHN
Description:
The server {98087D89-B93F-4BCF-A998-AE4D9F607C14} did not register with DCOM within the required timeout.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10010
Date: 30/05/2008
Time: 12:49:27 PM
User: JOHN\Administrator
Computer:	JOHN
Description:
The server {601AC3DC-786A-4EB0-BF40-EE3521E70BFB} did not register with DCOM within the required timeout.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10010
Date: 30/05/2008
Time: 9:38:28 AM
User: JOHN\Administrator
Computer:	JOHN
Description:
The server {98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C} did not register with DCOM within the required timeout.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 30/05/2008
Time: 9:19:18 AM
User: N/A
Computer:	JOHN
Description:
The Application Layer Gateway Service service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7009
Date: 30/05/2008
Time: 9:19:18 AM
User: N/A
Computer:	JOHN
Description:
Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 29/05/2008
Time: 4:22:52 PM
User: N/A
Computer:	JOHN
Description:
The Application Layer Gateway Service service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7009
Date: 29/05/2008
Time: 4:22:52 PM
User: N/A
Computer:	JOHN
Description:
Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10005
Date: 29/05/2008
Time: 4:20:00 PM
User: NT AUTHORITY\SYSTEM
Computer:	JOHN
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10005
Date: 29/05/2008
Time: 4:16:48 PM
User: JOHN\Administrator
Computer:	JOHN
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service netman with arguments "" in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7026
Date: 29/05/2008
Time: 4:15:01 PM
User: N/A
Computer:	JOHN
Description:
The following boot-start or system-start driver(s) failed to load: 
AFD
AmdK7
bdftdif
Fips
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
SCDEmu
Tcpip

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 29/05/2008
Time: 4:15:01 PM
User: N/A
Computer:	JOHN
Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: 
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 29/05/2008
Time: 4:15:01 PM
User: N/A
Computer:	JOHN
Description:
The ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: 
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 29/05/2008
Time: 4:15:01 PM
User: N/A
Computer:	JOHN
Description:
The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: 
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 29/05/2008
Time: 4:15:01 PM
User: N/A
Computer:	JOHN
Description:
The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: 
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 29/05/2008
Time: 4:15:01 PM
User: N/A
Computer:	JOHN
Description:
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: 
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10005
Date: 29/05/2008
Time: 4:14:05 PM
User: NT AUTHORITY\SYSTEM
Computer:	JOHN
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Thanks
Byn


----------



## Cookiegal (Aug 27, 2003)

Please download *SmitfraudFix* (by *S!Ri*) to your Desktop.

Double-click *SmitfraudFix.exe*
Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move *SmitfraudFix.exe* directly to the root of the system drive (usually *C:*), and launch from there.

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Warning: Do not run Option #2 until you are instructed to do so. Running option #2 on a non infected computer will remove your Desktop background.


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,

No joy I'm afraid. I tried launching from desktop and C:

I now get....
1. cmd.exe Application Error
2. find.exe Application error

Thanks.

Byn


----------



## Cookiegal (Aug 27, 2003)

Click on the following link and extract (unzip) the file which is VArestorepolicies.inf. Right-click on the file and select "install". This will fix some policies that may have been changed by the malware. Then try running ComboFix again.

http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,

Still no luck I'm afraid.

rundll32.exe Application error this time.

CookieGal, unfortunately I have to go to a meeting out of town and have to leave now. I'll pick this up tomorrow if that's ok. Thanks for your patience.

Byn


----------



## Cookiegal (Aug 27, 2003)

Sure. I'll post new instructions for you either this evening or tomorrow morning.


----------



## Cookiegal (Aug 27, 2003)

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of SDFix and make sure you are disconnected from the Internet after downloading the program but before extracting the files.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with SDFix and remove some of its embedded files which may cause _"unpredictable results"_.
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive% 
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
Instead of Windows loading as normal, the Advanced Options Menu should appear
Select the first option, to run Windows in Safe Mode, then press *Enter*
Choose your usual account.

Open the extracted SDFix folder and double click *RunThis.bat* to start the script. 
Type *Y* to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot. 
Press any Key and it will restart the PC. 
When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt* 
(Report.txt will also be copied to the clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log.


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,
Fortunately I was able to run SDFix and below is a copy of the report along with the new HJT log as requested.

*SDFix: Version 1.185 *
Run by Administrator on Mon 02/06/2008 at 10:10

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

*Checking Services *:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

*Checking Files *:

No Trojan Files Found

Removing Temp Files

*ADS Check *:

*Final Check *:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-02 10:24:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\CLSID]
"\30 A?E?2?A?E?D?8?F?-?5?6?9?5?-?4?a?6?d?-?9?7?0?9?-?1?4?E?5?1?C?D?1?7?B?1?C?'?"=""

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

*Remaining Services *:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\eMule 0.48a\\emule.exe"="C:\\Program Files\\eMule 0.48a\\emule.exe:*:Enabled:eMule"
"D:\\mIRC\\mirc.exe"="D:\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"F:\\Program Files\\SightSpeed\\SightSpeed.exe"="F:\\Program Files\\SightSpeed\\SightSpeed.exe:*:Enabled:SightSpeed"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\ICQ6\\ICQ.exe"="C:\\Program Files\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"C:\\Program Files\\Adobe\\Adobe Photoshop CS3\\Photoshop.exe"="C:\\Program Files\\Adobe\\Adobe Photoshop CS3\\Photoshop.exe:*:Disabled:Adobe Photoshop CS3"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"

*Remaining Files *:

File Backups: - C:\SDFix\backups\backups.zip

*Files with Hidden Attributes *:

Mon 6 Aug 2007 211 A.SH. --- "C:\BOOT.BAK"
Mon 6 Aug 2007 225,280 A..H. --- "C:\Documents and Settings\TEMP\prf1.tmp"
Wed 28 May 2008 1,454,262 A.SH. --- "C:\WINDOWS\system32\sbwenpqp.tmp"
Thu 29 May 2008 1,474,320 A.SH. --- "C:\WINDOWS\system32\tdhkaygy.tmp"
Mon 2 Jun 2008 153 A.SH. --- "C:\WINDOWS\system32\tvucpygv.tmp"
Mon 2 Jun 2008 1,485,926 A.SH. --- "C:\WINDOWS\system32\tvucpygv.tmp2"
Sat 29 Sep 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

*Finished!*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:38, on 2/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
D:\Clipboard Pile\Clipboard Pile.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\PowerISO 3.7\PWRISOVM.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp Pro 5.5\winampa.exe
C:\WINDOWS\PowerS.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\hppapml0.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroDist.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/resetpw.srf?lc=3081
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12290545-E013-4A92-9D39-CA1CD2834446} - C:\WINDOWS\system32\tuvVNEvu.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [Clipboard Pile] D:\Clipboard Pile\Clipboard Pile.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppautoindexer.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO 3.7\PWRISOVM.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp Pro 5.5\winampa.exe"
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [0488dde4] rundll32.exe "C:\WINDOWS\system32\vgypcuvt.dll",b
O4 - HKLM\..\Run: [BM07bbee78] Rundll32.exe "C:\WINDOWS\system32\hcenfcgy.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
O4 - Global Startup: Suitcase Startup.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\\DownloadPDF.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - 
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1211766713296
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - 
O17 - HKLM\System\CCS\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O17 - HKLM\System\CS1\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O17 - HKLM\System\CS2\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O17 - HKLM\System\CS3\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 11957 bytes

Thanks
Byn


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,
I have a new situation here, as if I didn't have enough already, in that my antivirus program has just expired. Would you please let me know how to proceed as you mentioned not to install any new software while you're going through the repair procedure. Being heavily involved in this area, is there any particular Antivirus/Internet security software you'd recommend? I currently use BitDefender Internet Security.
Thanks.
Byn


----------



## Cookiegal (Aug 27, 2003)

If you're willing to pay for an anti-virus program then I recommend either Nod32 or Kaspersky as they are the best ones. Otherwise, you can get AVG8 or Avast for free, but you definitely need to get one immediately since BitDefender has expired and you won't be able to get any new virus definitions.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

```
O2 - BHO: (no name) - {12290545-E013-4A92-9D39-CA1CD2834446} - C:\WINDOWS\system32\tuvVNEvu.dll
O4 - HKLM\..\Run: [0488dde4] rundll32.exe "C:\WINDOWS\system32\vgypcuvt.dll",b
O4 - HKLM\..\Run: [BM07bbee78] Rundll32.exe "C:\WINDOWS\system32\hcenfcgy.dll",s
```

Please *download* the *OTMoveIt2 by OldTimer*.

*Save* it to your *desktop*.
Please double-click *OTMoveIt2.exe* to run it. (*Note:* If you are running on Vista, right-click on the file and choose *Run As Administrator*).
*Copy the lines in the codebox below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):


```
C:\WINDOWS\system32\vgypcuvt.dll
C:\WINDOWS\system32\hcenfcgy.dll
C:\Documents and Settings\TEMP\prf1.tmp
C:\WINDOWS\system32\sbwenpqp.tmp
C:\WINDOWS\system32\tdhkaygy.tmp
C:\WINDOWS\system32\tvucpygv.tmp
C:\WINDOWS\system32\tvucpygv.tmp2
C:\WINDOWS\system32\tuvVNEvu.dll
```

Return to OTMoveIt2, right click in the *Paste Custom List Of Files/Patterns To Move* window (under the yellow bar) and choose *Paste*.

Click the red *Moveit!* button.
*Copy everything in the Results window (under the green bar) to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close *OTMoveIt2*
*Note:* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.* In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter `*.log` and press the Enter key, navigate to the *C:\_OTMoveIt\MovedFiles* folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post with a new HijackThis log.


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,
I'll buy one of the antivirus programs you suggested immediately and follow the newest instructions.
Thanks.
Byn


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,
I have downloaded NOD32 but I am unable to install it due to Setup.exe Application Error. I have uninstalled BitDefender.
One of the files you listed for fix checked in HJT was not there: O2 - BHO: (no name) - {12290545-E013-4A92-9D39-CA1CD2834446} - C:\WINDOWS\system32\tuvVNEvu.dll
Find below the logs, as requested.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:02:51, on 3/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
D:\Clipboard Pile\Clipboard Pile.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\PowerISO 3.7\PWRISOVM.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp Pro 5.5\winampa.exe
C:\WINDOWS\PowerS.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\hppapml0.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/resetpw.srf?lc=3081
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [Clipboard Pile] D:\Clipboard Pile\Clipboard Pile.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppautoindexer.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO 3.7\PWRISOVM.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp Pro 5.5\winampa.exe"
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [0488dde4] rundll32.exe "C:\WINDOWS\system32\elwihpph.dll",b
O4 - HKLM\..\Run: [BM07bbee78] Rundll32.exe "C:\WINDOWS\system32\vmowbudt.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
O4 - Global Startup: Suitcase Startup.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\\DownloadPDF.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - 
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1211766713296
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - 
O17 - HKLM\System\CCS\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O17 - HKLM\System\CS1\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O17 - HKLM\System\CS2\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O17 - HKLM\System\CS3\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00DA8B8.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 11758 bytes

File/Folder C:\WINDOWS\system32\vgypcutv.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\hcenfcgy.dll
C:\WINDOWS\system32\hcenfcgy.dll NOT unregistered.
C:\WINDOWS\system32\hcenfcgy.dll moved successfully.
C:\Documents and settings\TEMP\prf1.tmp moved successfully.
C:\WINDOWS\system32\sbwenpqp.tmp moved successfully.
C:\WINDOWS\system32\tdhkaygy.tmp moved successfully.
C:\WINDOWS\system32\tvucpygv.tmp moved successfully.
File/Folder C:\WINDOWS\system32\tvucpygv.tmp2 not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\tuvVNEvu.dll
C:\WINDOWS\system32\tuvVNEvu.dll NOT unregistered.
C:\WINDOWS\system32\tuvVNEvu.dll moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06032008_091443

Thanks
Byn

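As an added illustration (not part of this thread, and not code from HijackThis, OTMoveIt2 or any other tool mentioned here): a small Python triage that encodes the pattern behind the entries Cookiegal picked out above, so that a new HijackThis log can be screened the same way. The sample lines are constructed from the entries posted in this thread; the heuristics and the names `triage`, `renamed_payloads` and `move_list` are my own, and the flags are leads for a person to confirm, not verdicts. The `renamed_payloads` step shows why the second scan no longer contained `vgypcuvt.dll` and `hcenfcgy.dll`: the DLLs had been regenerated as `elwihpph.dll` and `vmowbudt.dll`, but the Run value names `0488dde4` and `BM07bbee78` stayed the same, so the load point, not the file name, is the stable thing to pivot on.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample lines, modelled on the HijackThis entries posted in this thread
# (only the entries needed for the demonstration; paths and CLSIDs as they appear there).
LOG_BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: (no name) - {12290545-E013-4A92-9D39-CA1CD2834446} - C:\WINDOWS\system32\tuvVNEvu.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [0488dde4] rundll32.exe "C:\WINDOWS\system32\vgypcuvt.dll",b
O4 - HKLM\..\Run: [BM07bbee78] Rundll32.exe "C:\WINDOWS\system32\hcenfcgy.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
""".strip().splitlines()

LOG_AFTER = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [0488dde4] rundll32.exe "C:\WINDOWS\system32\elwihpph.dll",b
O4 - HKLM\..\Run: [BM07bbee78] Rundll32.exe "C:\WINDOWS\system32\vmowbudt.dll",s
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00DA8B8.dat
""".strip().splitlines()


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag: O2, O4, O20
    key: str      # the load point to pivot on: Run value name, BHO CLSID, or "AppInit_DLLs"
    path: str     # file the entry loads
    reason: str


RUN_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
BHO_RE = re.compile(r'^O2 - BHO: (?P<desc>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$')
APPINIT_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<path>.+)$')
# Loader shape seen in this thread: rundll32 "C:\WINDOWS\system32\<8 letters>.dll",<short export>
RUNDLL_RE = re.compile(
    r'(?i)rundll32\.exe\s+"?(?P<path>[^",]*\\system32\\[a-z]{8}\.dll)"?\s*,\s*(?P<export>[a-z0-9]{1,2})\b')
# An 8-letter, meaningless basename dropped straight into system32 (heuristic, my own choice)
RANDOM_SYS32_DLL_RE = re.compile(r'(?i)\\system32\\[a-z]{8}\.dll$')


def triage(log_lines: List[str]) -> List[Finding]:
    """Flag the HijackThis entries that match the loader shapes called out in this thread."""
    findings: List[Finding] = []
    for raw in log_lines:
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            r = RUNDLL_RE.search(m.group('cmd'))
            if r:
                findings.append(Finding('O4', m.group('name'), r.group('path'),
                                        'rundll32 loads a random-named system32 DLL via export "%s"' % r.group('export')))
            continue
        m = BHO_RE.match(line)
        if m:
            if m.group('desc') == '(no name)' and RANDOM_SYS32_DLL_RE.search(m.group('path')):
                findings.append(Finding('O2', m.group('clsid'), m.group('path'),
                                        'unnamed BHO backed by a random-named system32 DLL'))
            continue
        m = APPINIT_RE.match(line)
        if m:
            # Normally empty on XP; HijackThis only prints the line when something is set.
            findings.append(Finding('O20', 'AppInit_DLLs', m.group('path'),
                                    'AppInit_DLLs is set: injected into every process that loads user32.dll'))
    return findings


def renamed_payloads(old: List[Finding], new: List[Finding]) -> Dict[str, Tuple[str, str]]:
    """Same load point (section + key) in both scans but a different file: the payload was renamed."""
    old_by_key = {(f.section, f.key): f.path for f in old}
    renamed: Dict[str, Tuple[str, str]] = {}
    for f in new:
        prev = old_by_key.get((f.section, f.key))
        if prev is not None and prev.lower() != f.path.lower():
            renamed[f.key] = (prev, f.path)
    return renamed


def move_list(findings: List[Finding]) -> List[str]:
    """Unique file paths, one per line, in the shape OTMoveIt2's custom list accepts."""
    seen: Dict[str, str] = {}
    for f in findings:
        seen.setdefault(f.path.lower(), f.path)
    return sorted(seen.values(), key=str.lower)


if __name__ == '__main__':
    before, after = triage(LOG_BEFORE), triage(LOG_AFTER)
    for f in after:
        print(f.section, f.key, f.path, '-', f.reason)
    for key, (was, now) in renamed_payloads(before, after).items():
        print('load point %s kept, payload renamed: %s -> %s' % (key, was, now))
    print('\n'.join(move_list(after)))
```

Run it against a fresh log by replacing `LOG_AFTER` with the lines of that log (the `Running processes:` block and the O23 service lines are simply ignored). Anything it prints still needs the usual checks before it goes into a fix list: a legitimate 8-letter system32 DLL loaded through rundll32 would trip the same rule, which is exactly why the thread's helper keeps asking for the log before fixing anything.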

----------



## Cookiegal (Aug 27, 2003)

Can you tell me the exact error you're getting when trying to install Nod32 please?

Download *OTScanIt.exe* to your Desktop and double-click on it to extract the files. It will create a folder named *OTScanIt* on your desktop.

Close any open browsers.
Disconnect from the Internet.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of OTScanIt.
Open the *OTScanIt* folder and double-click on OTScanIt.exe to start the program.
Check the box that says *Scan All User Accounts*
Under Drivers select the radio button for *All*
Check the Radio buttons for Files/Folders Created Within *90 Days* and Files/Folders Modified Within *90 Days* 
Under Additional Scans check the following:
Reg - BotCheck
Reg - Disabled MS Config Items
Reg - NeverShowExt Settings
Reg - Security Settings
Reg - Shell Spawning
Reg - Software Policy Settings
Reg - Uninstall List
File - Additional Folder Scans

Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it automatically.
Save that Notepad file. Click the *Format* menu and make sure that *Word wrap* is not checked. If it is then click on it to uncheck it.
Use the *Reply* button and upload Notepad file here as an attachment please.


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,
Firstly, when I open Windows Explorer, I get the message, Windows Explorer has encountered a problem and needs to close. If I click on the don't send button, Windows Explorer shuts down. I can still use Windows Explorer if I just leave this message displayed.
Next, when I try to install NOD32, I get the message...Setup.exe Application Error..The application failed to initialize properly (0xc0000005) click OK to terminate the application. When I do this the installation stops.

I'll install the OTScanIt now and get back to you.

Thanks.
Byn


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,
I encountered the same problem with Notepad as I did when I tried to install NOD32. Same error message except Notepad.exe
It still created the .txt file so I hope it attaches here properly.

Thanks 
Byn


----------



## Cookiegal (Aug 27, 2003)

ComboFix wouldn't run initially because of the rootkit on board but it's been updated to take care of that so please do the following to remove the version you have now and redownload it please.

*Follow these steps to uninstall Combofix and tools used in the removal of malware*

Click *START* then *RUN*
Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.

Please visit *Combofix Guide & Instructions* for instructions for downloading and running ComboFix:

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,
I think there's finally some light at the end of the tunnel. :)
At the start of this procedure you requested that I not install any new software whilst you were running the repair process. Is it ok to try and install NOD32 again?
Please find below logs for ComboFix and HJT.

ComboFix 08-06-04.1 - Administrator 2008-06-05 10:47:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1115 [GMT 10:00]
Running from: C:\Documents and Settings\Administrator.JOHN.000\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM07bbee78.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bkldxiuy.exe
C:\WINDOWS\system32\bvognwus.dll
C:\WINDOWS\system32\bxianugb.dll
C:\WINDOWS\system32\ddrmmjxc.dll
C:\WINDOWS\system32\ddxrkinn.dll
C:\WINDOWS\system32\doaewapg.ini
C:\WINDOWS\system32\dvmcpmjl.dll
C:\WINDOWS\system32\elwihpph.dll
C:\WINDOWS\system32\eohpamxn.dll
C:\WINDOWS\system32\fprexdlt.ini
C:\WINDOWS\system32\hcenbces.ini
C:\WINDOWS\system32\hfhsjltj.ini
C:\WINDOWS\system32\hpphiwle.ini
C:\WINDOWS\system32\jpgleotk.exe
C:\WINDOWS\system32\khpduywk.dll
C:\WINDOWS\system32\kiwskuuv.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\oxftcnkk.dll
C:\WINDOWS\system32\plidgebq.ini
C:\WINDOWS\system32\qbegdilp.dll
C:\WINDOWS\system32\qfbnwggv.dll
C:\WINDOWS\system32\secbnech.dll
C:\WINDOWS\system32\shfelqko.dll
C:\WINDOWS\system32\stpuoird.exe
C:\WINDOWS\system32\suwngovb.ini
C:\WINDOWS\system32\tdhkaygy.ini
C:\WINDOWS\system32\tdhkaygy.ini2
C:\WINDOWS\system32\tldxerpf.dll
C:\WINDOWS\system32\tvucpygv.ini
C:\WINDOWS\system32\tvucpygv.ini2
C:\WINDOWS\system32\uvENVvut.ini
C:\WINDOWS\system32\uvENVvut.ini2
C:\WINDOWS\system32\vmowbudt.dll
C:\WINDOWS\system32\vqecwmjd.exe
C:\WINDOWS\system32\wnukurst.exe
C:\WINDOWS\system32\ygjcwyty.dll
C:\WINDOWS\system32\ytywcjgy.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-03 09:24 . 2008-06-03 09:24 d--------	C:\WINDOWS\SxsCaPendDel
2008-06-03 09:14 . 2008-06-03 09:14 d--------	C:\_OTMoveIt
2008-06-03 09:01 . 2008-06-03 09:01 d--------	C:\Program Files\ESET
2008-06-03 08:37 . 2008-06-03 08:37	51,200	--a------	C:\WINDOWS\system32\sobgsber.dll
2008-06-03 08:37 . 2008-06-03 08:37	51,200	--a------	C:\WINDOWS\system32\__c00DA8B8.dat
2008-06-02 09:09 . 2008-06-02 09:09 d--------	C:\WINDOWS\ERUNT
2008-06-02 09:02 . 2008-06-02 10:35 d--------	C:\SDFix
2008-06-02 08:41 . 2008-06-02 08:41	51,200	--a------	C:\WINDOWS\system32\uktidoim.dll
2008-06-02 08:35 . 2008-06-02 08:35	51,200	--a------	C:\WINDOWS\system32\qdpwsixu.dll
2008-06-01 07:58 . 2008-05-29 10:00 d--------	C:\SmitfraudFix
2008-06-01 07:53 . 2008-06-01 07:53	1,392,671	--a------	C:\SmitfraudFix.exe
2008-05-31 19:17 . 2008-05-31 19:17	51,200	--a------	C:\WINDOWS\system32\ocdankqx.dll
2008-05-31 19:17 . 2008-05-31 19:17	51,200	--a------	C:\WINDOWS\system32\__c00A2E51.dat
2008-05-31 12:01 . 2008-05-31 12:05 d--------	C:\Combo-Fix
2008-05-31 10:32 . 2008-05-31 10:32	51,200	--a------	C:\WINDOWS\system32\gpgqtani.dll
2008-05-30 09:58 . 2008-05-30 09:58	51,200	--a------	C:\WINDOWS\system32\ipudeygg.dll
2008-05-30 09:58 . 2008-05-30 09:58	51,200	--a------	C:\WINDOWS\system32\__c008C21.dat
2008-05-29 13:36 . 2008-05-29 13:36	91	--a------	C:\WINDOWS\fnerr.dat
2008-05-29 09:55 . 2008-05-29 09:55	51,200	--a------	C:\WINDOWS\system32\gsfwqgjm.dll
2008-05-29 09:55 . 2008-05-29 09:55	51,200	--a------	C:\WINDOWS\system32\__c0055136.dat
2008-05-28 16:03 . 2008-05-28 16:03	51,200	--a------	C:\WINDOWS\system32\fmjucxwj.dll
2008-05-28 10:00 . 2008-05-28 10:00	51,200	--a------	C:\WINDOWS\system32\xfpfwjhj.dll
2008-05-28 10:00 . 2008-05-28 10:00	51,200	--a------	C:\WINDOWS\system32\__c002BCC6.dat
2008-05-27 16:07 . 2008-05-27 16:07	51,200	--a------	C:\WINDOWS\system32\jkhjegoc.dll
2008-05-26 11:56 . 2008-05-26 11:56	51,200	--a------	C:\WINDOWS\system32\rwcpaxva.dll
2008-05-26 11:56 . 2008-05-26 11:56	51,200	--a------	C:\WINDOWS\system32\__c005AD87.dat
2008-05-26 11:48 . 2008-05-26 11:48	51,200	--a------	C:\WINDOWS\system32\ccviaexp.dll
2008-05-26 09:15 . 2008-05-26 09:15	51,200	--a------	C:\WINDOWS\system32\rroskxdh.dll
2008-05-26 09:15 . 2008-05-26 09:15	51,200	--a------	C:\WINDOWS\system32\__c0074398.dat
2008-05-25 12:51 . 2008-05-25 12:53 d--------	C:\Program Files\Panda Security
2008-05-25 12:51 . 2008-05-25 12:51	1,885	--a------	C:\WINDOWS\mozver.dat
2008-05-25 11:50 . 2008-05-25 11:50	51,200	--a------	C:\WINDOWS\system32\jodilovy.dll
2008-05-22 12:14 . 2008-05-22 12:14	51,200	--a------	C:\WINDOWS\system32\wjlqshig.dll
2008-05-22 12:14 . 2008-05-22 12:14	51,200	--a------	C:\WINDOWS\system32\__c00996F7.dat
2008-05-21 13:03 . 2008-05-21 13:03 d--------	C:\WINDOWS\system32\Kaspersky Lab
2008-05-21 13:03 . 2008-05-21 13:03 d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-21 12:59 . 2008-05-21 12:59 d---s----	C:\Documents and Settings\Administrator.JOHN.000\UserData
2008-05-21 10:53 . 2008-05-21 10:52	102,664	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-21 10:52 . 2008-05-21 11:03 d--------	C:\Documents and Settings\Administrator.JOHN.000\.housecall6.6
2008-05-21 09:41 . 2008-06-03 09:21	121	--a------	C:\WINDOWS\bdagent.INI
2008-05-21 09:38 . 2008-05-21 09:38 d--------	C:\Program Files\BitDefender
2008-05-21 09:37 . 2008-05-21 14:01 d--------	C:\Program Files\Common Files\BitDefender
2008-05-09 09:54 . 2008-05-09 10:00 d--------	C:\Documents and Settings\Administrator.JOHN.000\Application Data\onOne Software
2008-05-05 15:41 . 2008-05-05 15:41 d--h-----	C:\WINDOWS\PIF
2008-05-05 12:22 . 2008-05-18 13:25 d--------	C:\Program Files\The Logo Creator v5
2008-05-05 11:54 . 2008-05-05 11:54 d--------	C:\WINDOWS\Logo Design Studio Pro
2008-05-05 11:54 . 2008-05-05 11:54 d--------	C:\Program Files\Summitsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 00:38	---------	d-----w	C:\Program Files\Mozilla Firefox 2.0.0.6
2008-05-28 02:24	---------	d-----w	C:\Program Files\eMule 0.48a
2008-05-22 02:25	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-21 00:47	---------	d-----w	C:\Documents and Settings\Administrator.JOHN.000\Application Data\uTorrent
2008-05-20 23:34	---------	d-----w	C:\Program Files\InterActual
2008-05-08 23:54	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-05-08 23:54	---------	d-----w	C:\Program Files\onOne Software
2008-04-30 01:24	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-28 04:37	---------	d-----w	C:\Documents and Settings\All Users\Application Data\MumboJumbo
2008-04-28 04:36	---------	d-----w	C:\Documents and Settings\Administrator.JOHN.000\Application Data\SpinTop
2008-04-18 00:59	---------	d-----w	C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-18 00:47	---------	d-----w	C:\Program Files\DVD Shrink
2008-04-17 00:20	---------	d-----w	C:\Program Files\Common Files\ACD Systems
2008-04-17 00:20	---------	d-----w	C:\Program Files\ACD Systems
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:07 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 13:18 202024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Clipboard Pile"="D:\Clipboard Pile\Clipboard Pile.exe" [2000-05-24 14:23 959488]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"HP SchedIndexer"="C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppschedindexer.exe" [2001-02-19 14:36 86016]
"HP AutoIndexer"="C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppautoindexer.exe" [2001-02-19 14:36 77824]
"PWRISOVM.EXE"="C:\Program Files\PowerISO 3.7\PWRISOVM.EXE" [2007-04-09 22:23 200704]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 18:54 623992]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-08-10 12:10 221184]
"DMXLauncher"="C:\Program Files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 01:07 102400]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-07-31 09:00 1116920]
"RegistryMechanic"="" []
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 11:18 49152]
"WinampAgent"="C:\Program Files\Winamp Pro 5.5\winampa.exe" [2007-10-10 15:28 36352]
"PowerS"="C:\WINDOWS\PowerS.exe" [2001-08-03 16:56 159800]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 13:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 07:51 1836328]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 11:07 15360]

C:\Documents and Settings\Administrator.JOHN\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

C:\Documents and Settings\JWW\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

C:\Documents and Settings\Administrator.JOHN.000\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 11:40:44 282624]
HP LaserJet Director.lnk - C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe [2007-08-06 15:22:48 212992]
Suitcase Startup.lnk - C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe [2007-08-08 21:37:04 3354624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= E:\Eudora\Decetch\EuShlExt.dll [2001-04-12 18:05 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\eMule 0.48a\\emule.exe"=
"D:\\mIRC\\mirc.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Adobe\\Adobe Photoshop CS3\\Photoshop.exe"=

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-01 20:06]
R2 BT848;Conexant's BtPCI WDM Video Capture;C:\WINDOWS\system32\DRIVERS\BT848.sys [2007-12-04 13:55]
R3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);C:\WINDOWS\system32\drivers\ES1370MP.sys [2001-08-17 22:19]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-29 00:03:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 10:54:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hppapml0.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-06-05 11:02:48 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-06-05 01:02:16

Pre-Run: 40,583,012,352 bytes free
Post-Run: 40,931,201,024 bytes free

221
*******************************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:22 AM, on 5/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
D:\Clipboard Pile\Clipboard Pile.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PowerISO 3.7\PWRISOVM.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp Pro 5.5\winampa.exe
C:\WINDOWS\PowerS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
C:\WINDOWS\system32\hppapml0.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/resetpw.srf?lc=3081
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll (file missing)
O4 - HKLM\..\Run: [Clipboard Pile] D:\Clipboard Pile\Clipboard Pile.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppautoindexer.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO 3.7\PWRISOVM.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp Pro 5.5\winampa.exe"
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
O4 - Global Startup: Suitcase Startup.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\\DownloadPDF.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - 
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1211766713296
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - 
O17 - HKLM\System\CCS\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O17 - HKLM\System\CS1\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O17 - HKLM\System\CS2\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O17 - HKLM\System\CS3\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 10988 bytes

Thanks
Byn


----------



## Cookiegal (Aug 27, 2003)

Please try installing Nod32 after you've run the following fix and before posting your next HijackThis log.

Open Notepad and copy and paste the text in the code box below into it:


```
File::
C:\WINDOWS\system32\sobgsber.dll
C:\WINDOWS\system32\__c00DA8B8.dat
C:\WINDOWS\system32\uktidoim.dll
C:\WINDOWS\system32\qdpwsixu.dll
C:\WINDOWS\system32\ocdankqx.dll
C:\WINDOWS\system32\__c00A2E51.dat
C:\WINDOWS\system32\gpgqtani.dll
C:\WINDOWS\system32\ipudeygg.dll
C:\WINDOWS\system32\__c008C21.dat
C:\WINDOWS\fnerr.dat
C:\WINDOWS\system32\gsfwqgjm.dll
C:\WINDOWS\system32\__c0055136.dat
C:\WINDOWS\system32\fmjucxwj.dll
C:\WINDOWS\system32\xfpfwjhj.dll
C:\WINDOWS\system32\__c002BCC6.dat
C:\WINDOWS\system32\jkhjegoc.dll
C:\WINDOWS\system32\rwcpaxva.dll
C:\WINDOWS\system32\__c005AD87.dat
C:\WINDOWS\system32\ccviaexp.dll
C:\WINDOWS\system32\rroskxdh.dll
C:\WINDOWS\system32\__c0074398.dat
C:\WINDOWS\system32\jodilovy.dll
C:\WINDOWS\system32\wjlqshig.dll
C:\WINDOWS\system32\__c00996F7.dat
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
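When a CFScript like the one above is run, ComboFix echoes the requested paths under "FILE ::" and then lists what it actually removed under "Other Deletions". Comparing the two by eye across twenty-odd random-named DLLs is error-prone, so here is a small checker, added here as an example (it is not part of the thread, of ComboFix, or of any helper's toolkit). It parses a CFScript and a ComboFix log, then reports which requested files the log confirms as deleted and which it does not. The sample inputs are constructed from the file names in this thread; the path `example_leftover.dll` is a hypothetical placeholder included only to show the unconfirmed case.

```python
"""Confirm that the paths in a ComboFix CFScript 'File::' list appear in the
'Other Deletions' section of the resulting ComboFix log.

Added example, not part of the thread or of ComboFix itself.  Sample inputs
below are constructed from the thread's file names."""
import re
from typing import Dict, List

# Constructed sample CFScript: a directive line ending in "::" followed by one
# path per line.  The last path is a hypothetical placeholder that the log
# below does NOT confirm as deleted.
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\system32\sobgsber.dll
C:\WINDOWS\system32\__c00DA8B8.dat
C:\WINDOWS\fnerr.dat
C:\WINDOWS\system32\example_leftover.dll
"""

# Constructed excerpt of a ComboFix log: section titles sit between runs of
# parentheses, "." lines are separators, one path per line inside a section.
SAMPLE_COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\fnerr.dat
C:\WINDOWS\system32\__c00DA8B8.dat
C:\WINDOWS\system32\sobgsber.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.
2008-06-03 09:01 . 2008-06-03 09:01 d--------	C:\Program Files\ESET
"""

DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z]+)\s*::\s*$")   # "File::", "FILE ::"
SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+\s*$")       # "(((( Title ))))"


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Group the non-empty lines under each 'Name::' directive (keys lower-cased)."""
    groups: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1).lower()
            groups.setdefault(current, [])
            continue
        line = line.strip()
        if line and current is not None:
            groups[current].append(line)
    return groups


def parse_combofix_sections(text: str) -> Dict[str, List[str]]:
    """Map each '(((( Title ))))' section title to its non-separator lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        line = line.strip()
        if line and line != "." and current is not None:
            sections[current].append(line)
    return sections


def check_deletions(cfscript: str, combofix_log: str) -> Dict[str, bool]:
    """For each File:: path, True if the log lists it under 'Other Deletions'.
    Windows paths are compared case-insensitively."""
    wanted = parse_cfscript(cfscript).get("file", [])
    deleted = {p.lower() for p in
               parse_combofix_sections(combofix_log).get("Other Deletions", [])}
    return {path: path.lower() in deleted for path in wanted}


def unconfirmed(cfscript: str, combofix_log: str) -> List[str]:
    """Requested paths that the log does not show as deleted."""
    return [p for p, ok in check_deletions(cfscript, combofix_log).items() if not ok]


if __name__ == "__main__":
    for path, ok in check_deletions(SAMPLE_CFSCRIPT, SAMPLE_COMBOFIX_LOG).items():
        print(("deleted     " if ok else "UNCONFIRMED ") + path)
```

In practice you would read CFScript.txt and ComboFix.txt from disk instead of the embedded samples; a path that comes back unconfirmed is one to re-check in the next log rather than assume gone.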


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,
NOD32 installed successfully. Please find requested logs below.

ComboFix 08-06-04.1 - Administrator 2008-06-06 8:46:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1117 [GMT 10:00]
Running from: C:\Documents and Settings\Administrator.JOHN.000\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator.JOHN.000\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\fnerr.dat
C:\WINDOWS\system32\__c002BCC6.dat
C:\WINDOWS\system32\__c0055136.dat
C:\WINDOWS\system32\__c005AD87.dat
C:\WINDOWS\system32\__c0074398.dat
C:\WINDOWS\system32\__c008C21.dat
C:\WINDOWS\system32\__c00996F7.dat
C:\WINDOWS\system32\__c00A2E51.dat
C:\WINDOWS\system32\__c00DA8B8.dat
C:\WINDOWS\system32\ccviaexp.dll
C:\WINDOWS\system32\fmjucxwj.dll
C:\WINDOWS\system32\gpgqtani.dll
C:\WINDOWS\system32\gsfwqgjm.dll
C:\WINDOWS\system32\ipudeygg.dll
C:\WINDOWS\system32\jkhjegoc.dll
C:\WINDOWS\system32\jodilovy.dll
C:\WINDOWS\system32\ocdankqx.dll
C:\WINDOWS\system32\qdpwsixu.dll
C:\WINDOWS\system32\rroskxdh.dll
C:\WINDOWS\system32\rwcpaxva.dll
C:\WINDOWS\system32\sobgsber.dll
C:\WINDOWS\system32\uktidoim.dll
C:\WINDOWS\system32\wjlqshig.dll
C:\WINDOWS\system32\xfpfwjhj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator.JOHN\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\fnerr.dat
C:\WINDOWS\system32\__c002BCC6.dat
C:\WINDOWS\system32\__c0055136.dat
C:\WINDOWS\system32\__c005AD87.dat
C:\WINDOWS\system32\__c0074398.dat
C:\WINDOWS\system32\__c008C21.dat
C:\WINDOWS\system32\__c00996F7.dat
C:\WINDOWS\system32\__c00A2E51.dat
C:\WINDOWS\system32\__c00DA8B8.dat
C:\WINDOWS\system32\ccviaexp.dll
C:\WINDOWS\system32\fmjucxwj.dll
C:\WINDOWS\system32\gpgqtani.dll
C:\WINDOWS\system32\gsfwqgjm.dll
C:\WINDOWS\system32\ipudeygg.dll
C:\WINDOWS\system32\jkhjegoc.dll
C:\WINDOWS\system32\jodilovy.dll
C:\WINDOWS\system32\ocdankqx.dll
C:\WINDOWS\system32\qdpwsixu.dll
C:\WINDOWS\system32\rroskxdh.dll
C:\WINDOWS\system32\rwcpaxva.dll
C:\WINDOWS\system32\sobgsber.dll
C:\WINDOWS\system32\uktidoim.dll
C:\WINDOWS\system32\wjlqshig.dll
C:\WINDOWS\system32\xfpfwjhj.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-03 09:24 . 2008-06-03 09:24 d--------	C:\WINDOWS\SxsCaPendDel
2008-06-03 09:14 . 2008-06-03 09:14 d--------	C:\_OTMoveIt
2008-06-03 09:01 . 2008-06-03 09:01 d--------	C:\Program Files\ESET
2008-06-02 09:09 . 2008-06-02 09:09 d--------	C:\WINDOWS\ERUNT
2008-06-02 09:02 . 2008-06-02 10:35 d--------	C:\SDFix
2008-06-01 07:58 . 2008-05-29 10:00 d--------	C:\SmitfraudFix
2008-06-01 07:53 . 2008-06-01 07:53	1,392,671	--a------	C:\SmitfraudFix.exe
2008-05-31 12:01 . 2008-05-31 12:05 d--------	C:\Combo-Fix
2008-05-25 12:51 . 2008-05-25 12:53 d--------	C:\Program Files\Panda Security
2008-05-25 12:51 . 2008-05-25 12:51	1,885	--a------	C:\WINDOWS\mozver.dat
2008-05-21 13:03 . 2008-05-21 13:03 d--------	C:\WINDOWS\system32\Kaspersky Lab
2008-05-21 13:03 . 2008-05-21 13:03 d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-21 12:59 . 2008-05-21 12:59 d---s----	C:\Documents and Settings\Administrator.JOHN.000\UserData
2008-05-21 10:53 . 2008-05-21 10:52	102,664	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-21 10:52 . 2008-05-21 11:03 d--------	C:\Documents and Settings\Administrator.JOHN.000\.housecall6.6
2008-05-21 09:41 . 2008-06-03 09:21	121	--a------	C:\WINDOWS\bdagent.INI
2008-05-21 09:38 . 2008-05-21 09:38 d--------	C:\Program Files\BitDefender
2008-05-21 09:37 . 2008-05-21 14:01 d--------	C:\Program Files\Common Files\BitDefender
2008-05-09 09:54 . 2008-05-09 10:00 d--------	C:\Documents and Settings\Administrator.JOHN.000\Application Data\onOne Software
2008-05-05 15:41 . 2008-05-05 15:41 d--h-----	C:\WINDOWS\PIF
2008-05-05 12:22 . 2008-05-18 13:25 d--------	C:\Program Files\The Logo Creator v5
2008-05-05 11:54 . 2008-05-05 11:54 d--------	C:\WINDOWS\Logo Design Studio Pro
2008-05-05 11:54 . 2008-05-05 11:54 d--------	C:\Program Files\Summitsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 22:39	---------	d-----w	C:\Program Files\Mozilla Firefox 2.0.0.6
2008-06-01 23:53	81,984	----a-w	C:\WINDOWS\system32\bdod.bin
2008-05-28 02:24	---------	d-----w	C:\Program Files\eMule 0.48a
2008-05-22 02:25	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-21 00:47	---------	d-----w	C:\Documents and Settings\Administrator.JOHN.000\Application Data\uTorrent
2008-05-20 23:34	---------	d-----w	C:\Program Files\InterActual
2008-05-08 23:54	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-05-08 23:54	---------	d-----w	C:\Program Files\onOne Software
2008-04-30 01:24	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-28 04:37	---------	d-----w	C:\Documents and Settings\All Users\Application Data\MumboJumbo
2008-04-28 04:36	---------	d-----w	C:\Documents and Settings\Administrator.JOHN.000\Application Data\SpinTop
2008-04-18 00:59	---------	d-----w	C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-18 00:47	---------	d-----w	C:\Program Files\DVD Shrink
2008-04-17 00:20	---------	d-----w	C:\Program Files\Common Files\ACD Systems
2008-04-17 00:20	---------	d-----w	C:\Program Files\ACD Systems
2008-03-31 23:56	12,632	----a-w	C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((( snapshot@2008-06-05_11.01.59.34 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-05 00:53:24	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
+ 2008-06-05 22:37:39	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:07 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 13:18 202024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Clipboard Pile"="D:\Clipboard Pile\Clipboard Pile.exe" [2000-05-24 14:23 959488]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"HP SchedIndexer"="C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppschedindexer.exe" [2001-02-19 14:36 86016]
"HP AutoIndexer"="C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppautoindexer.exe" [2001-02-19 14:36 77824]
"PWRISOVM.EXE"="C:\Program Files\PowerISO 3.7\PWRISOVM.EXE" [2007-04-09 22:23 200704]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 18:54 623992]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-08-10 12:10 221184]
"DMXLauncher"="C:\Program Files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 01:07 102400]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-07-31 09:00 1116920]
"RegistryMechanic"="" []
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 11:18 49152]
"WinampAgent"="C:\Program Files\Winamp Pro 5.5\winampa.exe" [2007-10-10 15:28 36352]
"PowerS"="C:\WINDOWS\PowerS.exe" [2001-08-03 16:56 159800]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 13:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 07:51 1836328]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 11:07 15360]

C:\Documents and Settings\Administrator.JOHN\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

C:\Documents and Settings\JWW\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

C:\Documents and Settings\Administrator.JOHN.000\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 11:40:44 282624]
HP LaserJet Director.lnk - C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe [2007-08-06 15:22:48 212992]
Suitcase Startup.lnk - C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe [2007-08-08 21:37:04 3354624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= E:\Eudora\Decetch\EuShlExt.dll [2001-04-12 18:05 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\eMule 0.48a\\emule.exe"=
"D:\\mIRC\\mirc.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Adobe\\Adobe Photoshop CS3\\Photoshop.exe"=

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-01 20:06]
R2 BT848;Conexant's BtPCI WDM Video Capture;C:\WINDOWS\system32\DRIVERS\BT848.sys [2007-12-04 13:55]
R3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);C:\WINDOWS\system32\drivers\ES1370MP.sys [2001-08-17 22:19]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-29 00:03:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 08:49:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-06-06 8:51:36
ComboFix-quarantined-files.txt 2008-06-05 22:50:33
ComboFix2.txt 2008-06-05 01:02:49

Pre-Run: 40,932,745,216 bytes free
Post-Run: 40,919,552,000 bytes free

199

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:21 AM, on 6/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Clipboard Pile\Clipboard Pile.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\PowerISO 3.7\PWRISOVM.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp Pro 5.5\winampa.exe
C:\WINDOWS\PowerS.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\hppapml0.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/resetpw.srf?lc=3081
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll (file missing)
O4 - HKLM\..\Run: [Clipboard Pile] D:\Clipboard Pile\Clipboard Pile.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppautoindexer.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO 3.7\PWRISOVM.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp Pro 5.5\winampa.exe"
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
O4 - Global Startup: Suitcase Startup.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\\DownloadPDF.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - 
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1211766713296
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - 
O17 - HKLM\System\CCS\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O17 - HKLM\System\CS1\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O17 - HKLM\System\CS2\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O17 - HKLM\System\CS3\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 11232 bytes

Thanks
Byn


----------



## Cookiegal (Aug 27, 2003)

The HijackThis log looks good now.

Since we removed lots of files with ComboFix, would you please run OTScanIt again with the same instructions as the last time and post that log so I can see if there are any leftovers.


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,
Things are looking pretty good from this end. Please find OTScanIt log attached as requested.

Thanks.
Byn


----------



## Cookiegal (Aug 27, 2003)

There are some leftovers of BitDefender that we will remove.

Start *OTScanIt*. Copy/Paste the information in the code box below into the pane where it says *"Paste fix here"* and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. *Post that information back here along with a new HijackThis log please.*



Code:


[Kill Explorer]
[Unregister Dlls]
[Driver Services - All]
YY -> (Profos) Profos [Kernel | On_Demand | Stopped] -> %CommonProgramFiles%\BitDefender\BitDefender Threat Scanner\profos.sys
YY -> (Trufos) Trufos [Kernel | On_Demand | Stopped] -> %CommonProgramFiles%\BitDefender\BitDefender Threat Scanner\trufos.sys
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> RegistryMechanic -> []
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> 2 domain(s) and sub-domain(s) not assigned to a zone. -> 
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> {381FFDE8-2394-4f90-B10D-FC6124A40F8C} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\BitDefender\BitDefender 2008\IEToolbar.dll [BitDefender Toolbar]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab[Java Plug-in 1.6.0_05]
YN -> {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab[Java Plug-in 1.6.0_02]
YN -> {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03]
YN -> {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab[Java Plug-in 1.6.0_05]
YN -> {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab[Java Plug-in 1.6.0_05]
[Registry - Additional Scans - Non-Microsoft Only]
< Uninstall List [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
YN -> {3248F0A8-6813-11D6-A77B-00B0D0160020} -> Java(TM) 6 Update 2
YN -> {3248F0A8-6813-11D6-A77B-00B0D0160030} -> Java(TM) 6 Update 3
[Files/Folders - Created Within 90 days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> bdagent.INI -> %SystemRoot%\bdagent.INI
NY -> 5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> 5 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp
NY -> BitDefender -> %CommonProgramFiles%\BitDefender
NY -> BitDefender -> %ProgramFiles%\BitDefender
[Files/Folders - Modified Within 90 days]
NY -> bdod.bin -> %SystemRoot%\System32\bdod.bin
NY -> 5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> bdagent.INI -> %SystemRoot%\bdagent.INI
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 98 bytes -> %AllUsersProfile%\Application Data\TEMP:2913008E
NY -> @Alternate Data Stream - 107 bytes -> %AllUsersProfile%\Application Data\TEMP:BAFDD950
NY -> BitDefender -> %CommonProgramFiles%\BitDefender
[Empty Temp Folders]
[Start Explorer]
[Reboot]



----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,

OTScanIT & HJT log files as requested.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:35 AM, on 7/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Clipboard Pile\Clipboard Pile.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\PowerISO 3.7\PWRISOVM.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp Pro 5.5\winampa.exe
C:\WINDOWS\PowerS.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\hppapml0.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/resetpw.srf?lc=3081
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Clipboard Pile] D:\Clipboard Pile\Clipboard Pile.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppautoindexer.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO 3.7\PWRISOVM.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp Pro 5.5\winampa.exe"
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
O4 - Global Startup: Suitcase Startup.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\\DownloadPDF.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - 
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1211766713296
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - 
O17 - HKLM\System\CCS\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O17 - HKLM\System\CS1\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O17 - HKLM\System\CS2\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O17 - HKLM\System\CS3\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 11080 bytes

*************************************************************************************

Explorer killed successfully
[Driver Services - All]
Service Profos stopped successfully.
Service Profos deleted successfully.
File C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\profos.sys not found.
Service Trufos stopped successfully.
Service Trufos deleted successfully.
File C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\trufos.sys not found.
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\RegistryMechanic deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{381FFDE8-2394-4f90-B10D-FC6124A40F8C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{381FFDE8-2394-4f90-B10D-FC6124A40F8C}\ deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\Contains\Files\ not found.
not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\Contains\Files\ not found.
not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ deleted successfully.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\Contains\Files\ not found.
not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\Contains\Files\ not found.
not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\Contains\Files\ not found.
not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
[Registry - Additional Scans - Non-Microsoft Only]
[Files/Folders - Created Within 90 days]
C:\WINDOWS\bdagent.INI moved successfully.
[Files Created - Additional Folder Scans - Non-Microsoft Only]
C:\Program Files\Common Files\BitDefender\Setup Information folder moved successfully.
C:\Program Files\Common Files\BitDefender\BitDefender Update Service folder moved successfully.
C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_6180 folder moved successfully.
C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_6169 folder moved successfully.
C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_6094 folder moved successfully.
C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_6087 folder moved successfully.
C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_6069 folder moved successfully.
C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_6039 folder moved successfully.
C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_6037 folder moved successfully.
C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_6011 folder moved successfully.
C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_5993 folder moved successfully.
C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_5983 folder moved successfully.
C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_5960 folder moved successfully.
C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_5929 folder moved successfully.
C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_5901 folder moved successfully.
C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit\Plugins folder moved successfully.
C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit folder moved successfully.
C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner folder moved successfully.
C:\Program Files\Common Files\BitDefender\BitDefender Firewall folder moved successfully.
C:\Program Files\Common Files\BitDefender\BitDefender Communicator folder moved successfully.
C:\Program Files\Common Files\BitDefender folder moved successfully.
C:\Program Files\BitDefender\BitDefender 2008\tbextension\locale\en-US folder moved successfully.
C:\Program Files\BitDefender\BitDefender 2008\tbextension\locale folder moved successfully.
C:\Program Files\BitDefender\BitDefender 2008\tbextension\content folder moved successfully.
C:\Program Files\BitDefender\BitDefender 2008\tbextension folder moved successfully.
C:\Program Files\BitDefender\BitDefender 2008\Skin\Default folder moved successfully.
C:\Program Files\BitDefender\BitDefender 2008\Skin folder moved successfully.
C:\Program Files\BitDefender\BitDefender 2008\pic folder moved successfully.
C:\Program Files\BitDefender\BitDefender 2008\NAG\Trial folder moved successfully.
C:\Program Files\BitDefender\BitDefender 2008\NAG\Invalid folder moved successfully.
C:\Program Files\BitDefender\BitDefender 2008\NAG\Expired folder moved successfully.
C:\Program Files\BitDefender\BitDefender 2008\NAG\Close2Exp folder moved successfully.
C:\Program Files\BitDefender\BitDefender 2008\NAG folder moved successfully.
C:\Program Files\BitDefender\BitDefender 2008 folder moved successfully.
C:\Program Files\BitDefender folder moved successfully.
[Files/Folders - Modified Within 90 days]
C:\WINDOWS\System32\bdod.bin moved successfully.
File C:\WINDOWS\bdagent.INI not found!
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
ADS C:\Documents and Settings\All Users\Application Data\TEMP:2913008E deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:BAFDD950 deleted successfully.
File C:\Program Files\Common Files\BitDefender not found!
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Administrator.JOHN.000\Local Settings\Temp\hpodvd09.log scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.15.10 fix logfile created on 06072008_105752

Files moved on Reboot...
C:\Documents and Settings\Administrator.JOHN.000\Local Settings\Temp\hpodvd09.log moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.

Thanks.
Byn
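The HijackThis logs in this thread are reviewed by eye for leftovers. As an added illustration, not code from the thread or from HijackThis itself, the following Python script parses a log in that format and pulls out the items a reviewer checks first: O16 downloaded controls that no longer have a source URL (like the SpinTop DRM and ArmHelper entries above), O17 NameServer settings, and O4 Run entries whose unquoted command line contains spaces. The sample log is a constructed subset of the lines posted above; the function names are my own.

```python
"""Summarise a HijackThis 2.x log: count entries per section code and pull
out the items a reviewer checks first. Added example; names are my own."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: a subset of the lines from the logs posted in this thread.
HJT_SAMPLE = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) -
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O17 - HKLM\System\CS1\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Every HJT finding is "<code> - <body>"; the process list and header are not.
ENTRY_RE = re.compile(r'^([RFNO]\d+) - (.*)$')
# O4 Run entries: "<hive>\..\Run: [<name>] <command line>"
O4_RE = re.compile(r'^HK\w+\\.*\\Run: \[(.*?)\] (.*)$')
# O16 Downloaded Program Files: "DPF: {CLSID} (<name>) - <url or nothing>"
O16_RE = re.compile(r'^DPF: (\{[0-9A-Fa-f-]+\}) \((.+?)\) -\s*(.*)$')
# O17 DNS settings: "<registry path>: NameServer = ip,ip"
O17_RE = re.compile(r'^(HK\w+\\.*?): NameServer = (.*)$')


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Return one {'code', 'body'} dict per finding line, in log order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.rstrip())
        if m:
            entries.append({'code': m.group(1), 'body': m.group(2)})
    return entries


def count_by_code(entries: List[Dict[str, str]]) -> Dict[str, int]:
    return dict(Counter(e['code'] for e in entries))


def o16_without_source(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """ActiveX controls whose download URL is gone: the control is installed
    but nothing on the log says where it came from, so it needs a closer look."""
    hits = []
    for e in entries:
        if e['code'] != 'O16':
            continue
        m = O16_RE.match(e['body'])
        if m and not m.group(3):
            hits.append({'clsid': m.group(1), 'name': m.group(2)})
    return hits


def o17_nameservers(entries: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """(registry path, [nameserver ips]) for every O17 line, for comparison
    against the ISP's resolvers; the script does not judge them itself."""
    out = []
    for e in entries:
        if e['code'] != 'O17':
            continue
        m = O17_RE.match(e['body'])
        if m:
            ips = [ip.strip() for ip in m.group(2).split(',') if ip.strip()]
            out.append((m.group(1), ips))
    return out


def o4_unquoted_with_spaces(entries: List[Dict[str, str]]) -> List[str]:
    """Names of O4 Run entries whose command line is unquoted yet contains
    spaces; the trailing (User '...') tag HJT adds for HKUS lines is ignored."""
    flagged = []
    for e in entries:
        if e['code'] != 'O4':
            continue
        m = O4_RE.match(e['body'])
        if not m:
            continue
        name, cmd = m.group(1), m.group(2)
        cmd = re.sub(r" \(User '[^']*'\)$", '', cmd)
        if not cmd.startswith('"') and ' ' in cmd:
            flagged.append(name)
    return flagged


def summarise(text: str) -> Dict[str, object]:
    entries = parse_hjt(text)
    return {
        'counts': count_by_code(entries),
        'o16_no_source': o16_without_source(entries),
        'o17': o17_nameservers(entries),
        'o4_unquoted': o4_unquoted_with_spaces(entries),
    }


if __name__ == '__main__':
    for key, value in summarise(HJT_SAMPLE).items():
        print(key, value)
```

Point it at a saved log with `summarise(open('hijackthis.log').read())`. The O17 list is deliberately just a list: whether 210.80.58.34 and .42 are the right resolvers is something only the machine's owner or ISP can confirm, which is why a helper asks rather than assumes.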


----------



## Cookiegal (Aug 27, 2003)

Other than an outdated version of Java, the log looks fine.

Your *Java* is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of *Java* components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems.

*Upgrading Java*:


Download the latest version of *Java Runtime Environment (JRE) 6 Update 6*.
Scroll down to where it says *Java Runtime Environment (JRE) 6 Update 6. The Java SE Runtime Environment (JRE) allows end-users to run Java applications* (the fifth one in the list).
Click the "*Download*" button to the right. A new page will open.
Select your platform and check the box that says: *I agree to the Java SE Runtime Environment 6 License Agreement*.
Click *Continue*.
Click on the link under *Windows Offline Installation* (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
Go to *Start* - *Control Panel*, double-click on *Add/Remove Programs* and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Close any programs you may have running - especially your web browser.
Then from your desktop double-click on the download to install the newest version.

Tell me how are things with the system now?


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,

Removed Java 5 update ok but there are still two references to Java, Update 2 & 3 each of 111.00Mb, that I cannot remove because there is no remove/change option. There's still a Java icon in the control panel which opens Java settings. How do you want me to proceed?
Apart from that, I'm pleased to report my system is up to speed and running like a Swiss watch.

Thanks
Byn


----------



## Cookiegal (Aug 27, 2003)

I'm glad things are working well now. :up:

Let's use HijackThis to remove those old Javas.

Open HijackThis and click on "Config" and then on the "Misc Tools" button. If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". Click on the "Open Uninstall Manager" button. Now highlight the entries you want to remove and click on "Delete this entry".


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,

There's no reference to Java in HJT.

Byn.


----------



## Cookiegal (Aug 27, 2003)

We should be able to get it from the registry so please do the following to export a registry key:

Go to *Start* - *Run* - copy and paste the following and then click OK.

regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

You won't see anything happen and it will only take a few seconds but it will export this registry key to a file located at:

C:\look.txt

Please navigate to that file and open it and copy and paste the entire contents here.


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,

Seems it was too much to paste so I've attached the file instead.

Thanks.
Byn


----------



## Cookiegal (Aug 27, 2003)

Download the Registry Search Tool here:

http://www.billsway.com/vbspage/

Unzip it and double click on the file to run it. If your antivirus interferes you may have to disable script blocking in the antivirus. Copy and Paste the following in the search box, one at a time:

*3248F0A8-6813-11D6-A77B-00B0D0160020*

*3248F0A8-6813-11D6-A77B-00B0D0160030*

Copy and paste the results here please.


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,

Results as requested.

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "3248F0A8-6813-11D6-A77B-00B0D0160020" 9/06/2008 6:35:00 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{3248F0A8-6813-11D6-A77B-00B0D0160020}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\WINDOWS\\Installer\\{3248F0A8-6813-11D6-A77B-00B0D0160020}\\"=""

****************************************************************************

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "3248F0A8-6813-11D6-A77B-00B0D0160030" 9/06/2008 6:38:13 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{3248F0A8-6813-11D6-A77B-00B0D0160030}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\WINDOWS\\Installer\\{3248F0A8-6813-11D6-A77B-00B0D0160030}\\"=""

Thanks.
Byn


----------



## Cookiegal (Aug 27, 2003)

I'm attaching a FixJava.zip file. Save it to your desktop. Unzip it and double-click the FixJava.reg file and allow it to enter into the registry.

Reboot and let me know if those entries are gone from the Add/Remove list please.


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,

Sorry to be a pain, but the references to the two Java entries are still in the add/remove programs listing. The only difference is that there is no file size showing on the right hand side of the window. In the Program Files directory, all the files for the two references are still there.

Thanks.

Byn


----------



## Cookiegal (Aug 27, 2003)

Please run OTScanIt as follows:


Close any open browsers.
Disconnect from the Internet.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of OTScanIt.
Open the *OTScanIt* folder and double-click on OTScanIt.exe to start the program.
Check the box that says *Scan All User Accounts*
Under Drivers select the radio button for *All*
Check the Radio buttons for Files/Folders Created Within *90 Days* and Files/Folders Modified Within *90 Days* 
Under Additional Scans check the following:
Reg - Uninstall List

Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it automatically.
Save that Notepad file. Click the *Format* menu and make sure that *Word wrap* is not checked. If it is then click on it to uncheck it.
Use the *Reply* button and upload Notepad file here as an attachment please.


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,

OTScanIt log attached as requested.

Thanks.

Byn


----------



## Cookiegal (Aug 27, 2003)

Start *OTScanIt*. Copy/Paste the information in the code box below into the pane where it says *"Paste fix here"* and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log please.


```
[Kill Explorer]
[Unregister Dlls]
[Processes - Non-Microsoft Only]
YY -> jusched.exe -> %ProgramFiles%\Java\jre1.6.0_03\bin\jusched.exe
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_03\bin\jusched.exe ["C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"]
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> 2 domain(s) and sub-domain(s) not assigned to a zone. -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [SSVHelper Class]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YY -> {08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java Console]
YY -> {08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} [HKEY_CURRENT_USER] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [Sun Java Console]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YY -> CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java Console]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YY -> CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java Console]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YY -> CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java Console]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-776561741-436374069-839522115-500\] > -> HKEY_USERS\S-1-5-21-776561741-436374069-839522115-500\Software\Microsoft\Internet Explorer\Extensions\
YY -> CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java Console]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab [Java Plug-in 1.6.0_03]
YN -> {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab [Java Plug-in 1.6.0_03]
YN -> {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab [Java Plug-in 1.6.0_03]
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,

OTScanIT & HJT logs as requested.

Explorer killed successfully
[Processes - Non-Microsoft Only]
Process jusched.exe killed successfully.
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe moved successfully.
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SunJavaUpdateSched deleted successfully.
File C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ deleted successfully.
C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll NOT unregistered.
C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}\ deleted successfully.
C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll unregistered successfully.
C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}\ not found.
File C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ not found.
File C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ not found.
File C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ not found.
File C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll not found.
Registry value HKEY_USERS\S-1-5-21-776561741-436374069-839522115-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ not found.
File C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\Contains\Files\ not found.
not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\Contains\Files\ not found.
not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\Contains\Files\ not found.
not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Administrator.JOHN.000\Local Settings\Temp\hpodvd09.log scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.15.10 fix logfile created on 06112008_050148

Files moved on Reboot...
C:\Documents and Settings\Administrator.JOHN.000\Local Settings\Temp\hpodvd09.log moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.

********************************************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:00 AM, on 11/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
D:\Clipboard Pile\Clipboard Pile.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\PowerISO 3.7\PWRISOVM.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp Pro 5.5\winampa.exe
C:\WINDOWS\PowerS.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
C:\WINDOWS\system32\hppapml0.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/resetpw.srf?lc=3081
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Clipboard Pile] D:\Clipboard Pile\Clipboard Pile.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppautoindexer.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO 3.7\PWRISOVM.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp Pro 5.5\winampa.exe"
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
O4 - Global Startup: Suitcase Startup.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\\DownloadPDF.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - 
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1211766713296
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - 
O17 - HKLM\System\CCS\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O17 - HKLM\System\CS1\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O17 - HKLM\System\CS2\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O17 - HKLM\System\CS3\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 10557 bytes

Thanks.

Byn


----------



## Cookiegal (Aug 27, 2003)

Are the pesky older Java entries still in Add/Remove programs?


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,

Sadly I have to report that the two Java entries are still in the add/remove programs list. There is still a Java directory, with two sub-directories for update 2 & 3, in the Program Files also. I'd have made a bit stronger reference than "pesky" CookieGal.

Thanks.

Byn


----------



## Cookiegal (Aug 27, 2003)

Let's use this tool to clean them up then:

http://www.majorgeeks.com/AddRemove_Program_Cleaner_d5111.html

Let me know how it goes please.


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,

No Java programs are in the add/remove list of the Majorgeeks program. 

Thanks.

Byn


----------



## Cookiegal (Aug 27, 2003)

Have you rebooted since we started trying to remove these entries?

Exactly how are they displayed? Can you attach a screen shot?


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,

I reboot after I try your recommendations. I've just done so again. Please find the attached file, Control Panel.jpg

Is it possible that the only remaining files of the two Java updates are contained in the two sub-directories of the Java directory in the Program Files directory? By that I mean that you have deleted all other references of Java from the registry and elsewhere.

I don't know much about this but it's just a thought.

Thanks.

Byn


----------



## Cookiegal (Aug 27, 2003)

Yes, it's possible. Let's try deleting the sub-directories for those specific versions and see if that does the trick.

There could still be other registry keys though as well.


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,

I deleted the earliest sub-directory of Java from the Program Files and that went as expected. I rebooted and checked the add/remove panel and the listing I'd just deleted was still there.
I went back to the Program Files Java directory and tried to delete it but this time I got a warning message. I've attached a screenshot, Java.jpg

Will I proceed with the deletion and then install the new version of Java?

Thanks.

Byn


----------



## Cookiegal (Aug 27, 2003)

Please go ahead and install the new version. We can work on uninstalling the older ones after that.


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,

I've successfully installed the latest Java version. I was able to delete the earlier version of Java from the Program Files; however, the two older versions are still visible in the add/remove programs. The new Java version is in the add/remove list of course and it shows the correct Java icon. The other two references only show the installation icon. I'm not sure of the correct terminology for those icons.

Thanks.

Byn


----------



## Cookiegal (Aug 27, 2003)

Please do another registry search as I had you do before but this time search for the following and let me know if any instances are found:

*Java(TM)*


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,

This is the result of a registry search for Java(TM)

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "Java(TM)" 13/06/2008 6:09:44 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610002]
"ProductName"="Java(TM) 6 Update 2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610003]
"ProductName"="Java(TM) 6 Update 3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610006]
"ProductName"="Java(TM) 6 Update 6"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610002\InstallProperties]
"DisplayName"="Java(TM) 6 Update 2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610003\InstallProperties]
"DisplayName"="Java(TM) 6 Update 3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610006\InstallProperties]
"DisplayName"="Java(TM) 6 Update 6"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160060}]
"DisplayName"="Java(TM) 6 Update 6"

[HKEY_USERS\S-1-5-21-776561741-436374069-839522115-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe"="Java(TM) Platform SE binary"

[HKEY_USERS\S-1-5-21-776561741-436374069-839522115-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Java\\jre1.6.0_06\\bin\\jusched.exe"="Java(TM) Platform SE binary"

Thanks.

Byn


----------



## Cookiegal (Aug 27, 2003)

I'm attaching a RemoveJava.zip file. Save it to your desktop. Unzip it and double-click the RemoveJava.reg file and allow it to enter into the registry.

Reboot and let's see if this has done the trick.
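As an added illustration of what the registry export and search earlier in the thread and the hand-built RemoveJava.reg here are doing, this PowerShell script (not Cookiegal's file, and not part of the thread) lists Add/Remove Programs entries whose DisplayName matches a pattern and flags the ones whose referenced files are gone, which is exactly the state of the leftover "Java(TM) 6 Update 2/3" entries. It assumes a modern Windows host with PowerShell; the function names Get-OrphanedArpEntry and Test-ReferencedPathMissing are my own, it deletes nothing unless run with -Remove, and -WhatIf previews any deletion.

```powershell
# Added example: report (and optionally remove) orphaned Add/Remove Programs
# entries. Function names are hypothetical; nothing here comes from the thread.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$NamePattern = 'Java\(TM\)',   # regex matched against DisplayName
    [switch]$Remove                        # without this the script only reports
)

# Keys that showed up in the thread's registry searches.
$uninstallRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
$msiUserData   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products'
$arpCache      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache'

function Test-ReferencedPathMissing {
    # True when a registry value names a local file or folder that no longer exists.
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return $false }
    $path = ($Value -replace '"', '').Trim()
    if ($path -match '^(?<exe>[A-Za-z]:\\[^"]*?\.exe)') {
        $path = $Matches.exe                     # drop uninstaller arguments
    } else {
        $path = $path -replace ',\s*-?\d+$', ''  # drop an icon index such as ",0"
    }
    # "MsiExec.exe /X{...}" style strings carry no checkable path; skip them.
    if ($path -notmatch '^[A-Za-z]:\\') { return $false }
    return -not (Test-Path -LiteralPath $path)
}

function Get-OrphanedArpEntry {
    param([string]$Pattern)
    $result = @()

    # 1. Classic Uninstall\{GUID} entries (DisplayName, InstallLocation, ...).
    foreach ($key in Get-ChildItem $uninstallRoot -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty $key.PSPath
        if ($p.DisplayName -notmatch $Pattern) { continue }
        $missing = @('InstallLocation', 'DisplayIcon', 'UninstallString') |
            Where-Object { Test-ReferencedPathMissing ($p.$_) }
        if ($missing) {
            $result += [pscustomobject]@{
                Name = $p.DisplayName; Key = $key.PSPath; MissingRefs = ($missing -join ',')
            }
        }
    }

    # 2. Windows Installer per-product InstallProperties (the Products\...\InstallProperties
    #    keys from the "Java(TM)" search), which also carry DisplayName and LocalPackage.
    foreach ($key in Get-ChildItem $msiUserData -ErrorAction SilentlyContinue) {
        $ip = Join-Path $key.PSPath 'InstallProperties'
        if (-not (Test-Path -LiteralPath $ip)) { continue }
        $p = Get-ItemProperty $ip
        if ($p.DisplayName -notmatch $Pattern) { continue }
        $missing = @('InstallLocation', 'LocalPackage') |
            Where-Object { Test-ReferencedPathMissing ($p.$_) }
        if ($missing) {
            $result += [pscustomobject]@{
                Name = $p.DisplayName; Key = $key.PSPath; MissingRefs = ($missing -join ',')
            }
        }
    }
    return $result
}

$orphans = Get-OrphanedArpEntry -Pattern $NamePattern
$orphans | Format-Table -AutoSize

if ($Remove) {
    foreach ($o in $orphans) {
        if ($PSCmdlet.ShouldProcess($o.Key, "Remove orphaned entry '$($o.Name)'")) {
            Remove-Item -LiteralPath $o.Key -Recurse
            # The ARPCache key of the same GUID is what kept the icon in the list.
            $guid = Split-Path $o.Key -Leaf
            Remove-Item -LiteralPath (Join-Path $arpCache $guid) -Recurse -ErrorAction SilentlyContinue
        }
    }
}
```

Run it first with no switches to see the report, then with `-Remove -WhatIf` to preview, and only then with `-Remove` from an elevated prompt.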


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,

Bingo!!!! All gone, you're a clever girl.

Thanks.

Byn


----------



## Cookiegal (Aug 27, 2003)

That's good news. 

Here are some final instructions for you.

The following program will remove the tools we've used and their associated files and backups and then it will delete itself.

Please download *OTMoveIt2 by OldTimer*.

*Save* it to your *desktop*.
Make sure you have an Internet Connection.
Double-click *OTMoveIt.exe* to run it. (Vista users, please right-click on *OTMoveIt2.exe* and select "Run as an *Administrator*")
Click on the *CleanUp!* button
A list of tool components used in the cleanup of malware will be downloaded.
If your firewall or real-time protection attempts to block OTMoveIt2 to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application which will delete itself.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose *Yes.*

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* - *All Programs* - *Accessories* - *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

Delete Temporary Files:

Go to *Start* - *Run* and type in *cleanmgr* and click OK. 
Let it scan your system for files to remove. 
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. 
Press OK to remove them.


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,

I've followed your final instructions and I'm happy to report all's well.
I'd like to thank you for your patience and tenacity in repairing my computer. You're a very clever girl. It must be quite difficult to repair computers remotely. As you can see, I've been a member of TSG for a number of years, albeit a non-subscribing member. Thanks to your efforts, I'll be subscribing as a paying member in the next couple of days.

Thanks again CookieGal. Brilliant.

Regards,

Byn


----------



## Cookiegal (Aug 27, 2003)

It's my pleasure. Thank you for the kind words and your donation is much appreciated as well.


----------



## Cookiegal (Aug 27, 2003)

I went back over the thread and I'd like you to run a couple more programs just to be thorough. I thought we had already done these. They may pick up some leftovers.

*Download and scan with* *SUPERAntiSpyware* Free for Home Users
Double-click *SUPERAntiSpyware.exe* and use the default settings for installation. 
An icon will be created on your desktop. Double-click that icon to launch the program. 
If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (_If you encounter any problems while downloading the updates, manually download and unzip them from here._) 
Under "*Configuration and Preferences*", click the *Preferences* button. 
Click the *Scanning Control* tab. 
Under *Scanner Options* make sure the following are checked _(leave all others unchecked)_:
_Close browsers before scanning._ 
_Scan for tracking cookies._ 
_Terminate memory threats before quarantining._

Click the "*Close*" button to leave the control center screen. 
Back on the main screen, under "*Scan for Harmful Software*" click *Scan your computer*. 
On the left, make sure you check *C:\Fixed Drive*. 
On the right, under "*Complete Scan*", choose *Perform Complete Scan*. 
Click "*Next*" to start the scan. Please be patient while it scans your computer. 
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*". 
Make sure everything has a checkmark next to it and click "*Next*". 
A notification will appear that "_Quarantine and Removal is Complete_". Click "*OK*" and then click the "*Finish*" button to return to the main menu. 
If asked if you want to reboot, click "*Yes*". 
To retrieve the removal information after reboot, launch SUPERAntispyware again.
_Click *Preferences*, then click the *Statistics/Logs* tab._ 
_Under Scanner Logs, double-click *SUPERAntiSpyware Scan Log*._ 
_If there are several logs, click the current dated log and press *View log*. A text file will open in your default text editor._ 
*Please copy and paste the Scan Log results in your next reply.*

Click *Close* to exit the program.

Please run Kaspersky online virus scan *Kaspersky Online Scanner*.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the *"Extended database"* for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

*Note:* You have to use Internet Explorer to do the online scan.

*Post a new HiJackThis log along with the results from the SuperAntiSpyware and Kaspersky scans.*


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,

Logs as requested.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, June 15, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, June 14, 2008 08:07:05
Records in database: 863215
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
Z:\

Scan statistics:
Files scanned: 207060
Threat name: 12
Infected objects: 14
Suspicious objects: 0
Duration of the scan: 06:02:51

File name / Threat name / Threats count
IEXPLORE.EXE\fdcatch.dll/IEXPLORE.EXE\fdcatch.dll	Infected: Backdoor.Win32.Hupigon.tsy	1
D:\Download\--- Satellite Tv For Pc 2006 53.rar	Infected: not-a-virus:AdWare.Win32.AdvertMen.a	1
D:\Download\Acoustica Mixcraft 2.5 Full Multilanguage.zip	Infected: Backdoor.Win32.Agent.aap	1
D:\Download\Adobe Illustrator CS3 Crack.zip	Infected: Trojan-Downloader.Win32.IstBar.is	1
D:\Download\MIRC.v6.21.Incl.KeyMaker-DVT.rar	Infected: not-a-virus:Client-IRC.Win32.mIRC.621	1
D:\Download\PowerISO 3.6 + Patch + Key [Works]-l0bo.rar	Infected: Backdoor.Win32.Rbot.bqa	1
D:\Download uTorrent\AdobePhotoshopLightroom-v1.1.zip	Infected: not-a-virus:AdWare.Win32.BHO.uw	1
D:\Download uTorrent\AnyDVD 6.1.1.4 Final - Cracked.rar	Infected: Backdoor.Win32.Bifrose.la	1
D:\Download uTorrent\BitDefender Antivirus 2008 + BitDefender Antivirus 2008 Working Keygen (REA-cRaCkErTeAm)\bitdefender_antivirus\Keymaker.exe	Infected: Trojan.Win32.Zapchast.gb	1
D:\Download uTorrent\WinZip.Professional.v11.1.7466.Incl.Keymaker.zip	Infected: Trojan-Downloader.Win32.Small.eqn	1
D:\mIRC\BACKUP\mirc.exe	Infected: not-a-virus:Client-IRC.Win32.mIRC.61	1
D:\mIRC\BACKUP\MIRC32.EXE	Infected: not-a-virus:Client-IRC.Win32.mIRC.551	1
D:\mIRC\mirc.exe	Infected: not-a-virus:Client-IRC.Win32.mIRC.621	1
D:\RECYCLER\S-1-5-21-515967899-1004336348-725345543-500\Dd1.rar	Infected: not-a-virus:AdWare.Win32.AdvertMen.a	1

The selected area was scanned.

******************************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:41 AM, on 15/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Clipboard Pile\Clipboard Pile.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\PowerISO 3.7\PWRISOVM.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp Pro 5.5\winampa.exe
C:\WINDOWS\PowerS.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox 2.0.0.6\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/resetpw.srf?lc=3081
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Clipboard Pile] D:\Clipboard Pile\Clipboard Pile.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppautoindexer.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO 3.7\PWRISOVM.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp Pro 5.5\winampa.exe"
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
O4 - Global Startup: Suitcase Startup.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\\DownloadPDF.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - 
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1211766713296
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - 
O17 - HKLM\System\CCS\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O17 - HKLM\System\CS1\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O17 - HKLM\System\CS2\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O17 - HKLM\System\CS3\Services\Tcpip\..\{6690B823-4DE9-46DF-AD5A-FBEF2E6CBCA6}: NameServer = 210.80.58.34,210.80.58.42
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 11303 bytes

Thanks.

Byn
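A small parser for the Kaspersky Online Scanner 7 report format posted above, added here as an example and not part of the thread. It pulls the flagged objects out of the tab-separated "File name / Threat name / Threats count" rows, separates confirmed malware verdicts from "not-a-virus" (potentially unwanted) ones, tallies which folders the hits cluster in, and cross-checks the rows against the scanner's own summary counts. The sample report embedded below is constructed to match the format; its file and threat names are placeholders, not the poster's actual findings.

```python
import re
import ntpath
from collections import Counter

# Constructed sample in the Kaspersky Online Scanner 7 report layout
# (placeholder names; not the log posted in the thread).
SAMPLE_REPORT = """\
Scan statistics:
Files scanned: 6
Threat name: 5
Infected objects: 6
Suspicious objects: 0

File name / Threat name / Threats count
IEXPLORE.EXE\\example.dll/IEXPLORE.EXE\\example.dll\tInfected: Backdoor.Win32.Example.a\t1
D:\\Download\\Some Tool Crack.zip\tInfected: Trojan-Downloader.Win32.Example.b\t1
D:\\Download\\Other Tool + Keygen.rar\tInfected: Backdoor.Win32.Example.a\t1
D:\\Download uTorrent\\Keymaker.exe\tInfected: Trojan.Win32.Example.d\t1
D:\\mIRC\\mirc.exe\tInfected: not-a-virus:Client-IRC.Win32.mIRC.621\t1
D:\\RECYCLER\\S-1-5-21-0-0-0-500\\Dd1.rar\tInfected: not-a-virus:AdWare.Win32.Example.c\t1

The selected area was scanned.
"""

# One finding row: <object>\tInfected: <verdict>\t<count>
FINDING_RE = re.compile(r"^(?P<path>.+?)\tInfected: (?P<verdict>\S+)\t(?P<count>\d+)$")
STAT_RE = re.compile(r"^(?P<key>Files scanned|Threat name|Infected objects|Suspicious objects): (?P<value>\d+)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def parse_report(text):
    """Return (summary stats, list of findings) from a report in the format above."""
    stats, findings = {}, []
    for line in text.splitlines():
        m = STAT_RE.match(line)
        if m:
            stats[m.group("key")] = int(m.group("value"))
            continue
        m = FINDING_RE.match(line)
        if m:
            # "container/member" marks an object inside an archive or loaded process image.
            container, _, member = m.group("path").partition("/")
            verdict = m.group("verdict")
            findings.append({"path": container, "member": member or None,
                             "verdict": verdict, "count": int(m.group("count")),
                             "pua": verdict.startswith("not-a-virus:")})
    return stats, findings


def triage(findings):
    """Split confirmed malware from not-a-virus hits; count hits per on-disk folder."""
    malware = [f for f in findings if not f["pua"]]
    pua = [f for f in findings if f["pua"]]
    folders = Counter(ntpath.dirname(f["path"]) for f in findings if DRIVE_RE.match(f["path"]))
    return malware, pua, folders


def check_consistency(stats, findings):
    """True when parsed rows agree with the scanner's 'Infected objects' and 'Threat name' totals."""
    distinct = {f["verdict"] for f in findings}
    return (stats.get("Infected objects") == sum(f["count"] for f in findings)
            and stats.get("Threat name") == len(distinct))
```

Run against a real report, the folder tally makes the source of the infections visible at a glance, and a failed consistency check means rows were lost when the log was pasted.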


----------



## Cookiegal (Aug 27, 2003)

Well, we can see where your infection came from with all those cracks. I hope there was a lesson learned in all of this.

Delete these files:

D:\Download\*--- Satellite Tv For Pc 2006 53.rar*
D:\Download\*Acoustica Mixcraft 2.5 Full Multilanguage.zip*
D:\Download\*Adobe Illustrator CS3 Crack.zip*
D:\Download\*MIRC.v6.21.Incl.KeyMaker-DVT.rar*
D:\Download\*PowerISO 3.6 + Patch + Key [Works]-l0bo.rar*
D:\Download uTorrent\*AdobePhotoshopLightroom-v1.1.zip*
D:\Download uTorrent\*AnyDVD 6.1.1.4 Final - Cracked.rar*
D:\Download uTorrent\BitDefender Antivirus 2008 + BitDefender Antivirus 2008 Working Keygen (REA-cRaCkErTeAm)\bitdefender_antivirus\*Keymaker.exe*
D:\Download uTorrent\*WinZip.Professional.v11.1.7466.Incl.Keymaker.zip*

Empty the recycle bin on your D drive.

Be sure to create a new restore point afterwards.


----------



## byanoseau (Jun 3, 2002)

Hi CookieGal,

I thought I might have got a slap for that. Lesson learned. ))))

Thanks for your help.

Regards,

Byn


----------



## Cookiegal (Aug 27, 2003)

Consider yourself slapped.


----------

