# IE Redirect in Google



## Vivsky (Sep 5, 2007)

Hi. I hope someone can help me. I'm having an issue for the past 2 days. Whenever I google something and click on one of the results, I get redirected to advertising sites of some sort. In the status bar, I can momentarily see something about cybertroll. I have run AdAware, Spybot, and tried running Hijack This, but the running of HT took 5 hours and was barely half way done, so I stopped the run.

Any ideas? Thanks!


----------



## sjpritch25 (Sep 8, 2005)

Welcome to TSG 

Please download *HJTInstaller.exe* Here
Let it Place Hijackthis in C:\Program Files\Trend Micro\Hijackthis
Let it create a Desktop Icon
Open *Hijackthis.exe*
Click on *Do a System Scan and Save log file*
*Don't Fix any Items!!!*
Just copy and paste the contents of the log file to your reply.

*Please print these instructions for reference, as you will have to restart your computer during the fix.*

Please download FixWareout from *Here* or *Here*.

*Note: You will need to run this tool while having an Internet Connection. The tool will download other files while running.*


Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts.

If your firewall gives an alert (because this tool will download additional files from the internet), please don't let your firewall block it, but allow it instead.

You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads, a text file will open (report.txt).

Please post the C:\fixwareout\*report.txt*, along with a new HijackThis log, into this topic.


----------



## Vivsky (Sep 5, 2007)

First log from HT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:58:39 PM, on 9/5/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\kgvymi.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINNT\System32\HPZipm12.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {212CC212-DC60-43F8-B877-114B71949415} - c:\winnt\system32\umtacudx.dll
O2 - BHO: (no name) - {2E62C6B8-D531-4661-B5DC-8248844D7A8A} - c:\winnt\system32\d3dimr.dll
O2 - BHO: (no name) - {7BA59E75-432C-41E2-A1AC-7C55FB42A2F4} - C:\WINNT\System32\comresu.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [ijrbbpd] C:\WINNT\ptcore.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [kgvymi] C:\WINNT\system32\kgvymi.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [kgvymi] C:\WINNT\system32\kgvymi.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak Picture Easy 3.1 Batch Transfer.lnk = C:\Program Files\Kodak\Picture Easy Software\Program\PezDownload.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://quickplace.pmllp.com/qp2.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://we.pmllp.com/ANAR-LNMail1/iNotes.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://we.pmllp.com/ANAR-LNMAIL1/iNotes6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/20120b8e43bf2d8ea622/netzip/RdxIE601.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.4.0.0) Control) - http://bowwow4.serveftp.com/cab/Live.cab
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - http://www.worldwinner.com/games/shared/uninstall.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O20 - Winlogon Notify: hmbdkint - C:\WINNT\SYSTEM32\d3dimr.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11203 bytes


----------



## Vivsky (Sep 5, 2007)

From report.txt:

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.

System was rebooted successfully.

~~~~~ Postrun check 
HKLM\SOFTWARE\~\Winlogon\ "System"="" 
....
....
~~~~~ Misc files. 
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"GWMDMMSG"="GWMDMMSG.exe"
"Keyboard Preload Check"="C:\\OEMDRVRS\\KEYB\\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:\"Keyboard Preload Check\""
"GWMDMpi"="C:\\WINNT\\GWMDMpi.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"MoneyStartUp10.0"="\"C:\\Program Files\\Microsoft Money\\System\\Activation.exe\""
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"CXMon"="\"C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\Photo Imaging\\Hpi_Monitor.exe\""
"HPDJ Taskbar Utility"="C:\\WINNT\\System32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"AdaptecDirectCD"="C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
"RoxioEngineUtility"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"RoxioAudioCentral"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\AudioCentral\\RxMon.exe\""
"mmtask"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"AcctMgr"="C:\\Program Files\\Norton Password Manager\\AcctMgr.exe /startup"
"ijrbbpd"="C:\\WINNT\\ptcore.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"ccApp"="-"
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"kgvymi"="C:\\WINNT\\system32\\kgvymi.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"ctfmon.exe"="C:\\WINNT\\System32\\ctfmon.exe"
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Comcast\\COMCAS~1\\data\\Xtras\\mssysmgr.exe"
"kgvymi"="C:\\WINNT\\system32\\kgvymi.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

New HT logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:29 PM, on 9/5/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\kgvymi.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINNT\System32\ctfmon.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {212CC212-DC60-43F8-B877-114B71949415} - c:\winnt\system32\umtacudx.dll
O2 - BHO: (no name) - {2E62C6B8-D531-4661-B5DC-8248844D7A8A} - c:\winnt\system32\d3dimr.dll
O2 - BHO: (no name) - {7BA59E75-432C-41E2-A1AC-7C55FB42A2F4} - C:\WINNT\System32\comresu.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [ijrbbpd] C:\WINNT\ptcore.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [kgvymi] C:\WINNT\system32\kgvymi.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [kgvymi] C:\WINNT\system32\kgvymi.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak Picture Easy 3.1 Batch Transfer.lnk = C:\Program Files\Kodak\Picture Easy Software\Program\PezDownload.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://quickplace.pmllp.com/qp2.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://we.pmllp.com/ANAR-LNMail1/iNotes.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://we.pmllp.com/ANAR-LNMAIL1/iNotes6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/20120b8e43bf2d8ea622/netzip/RdxIE601.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.4.0.0) Control) - http://bowwow4.serveftp.com/cab/Live.cab
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - http://www.worldwinner.com/games/shared/uninstall.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O20 - Winlogon Notify: hmbdkint - C:\WINNT\SYSTEM32\d3dimr.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11355 bytes


----------



## sjpritch25 (Sep 8, 2005)

Run HijackThis, and press "Do a System Scan Only". 
1. When the scan is complete place a check mark next to the following entries:
O2 - BHO: (no name) - {212CC212-DC60-43F8-B877-114B71949415} - c:\winnt\system32\umtacudx.dll
O2 - BHO: (no name) - {2E62C6B8-D531-4661-B5DC-8248844D7A8A} - c:\winnt\system32\d3dimr.dll
O2 - BHO: (no name) - {7BA59E75-432C-41E2-A1AC-7C55FB42A2F4} - C:\WINNT\System32\comresu.dll
O4 - HKLM\..\Run: [ijrbbpd] C:\WINNT\ptcore.exe
O4 - HKLM\..\Run: [kgvymi] C:\WINNT\system32\kgvymi.exe
O4 - HKCU\..\Run: [kgvymi] C:\WINNT\system32\kgvymi.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minib...ansporter.cab?
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v5.cab
O20 - Winlogon Notify: hmbdkint - C:\WINNT\SYSTEM32\d3dimr.dll
2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked."

========================================

Download *OTMoveIt* by OldTimer and save to your Desktop.
Double-click on *OTMoveIt.exe* to launch the program.
Please copy the file(s)/folder(s) paths listed below - _highlight everything in red and press CTRL+C or right-click and choose *Copy*_.

*c:\winnt\system32\umtacudx.dll
c:\winnt\system32\d3dimr.dll
C:\WINNT\System32\comresu.dll
C:\WINNT\ptcore.exe
C:\WINNT\system32\kgvymi.exe*

Then in OTMoveIt, _right-click in the open text box labeled_ "*Paste List of Files/Folders to be Moved*" _and choose *Paste*_.
Click the red *MoveIt!* button.
The list will be processed and the results for each line will be displayed in the right-hand pane.
Highlight everything in the *Results* window, _press CTRL+C or right-click, choose *Copy*, right-click again_ and *Paste* it in your next reply.
Close the program when done.
_*Important!*_ _If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose *Yes*._

================================

Please reboot your machine, unless prompted to.

================================

Please download *ATF Cleaner* by Atribune.

*This program is for XP and Windows 2000 only*


Save it to your desktop

Double-click *ATF-Cleaner.exe* to run the program.

Under *Main* choose: *Select All*

Click the *Empty Selected* button.

If you use Firefox browser
Click *Firefox* at the top and choose: *Select All*

Click the *Empty Selected* button.

*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.

If you use Opera browser
Click *Opera* at the top and choose: *Select All*

Click the *Empty Selected* button.

*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.

Click *Exit* on the Main menu to close the program.

For *Technical Support*, double-click the e-mail address located at the bottom of each menu.

*Notes for Windows Vista users:*

On Windows Vista, "Windows Temp" is disabled; to empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".
Prefetch has been disabled on Windows Vista. As I'm not sure what effects emptying prefetch on Windows Vista will have, for the time being I won't enable that function.

======================================

*Panda Activescan*
http://www.pandasoftware.com/products/activescan.htm

 Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *Local Disks* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location.

In your next reply, please post a fresh HijackThis log, OTMoveIt log and Panda ActiveScan log. Thanks.
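As an added example (my own code, not part of this thread and not a HijackThis feature), here is a small Python triage script that applies the pattern behind the fix list above to a subset of the posted log: unnamed BHOs loaded from under C:\WINNT, Run values with bare lowercase names that start a file from the Windows directory, values registered in both HKLM and HKCU, and every Winlogon Notify DLL are pulled out for a human to review. The heuristics and the SAMPLE_LOG subset are assumptions I constructed from the lines in this thread; they produce candidates, not verdicts.

```python
"""Triage a HijackThis log: surface the O2/O4/O20 entries a responder should inspect.

Heuristics (constructed for this example; simple on purpose, they flag candidates only):
  O2  - a BHO reported as "(no name)" whose DLL lives under the Windows directory
  O4  - a Run value whose name is a bare lowercase word and which starts a file from
        the Windows directory; separately, any value present in both HKLM and HKCU
  O20 - every Winlogon Notify DLL, with a note when the same DLL is also an O2 hit
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the HijackThis lines posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {212CC212-DC60-43F8-B877-114B71949415} - c:\winnt\system32\umtacudx.dll
O2 - BHO: (no name) - {2E62C6B8-D531-4661-B5DC-8248844D7A8A} - c:\winnt\system32\d3dimr.dll
O2 - BHO: (no name) - {7BA59E75-432C-41E2-A1AC-7C55FB42A2F4} - C:\WINNT\System32\comresu.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ijrbbpd] C:\WINNT\ptcore.exe
O4 - HKLM\..\Run: [kgvymi] C:\WINNT\system32\kgvymi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [kgvymi] C:\WINNT\system32\kgvymi.exe
O20 - Winlogon Notify: hmbdkint - C:\WINNT\SYSTEM32\d3dimr.dll
"""

# Line shapes used by HijackThis 2.x for the three sections we care about.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
WINDIR_RE = re.compile(r"^[a-z]:\\(winnt|windows)\\", re.IGNORECASE)
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # "O2", "O4" or "O20"
    path: str      # file the entry loads or starts
    reason: str
    line: str      # the original log line, for the reply


@dataclass
class Report:
    findings: list = field(default_factory=list)
    cross_hive_values: set = field(default_factory=set)  # Run names seen in both hives

    def by_section(self, section):
        return [f for f in self.findings if f.section == section]

    def flagged_files(self):
        """Lower-cased basenames of every flagged file: the list a responder would collect."""
        return {f.path.rsplit("\\", 1)[-1].lower() for f in self.findings}


def in_windir(path):
    return bool(WINDIR_RE.match(path))


def command_exe(cmd):
    """Executable part of a Run command (quotes stripped), or None if there is no .exe."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else None


def analyze(log_text):
    report = Report()
    bho_paths = set()   # lower-cased DLL paths of flagged O2 entries
    hives = {}          # run value name (lower) -> set of hives it appears in
    notify = []         # O20 entries, resolved once all O2 lines have been seen
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            path = m.group("path")
            if m.group("name") == "(no name)" and in_windir(path):
                bho_paths.add(path.lower())
                report.findings.append(Finding("O2", path, "unnamed BHO loaded from the Windows directory", line))
        elif m := O4_RE.match(line):
            value, exe = m.group("value"), command_exe(m.group("cmd"))
            hives.setdefault(value.lower(), set()).add(m.group("hive"))
            if exe and in_windir(exe) and value.isalpha() and value.islower():
                report.findings.append(Finding("O4", exe, "bare lowercase Run name starting a file from the Windows directory", line))
        elif m := O20_RE.match(line):
            notify.append((m.group("path"), line))
    for path, line in notify:
        reason = "Winlogon Notify DLL: loaded into winlogon.exe at every logon"
        if path.lower() in bho_paths:
            reason += "; the same DLL is also registered as an unnamed BHO"
        report.findings.append(Finding("O20", path, reason, line))
    report.cross_hive_values = {v for v, h in hives.items() if {"HKLM", "HKCU"} <= h}
    return report


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    for f in rep.findings:
        print(f"{f.section:<4}{f.reason}\n    {f.line}")
    print("in both HKLM and HKCU:", sorted(rep.cross_hive_values))
    print("files to collect:", sorted(rep.flagged_files()))
```

On the sample above the collected file set is exactly the five files in the OTMoveIt list; on another machine's log the same rules will also catch legitimate OEM entries, so treat the output as a review queue.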


----------



## Vivsky (Sep 5, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:29:12 PM, on 9/6/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\System32\ctfmon.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\System32\HPZipm12.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {212CC212-DC60-43F8-B877-114B71949415} - c:\winnt\system32\umtacudx.dll
O2 - BHO: (no name) - {2E62C6B8-D531-4661-B5DC-8248844D7A8A} - c:\winnt\system32\d3dimr.dll
O2 - BHO: (no name) - {7BA59E75-432C-41E2-A1AC-7C55FB42A2F4} - C:\WINNT\System32\comresu.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak Picture Easy 3.1 Batch Transfer.lnk = C:\Program Files\Kodak\Picture Easy Software\Program\PezDownload.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://quickplace.pmllp.com/qp2.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://we.pmllp.com/ANAR-LNMail1/iNotes.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://we.pmllp.com/ANAR-LNMAIL1/iNotes6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/20120b8e43bf2d8ea622/netzip/RdxIE601.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.4.0.0) Control) - http://bowwow4.serveftp.com/cab/Live.cab
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - http://www.worldwinner.com/games/shared/uninstall.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O20 - Winlogon Notify: hmbdkint - C:\WINNT\SYSTEM32\d3dimr.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10899 bytes

OTMoveIt Results:

c:\winnt\system32\umtacudx.dll NOT unregistered.
c:\winnt\system32\umtacudx.dll moved successfully.
c:\winnt\system32\d3dimr.dll NOT unregistered.
File move failed. c:\winnt\system32\d3dimr.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\WINNT\System32\comresu.dll
C:\WINNT\System32\comresu.dll NOT unregistered.
File move failed. C:\WINNT\System32\comresu.dll scheduled to be moved on reboot.
File/Folder C:\WINNT\ptcore.exe not found.
C:\WINNT\system32\kgvymi.exe moved successfully.

Created on 09/05/2007 20:28:33

Active Scan:

Incident Status Location

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Vivian Brososky\Cookies\vivian [email protected][1].txt 
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Vivian Brososky\Cookies\vivian [email protected][2].txt 
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Vivian Brososky\Cookies\vivian [email protected][2].txt 
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Vivian Brososky\Cookies\vivian [email protected][1].txt 
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Vivian Brososky\Cookies\vivian [email protected][1].txt 
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Vivian Brososky\Cookies\vivian [email protected][2].txt 
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Vivian Brososky\Cookies\vivian [email protected][1].txt 
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Vivian Brososky\Cookies\vivian [email protected][2].txt 
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Vivian Brososky\Cookies\vivian [email protected][1].txt 
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Vivian Brososky\Cookies\vivian [email protected][1].txt 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Zachary Brososky\Cookies\zachary [email protected][1].txt 
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Zachary Brososky\Cookies\zachary [email protected][2].txt 
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Zachary Brososky\Cookies\zachary [email protected][2].txt 
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Zachary Brososky\Cookies\zachary [email protected][1].txt 
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Zachary Brososky\Cookies\zachary [email protected][1].txt 
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Zachary Brososky\Local Settings\Temp\Cookies\zachary [email protected][1].txt 
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Zachary Brososky\Local Settings\Temp\Cookies\zachary [email protected]mt[2].txt 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Zachary Brososky\Local Settings\Temp\Cookies\zachary [email protected][1].txt 
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Zachary Brososky\Local Settings\Temp\Cookies\zachary [email protected][1].txt 
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\Documents and Settings\Zachary Brososky\Local Settings\Temp\p2psetup.exe 
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\fixwareout\FindT\nircmd.exe 
Adware:Adware/NavHelper Not disinfected C:\Program Files\ares\areslite181.exe 
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\Program Files\Kazaa\bdcore.dll.updpnd 
Adware:Adware/NetPals Not disinfected C:\WINNT\Downloaded Program Files\ATPartners.inf 
Adware:Adware/MSView Not disinfected C:\WINNT\inf\MSView.inf 
Virus:Trj/Spammer.ZX Disinfected C:\WINNT\system32\koos.exe 
Hacktool:Rootkit/Spammer.ZX Not disinfected C:\WINNT\system32\kprof 
Potentially unwanted tool:Application/P2PNetworking Not disinfected  C:\WINNT\system32\P2P Networking v1256.cpl 
Hacktool:Rootkit/Spammer.ZX Not disinfected C:\WINNT\system32\poof


----------



## sjpritch25 (Sep 8, 2005)

You are still infected.

Download Combofix and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Note: It is important that it is saved directly to your desktop.

Close any open browsers.

Double-click on ComboFix.exe and follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt and a fresh Hijackthis log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
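The "still infected" call can be read straight off the HijackThis log above: three unnamed BHOs load directly from system32, one of them (d3dimr.dll) is also hooked as a Winlogon Notify DLL, and the PictureTaker service points at a missing file. The triage script below is an added example, not a tool from this thread or from Trend Micro; the heuristics and the `parse_hjt`/`triage`/`report` names are the editor's own, and the sample input is an excerpt of the log posted above.

```python
"""Triage heuristics for HijackThis v2 log lines (added example, not a thread tool).

Flags the patterns the helper acted on in this thread: unnamed BHOs loading
straight from system32, a Winlogon Notify DLL that is also registered as a
BHO, and services whose binary is missing. The heuristics and function names
are the editor's assumptions, not HijackThis or Trend Micro logic.
"""
import re

# Every HJT entry starts with a section code such as R0, F2, O2, O20, O23.
_ENTRY = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")

# Constructed sample: an excerpt of the 9/6/2007 log posted in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:29:12 PM, on 9/6/2007

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {212CC212-DC60-43F8-B877-114B71949415} - c:\winnt\system32\umtacudx.dll
O2 - BHO: (no name) - {2E62C6B8-D531-4661-B5DC-8248844D7A8A} - c:\winnt\system32\d3dimr.dll
O2 - BHO: (no name) - {7BA59E75-432C-41E2-A1AC-7C55FB42A2F4} - C:\WINNT\System32\comresu.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O20 - Winlogon Notify: hmbdkint - C:\WINNT\SYSTEM32\d3dimr.dll
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""


def parse_hjt(text):
    """Return a list of (section, body) tuples, one per HJT entry line."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def _path_of(body):
    """HJT prints the file path as the last ' - ' separated field."""
    return body.rsplit(" - ", 1)[-1].strip()


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_system32(path):
    """True when the file sits directly inside a ...\\system32\\ directory."""
    p = path.lower()
    if "\\system32\\" not in p:
        return False
    tail = p.split("\\system32\\", 1)[1]
    return "\\" not in tail


def triage(entries):
    """Return (severity, section, reason, path) findings for suspicious entries."""
    findings = []
    bho_dlls = {}
    # Pass 1: collect every BHO so later sections can be cross-referenced.
    for section, body in entries:
        if section == "O2":
            path = _path_of(body)
            bho_dlls[_basename(path)] = path
            if body.startswith("BHO: (no name)") and _in_system32(path):
                findings.append(("high", section,
                                 "unnamed BHO loading directly from system32", path))
    # Pass 2: persistence hooks and broken services.
    for section, body in entries:
        if section == "O20":
            path = _path_of(body)
            if _basename(path) in bho_dlls:
                findings.append(("high", section,
                                 "Winlogon Notify DLL is also registered as a BHO", path))
        elif section == "O23" and body.endswith("(file missing)"):
            path = _path_of(body).replace(" (file missing)", "")
            findings.append(("low", section,
                             "service points at a missing binary", path))
    return findings


def report(text):
    """Parse a whole log and return findings, high severity first."""
    order = {"high": 0, "low": 1}
    return sorted(triage(parse_hjt(text)),
                  key=lambda f: (order[f[0]], f[1], f[3].lower()))


if __name__ == "__main__":
    for severity, section, reason, path in report(SAMPLE_LOG):
        print(f"[{severity:4}] {section:<4} {reason}: {path}")
```

On the excerpt above this yields four high findings (the three system32 BHOs plus the O20 hook on d3dimr.dll) and one low finding for PictureTaker; the Symantec and Microsoft Money BHOs, although also "(no name)", are not flagged because they load from vendor directories.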


----------



## Vivsky (Sep 5, 2007)

ComboFix 07-08-30.3 - "Vivsky" 2007-09-07 6:00:14.1 - NTFSx86 
Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.152 [GMT -4:00]
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\VIVIAN~1\Desktop\internet explorer.lnk
C:\WINNT\system32\koos.exe
C:\WINNT\system32\kprof
C:\WINNT\system32\poof
C:\WINNT\system32\system
C:\WINNT\system32\system\msxml4.dll
C:\WINNT\system32\system\msxml4r.dll

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_POOF

((((((((((((((((((((((((( Files Created from 2007-08-07 to 2007-09-07 )))))))))))))))))))))))))))))))

2007-09-07 05:58	51,200	--a------	C:\WINNT\nircmd.exe
2007-09-06 17:12	68,608	--a------	C:\WINNT\system32\umtacudx.dll
2007-09-05 20:41 d--------	C:\WINNT\system32\ActiveScan
2007-09-05 16:58 d--------	C:\Program Files\Trend Micro
2007-09-05 10:40 d--------	C:\Program Files\Browser Hijack Recover
2007-09-04 10:15	756,736	--a------	C:\WINNT\system32\ciztyfxy.dll
2007-09-04 10:15	684,567	--a------	C:\WINNT\system32\libeay32.dll
2007-09-04 10:15	48,128	--a------	C:\WINNT\system32\pyuznkpk.dll
2007-09-04 10:15	47,616	--a------	C:\WINNT\system32\wsumxgvj.dll
2007-09-04 10:15	147,729	--a------	C:\WINNT\system32\libssl32.dll
2007-09-04 10:15	129,536	--a------	C:\WINNT\system32\lymtafmu.dll
2007-09-04 10:15	103,936	--a------	C:\WINNT\system32\bedazsad.dll
2007-09-04 09:29	80,896	--a------	C:\WINNT\system32\d3dimr.dll
2007-09-04 09:28	102,037	--a------	C:\WINNT\system32\comresu.dll
2007-09-04 09:26	58,368	--a------	C:\WINNT\system32\dpvac.dll
2007-09-04 09:26	17,280 C:\WINNT\system32\drivers\evgmqxuy.sys
2007-08-17 21:53 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-08-08 17:55 d--------	C:\DDCMyDocs
2007-08-08 17:54 d--------	C:\Program Files\DDC Training

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-07 05:45	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-09-06 19:13	---------	d--------	C:\Program Files\Norton Password Manager
2007-09-06 19:13	---------	d--------	C:\Program Files\Norton Internet Security
2007-09-06 19:07	---------	d--------	C:\Program Files\Microsoft IntelliType Pro
2007-09-06 19:07	---------	d--------	C:\Program Files\Microsoft IntelliPoint
2007-09-06 18:57	---------	d--------	C:\Program Files\Common Files\Symantec Shared
2007-08-26 08:03	---------	d--------	C:\Program Files\Yahoo!
2007-08-17 22:21	---------	d--------	C:\DOCUME~1\VIVIAN~1\APPLIC~1\Yahoo!
2007-07-30 19:19	92504	--a------	C:\WINNT\system32\dllcache\cdm.dll
2007-07-30 19:19	92504	--a------	C:\WINNT\system32\cdm.dll
2007-07-30 19:19	549720	--a------	C:\WINNT\system32\wuapi.dll
2007-07-30 19:19	53080	--a------	C:\WINNT\system32\wuauclt.exe
2007-07-30 19:19	53080	--a------	C:\WINNT\system32\dllcache\wuauclt.exe
2007-07-30 19:19	43352	--a------	C:\WINNT\system32\wups2.dll
2007-07-30 19:19	325976	--a------	C:\WINNT\system32\wucltui.dll
2007-07-30 19:19	203096	--a------	C:\WINNT\system32\wuweb.dll
2007-07-30 19:19	1712984	--a------	C:\WINNT\system32\wuaueng.dll
2007-07-30 19:19	1712984	--a------	C:\WINNT\system32\dllcache\wuaueng.dll
2007-07-30 19:18	33624	--a------	C:\WINNT\system32\wups.dll
2007-07-30 18:32	---------	d--------	C:\Program Files\quickenw
2003-01-06 17:26	152336	--a------	C:\Program Files\kmd.exe
2002-05-14 18:24	497802	--a------	C:\Program Files\Recover Norton AntiVirus 2002 Pro.exe
2001-08-18 18:00:00	94,784	--sh--w	C:\WINNT\twain.dll
2001-08-18 18:00:00	46,592	--sh--w	C:\WINNT\twain_32.dll
2001-08-18 18:00:00	9,728	--sh--w	C:\WINNT\system32\regsvr32.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{212CC212-DC60-43F8-B877-114B71949415}]
2007-09-06 17:12	68608	--a------	c:\winnt\system32\umtacudx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E62C6B8-D531-4661-B5DC-8248844D7A8A}]
2007-09-06 17:12	80896	--a------	c:\winnt\system32\d3dimr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BA59E75-432C-41E2-A1AC-7C55FB42A2F4}]
2001-08-18 14:00	102037	--a------	C:\WINNT\System32\comresu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"GWMDMMSG"="GWMDMMSG.exe" [2001-08-15 22:25 C:\WINNT\GWMDMMSG.exe]
"Keyboard Preload Check"="C:\OEMDRVRS\KEYB\Preload.exe" []
"GWMDMpi"="C:\WINNT\GWMDMpi.exe" [2001-08-15 22:25]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2001-08-23 18:52]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 12:00]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2001-10-05 21:34]
"CXMon"="C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2000-08-14 17:48]
"HPDJ Taskbar Utility"="C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-23 04:05]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-10-02 20:00]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 19:44]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-07-17 01:19]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 13:36]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-03-30 23:12]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 04:51]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 04:50]
"AcctMgr"="C:\Program Files\Norton Password Manager\AcctMgr.exe" [2004-08-18 12:41]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"ccApp"="-" []
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-02-07 18:39]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [2001-07-25 12:00]
"ctfmon.exe"="C:\WINNT\System32\ctfmon.exe" [2001-08-18 14:00]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe" [2005-05-09 19:16]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hmbdkint] 
d3dimr.dll 2007-09-06 17:12 80896 C:\WINNT\system32\d3dimr.dll

R0 lffycjtc;lffycjtc;C:\WINNT\System32\drivers\evgmqxuy.sys
R0 ppa;Iomega Parallel Port Filter Driver;C:\WINNT\System32\DRIVERS\ppa.sys
R1 ATMhelpr;ATMhelpr;C:\WINNT\System32\drivers\ATMhelpr.sys
R1 cdudf_xp;cdudf_xp;C:\WINNT\System32\drivers\cdudf_xp.sys
R1 DCCAM;Kodak Camera Proxy;C:\WINNT\System32\DRIVERS\DcCam.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINNT\System32\drivers\DVDVRRdr_xp.sys
R1 pwd_2k;pwd_2k;C:\WINNT\System32\drivers\pwd_2k.sys
R1 Sk9920nt;PS/2 Keyboard Filter Driver for NT 4.0;C:\WINNT\System32\DRIVERS\Sk9920nt.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINNT\System32\drivers\UdfReadr_xp.sys
R2 ceagovhn;Microsoft IntelliPoint Filter Monitor;C:\WINNT\System32\svchost.exe -k netsvcs
R2 DCFS2K;Kodak DCFS2K Driver;C:\WINNT\System32\drivers\dcfs2k.sys
R2 mrtRate;mrtRate;C:\WINNT\System32\drivers\mrtRate.sys
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINNT\System32\DRIVERS\AN983.sys
R3 GTWModem;GTW V.92 Modem;C:\WINNT\System32\DRIVERS\GWMDM.sys
R3 mmc_2K;mmc_2K;C:\WINNT\System32\drivers\mmc_2K.sys
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINNT\System32\DRIVERS\point32.sys
S1 Exportit;Exportit;C:\WINNT\System32\DRIVERS\exportit.sys
S3 ati2mpaa;ati2mpaa;C:\WINNT\System32\DRIVERS\ati2mpaa.sys
S3 BCMModem;BCM V.90 56K Modem;C:\WINNT\System32\DRIVERS\BCMDM.sys
S3 DCamUSBConexant;Ezonics Ezcam II;C:\WINNT\System32\DRIVERS\Usbcone.sys
S3 DcFpoint;DcFpoint;C:\WINNT\System32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINNT\System32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINNT\System32\DRIVERS\DcPTP.sys
S3 dvd_2K;dvd_2K;C:\WINNT\System32\drivers\dvd_2K.sys
S3 iscFlash;iscFlash;\??\C:\WINNT\SYSTEM32\DRIVERS\iscflash.sys
S3 PCDRDRV;Pcdr Helper Driver;\??\C:\Atf\Qctest\PCDoc\PCDRDRV.sys
S3 Sk99202k;PS/2 Keyboard Filter Driver for Win2000;C:\WINNT\System32\DRIVERS\Sk99202k.sys
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;C:\WINNT\System32\DRIVERS\netusbxp.sys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ceagovhn

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-09-04 02:01:51 C:\WINNT\Tasks\Norton Internet Security - Run Full System Scan - Vivian Brososky.job 
2007-09-01 02:21:11 C:\WINNT\Tasks\Norton Internet Security - Weekly Scan - Vivian Brososky.job - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe
2007-06-30 04:00:02 C:\WINNT\Tasks\Symantec Drmc.job

**************************************************************************

disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

**************************************************************************

Completion time: 2007-09-07 6:21:24 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-07 06:20

--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:24:26 AM, on 9/7/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\wuauclt.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINNT\System32\ctfmon.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {212CC212-DC60-43F8-B877-114B71949415} - c:\winnt\system32\umtacudx.dll
O2 - BHO: (no name) - {2E62C6B8-D531-4661-B5DC-8248844D7A8A} - c:\winnt\system32\d3dimr.dll
O2 - BHO: (no name) - {7BA59E75-432C-41E2-A1AC-7C55FB42A2F4} - C:\WINNT\System32\comresu.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak Picture Easy 3.1 Batch Transfer.lnk = C:\Program Files\Kodak\Picture Easy Software\Program\PezDownload.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://quickplace.pmllp.com/qp2.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://we.pmllp.com/ANAR-LNMail1/iNotes.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://we.pmllp.com/ANAR-LNMAIL1/iNotes6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/20120b8e43bf2d8ea622/netzip/RdxIE601.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.4.0.0) Control) - http://bowwow4.serveftp.com/cab/Live.cab
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - http://www.worldwinner.com/games/shared/uninstall.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O20 - Winlogon Notify: hmbdkint - C:\WINNT\SYSTEM32\d3dimr.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10941 bytes


----------



## sjpritch25 (Sep 8, 2005)

Before I continue, I need you to do a virus scan on the following file.

You have a file I would like you to get analyzed. Please go to VirusTotal. At the very top of the website, you will see a Browse button. Use that to search for this file *C:\WINNT\System32\drivers\evgmqxuy.sys*. Then click on Send. This could take between 30 seconds and a couple of minutes. When you get the results, open Notepad, highlight the results, copy them to Notepad and save it as "Scan.txt". Save the text file "Scan.txt" to your desktop. Please include the file in your next post.

Note: You may need to unhide hidden files and folders.
*Configure Windows XP to show hidden files:*
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select* "Show hidden files and folders". *
Uncheck the *"Hide protected operating system files (recommended)*" option.
Uncheck the *"Hide file extensions for known file types"* option.
Click *Yes* to confirm. Click *OK.*

In your next reply, please include the scan log. Also, why do you not have any of the latest Windows updates??????


----------



## Vivsky (Sep 5, 2007)

I unhid files and folders before I started. I ran the file through as you stated, and the only thing that came up in the log was this:

0 bytes size received / Se ha recibido un archivo vacio (Spanish: an empty file was received)


Now what??

As far as Windows updates go, I've always been afraid of them. Long ago I was told that Windows updates are not all they're cracked up to be and can sometimes cause more problems than they are worth. So for a while, I did security updates only, but haven't done even those lately.


----------



## sjpritch25 (Sep 8, 2005)

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.
In the *Files Created Within* group click *30 days*
In the *Files Modified Within* group select *30 days*
In the *File String Search* group select *Non-Microsoft*
In the *Drivers Services* group select *Non-Microsoft*
In the *Additional Scans* group select *Desktop Components*

Now click the *Run Scan* button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the *Add Reply* button and copy/paste the information back here. I will review it when it comes in.

*If it freezes you may want to run it in Safe Mode*!!!!!


----------



## Vivsky (Sep 5, 2007)

WinPFind3 logfile created on: 9/7/2007 6:40:59 PM
WinPFind3U by OldTimer - Version 1.0.42	Folder = C:\Documents and Settings\Vivian Brososky\Desktop\WinPFind3u\
Microsoft Windows XP (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2600.0000)

511.30 Mb Total Physical Memory | 136.54 Mb Available Physical Memory | 26.70% Memory free
1.22 Gb Paging File | 0.87 Gb Available in Paging File | 71.46% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 45.14 Gb Free Space | 60.56% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 93.34 Gb Total Space | 89.34 Gb Free Space | 95.71% Space Free

Computer Name: MAIN
Current User Name: Vivian Brososky
Logged in as Administrator.
Current Boot Mode: Normal

[Processes - Non-Microsoft Only]
acctmgr.exe -> %ProgramFiles%\Norton Password Manager\AcctMgr.exe -> Symantec Corporation [Ver = 2004.1.406 | Size = 586896 bytes | Modified Date = 8/18/2004 12:41:34 PM | Attr = ]
aluschedulersvc.exe -> %ProgramFiles%\Symantec\LiveUpdate\ALUSchedulerSvc.exe -> Symantec Corporation [Ver = 3.2.0.43 | Size = 554616 bytes | Modified Date = 1/31/2007 4:11:42 PM | Attr = ]
appsvc32.exe -> %CommonProgramFiles%\Symantec Shared\AppCore\AppSvc32.exe -> Symantec Corporation [Ver = 1.1.1.3 | Size = 47712 bytes | Modified Date = 1/5/2007 8:37:56 PM | Attr = ]
ccsvchst.exe -> %CommonProgramFiles%\Symantec Shared\ccSvcHst.exe -> Symantec Corporation [Ver = 106.2.0.21 | Size = 108648 bytes | Modified Date = 1/10/2007 12:59:32 AM | Attr = ]
ctsvccda.exe -> %System32%\CTsvcCDA.exe -> Creative Technology Ltd [Ver = 1.0.1.0 | Size = 44032 bytes | Modified Date = 12/13/1999 3:01:00 AM | Attr = ]
devldr32.exe -> %System32%\devldr32.exe -> Creative Technology Ltd. [Ver = 1, 0, 0, 22 | Size = 25600 bytes | Modified Date = 8/31/2001 2:44:30 PM | Attr = ]
directcd.exe -> %ProgramFiles%\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe -> Roxio [Ver = 5.3.5.10 | Size = 684032 bytes | Modified Date = 10/2/2003 8:00:50 PM | Attr = ]
drgtodsc.exe -> %ProgramFiles%\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe -> Roxio [Ver = 6.1.1.17 | Size = 868352 bytes | Modified Date = 7/17/2003 1:19:54 AM | Attr = ]
gwmdmmsg.exe -> %SystemRoot%\GWMDMMSG.exe -> GTW [Ver = 3.3.13.1 08/07/2001 18:57:35 | Size = 100913 bytes | Modified Date = 8/15/2001 10:25:02 PM | Attr = ]
hpcmpmgr.exe -> %ProgramFiles%\HP\hpcoretech\hpcmpmgr.exe -> Hewlett-Packard Company [Ver = 2.1.1.0 | Size = 241664 bytes | Modified Date = 5/12/2004 3:18:56 PM | Attr = ]
hpi_monitor.exe -> %ProgramFiles%\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe -> Hewlett-Packard Company [Ver = 2.4.0.2 | Size = 32768 bytes | Modified Date = 8/14/2000 5:48:06 PM | Attr = ]
hpqgalry.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqgalry.exe -> Hewlett-Packard Co. [Ver = 043.001.005.000 | Size = 520192 bytes | Modified Date = 5/28/2004 11:08:52 PM | Attr = ]
hpqtra08.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> Hewlett-Packard Co. [Ver = 43.1.5.000 | Size = 241664 bytes | Modified Date = 5/28/2004 10:31:38 PM | Attr = ]
hpwuschd2.exe -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Co. [Ver = 50.0.146.000 | Size = 49152 bytes | Modified Date = 2/16/2005 11:11:42 PM | Attr = ]
hpzipm12.exe -> %System32%\HPZipm12.exe -> HP [Ver = 8, 0, 0, 0 | Size = 65536 bytes | Modified Date = 3/18/2004 4:55:48 PM | Attr = ]
hpztsb10.exe -> %System32%\spool\drivers\w32x86\3\hpztsb10.exe -> HP [Ver = 2.323.0.0 | Size = 172032 bytes | Modified Date = 3/23/2004 4:05:42 AM | Attr = ]
kodakccs.exe -> %System32%\drivers\KodakCCS.exe -> Eastman Kodak Company [Ver = 1.1.5100.4 | Size = 322104 bytes | Modified Date = 5/24/2004 1:35:52 PM | Attr = ]
mmtask.exe -> %ProgramFiles%\MusicMatch\MusicMatch Jukebox\mmtask.exe -> TODO: <Company name> [Ver = 1.0.0.1 | Size = 53248 bytes | Modified Date = 3/30/2004 11:12:56 PM | Attr = ]
mssysmgr.exe -> %ProgramFiles%\Comcast\Comcast PhotoShow 4\data\Xtras\mssysmgr.exe -> Simple Star, Inc. [Ver = 4.0.0.0 | Size = 192512 bytes | Modified Date = 5/9/2005 7:16:16 PM | Attr = ]
nvsvc32.exe -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 5.13.01.1520 | Size = 57344 bytes | Modified Date = 8/31/2001 1:56:00 AM | Attr = ]
pezdownload.exe -> %ProgramFiles%\Kodak\Picture Easy Software\Program\PezDownload.exe -> Eastman Kodak Company [Ver = 1, 0, 1, 0 | Size = 39424 bytes | Modified Date = 9/9/1998 4:26:28 PM | Attr = ]
playlist.exe -> %ProgramFiles%\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe -> Roxio, Inc. [Ver = 1.1.277 | Size = 118784 bytes | Modified Date = 7/15/2003 1:36:50 PM | Attr = ]
rxmon.exe -> %ProgramFiles%\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe -> Roxio, Inc. [Ver = 1.1.277 | Size = 319488 bytes | Modified Date = 7/15/2003 1:36:50 PM | Attr = ]
symlcsvc.exe -> %CommonProgramFiles%\Symantec Shared\CCPD-LC\symlcsvc.exe -> [Ver = | Size = 1247600 bytes | Modified Date = 9/6/2007 9:21:18 PM | Attr = ]
viewmgr.exe -> %ProgramFiles%\Viewpoint\Viewpoint Manager\ViewMgr.exe -> Viewpoint Corporation [Ver = 2, 0, 0, 54 | Size = 112336 bytes | Modified Date = 1/4/2007 5:38:20 PM | Attr = ]
viewpointservice.exe -> %ProgramFiles%\Viewpoint\Common\ViewpointService.exe -> Viewpoint Corporation [Ver = 2, 0, 0, 54 | Size = 24652 bytes | Modified Date = 1/4/2007 5:38:10 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 9/4/2007 10:47:26 AM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Automatic LiveUpdate Scheduler) Automatic LiveUpdate Scheduler [Win32_Own | Auto | Running] -> %ProgramFiles%\Symantec\LiveUpdate\ALUSchedulerSvc.exe -> Symantec Corporation [Ver = 3.2.0.43 | Size = 554616 bytes | Modified Date = 1/31/2007 4:11:42 PM | Attr = ]
(ccEvtMgr) Symantec Event Manager [Win32_Shared | Disabled | Stopped] -> -> File not found
(ccSetMgr) Symantec Settings Manager [Win32_Shared | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\ccSvcHst.exe -> Symantec Corporation [Ver = 106.2.0.21 | Size = 108648 bytes | Modified Date = 1/10/2007 12:59:32 AM | Attr = ]
(CLTNetCnService) Symantec Lic NetConnect service [Win32_Shared | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\ccSvcHst.exe -> Symantec Corporation [Ver = 106.2.0.21 | Size = 108648 bytes | Modified Date = 1/10/2007 12:59:32 AM | Attr = ]
(comHost) COM Host [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\VAScanner\comHost.exe -> Symantec Corporation [Ver = 1.2.0.28 | Size = 49248 bytes | Modified Date = 1/12/2007 10:40:58 PM | Attr = ]
(Creative Service for CDROM Access) Creative Service for CDROM Access [Win32_Own | Auto | Running] -> %System32%\CTsvcCDA.exe -> Creative Technology Ltd [Ver = 1.0.1.0 | Size = 44032 bytes | Modified Date = 12/13/1999 3:01:00 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.0.503.0 | Size = 204800 bytes | Modified Date = 8/18/2001 2:00:00 PM | Attr = ]
(ISPwdSvc) Symantec IS Password Validation [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Norton Internet Security\isPwdSvc.exe -> Symantec Corporation [Ver = 10.3.0.3 | Size = 80504 bytes | Modified Date = 2/7/2007 6:39:06 PM | Attr = ]
(KodakCCS) Kodak Camera Connection Software [Win32_Own | Auto | Running] -> %System32%\drivers\KodakCCS.exe -> Eastman Kodak Company [Ver = 1.1.5100.4 | Size = 322104 bytes | Modified Date = 5/24/2004 1:35:52 PM | Attr = ]
(LiveUpdate) LiveUpdate [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Symantec\LiveUpdate\LuComServer_3_2.EXE -> Symantec Corporation [Ver = 3.2.0.43 | Size = 2975352 bytes | Modified Date = 1/31/2007 4:11:42 PM | Attr = ]
(NVSvc) NVIDIA Driver Helper Service [Win32_Own | Auto | Running] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 5.13.01.1520 | Size = 57344 bytes | Modified Date = 8/31/2001 1:56:00 AM | Attr = ]
(PictureTaker) PictureTaker [Win32_Own | On_Demand | Stopped] -> %SystemDrive%\fixit\pt\PCTKRNT.SYS -> File not found
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | On_Demand | Running] -> %System32%\HPZipm12.exe -> HP [Ver = 8, 0, 0, 0 | Size = 65536 bytes | Modified Date = 3/18/2004 4:55:48 PM | Attr = ]
(Symantec Core LC) Symantec Core LC [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\CCPD-LC\symlcsvc.exe -> [Ver = | Size = 1247600 bytes | Modified Date = 9/6/2007 9:21:18 PM | Attr = ]
(SymAppCore) Symantec AppCore Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\AppCore\AppSvc32.exe -> Symantec Corporation [Ver = 1.1.1.3 | Size = 47712 bytes | Modified Date = 1/5/2007 8:37:56 PM | Attr = ]
(Viewpoint Manager Service) Viewpoint Manager Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Viewpoint\Common\ViewpointService.exe -> Viewpoint Corporation [Ver = 2, 0, 0, 54 | Size = 24652 bytes | Modified Date = 1/4/2007 5:38:10 PM | Attr = ]

[Driver Services - Non-Microsoft Only]
(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] -> -> File not found
(abp480n5) abp480n5 [Kernel | Disabled | Stopped] -> -> File not found
(ac97intc) Intel(r) 82801 Audio Driver Install Service (WDM) [Kernel | On_Demand | Stopped] -> %System32%\drivers\ac97intc.sys -> Intel Corporation [Ver = 5.10.3523 built by: WinDDK | Size = 96256 bytes | Modified Date = 8/17/2001 2:20:04 PM | Attr = ]
(AFS2K) AFS2K [Kernel | System | Running] -> %System32%\drivers\AFS2K.SYS -> Oak Technology Inc. [Ver = 3.1.20.1064 | Size = 43672 bytes | Modified Date = 7/3/2004 8:54:34 AM | Attr = ]
(Aha154x) Aha154x [Kernel | Disabled | Stopped] -> -> File not found
(aic78xx) aic78xx [Kernel | Disabled | Stopped] -> -> File not found
(AliIde) AliIde [Kernel | Disabled | Stopped] -> -> File not found
(amsint) amsint [Kernel | Disabled | Stopped] -> -> File not found
(AN983) ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter [Kernel | On_Demand | Running] -> %System32%\drivers\an983.sys -> ADMtek Incorporated. [Ver = 2.12.0507.2001 built by: WinDDK | Size = 34112 bytes | Modified Date = 8/17/2001 2:11:16 PM | Attr = ]
(asc) asc [Kernel | Disabled | Stopped] -> -> File not found
(asc3350p) asc3350p [Kernel | Disabled | Stopped] -> -> File not found
(asc3550) asc3550 [Kernel | Disabled | Stopped] -> -> File not found
(Atdisk) Atdisk [Kernel | Disabled | Stopped] -> -> File not found
(ati2mpaa) ati2mpaa [Kernel | On_Demand | Stopped] -> %System32%\drivers\ati2mpaa.sys -> ATI Technologies Inc. [Ver = 5.10.108 (ReleasedBinaries.010715-1631) | Size = 281856 bytes | Modified Date = 8/17/2001 2:48:52 PM | Attr = ]
(ATMhelpr) ATMhelpr [Kernel | System | Running] -> %System32%\drivers\ATMHELPR.SYS -> Adobe Systems Incorporated [Ver = 4.0 Build 85 | Size = 4064 bytes | Modified Date = 6/17/1997 4:00:00 AM | Attr = ]
(BCMModem) BCM V.90 56K Modem [Kernel | On_Demand | Stopped] -> %System32%\drivers\BCMDM.sys -> BCM [Ver = 3.2.12.9 07/17/2001 14:21:30 | Size = 871388 bytes | Modified Date = 8/17/2001 3:28:00 PM | Attr = ]
(catchme) catchme [Kernel | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\VIVIAN~1\LOCALS~1\Temp\catchme.sys -> File not found
(cd20xrnt) cd20xrnt [Kernel | Disabled | Stopped] -> -> File not found
(Cdr4_xp) Cdr4_xp [Kernel | System | Running] -> %System32%\drivers\cdr4_xp.sys -> Roxio [Ver = 6.1.1.17 | Size = 66992 bytes | Modified Date = 7/17/2003 1:19:56 AM | Attr = ]
(Cdralw2k) Cdralw2k [Kernel | System | Running] -> %System32%\drivers\cdralw2k.sys -> Roxio [Ver = 6.1.1.17 | Size = 24698 bytes | Modified Date = 7/17/2003 1:19:56 AM | Attr = ]
(cdudf_xp) cdudf_xp [File_System | System | Running] -> %System32%\drivers\Cdudf_xp.sys -> Roxio [Ver = 6.1.1.17 built by: WinDDK | Size = 259328 bytes | Modified Date = 7/17/2003 1:19:56 AM | Attr = ]
(Changer) Changer [Kernel | System | Stopped] -> -> File not found
(CmdIde) CmdIde [Kernel | Disabled | Stopped] -> -> File not found
(Cpqarray) Cpqarray [Kernel | Disabled | Stopped] -> -> File not found
(ctljystk) Creative SBLive! Gameport [Kernel | On_Demand | Running] -> %System32%\drivers\ctljystk.sys -> Creative Technology Ltd. [Ver = 5.1.2501.0 built by: WinDDK | Size = 3712 bytes | Modified Date = 8/17/2001 2:19:20 PM | Attr = ]
(dac960nt) dac960nt [Kernel | Disabled | Stopped] -> -> File not found
(DCamUSBConexant) Ezonics Ezcam II [Kernel | On_Demand | Stopped] -> %System32%\drivers\usbcone.sys -> Conexant Systems, Inc. [Ver = 2, 1, 21, 0 | Size = 82560 bytes | Modified Date = 7/14/2000 2:32:10 PM | Attr = ]
(DCamUSBSQTECH) Dual-Mode DSC(2770) [Kernel | On_Demand | Stopped] -> %System32%\drivers\SQCaptur.sys -> Service & Quality Technology. [Ver = 1.89.108.2 | Size = 30921 bytes | Modified Date = 1/10/2003 11:56:34 AM | Attr = ]
(DCCAM) Kodak Camera Proxy [Kernel | System | Running] -> %System32%\drivers\DcCam.sys -> Eastman Kodak Company [Ver = 1.5.0502.0 | Size = 36918 bytes | Modified Date = 5/20/2004 9:21:10 AM | Attr = ]
(DcFpoint) DcFpoint [Kernel | On_Demand | Stopped] -> %System32%\drivers\DcFpoint.sys -> Eastman Kodak Company [Ver = 1.5.0502.0 | Size = 61564 bytes | Modified Date = 5/20/2004 9:41:54 AM | Attr = ]
(DCFS2K) Kodak DCFS2K Driver [Kernel | Auto | Running] -> %System32%\drivers\DCFS2k.sys -> Eastman Kodak Company [Ver = 1.0.4100.7 | Size = 38705 bytes | Modified Date = 6/2/2004 2:19:00 PM | Attr = ]
(DcLps) Legacy Polling Service [Kernel | On_Demand | Stopped] -> %System32%\drivers\DcLps.sys -> Eastman Kodak Company [Ver = 1.5.0502.0 | Size = 8022 bytes | Modified Date = 5/20/2004 9:39:42 AM | Attr = ]
(DcPTP) DcPTP [Kernel | On_Demand | Stopped] -> %System32%\drivers\DcPtp.sys -> Eastman Kodak Company [Ver = 1.5.0502.0 | Size = 68950 bytes | Modified Date = 5/20/2004 9:45:20 AM | Attr = ]
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %System32%\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.0.503.0 | Size = 780928 bytes | Modified Date = 8/18/2001 2:00:00 PM | Attr = ]
(dmio) dmio [Kernel | Disabled | Stopped] -> %System32%\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.0.503.0 | Size = 146304 bytes | Modified Date = 8/18/2001 2:00:00 PM | Attr = ]
(dmload) dmload [Kernel | Disabled | Stopped] -> %System32%\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 8/18/2001 2:00:00 PM | Attr = ]
(dpti2o) dpti2o [Kernel | Disabled | Stopped] -> -> File not found
(DVDVRRdr_xp) DVDVRRdr_xp [File_System | System | Running] -> %System32%\drivers\DVDVRRdr_xp.sys -> Roxio [Ver = 6.1.1.17 built by: WinDDK | Size = 146560 bytes | Modified Date = 7/17/2003 1:19:56 AM | Attr = ]
(dvd_2K) dvd_2K [Kernel | On_Demand | Stopped] -> %System32%\drivers\Dvd_2k.sys -> Roxio [Ver = 6.1.1.17 | Size = 21993 bytes | Modified Date = 7/17/2003 1:19:56 AM | Attr = ]
(eeCtrl) Symantec Eraser Control driver [Kernel | System | Running] -> %CommonProgramFiles%\Symantec Shared\EENGINE\eeCtrl.sys -> Symantec Corporation [Ver = 107.3.3.4 | Size = 395312 bytes | Modified Date = 8/30/2007 4:00:00 AM | Attr = ]
(EL90XBC) 3Com EtherLink XL 90XB/C Adapter Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\el90xbc5.sys -> 3Com Corporation [Ver = 4.05.00.0000 | Size = 66591 bytes | Modified Date = 8/17/2001 2:11:06 PM | Attr = ]
(emu10k) Creative SB Live! Value (WDM) [Kernel | On_Demand | Running] -> %System32%\drivers\emu10k1f.sys -> Creative Technology Ltd. [Ver = 5.12.01.3511 | Size = 777088 bytes | Modified Date = 9/13/2001 7:09:48 PM | Attr = ]
(emu10k1) Creative Interface Manager Driver (WDM) [Kernel | On_Demand | Running] -> %System32%\drivers\ctlface.sys -> Creative Technology Ltd. [Ver = 5.12.01.2110 | Size = 6912 bytes | Modified Date = 7/11/2001 12:34:52 PM | Attr = ]
(EraserUtilRebootDrv) EraserUtilRebootDrv [Kernel | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -> Symantec Corporation [Ver = 107.3.3.4 | Size = 112688 bytes | Modified Date = 8/30/2007 4:00:00 AM | Attr = ]
(Exportit) Exportit [Kernel | System | Stopped] -> %System32%\drivers\ExportIt.sys -> Eastman Kodak Company [Ver = 1.0.8900.7 | Size = 151985 bytes | Modified Date = 6/2/2004 2:17:56 PM | Attr = ]
(GTWModem) GTW V.92 Modem [Kernel | On_Demand | Running] -> %System32%\drivers\GWMDM.sys -> GTW [Ver = 3.3.13.1 08/03/2001 21:03:12 | Size = 1141888 bytes | Modified Date = 8/15/2001 10:25:06 PM | Attr = ]
(hpn) hpn [Kernel | Disabled | Stopped] -> -> File not found
(hpt3xx) hpt3xx [Kernel | Disabled | Stopped] -> -> File not found
(HPZid412) IEEE-1284.4 Driver HPZid412 [Kernel | On_Demand | Running] -> %System32%\drivers\HPZid412.sys -> HP [Ver = 8, 0, 0, 0 | Size = 51088 bytes | Modified Date = 3/21/2004 9:35:48 AM | Attr = ]
(HPZipr12) Print Class Driver for IEEE-1284.4 HPZipr12 [Kernel | On_Demand | Running] -> %System32%\drivers\HPZipr12.sys -> HP [Ver = 8, 0, 0, 0 | Size = 16496 bytes | Modified Date = 3/21/2004 9:35:52 AM | Attr = ]
(HPZius12) USB to IEEE-1284.4 Translation Driver HPZius12 [Kernel | On_Demand | Running] -> %System32%\drivers\HPZius12.sys -> HP [Ver = 8, 0, 0, 0 | Size = 21744 bytes | Modified Date = 3/21/2004 9:35:58 AM | Attr = ]
(i2omgmt) i2omgmt [Kernel | System | Stopped] -> -> File not found
(i2omp) i2omp [Kernel | Disabled | Stopped] -> -> File not found
(ini910u) ini910u [Kernel | Disabled | Stopped] -> -> File not found
(iscFlash) iscFlash [Kernel | On_Demand | Stopped] -> %System32%\DRIVERS\iscflash.sys -> File not found
(lbrtfdc) lbrtfdc [Kernel | System | Stopped] -> -> File not found
(lffycjtc) lffycjtc [Kernel | Boot | Running] -> %System32%\drivers\evgmqxuy.sys -> [Ver = | Size = 17280 bytes | Modified Date = 9/4/2007 9:26:58 AM | Attr = ]
(LMouKE) Logitech SetPoint Mouse Filter Driver [Kernel | On_Demand | Stopped] -> System32\DRIVERS\LMouKE.Sys -> File not found
(MCSTRM) MCSTRM [Kernel | Auto | Running] -> %System32%\drivers\mcstrm.sys -> RealNetworks, Inc. [Ver = 5.0.2195.8 | Size = 8413 bytes | Modified Date = 5/15/2005 9:13:46 AM | Attr = ]
(mmc_2K) mmc_2K [Kernel | On_Demand | Running] -> %System32%\drivers\Mmc_2k.sys -> Roxio [Ver = 6.1.1.17 | Size = 22745 bytes | Modified Date = 7/17/2003 1:19:56 AM | Attr = ]
(mraid35x) mraid35x [Kernel | Disabled | Stopped] -> -> File not found
(mrtRate) mrtRate [Kernel | Auto | Running] -> %System32%\drivers\MrtRate.sys -> Marimba, Inc. [Ver = 2.01 | Size = 34916 bytes | Modified Date = 8/10/1999 2:51:58 PM | Attr = ]
(MxlW2k) MxlW2k [Kernel | On_Demand | Running] -> %System32%\drivers\MxlW2k.sys -> MusicMatch, Inc. [Ver = 1.1.0.121 | Size = 28352 bytes | Modified Date = 12/25/2004 4:31:48 PM | Attr = ]
(NAVENG) NAVENG [Kernel | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\VirusDefs\20070903.017\NAVENG.SYS -> Symantec Corporation [Ver = 20071.3.0.24 | Size = 81232 bytes | Modified Date = 7/17/2007 4:00:00 AM | Attr = ]
(NAVEX15) NAVEX15 [Kernel | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\VirusDefs\20070903.017\NAVEX15.SYS -> Symantec Corporation [Ver = 20071.3.0.24 | Size = 865904 bytes | Modified Date = 7/17/2007 4:00:00 AM | Attr = ]
(nv4) nv4 [Kernel | On_Demand | Running] -> %System32%\drivers\nv4_mini.sys -> NVIDIA Corporation [Ver = 5.13.01.1520 | Size = 829305 bytes | Modified Date = 8/31/2001 1:56:00 AM | Attr = ]
(PalmUSBD) PalmUSBD [Kernel | On_Demand | Stopped] -> system32\drivers\PalmUSBD.sys -> File not found
(PCDRDRV) Pcdr Helper Driver [Kernel | On_Demand | Stopped] -> %SystemDrive%\Atf\Qctest\PCDoc\PCDRDRV.sys -> File not found
(PcdrNt) PcdrNt [Kernel | On_Demand | Stopped] -> %System32%\drivers\PCDrNT.sys -> PC-Doctor Inc. [Ver = 4.0.7 | Size = 44192 bytes | Modified Date = 11/19/2001 1:44:54 PM | Attr = ]
(PCIDump) PCIDump [Kernel | System | Stopped] -> -> File not found
(PDCOMP) PDCOMP [Kernel | On_Demand | Stopped] -> -> File not found
(PDFRAME) PDFRAME [Kernel | On_Demand | Stopped] -> -> File not found
(PDRELI) PDRELI [Kernel | On_Demand | Stopped] -> -> File not found
(PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped] -> -> File not found
(perc2) perc2 [Kernel | Disabled | Stopped] -> -> File not found
(perc2hib) perc2hib [Kernel | Disabled | Stopped] -> -> File not found
(PfModNT) PfModNT [Kernel | Auto | Running] -> %System32%\PfModNT.sys -> Creative Technology Ltd. [Ver = 2.0.0.0 | Size = 6752 bytes | Modified Date = 12/17/1999 3:00:00 AM | Attr = ]
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %System32%\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 8/18/2001 2:00:00 PM | Attr = ]
(pwd_2k) pwd_2k [Kernel | System | Running] -> %System32%\drivers\pwd_2K.sys -> Roxio [Ver = 6.1.1.17 | Size = 118409 bytes | Modified Date = 7/17/2003 1:19:56 AM | Attr = ]
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %System32%\drivers\pxhelp20.sys -> Sonic Solutions [Ver = 2.02.62a | Size = 20016 bytes | Modified Date = 5/19/2004 1:33:44 PM | Attr = ]
(ql1080) ql1080 [Kernel | Disabled | Stopped] -> -> File not found
(Ql10wnt) Ql10wnt [Kernel | Disabled | Stopped] -> -> File not found
(ql12160) ql12160 [Kernel | Disabled | Stopped] -> -> File not found
(ql1240) ql1240 [Kernel | Disabled | Stopped] -> -> File not found
(ql1280) ql1280 [Kernel | Disabled | Stopped] -> -> File not found
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %System32%\drivers\secdrv.sys -> [Ver = | Size = 27440 bytes | Modified Date = 8/18/2001 2:00:00 PM | Attr = ]
(sfman) Creative SoundFont Manager Driver (WDM) [Kernel | On_Demand | Running] -> %System32%\drivers\sfman.sys -> Creative Technology Ltd. [Ver = 4.10.3302 | Size = 36992 bytes | Modified Date = 8/31/2001 2:37:58 PM | Attr = ]
(Simbad) Simbad [Kernel | Disabled | Stopped] -> -> File not found
(Sk99202k) PS/2 Keyboard Filter Driver for Win2000 [Kernel | On_Demand | Stopped] -> %System32%\drivers\sk99202k.sys -> Silitek Corp. [Ver = 1.0.1.0 | Size = 7552 bytes | Modified Date = 9/11/2000 8:32:28 PM | Attr = ]
(Sk9920nt) PS/2 Keyboard Filter Driver for NT 4.0 [Kernel | System | Running] -> %System32%\drivers\Sk9920nt.sys -> Silitek Corp. [Ver = 1.0.1.0 | Size = 6208 bytes | Modified Date = 9/12/2000 2:39:10 AM | Attr = ]
(Sparrow) Sparrow [Kernel | Disabled | Stopped] -> -> File not found
(SPBBCDrv) SPBBCDrv [Kernel | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\SPBBC\SPBBCDrv.sys -> Symantec Corporation [Ver = 3.2.0.15 | Size = 417592 bytes | Modified Date = 1/3/2007 11:05:02 AM | Attr = ]
(SRTSP) SRTSP [File_System | On_Demand | Stopped] -> %System32%\drivers\srtsp.sys -> Symantec Corporation [Ver = 10.1.4.1 | Size = 247608 bytes | Modified Date = 1/11/2007 9:22:14 PM | Attr = ]
(SRTSPL) SRTSPL [Kernel | On_Demand | Running] -> %System32%\drivers\srtspl.sys -> Symantec Corporation [Ver = 10.1.4.1 | Size = 276792 bytes | Modified Date = 1/11/2007 9:22:20 PM | Attr = ]
(SRTSPX) SRTSPX [Kernel | System | Running] -> %System32%\drivers\srtspx.sys -> Symantec Corporation [Ver = 10.1.4.1 | Size = 25400 bytes | Modified Date = 1/11/2007 9:22:18 PM | Attr = ]
(symc810) symc810 [Kernel | Disabled | Stopped] -> -> File not found
(symc8xx) symc8xx [Kernel | Disabled | Stopped] -> -> File not found
(SYMDNS) SYMDNS [Kernel | On_Demand | Running] -> %System32%\drivers\symdns.sys -> Symantec Corporation [Ver = 7.2.0.14 | Size = 12984 bytes | Modified Date = 1/9/2007 5:32:14 PM | Attr = ]
(SymEvent) SymEvent [Kernel | On_Demand | Running] -> %System32%\drivers\SYMEVENT.SYS -> Symantec Corporation [Ver = 12.3.0.14 | Size = 115000 bytes | Modified Date = 5/19/2007 10:41:44 PM | Attr = ]
(SYMFW) SYMFW [Kernel | On_Demand | Running] -> %System32%\drivers\symfw.sys -> Symantec Corporation [Ver = 7.2.0.14 | Size = 145976 bytes | Modified Date = 1/9/2007 5:32:14 PM | Attr = ]
(SYMIDS) SYMIDS [Kernel | On_Demand | Running] -> %System32%\drivers\symids.sys -> Symantec Corporation [Ver = 7.2.0.14 | Size = 40120 bytes | Modified Date = 1/9/2007 5:32:14 PM | Attr = ]
(SYMIDSCO) SYMIDSCO [Kernel | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\SymcData\idsdefs\20070906.002\SymIDSCo.sys -> Symantec Corporation [Ver = 8.0.1.4 | Size = 158064 bytes | Modified Date = 9/5/2007 4:27:06 PM | Attr = ]
(symlcbrd) symlcbrd [Kernel | Auto | Running] -> %System32%\drivers\symlcbrd.sys -> Symantec Corporation [Ver = 1, 8, 54, 478 | Size = 4608 bytes | Modified Date = 5/17/2005 9:24:46 PM | Attr = ]
(SYMNDIS) SYMNDIS [Kernel | On_Demand | Running] -> %System32%\drivers\symndis.sys -> Symantec Corporation [Ver = 7.2.0.14 | Size = 35256 bytes | Modified Date = 1/9/2007 5:32:14 PM | Attr = ]
(SYMREDRV) SYMREDRV [Kernel | On_Demand | Running] -> %System32%\drivers\symredrv.sys -> Symantec Corporation [Ver = 7.2.0.14 | Size = 27576 bytes | Modified Date = 1/9/2007 5:32:14 PM | Attr = ]
(SYMTDI) SYMTDI [Kernel | Disabled | Running] -> %System32%\drivers\symtdi.sys -> Symantec Corporation [Ver = 7.2.0.14 | Size = 191544 bytes | Modified Date = 1/9/2007 5:32:14 PM | Attr = ]
(sym_hi) sym_hi [Kernel | Disabled | Stopped] -> -> File not found
(sym_u3) sym_u3 [Kernel | Disabled | Stopped] -> -> File not found
(TosIde) TosIde [Kernel | Disabled | Stopped] -> -> File not found
(UdfReadr_xp) UdfReadr_xp [File_System | System | Running] -> %System32%\drivers\UdfReadr_xp.sys -> Roxio [Ver = 6.1.1.17 built by: WinDDK | Size = 213120 bytes | Modified Date = 7/17/2003 1:19:56 AM | Attr = ]
(ultra) ultra [Kernel | Boot | Running] -> %System32%\drivers\ultra.sys -> Promise Technology, Inc. [Ver = 1.43 (Build 0603) | Size = 36736 bytes | Modified Date = 8/17/2001 3:52:22 PM | Attr = ]
(UPATC) USBAT Controller Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\upatc.sys -> SCM Microsystems Inc. [Ver = 4.2.3.3 | Size = 87136 bytes | Modified Date = 5/30/2000 11:54:52 AM | Attr = ]
(USBNET_XP) Instant Wireless XP USB Network Adapter ver.2.6 Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\netusbxp.sys -> The LinkSys Group, Inc. [Ver = 1.02.02.0066 built by: WinDDK | Size = 72576 bytes | Modified Date = 2/20/2002 5:34:18 PM | Attr = ]
(wandrv) WAN Network Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\wandrv.sys -> America Online, Inc. [Ver = 6.0.0.8 | Size = 22608 bytes | Modified Date = 8/9/2001 6:25:22 PM | Attr = ]
(WDICA) WDICA [Kernel | On_Demand | Stopped] -> -> File not found

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
AcctMgr -> %ProgramFiles%\Norton Password Manager\AcctMgr.exe -> Symantec Corporation [Ver = 2004.1.406 | Size = 586896 bytes | Modified Date = 8/18/2004 12:41:34 PM | Attr = ]
AdaptecDirectCD -> %ProgramFiles%\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe -> Roxio [Ver = 5.3.5.10 | Size = 684032 bytes | Modified Date = 10/2/2003 8:00:50 PM | Attr = ]
ccApp -> -> File not found

Too much for one post. The rest follows in the next reply.


----------
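
The driver list in the report above is what the earlier VirusTotal request was based on: one boot-start kernel driver (`lffycjtc`, file `evgmqxuy.sys`) with no publisher, no version resource, a service name that does not match its file name, and a modification date three days before the report. The Python below is an added example for this thread; it is not part of WinPFind3U or of anything the helper posted. It parses lines in the WinPFind3U driver format and scores each entry on those signals. The five sample lines are copied from the report; the weights, the 30-day window and the threshold of 3 are assumptions chosen for illustration, and the "random-looking name" check is deliberately a weak signal because legitimate drivers (several Symantec ones in the same list) also have consonant-heavy names. A browser upload that sends 0 bytes, as reported earlier in the thread, is what you see when the file cannot be read from user mode; the score here only ranks entries for follow-up (offline imaging, scanning from boot media), it does not establish what the driver does.

```python
"""Heuristic triage of the '[Driver Services - Non-Microsoft Only]' section of a
WinPFind3U report. Added example; not the tool's own code."""
import re
from datetime import datetime, timedelta

# Constructed sample: five lines copied from the report above in WinPFind3U's format
# (one suspicious entry, one stale entry whose file is gone, three ordinary ones).
SAMPLE_LOG = r"""
(AFS2K) AFS2K [Kernel | System | Running] -> %System32%\drivers\AFS2K.SYS -> Oak Technology Inc. [Ver = 3.1.20.1064 | Size = 43672 bytes | Modified Date = 7/3/2004 8:54:34 AM | Attr = ]
(catchme) catchme [Kernel | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\VIVIAN~1\LOCALS~1\Temp\catchme.sys -> File not found
(lffycjtc) lffycjtc [Kernel | Boot | Running] -> %System32%\drivers\evgmqxuy.sys -> [Ver = | Size = 17280 bytes | Modified Date = 9/4/2007 9:26:58 AM | Attr = ]
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %System32%\drivers\pxhelp20.sys -> Sonic Solutions [Ver = 2.02.62a | Size = 20016 bytes | Modified Date = 5/19/2004 1:33:44 PM | Attr = ]
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %System32%\drivers\secdrv.sys -> [Ver = | Size = 27440 bytes | Modified Date = 8/18/2001 2:00:00 PM | Attr = ]
"""
LOG_DATE = datetime(2007, 9, 7)  # date the report was generated (from its header)

# "(svc) Display Name [Type | Start | State] -> path -> detail"
LINE_RE = re.compile(
    r"^\((?P<service>[^)]+)\)\s+(?P<display>.+?)\s+"
    r"\[(?P<type>[^|\]]+?)\s*\|\s*(?P<start>[^|\]]+?)\s*\|\s*(?P<state>[^\]]+?)\]\s*"
    r"->\s*(?P<path>.*?)\s*->\s*(?P<detail>.*)$"
)
# "Company [Ver = x | Size = n bytes | Modified Date = d | Attr = a]"
DETAIL_RE = re.compile(
    r"^(?P<company>.*?)\s*\[Ver = (?P<version>[^|]*?)\s*\|\s*Size = (?P<size>\d+) bytes\s*\|"
    r"\s*Modified Date = (?P<mtime>[^|]+?)\s*\|\s*Attr = (?P<attr>[^\]]*)\]$"
)
# Assumed weights: each signal alone is weak, the combination is what matters.
WEIGHTS = {"no_publisher": 2, "early_start": 1, "recently_modified": 2, "random_name": 1}


def looks_random(name):
    """Weak signal: alphabetic stem of 6+ letters with a run of 5+ non-vowels."""
    stem = re.sub(r"\.\w+$", "", name).lower()
    if not stem.isalpha() or len(stem) < 6:
        return False
    longest = max((len(run) for run in re.findall(r"[^aeiou]+", stem)), default=0)
    return longest >= 5


def parse_driver_line(line):
    """Return a dict for one driver line, or None if the line is not in that format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update(stale=rec["detail"] == "File not found", company="", version="", size=None, mtime=None)
    d = None if rec["stale"] else DETAIL_RE.match(rec["detail"])
    if d:
        rec["company"] = d["company"].strip()
        rec["version"] = d["version"].strip()
        rec["size"] = int(d["size"])
        rec["mtime"] = datetime.strptime(d["mtime"].strip(), "%m/%d/%Y %I:%M:%S %p")
    return rec


def score_driver(rec, log_date, recent_days=30):
    """Return (score, list of human-readable signals) for one parsed driver."""
    if rec["stale"]:
        return 0, ["stale: service still registered but its file is gone"]
    signals = {}
    if not rec["company"] and not rec["version"]:
        signals["no_publisher"] = "no company name or version resource"
    if rec["start"] in ("Boot", "System", "Auto"):
        signals["early_start"] = f"loads early (start type {rec['start']})"
    if rec["mtime"] and abs(log_date - rec["mtime"]) <= timedelta(days=recent_days):
        signals["recently_modified"] = f"file modified {rec['mtime']:%Y-%m-%d}, within {recent_days} days of the report"
    filename = rec["path"].rsplit("\\", 1)[-1]
    if looks_random(rec["service"]) or looks_random(filename):
        signals["random_name"] = f"random-looking name (service {rec['service']!r}, file {filename!r})"
    return sum(WEIGHTS[k] for k in signals), list(signals.values())


def triage(report_text, log_date, threshold=3):
    """Parse every driver line in the report and rank it for follow-up."""
    results = []
    for line in report_text.splitlines():
        rec = parse_driver_line(line)
        if rec is None:
            continue
        score, signals = score_driver(rec, log_date)
        results.append({"service": rec["service"], "path": rec["path"], "stale": rec["stale"],
                        "score": score, "flagged": score >= threshold, "signals": signals})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG, LOG_DATE):
        tag = "FLAG" if r["flagged"] else ("stale" if r["stale"] else "ok")
        print(f"{tag:5} {r['service']:<10} score={r['score']} {r['path']}")
        for s in r["signals"]:
            print("      -", s)
```

Run against the sample, only `lffycjtc` crosses the threshold (score 6); `Secdrv`, which also lacks a publisher string in the report, stays at 2, and `catchme` is reported as a stale leftover rather than scored. Feed the whole driver section of a report through `triage` to get the same ranking over every entry.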



## Vivsky (Sep 5, 2007)

CXMon -> %ProgramFiles%\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe -> Hewlett-Packard Company [Ver = 2.4.0.2 | Size = 32768 bytes | Modified Date = 8/14/2000 5:48:06 PM | Attr = ]
GWMDMMSG -> %SystemRoot%\GWMDMMSG.exe -> GTW [Ver = 3.3.13.1 08/07/2001 18:57:35 | Size = 100913 bytes | Modified Date = 8/15/2001 10:25:02 PM | Attr = ]
GWMDMpi -> %SystemRoot%\GWMDMpi.exe -> [Ver = | Size = 40960 bytes | Modified Date = 8/15/2001 10:25:04 PM | Attr = ]
HP Component Manager -> %ProgramFiles%\HP\hpcoretech\hpcmpmgr.exe -> Hewlett-Packard Company [Ver = 2.1.1.0 | Size = 241664 bytes | Modified Date = 5/12/2004 3:18:56 PM | Attr = ]
HP Software Update -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Co. [Ver = 50.0.146.000 | Size = 49152 bytes | Modified Date = 2/16/2005 11:11:42 PM | Attr = ]
HPDJ Taskbar Utility -> %System32%\spool\drivers\w32x86\3\hpztsb10.exe -> HP [Ver = 2.323.0.0 | Size = 172032 bytes | Modified Date = 3/23/2004 4:05:42 AM | Attr = ]
Keyboard Preload Check -> %SystemDrive%\OEMDRVRS\KEYB\Preload.exe -> File not found
Microsoft Works Portfolio -> %ProgramFiles%\Microsoft Works\wkssb.exe -> Microsoft® Corporation [Ver = 6.00.3221.2 | Size = 331830 bytes | Modified Date = 8/23/2001 6:52:52 PM | Attr = ]
mmtask -> %ProgramFiles%\MusicMatch\MusicMatch Jukebox\mmtask.exe -> TODO: <Company name> [Ver = 1.0.0.1 | Size = 53248 bytes | Modified Date = 3/30/2004 11:12:56 PM | Attr = ]
osCheck -> %ProgramFiles%\Norton Internet Security\osCheck.exe -> Symantec Corporation [Ver = 10.3.0.3 | Size = 771704 bytes | Modified Date = 2/7/2007 6:39:10 PM | Attr = ]
RoxioAudioCentral -> %ProgramFiles%\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe -> Roxio, Inc. [Ver = 1.1.277 | Size = 319488 bytes | Modified Date = 7/15/2003 1:36:50 PM | Attr = ]
RoxioDragToDisc -> %ProgramFiles%\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe -> Roxio [Ver = 6.1.1.17 | Size = 868352 bytes | Modified Date = 7/17/2003 1:19:54 AM | Attr = ]
RoxioEngineUtility -> %CommonProgramFiles%\Roxio Shared\System\EngUtil.exe -> Roxio [Ver = 6.1.0.7 | Size = 65536 bytes | Modified Date = 5/1/2003 7:44:50 PM | Attr = ]
WorksFUD -> %ProgramFiles%\Microsoft Works\wkfud.exe -> Microsoft® Corporation [Ver = 6.00.3221.3 | Size = 24576 bytes | Modified Date = 10/5/2001 9:34:52 PM | Attr = ]
< RunOnceEx [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx -> 
-> -> File not found
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ -> 
IMAIL -> Installed = 1 -> 
MAPI -> Installed = 1 -> 
MSFS -> Installed = 1 -> 
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
Microsoft Works Update Detection -> %ProgramFiles%\Microsoft Works\WkDetect.exe -> File not found
PhotoShow Deluxe Media Manager -> %ProgramFiles%\Comcast\Comcast PhotoShow 4\data\Xtras\mssysmgr.exe -> Simple Star, Inc. [Ver = 4.0.0.0 | Size = 192512 bytes | Modified Date = 5/9/2005 7:16:16 PM | Attr = ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
%AllUsersStartup%\Adobe Gamma Loader.exe.lnk -> %CommonProgramFiles%\Adobe\Calibration\Adobe Gamma Loader.exe -> Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 113664 bytes | Modified Date = 7/17/2002 3:15:12 AM | Attr = ]
%AllUsersStartup%\Adobe Gamma Loader.lnk -> %CommonProgramFiles%\Adobe\Calibration\Adobe Gamma Loader.exe -> Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 113664 bytes | Modified Date = 7/17/2002 3:15:12 AM | Attr = ]
%AllUsersStartup%\HP Digital Imaging Monitor.lnk -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> Hewlett-Packard Co. [Ver = 43.1.5.000 | Size = 241664 bytes | Modified Date = 5/28/2004 10:31:38 PM | Attr = ]
%AllUsersStartup%\HP Image Zone Fast Start.lnk -> %ProgramFiles%\HP\Digital Imaging\bin\hpqthb08.exe -> Hewlett-Packard Co. [Ver = 043.001.005.000 | Size = 53248 bytes | Modified Date = 5/28/2004 11:06:36 PM | Attr = ]
%AllUsersStartup%\Kodak Picture Easy 3.1 Batch Transfer.lnk -> %ProgramFiles%\Kodak\Picture Easy Software\Program\PezDownload.exe -> Eastman Kodak Company [Ver = 1, 0, 1, 0 | Size = 39424 bytes | Modified Date = 9/9/1998 4:26:28 PM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
hmbdkint -> %System32%\d3dimr.dll -> [Ver = | Size = 82944 bytes | Modified Date = 9/7/2007 5:46:08 PM | Attr = ]
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoDriveAutoRun -> 67108863 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoDriveTypeAutoRun -> 255 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> -> 
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> -> 
< HOSTS File > (27 bytes) -> C:\WINNT\System32\drivers\etc\Hosts -> 
127.0.0.1 localhost -> -> 
< Internet Explorer Settings > -> -> 
HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome -> 
HKLM: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKLM: Local Page -> %SystemRoot%\system32\blank.htm -> 
HKLM: Search Bar -> -> 
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKLM: Start Page -> http://www.msn.com/ -> 
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
HKCU: Local Page -> C:\WINNT\System32\blank.htm -> 
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKCU: Start Page -> http://www.comcast.net/ -> 
HKCU: ProxyEnable -> 0 -> 
< Trusted Sites > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
aol.com [ - ] -> -> 
free_aol.com [ - ] -> -> 
free_aol.com [http] -> -> 
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [AcroIEHlprObj Class] -> [Ver = 1, 0, 0, 1 | Size = 37808 bytes | Modified Date = 3/2/2001 2:02:04 PM | Attr = ]
{1E8A6170-7264-4D0F-BEAE-D42A53123C75} [HKLM] -> %CommonProgramFiles%\Symantec Shared\coShared\Browser\1.5\NppBHO.dll [Reg Data - Value does not exist] -> Symantec Corporation [Ver = 2007.1.5.29 | Size = 96936 bytes | Modified Date = 1/12/2007 3:04:50 AM | Attr = R ]
{212CC212-DC60-43F8-B877-114B71949415} [HKLM] -> %System32%\umtacudx.dll [Reg Data - Value does not exist] -> [Ver = | Size = 67584 bytes | Modified Date = 9/7/2007 5:46:14 PM | Attr = ]
{2E62C6B8-D531-4661-B5DC-8248844D7A8A} [HKLM] -> %System32%\d3dimr.dll [Reg Data - Value does not exist] -> [Ver = | Size = 82944 bytes | Modified Date = 9/7/2007 5:46:08 PM | Attr = ]
{7BA59E75-432C-41E2-A1AC-7C55FB42A2F4} [HKLM] -> %System32%\comresu.dll [Reg Data - Value does not exist] -> [Ver = | Size = 102037 bytes | Modified Date = 8/18/2001 2:00:00 PM | Attr = ]
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ -> 
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ -> 
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
{8E718888-423F-11D2-876E-00A0C9082467} [HKLM] -> %System32%\msdxm.ocx [&Radio] -> [Ver = | Size = 844048 bytes | Modified Date = 9/17/2003 12:01:28 PM | Attr = ]
{90222687-F593-4738-B738-FBEE9C7B26DF} [HKLM] -> %CommonProgramFiles%\Symantec Shared\coShared\Browser\1.5\UIBHO.dll [Show Norton Toolbar] -> Symantec Corporation [Ver = 2007.1.5.29 | Size = 607888 bytes | Modified Date = 1/12/2007 3:05:00 AM | Attr = R ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [&Google] -> Google Inc. [Ver = 3, 0, 131, 0 | Size = 1158656 bytes | Modified Date = 2/14/2006 9:05:22 PM | Attr = R ]
WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{5AA06644-BC46-4220-A460-47A6EB47C96D} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -> Reg Data - Value does not exist [ButtonText: Yahoo! Services] -> File not found
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: Research] -> File not found
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} [HKLM] -> Reg Data - Key not found [MenuText: Reg Data - Value does not exist] -> File not found
{E023F504-0C5A-4750-A1E7-A9046DEA8A21} -> Reg Data - Value does not exist [ButtonText: MoneySide] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ -> 
&Google Search -> %ProgramFiles%\google\GoogleToolbar1.dll\cmsearch.htm -> File not found
&Translate English Word -> %ProgramFiles%\google\GoogleToolbar1.dll\cmwordtrans.htm -> File not found
Backward Links -> %ProgramFiles%\google\GoogleToolbar1.dll\cmbacklinks.htm -> File not found
Cached Snapshot of Page -> %ProgramFiles%\google\GoogleToolbar1.dll\cmcache.htm -> File not found
E&xport to Microsoft Excel -> -> File not found
Similar Pages -> %ProgramFiles%\google\GoogleToolbar1.dll\cmsimilar.htm -> File not found
Translate Page into English -> %ProgramFiles%\google\GoogleToolbar1.dll\cmtrans.htm -> File not found
< Internet Explorer Plugins [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\ -> 
.spop -> %ProgramFiles%\Internet Explorer\PLUGINS\NPDocBox.dll [Reg Data - Value does not exist] -> InterTrust Technologies Corporation, Inc. [Ver = 1.0.30.95 | Size = 225280 bytes | Modified Date = 1/30/2001 3:56:24 PM | Attr = ]
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{196A04ED-7B35-42E7-9648-6FE37EAA9C3D} -> (Instant Wireless USB Network Adapter ver.2.6) -> 
{AF02FCB5-F6CC-4C5F-8461-B1E423668D75} -> () -> 
{DB5A76D3-E1D4-47BE-9B21-15CD0E2C3A26} -> (1394 Net Adapter) -> 
< Default Protocols [HKLM] - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults -> 
shell -> shell protocol not assigned -> 
< Default Protocols [HKCU] - Select to Repair > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults -> 
shell -> shell protocol not assigned -> 
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 
cetihpz -> %ProgramFiles%\HP\hpcoretech\comp\hpuiprot.dll -> Hewlett-Packard Company [Ver = 2.1.5 | Size = 81920 bytes | Modified Date = 5/12/2004 3:18:56 PM | Attr = ]
ic32pp -> %SystemRoot%\wc98pp.dll -> [Ver = | Size = 51712 bytes | Modified Date = 1/12/2003 11:30:18 AM | Attr = ]
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
vnd.ms.radio -> %System32%\msdxm.ocx -> [Ver = | Size = 844048 bytes | Modified Date = 9/17/2003 12:01:28 PM | Attr = ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{0000000A-9980-0010-8000-00AA00389B71} -> - CodeBase = http://codecs.microsoft.com/codecs/i386/wmsp9dmo.cab -> 
{00000075-9980-0010-8000-00AA00389B71} -> - CodeBase = http://codecs.microsoft.com/codecs/i386/voxacm.CAB -> 
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -> QuickTime Object - CodeBase = http://www.apple.com/qtactivex/qtplugin.cab -> 
{05D96F71-87C6-11D3-9BE4-00902742D6E0} -> QuickPlace Class - CodeBase = https://quickplace.pmllp.com/qp2.cab -> 
{0E5F0222-96B9-11D3-8997-00104BD12D94} -> PCPitstop Utility - CodeBase = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB -> 
{166B1BCA-3F9C-11CF-8075-444553540000} -> Shockwave ActiveX Control - CodeBase = http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab -> 
{1E2941E3-8E63-11D4-9D5A-00902742D6E0} -> iNotes Class - CodeBase = https://we.pmllp.com/ANAR-LNMail1/iNotes.cab -> 
{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -> Installation Support - CodeBase = C:\Program Files\Yahoo!\Common\Yinsthelper.dll -> 
{33363249-0000-0010-8000-00AA00389B71} -> - CodeBase = http://codecs.microsoft.com/codecs/i386/i263_32.cab -> 
{33564D57-9980-0010-8000-00AA00389B71} -> - CodeBase = http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab -> 
{3BFFE033-BF43-11D5-A271-00A024A51325} -> iNotes6 Class - CodeBase = https://we.pmllp.com/ANAR-LNMAIL1/iNotes6.cab -> 
{41F17733-B041-4099-A042-B518BB6A408C} -> - CodeBase = http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe -> 
{56336BCB-3D8A-11D6-A00B-0050DA18DE71} -> - CodeBase = http://software-dl.real.com/20120b8e43bf2d8ea622/netzip/RdxIE601.cab -> 
{6A344D34-5231-452A-8A57-D064AC9B7862} -> Symantec Download Manager - CodeBase = https://webdl.symantec.com/activex/symdlmgr.cab -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.4.0 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-1_4_0-win.cab -> 
{9A57B18E-2F5D-11D5-8997-00104BD12D94} -> compid Class - CodeBase = http://support.gateway.com/support/serialharvest/gwCID.CAB -> 
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -> ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan/as5free/asinst.cab -> 
{9F1C11AA-197B-4942-BA54-47A8489BB47F} -> - CodeBase = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37246.6713425926 -> 
{BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} -> LiveX(5.4.0.0) Control - CodeBase = http://bowwow4.serveftp.com/cab/Live.cab -> 
{CA797B15-445F-4AA9-9828-8A88502F560F} -> Uninstall Control - CodeBase = http://www.worldwinner.com/games/shared/uninstall.cab -> 
{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} -> Java Plug-in 1.4.0 - CodeBase = http://java.sun.com/products/plugin/1.4/jinstall-14-win.cab -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab -> 
{D719897A-B07A-4C0C-AEA9-9B663A28DFCB} -> iTunesDetector Class - CodeBase = http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab -> 
Microsoft XML Parser for Java -> - CodeBase = file://C:\WINNT\Java\classes\xmldso.cab ->

[Registry - Additional Scans - Non-Microsoft Only]
< Desktop Components > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\ -> 
0 -> [Key] -> 
0 -> FriendlyName = My Current Home Page -> 
0 -> Source = About:Home -> 
0 -> SubscribedURL = About:Home ->

[Files/Folders - Created Within 30 days]
fixwareout -> %SystemDrive%\fixwareout -> [Folder | Created Date = 9/5/2007 4:04:15 PM | Attr = ]
qoobox -> %SystemDrive%\qoobox -> [Folder | Created Date = 9/7/2007 4:59:26 AM | Attr = ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt -> [Folder | Created Date = 9/5/2007 7:28:29 PM | Attr = ]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 109056 bytes | Created Date = 9/7/2007 4:58:59 AM | Attr = ]
erdnt -> %SystemRoot%\erdnt -> [Folder | Created Date = 9/7/2007 5:00:04 AM | Attr = ]
nircmd.exe -> %SystemRoot%\nircmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 9/7/2007 4:58:59 AM | Attr = ]
TEMP -> %SystemRoot%\TEMP -> [Folder | Created Date = 9/7/2007 5:22:26 AM | Attr = ]
8104297.jun -> %System32%\8104297.jun -> [Ver = | Size = 0 bytes | Created Date = 9/5/2007 9:40:18 AM | Attr = ]
ActiveScan -> %System32%\ActiveScan -> [Folder | Created Date = 9/5/2007 7:41:04 PM | Attr = ]
asuninst.exe -> %System32%\asuninst.exe -> Panda Software [Ver = 1, 0, 0, 2 | Size = 73728 bytes | Created Date = 9/5/2007 7:41:38 PM | Attr = ]
bedazsad.dll -> %System32%\bedazsad.dll -> [Ver = | Size = 102912 bytes | Created Date = 9/4/2007 9:15:16 AM | Attr = ]
bedazsad.dll.bak -> %System32%\bedazsad.dll.bak -> [Ver = | Size = 103936 bytes | Created Date = 9/4/2007 9:15:16 AM | Attr = ]
ciztyfxy.dll -> %System32%\ciztyfxy.dll -> [Ver = | Size = 756224 bytes | Created Date = 9/4/2007 9:15:21 AM | Attr = ]
ciztyfxy.dll.bak -> %System32%\ciztyfxy.dll.bak -> [Ver = | Size = 756736 bytes | Created Date = 9/4/2007 9:15:21 AM | Attr = ]
comresu.1 -> %System32%\comresu.1 -> [Ver = | Size = 88064 bytes | Created Date = 9/4/2007 8:28:38 AM | Attr = ]
comresu.dll -> %System32%\comresu.dll -> [Ver = | Size = 102037 bytes | Created Date = 9/4/2007 8:28:38 AM | Attr = ]
d3dimr.dll -> %System32%\d3dimr.dll -> [Ver = | Size = 82944 bytes | Created Date = 9/4/2007 8:29:01 AM | Attr = ]
d3dimr.dll.bak -> %System32%\d3dimr.dll.bak -> [Ver = | Size = 80896 bytes | Created Date = 9/4/2007 8:29:01 AM | Attr = ]
dpvac.dll -> %System32%\dpvac.dll -> [Ver = | Size = 58368 bytes | Created Date = 9/4/2007 8:26:50 AM | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Created Date = 9/5/2007 7:41:08 PM | Attr = ]
libeay32.dll -> %System32%\libeay32.dll -> OpenSSL <www.openssl.org> [Ver = 0.9.7c | Size = 684567 bytes | Created Date = 9/4/2007 9:15:24 AM | Attr = ]
libssl32.dll -> %System32%\libssl32.dll -> OpenSSL <www.openssl.org> [Ver = 0.9.7c | Size = 147729 bytes | Created Date = 9/4/2007 9:15:23 AM | Attr = ]
lymtafmu.dll -> %System32%\lymtafmu.dll -> [Ver = | Size = 128512 bytes | Created Date = 9/4/2007 9:15:13 AM | Attr = ]
lymtafmu.dll.bak -> %System32%\lymtafmu.dll.bak -> [Ver = | Size = 129536 bytes | Created Date = 9/4/2007 9:15:13 AM | Attr = ]
moveex.exe -> %System32%\moveex.exe -> [Ver = | Size = 38400 bytes | Created Date = 9/7/2007 4:58:59 AM | Attr = ]
pavas.ico -> %System32%\pavas.ico -> [Ver = | Size = 30590 bytes | Created Date = 9/5/2007 7:41:07 PM | Attr = ]
pyuznkpk.dll -> %System32%\pyuznkpk.dll -> [Ver = | Size = 46592 bytes | Created Date = 9/4/2007 9:15:14 AM | Attr = ]
pyuznkpk.dll.bak -> %System32%\pyuznkpk.dll.bak -> [Ver = | Size = 48128 bytes | Created Date = 9/4/2007 9:15:14 AM | Attr = ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Created Date = 9/7/2007 4:58:59 AM | Attr = ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 9/7/2007 4:58:59 AM | Attr = ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 9/7/2007 4:58:59 AM | Attr = ]
umtacudx.dll -> %System32%\umtacudx.dll -> [Ver = | Size = 67584 bytes | Created Date = 9/6/2007 4:12:33 PM | Attr = ]
umtacudx.dll.bak -> %System32%\umtacudx.dll.bak -> [Ver = | Size = 68608 bytes | Created Date = 9/6/2007 4:12:33 PM | Attr = ]
Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Created Date = 9/5/2007 7:41:08 PM | Attr = ]
vfind.exe -> %System32%\vfind.exe -> [Ver = | Size = 49152 bytes | Created Date = 9/7/2007 4:58:59 AM | Attr = ]
wsumxgvj.dll -> %System32%\wsumxgvj.dll -> [Ver = | Size = 48640 bytes | Created Date = 9/4/2007 9:15:26 AM | Attr = ]
wsumxgvj.dll.bak -> %System32%\wsumxgvj.dll.bak -> [Ver = | Size = 47616 bytes | Created Date = 9/4/2007 9:15:26 AM | Attr = ]
ZPORT4AS.dll -> %System32%\ZPORT4AS.dll -> [Ver = | Size = 11776 bytes | Created Date = 9/5/2007 7:41:38 PM | Attr = ]
evgmqxuy.sys -> %System32%\drivers\evgmqxuy.sys -> [Ver = | Size = 17280 bytes | Created Date = 1/1/1601 5:00:00 AM | Attr = ]

More to follow


----------



## Vivsky (Sep 5, 2007)

[Files/Folders - Modified Within 30 days]
fixwareout -> %SystemDrive%\fixwareout -> [Folder | Modified Date = 9/5/2007 5:10:50 PM | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 536203264 bytes | Modified Date = 9/7/2007 5:35:28 PM | Attr = HS]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 9/5/2007 4:58:16 PM | Attr = ]
qoobox -> %SystemDrive%\qoobox -> [Folder | Modified Date = 9/7/2007 6:20:30 AM | Attr = ]
System Volume Information -> %SystemDrive%\System Volume Information -> [Folder | Modified Date = 9/4/2007 9:47:10 AM | Attr = HS]
WINNT -> %SystemRoot% -> [Folder | Modified Date = 9/7/2007 5:38:18 PM | Attr = ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt -> [Folder | Modified Date = 9/5/2007 8:28:30 PM | Attr = ]
$NtUninstallQ321856$ -> %SystemRoot%\$NtUninstallQ321856$ -> [Folder | Modified Date = 9/6/2007 7:18:48 PM | Attr = H ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 9/7/2007 5:35:34 PM | Attr = S]
Debug -> %SystemRoot%\Debug -> [Folder | Modified Date = 9/7/2007 5:35:50 PM | Attr = ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 9/6/2007 7:20:28 PM | Attr = S]
erdnt -> %SystemRoot%\erdnt -> [Folder | Modified Date = 9/7/2007 6:05:24 AM | Attr = ]
Help -> %SystemRoot%\Help -> [Folder | Modified Date = 8/24/2007 5:44:52 AM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 9/5/2007 8:41:54 PM | Attr = H ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 9/7/2007 6:29:58 PM | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Modified Date = 9/5/2007 9:50:10 AM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Modified Date = 9/5/2007 9:50:10 AM | Attr = H ]
QUICKEN.INI -> %SystemRoot%\QUICKEN.INI -> [Ver = | Size = 793 bytes | Modified Date = 9/1/2007 1:14:24 PM | Attr = ]
SoftwareDistribution -> %SystemRoot%\SoftwareDistribution -> [Folder | Modified Date = 9/6/2007 7:26:30 PM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 9/7/2007 5:46:14 PM | Attr = ]
Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 9/7/2007 6:05:20 AM | Attr = S]
TEMP -> %SystemRoot%\TEMP -> [Folder | Modified Date = 9/7/2007 6:38:48 PM | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 971 bytes | Modified Date = 9/5/2007 8:47:56 PM | Attr = ]
Norton Internet Security - Run Full System Scan - Vivian Brososky.job -> %SystemRoot%\tasks\Norton Internet Security - Run Full System Scan - Vivian Brososky.job -> [Ver = | Size = 642 bytes | Modified Date = 9/3/2007 10:01:52 PM | Attr = ]
Norton Internet Security - Weekly Scan - Vivian Brososky.job -> %SystemRoot%\tasks\Norton Internet Security - Weekly Scan - Vivian Brososky.job -> [Ver = | Size = 658 bytes | Modified Date = 8/31/2007 10:21:12 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 9/7/2007 5:35:42 PM | Attr = H ]
8104297.jun -> %System32%\8104297.jun -> [Ver = | Size = 0 bytes | Modified Date = 9/5/2007 10:40:20 AM | Attr = ]
ActiveScan -> %System32%\ActiveScan -> [Folder | Modified Date = 9/6/2007 7:26:34 PM | Attr = ]
bedazsad.dll -> %System32%\bedazsad.dll -> [Ver = | Size = 102912 bytes | Modified Date = 9/7/2007 5:46:10 PM | Attr = ]
bedazsad.dll.bak -> %System32%\bedazsad.dll.bak -> [Ver = | Size = 103936 bytes | Modified Date = 9/6/2007 5:12:34 PM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 9/5/2007 8:43:04 PM | Attr = ]
ciztyfxy.dll -> %System32%\ciztyfxy.dll -> [Ver = | Size = 756224 bytes | Modified Date = 9/7/2007 5:46:12 PM | Attr = ]
ciztyfxy.dll.bak -> %System32%\ciztyfxy.dll.bak -> [Ver = | Size = 756736 bytes | Modified Date = 9/5/2007 10:24:56 AM | Attr = ]
config -> %System32%\config -> [Folder | Modified Date = 9/7/2007 6:05:42 AM | Attr = ]
d3dimr.dll -> %System32%\d3dimr.dll -> [Ver = | Size = 82944 bytes | Modified Date = 9/7/2007 5:46:08 PM | Attr = ]
d3dimr.dll.bak -> %System32%\d3dimr.dll.bak -> [Ver = | Size = 80896 bytes | Modified Date = 9/6/2007 5:12:32 PM | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 8/24/2007 5:44:50 AM | Attr = RHS]
drivers -> %System32%\drivers -> [Folder | Modified Date = 9/7/2007 6:18:24 AM | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Modified Date = 9/6/2007 6:06:06 PM | Attr = ]
libeay32.dll -> %System32%\libeay32.dll -> OpenSSL <www.openssl.org> [Ver = 0.9.7c | Size = 684567 bytes | Modified Date = 9/4/2007 10:15:26 AM | Attr = ]
libssl32.dll -> %System32%\libssl32.dll -> OpenSSL <www.openssl.org> [Ver = 0.9.7c | Size = 147729 bytes | Modified Date = 9/4/2007 10:15:24 AM | Attr = ]
lymtafmu.dll -> %System32%\lymtafmu.dll -> [Ver = | Size = 128512 bytes | Modified Date = 9/7/2007 5:46:08 PM | Attr = ]
lymtafmu.dll.bak -> %System32%\lymtafmu.dll.bak -> [Ver = | Size = 129536 bytes | Modified Date = 9/6/2007 5:12:32 PM | Attr = ]
pavas.ico -> %System32%\pavas.ico -> [Ver = | Size = 30590 bytes | Modified Date = 9/6/2007 6:06:06 PM | Attr = ]
perfc009.dat -> %System32%\perfc009.dat -> [Ver = | Size = 50532 bytes | Modified Date = 9/7/2007 6:12:14 AM | Attr = ]
perfh009.dat -> %System32%\perfh009.dat -> [Ver = | Size = 374064 bytes | Modified Date = 9/7/2007 6:12:14 AM | Attr = ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 430524 bytes | Modified Date = 9/7/2007 6:12:14 AM | Attr = ]
pyuznkpk.dll -> %System32%\pyuznkpk.dll -> [Ver = | Size = 46592 bytes | Modified Date = 9/7/2007 5:46:10 PM | Attr = ]
pyuznkpk.dll.bak -> %System32%\pyuznkpk.dll.bak -> [Ver = | Size = 48128 bytes | Modified Date = 9/5/2007 10:24:52 AM | Attr = ]
Restore -> %System32%\Restore -> [Folder | Modified Date = 9/4/2007 9:47:10 AM | Attr = ]
umtacudx.dll -> %System32%\umtacudx.dll -> [Ver = | Size = 67584 bytes | Modified Date = 9/7/2007 5:46:14 PM | Attr = ]
umtacudx.dll.bak -> %System32%\umtacudx.dll.bak -> [Ver = | Size = 68608 bytes | Modified Date = 9/6/2007 5:12:34 PM | Attr = ]
Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Modified Date = 9/6/2007 6:06:08 PM | Attr = ]
wbem -> %System32%\wbem -> [Folder | Modified Date = 9/6/2007 7:34:26 PM | Attr = ]
wsumxgvj.dll -> %System32%\wsumxgvj.dll -> [Ver = | Size = 48640 bytes | Modified Date = 9/7/2007 5:46:14 PM | Attr = ]
wsumxgvj.dll.bak -> %System32%\wsumxgvj.dll.bak -> [Ver = | Size = 47616 bytes | Modified Date = 9/5/2007 10:25:00 AM | Attr = ]
etc -> %System32%\drivers\etc -> [Folder | Modified Date = 9/7/2007 6:18:24 AM | Attr = ]
evgmqxuy.sys -> %System32%\drivers\evgmqxuy.sys -> [Ver = | Size = 17280 bytes | Modified Date = 9/4/2007 9:26:58 AM | Attr = ]

[File String Scan - Non-Microsoft Only]
UPX! , UPX0 , -> %SystemRoot%\Unwash5.exe -> [Ver = | Size = 45056 bytes | Modified Date = 12/2/2003 6:00:10 AM | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 8/18/2001 2:00:00 PM | Attr = ]
UPX! , UPX0 , -> %System32%\libeay32.dll -> OpenSSL <www.openssl.org> [Ver = 0.9.7c | Size = 684567 bytes | Modified Date = 9/4/2007 10:15:26 AM | Attr = ]
UPX! , UPX0 , -> %System32%\libssl32.dll -> OpenSSL <www.openssl.org> [Ver = 0.9.7c | Size = 147729 bytes | Modified Date = 9/4/2007 10:15:24 AM | Attr = ]
UPX! , UPX0 , -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 7/22/2007 6:39:28 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/18/2001 2:00:00 PM | Attr = ]

< End of report >

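The log above is where the responder reads the infection off: versionless DLLs with eight-letter random names in System32, each with a `.bak` twin created in the same second at a different size, a driver whose Created Date is 1/1/1601 (the zero value of a Windows FILETIME shown in local time), the same files registered at Winlogon\Notify and as Browser Helper Objects, and comresu.dll carrying the 8/18/2001 2:00:00 PM modification stamp the log shows on stock system files such as dfrg.msc although it was created on 9/4/2007. As an added example (not part of this thread and not a feature of WinPFind3U), the following Python script parses entries in the log format and scores those indicators, plus one cross-entry check for several versionless files dropped within a few minutes of each other. The weights, the threshold, the scan time and the excerpted sample log are assumptions of the example.

```python
"""Triage heuristics for a WinPFind3U-style log (added example, not a tool from this thread).
Parses `name -> path -> vendor [Ver = .. | Size = .. bytes | Created/Modified Date = .. | Attr = ..]`
entries and scores each file on indicators visible in the posted log; weights and threshold are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

META_RE = re.compile(
    r"\[Ver = (?P<ver>[^|]*)\| Size = (?P<size>\d+) bytes \| "
    r"(?P<kind>Modified|Created) Date = (?P<date>[^|]*)\| Attr = [^\]]*\]")
# eight lowercase letters + dll/sys/exe (optionally a .bak copy): the naming pattern in the log
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(dll|sys|exe)(\.bak)?$")
# hook points that run a module in every process or at boot (weight 2) vs. plain autostarts (1)
STRONG_HOOKS = ("Winlogon\\Notify", "Browser Helper Objects", "Driver Services")
WEAK_HOOKS = ("\\Run", "Startup")
THRESHOLD = 3  # assumed: flag entries scoring 3 or more

def parse(log_text):
    """Yield one dict per file entry, tagged with the section header above it."""
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith(("[", "<")):  # section header line
            section = line
            continue
        m, fields = META_RE.search(line), line.split(" -> ")
        if not m or len(fields) < 3:
            continue
        path = fields[1].split(" [")[0].strip()  # drop "[Reg Data - ...]" / "[Class]" suffixes
        try:
            when = datetime.strptime(m["date"].strip(), "%m/%d/%Y %I:%M:%S %p")
        except ValueError:
            when = None
        yield {"section": section, "file": path.rsplit("\\", 1)[-1].lower(),
               "vendor": fields[-1].split("[Ver")[0].strip(), "ver": m["ver"].strip(),
               "size": int(m["size"]), "kind": m["kind"], "when": when}

def score(entries, scan_time, recent_days=30):
    """Return [(file, section, score, reasons)] from per-entry and cross-entry indicators."""
    sizes = {e["file"]: e["size"] for e in entries}
    by_minute = defaultdict(int)  # versionless files per creation minute (dropper bursts)
    for e in entries:
        if e["kind"] == "Created" and not e["ver"] and e["when"]:
            by_minute[e["when"].replace(second=0)] += 1
    out = []
    for e in entries:
        reasons = []
        if not e["vendor"] and not e["ver"]:
            reasons.append(("no version resource", 1))
        if RANDOM_NAME_RE.match(e["file"]):
            reasons.append(("random 8-letter name", 1))
        if e["when"] and e["when"].year == 1601:
            reasons.append(("created 1/1/1601: zero FILETIME, timestamp wiped", 2))
        elif e["when"] and scan_time - e["when"] <= timedelta(days=recent_days):
            reasons.append((f"{e['kind'].lower()} within {recent_days} days", 1))
        if any(h in e["section"] for h in STRONG_HOOKS):
            reasons.append(("loads via BHO / Winlogon Notify / driver", 2))
        elif any(h in e["section"] for h in WEAK_HOOKS):
            reasons.append(("plain autostart entry", 1))
        twin = sizes.get(e["file"] + ".bak")
        if twin is not None and twin != e["size"]:
            reasons.append((".bak twin of a different size", 1))
        if e["kind"] == "Created" and not e["ver"] and e["when"]:
            ref = e["when"].replace(second=0)
            burst = sum(n for t, n in by_minute.items() if abs((t - ref).total_seconds()) <= 300)
            if burst >= 3:
                reasons.append((f"{burst} versionless files created within 5 min", 1))
        out.append((e["file"], e["section"], sum(w for _, w in reasons), [r for r, _ in reasons]))
    return out

def flagged_files(log_text, scan_time, threshold=THRESHOLD):
    """File names that reach the threshold in any section."""
    return {f for f, _, s, _ in score(list(parse(log_text)), scan_time) if s >= threshold}

# Constructed excerpt modelled on the log posted in this thread, section headers included.
SAMPLE_LOG = r"""
[Driver Services - Non-Microsoft Only]
(ultra) ultra [Kernel | Boot | Running] -> %System32%\drivers\ultra.sys -> Promise Technology, Inc. [Ver = 1.43 (Build 0603) | Size = 36736 bytes | Modified Date = 8/17/2001 3:52:22 PM | Attr = ]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
GWMDMpi -> %SystemRoot%\GWMDMpi.exe -> [Ver = | Size = 40960 bytes | Modified Date = 8/15/2001 10:25:04 PM | Attr = ]
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
hmbdkint -> %System32%\d3dimr.dll -> [Ver = | Size = 82944 bytes | Modified Date = 9/7/2007 5:46:08 PM | Attr = ]
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{1E8A6170-7264-4D0F-BEAE-D42A53123C75} [HKLM] -> %CommonProgramFiles%\Symantec Shared\coShared\Browser\1.5\NppBHO.dll [Reg Data - Value does not exist] -> Symantec Corporation [Ver = 2007.1.5.29 | Size = 96936 bytes | Modified Date = 1/12/2007 3:04:50 AM | Attr = R ]
{212CC212-DC60-43F8-B877-114B71949415} [HKLM] -> %System32%\umtacudx.dll [Reg Data - Value does not exist] -> [Ver = | Size = 67584 bytes | Modified Date = 9/7/2007 5:46:14 PM | Attr = ]
{7BA59E75-432C-41E2-A1AC-7C55FB42A2F4} [HKLM] -> %System32%\comresu.dll [Reg Data - Value does not exist] -> [Ver = | Size = 102037 bytes | Modified Date = 8/18/2001 2:00:00 PM | Attr = ]
[Files/Folders - Created Within 30 days]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 109056 bytes | Created Date = 9/7/2007 4:58:59 AM | Attr = ]
bedazsad.dll -> %System32%\bedazsad.dll -> [Ver = | Size = 102912 bytes | Created Date = 9/4/2007 9:15:16 AM | Attr = ]
bedazsad.dll.bak -> %System32%\bedazsad.dll.bak -> [Ver = | Size = 103936 bytes | Created Date = 9/4/2007 9:15:16 AM | Attr = ]
comresu.dll -> %System32%\comresu.dll -> [Ver = | Size = 102037 bytes | Created Date = 9/4/2007 8:28:38 AM | Attr = ]
d3dimr.dll -> %System32%\d3dimr.dll -> [Ver = | Size = 82944 bytes | Created Date = 9/4/2007 8:29:01 AM | Attr = ]
dpvac.dll -> %System32%\dpvac.dll -> [Ver = | Size = 58368 bytes | Created Date = 9/4/2007 8:26:50 AM | Attr = ]
evgmqxuy.sys -> %System32%\drivers\evgmqxuy.sys -> [Ver = | Size = 17280 bytes | Created Date = 1/1/1601 5:00:00 AM | Attr = ]
"""
SCAN_TIME = datetime(2007, 9, 7, 18, 40)  # assumed: just after the last Modified Date in the log

if __name__ == "__main__":
    for f, sec, s, why in score(list(parse(SAMPLE_LOG)), SCAN_TIME):
        print(f"{'FLAG' if s >= THRESHOLD else '    '} {s}  {f:<18} {'; '.join(why)}")
```

On this excerpt the files the helper's fix targets (d3dimr.dll, umtacudx.dll, comresu.dll, the eight-letter DLLs and evgmqxuy.sys) come out at or above the threshold, while entries that carry a vendor string (the Symantec BHO, the Promise driver), the Gateway modem helper in Run and the catchme.exe tool component stay below it. Two design points: a hook location alone is worth only two points, so a legitimate BHO or driver is never flagged by placement alone, and the Created section is scored next to the registry sections because comresu.dll's modification time is only suspicious once you see its creation date. No single heuristic here is proof; the point is that several weak signals on one file add up, which is exactly what the responder did by hand.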

----------



## sjpritch25 (Sep 8, 2005)

Please boot into Safe mode to run this fix. 
*Reboot your computer in "SAFE MODE" using the F8 method* so Windows will start with minimal drivers and running processes. To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". See the How to Boot in "SAFE MODE" tutorial if needed.

Please close all open programs because this could affect the fix. Thanks.

Start *WinPFind3U*. Copy/Paste the information in the Quotebox below into the pane where it says *"Paste fix here"* and then click the Run Fix button.


```
[Kill Explorer]
[Unregister Dlls]
[Driver Services - Non-Microsoft Only]
YY -> (lffycjtc) lffycjtc [Kernel | Boot | Running] -> %System32%\drivers\evgmqxuy.sys
[Registry - Non-Microsoft Only]
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> hmbdkint -> %System32%\d3dimr.dll
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {212CC212-DC60-43F8-B877-114B71949415} [HKLM] -> %System32%\umtacudx.dll [Reg Data - Value does not exist]
YY -> {2E62C6B8-D531-4661-B5DC-8248844D7A8A} [HKLM] -> %System32%\d3dimr.dll [Reg Data - Value does not exist]
YY -> {7BA59E75-432C-41E2-A1AC-7C55FB42A2F4} [HKLM] -> %System32%\comresu.dll [Reg Data - Value does not exist]
[Files/Folders - Created Within 30 days]
NY -> fixwareout -> %SystemDrive%\fixwareout
NY -> qoobox -> %SystemDrive%\qoobox
NY -> _OTMoveIt -> %SystemDrive%\_OTMoveIt
NY -> bedazsad.dll -> %System32%\bedazsad.dll
NY -> bedazsad.dll.bak -> %System32%\bedazsad.dll.bak
NY -> ciztyfxy.dll -> %System32%\ciztyfxy.dll
NY -> ciztyfxy.dll.bak -> %System32%\ciztyfxy.dll.bak
NY -> comresu.1 -> %System32%\comresu.1
NY -> comresu.dll -> %System32%\comresu.dll
NY -> d3dimr.dll -> %System32%\d3dimr.dll
NY -> d3dimr.dll.bak -> %System32%\d3dimr.dll.bak
NY -> dpvac.dll -> %System32%\dpvac.dll
NY -> lymtafmu.dll -> %System32%\lymtafmu.dll
NY -> lymtafmu.dll.bak -> %System32%\lymtafmu.dll.bak
NY -> moveex.exe -> %System32%\moveex.exe
NY -> pavas.ico -> %System32%\pavas.ico
NY -> pyuznkpk.dll -> %System32%\pyuznkpk.dll
NY -> pyuznkpk.dll.bak -> %System32%\pyuznkpk.dll.bak
NY -> umtacudx.dll -> %System32%\umtacudx.dll
NY -> umtacudx.dll.bak -> %System32%\umtacudx.dll.bak
NY -> vfind.exe -> %System32%\vfind.exe
NY -> wsumxgvj.dll -> %System32%\wsumxgvj.dll
NY -> wsumxgvj.dll.bak -> %System32%\wsumxgvj.dll.bak
NY -> evgmqxuy.sys -> %System32%\drivers\evgmqxuy.sys
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```
To run it in safe mode you need to save it to a txt file. Open Notepad, copy (Ctrl+C) and paste (Ctrl+V) into Notepad. Save as RunFix.txt and save to your Desktop. Then you can follow the rest of my instructions. If you have trouble copying and pasting, I attached it too.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. *Post that information back here along with a new WinPFind3u scan and a Hijackthis log, separately* (the Hijackthis can be pasted on the reply).

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
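A small triage script for scan lines in this layout, added here as an example (it is neither OldTimer's WinPFind3U nor anything posted in the thread). It flags the kinds of entries the fix above targets: an early-start driver with no vendor and a random name that does not match its file name, a BHO with no name value, and .dll/.dll.bak twins among recently created files. The regex layouts, the scoring rules and the 30-day window are assumptions modelled on the lines quoted in this thread.

```python
"""Triage WinPFind3U-style scan lines for the warning signs the fix above keys on.

Added example: this is neither OldTimer's WinPFind3U nor anything the helper posted.
Line layouts are modelled on the scan quoted in this thread; the scoring rules and the
sample lines below are this example's own assumptions.
"""
import re
from datetime import datetime, timedelta

# Trailing metadata block shared by process/service/driver/registry lines.
META_RE = re.compile(
    r"\[Ver = (?P<ver>[^|]*?)\s*\| Size = (?P<size>\d+) bytes"
    r" \| Modified Date = (?P<mdate>[^|]+?) \| Attr = (?P<attr>[^\]]*)\]$"
)
# "(svc) Display [Kernel | Boot | Running] -> path -> vendor [Ver = ...]"
DRIVER_RE = re.compile(
    r"^\((?P<name>[^)]+)\) (?P<display>.+?) \[(?P<kind>[^|]+) \| (?P<start>[^|]+) \| "
    r"(?P<state>[^\]]+)\] -> (?P<path>.+?) -> (?P<vendor>.*?) ?\[Ver"
)
# "{CLSID} [HKLM] -> path [Reg Data - Value does not exist]"
BHO_RE = re.compile(
    r"^\{(?P<clsid>[0-9A-Fa-f-]{36})\} \[(?P<hive>[A-Z]+)\] -> (?P<path>.+?)"
    r" \[Reg Data - Value does not exist\]$"
)
# "name -> path" entries under [Files/Folders - Created Within 30 days]
CREATED_RE = re.compile(r"^(?P<name>.+?) -> (?P<path>.+)$")
# Eight lowercase letters, no digits: the shape of the generated names in the fix (assumption)
RANDOM_STEM = re.compile(r"[a-z]{8}")


def clean(line):
    """Strip whitespace and a leading 'YY -> ' / 'NY -> ' fix-file marker, if present."""
    return re.sub(r"^[YN]{2} -> ", "", line.strip())


def parse_date(text):
    return datetime.strptime(text.strip(), "%m/%d/%Y %I:%M:%S %p")


def file_stem(path):
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    return base.split(".", 1)[0].lower()


def triage_driver(line, scan_time, recent=timedelta(days=30)):
    """Reasons a driver/service line deserves a second look; [] when nothing stands out."""
    line = clean(line)
    head, meta = DRIVER_RE.match(line), META_RE.search(line)
    if not head or not meta:
        return []  # "File not found" stubs carry no metadata and are not scored here
    reasons = []
    if not head["vendor"].strip() and not meta["ver"].strip():
        reasons.append("no vendor and no version resource")
    if head["start"].strip() in ("Boot", "System") and scan_time - parse_date(meta["mdate"]) <= recent:
        reasons.append("early-start driver modified within %d days of the scan" % recent.days)
    name, stem = head["name"].lower(), file_stem(head["path"])
    if RANDOM_STEM.fullmatch(name) and RANDOM_STEM.fullmatch(stem) and name != stem:
        reasons.append("random-looking service name does not match random-looking file name")
    return reasons


def triage_bho(line):
    """Reasons a Browser Helper Object line deserves a second look."""
    m = BHO_RE.match(clean(line))
    if not m:
        return []
    reasons = ["BHO registered with no name value"]
    if RANDOM_STEM.fullmatch(file_stem(m["path"])):
        reasons.append("random-looking DLL name")
    return reasons


def backup_twins(lines):
    """DLLs in the created-files section that also appear as <name>.bak (a copy left beside the original)."""
    names = {m["name"] for m in map(CREATED_RE.match, map(clean, lines)) if m}
    return sorted(n for n in names if n.lower().endswith(".dll") and n + ".bak" in names)


# Scan time and sample lines taken from the scan and fix quoted in this thread.
SCAN_TIME = datetime(2007, 9, 7, 22, 47, 39)
SUSPECT_DRIVER = r"(lffycjtc) lffycjtc [Kernel | Boot | Running] -> %System32%\drivers\evgmqxuy.sys -> [Ver = | Size = 17280 bytes | Modified Date = 9/4/2007 9:26:58 AM | Attr = ]"
KNOWN_DRIVER = r"(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %System32%\drivers\pxhelp20.sys -> Sonic Solutions [Ver = 2.02.62a | Size = 20016 bytes | Modified Date = 5/19/2004 1:33:44 PM | Attr = ]"
SUSPECT_BHO = r"YY -> {212CC212-DC60-43F8-B877-114B71949415} [HKLM] -> %System32%\umtacudx.dll [Reg Data - Value does not exist]"
CREATED = [r"NY -> bedazsad.dll -> %System32%\bedazsad.dll", r"NY -> bedazsad.dll.bak -> %System32%\bedazsad.dll.bak",
           r"NY -> comresu.dll -> %System32%\comresu.dll", r"NY -> vfind.exe -> %System32%\vfind.exe"]

if __name__ == "__main__":
    for label, line in (("suspect", SUSPECT_DRIVER), ("known", KNOWN_DRIVER)):
        print(label, triage_driver(line, SCAN_TIME))
    print("bho", triage_bho(SUSPECT_BHO))
    print("twins", backup_twins(CREATED))
```

The rules are heuristics, not verdicts: a legitimate driver with no version resource (secdrv.sys in the scan below is one) will also earn a line, so treat a hit as a prompt to look the file up, not as proof.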


----------



## sjpritch25 (Sep 8, 2005)

You will be asked to reboot, so please allow it. In your next reply, please post the results and a fresh Hijackthis log.


----------



## Vivsky (Sep 5, 2007)

Should I run HijackThis while still in safe mode, or should I do a reboot before running it (after performing the WinPFind3U)?


----------



## sjpritch25 (Sep 8, 2005)

Hijackthis in normal mode. Thanks.


----------



## Vivsky (Sep 5, 2007)

I've rebooted three times now, and F8 does not get me into safe mode. I have done this many times on my work laptop, and a few times here on my home PC, but it's not working right now. There is no sound when my computer is booting, either, so I hit F8 from the beginning, until my login screen appeared. Nothing. Is there a different way to get in Safe Mode? I checked Task Manager, and it's not an option in there. I'm lost now.


----------



## sjpritch25 (Sep 8, 2005)

What comes up before the Windows logo? Do you get a display of your type of computer (for instance, Dell, Compaq)? When you see that, that is when you need to press F8 a couple times. Let me know if you still can't get into Safe Mode. Then run the fix in normal mode. Please disable all active protection (Anti-Virus and Anti-Spyware programs) before running it.


----------



## Vivsky (Sep 5, 2007)

I have a Gateway, so that is the first visual I see on reboot. I have pressed the F8 key repeatedly to no avail. After the Gateway screen disappears, the screen goes black for a bit, then I get my Windows login screen (2 users set up). I will try it again, but if it won't go, I'll run the fix in normal mode as you said, with Norton turned off.

Thanks!


----------



## sjpritch25 (Sep 8, 2005)

Okay, I will be here for awhile.


----------



## Vivsky (Sep 5, 2007)

Notepad did not open after the fix in safe mode.

After reboot, I re-ran and here are the results:

WinPFind3 logfile created on: 9/7/2007 10:47:39 PM
WinPFind3U by OldTimer - Version 1.0.42	Folder = C:\Documents and Settings\Vivsky\Desktop\WinPFind3u\
Microsoft Windows XP (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2600.0000)

511.30 Mb Total Physical Memory | 198.63 Mb Available Physical Memory | 38.85% Memory free
1.22 Gb Paging File | 0.95 Gb Available in Paging File | 77.75% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 45.19 Gb Free Space | 60.63% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 93.34 Gb Total Space | 89.34 Gb Free Space | 95.71% Space Free

Computer Name: MAIN
Current User Name: Vivian Brososky
Logged in as Administrator.
Current Boot Mode: Normal

[Processes - Non-Microsoft Only]
acctmgr.exe -> %ProgramFiles%\Norton Password Manager\AcctMgr.exe -> Symantec Corporation [Ver = 2004.1.406 | Size = 586896 bytes | Modified Date = 8/18/2004 12:41:34 PM | Attr = ]
aluschedulersvc.exe -> %ProgramFiles%\Symantec\LiveUpdate\ALUSchedulerSvc.exe -> Symantec Corporation [Ver = 3.2.0.43 | Size = 554616 bytes | Modified Date = 1/31/2007 4:11:42 PM | Attr = ]
appsvc32.exe -> %CommonProgramFiles%\Symantec Shared\AppCore\AppSvc32.exe -> Symantec Corporation [Ver = 1.1.1.3 | Size = 47712 bytes | Modified Date = 1/5/2007 8:37:56 PM | Attr = ]
ccsvchst.exe -> %CommonProgramFiles%\Symantec Shared\ccSvcHst.exe -> Symantec Corporation [Ver = 106.2.0.21 | Size = 108648 bytes | Modified Date = 1/10/2007 12:59:32 AM | Attr = ]
ctsvccda.exe -> %System32%\CTsvcCDA.exe -> Creative Technology Ltd [Ver = 1.0.1.0 | Size = 44032 bytes | Modified Date = 12/13/1999 3:01:00 AM | Attr = ]
devldr32.exe -> %System32%\devldr32.exe -> Creative Technology Ltd. [Ver = 1, 0, 0, 22 | Size = 25600 bytes | Modified Date = 8/31/2001 2:44:30 PM | Attr = ]
directcd.exe -> %ProgramFiles%\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe -> Roxio [Ver = 5.3.5.10 | Size = 684032 bytes | Modified Date = 10/2/2003 8:00:50 PM | Attr = ]
drgtodsc.exe -> %ProgramFiles%\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe -> Roxio [Ver = 6.1.1.17 | Size = 868352 bytes | Modified Date = 7/17/2003 1:19:54 AM | Attr = ]
gwmdmmsg.exe -> %SystemRoot%\GWMDMMSG.exe -> GTW [Ver = 3.3.13.1 08/07/2001 18:57:35 | Size = 100913 bytes | Modified Date = 8/15/2001 10:25:02 PM | Attr = ]
hpcmpmgr.exe -> %ProgramFiles%\HP\hpcoretech\hpcmpmgr.exe -> Hewlett-Packard Company [Ver = 2.1.1.0 | Size = 241664 bytes | Modified Date = 5/12/2004 3:18:56 PM | Attr = ]
hpi_monitor.exe -> %ProgramFiles%\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe -> Hewlett-Packard Company [Ver = 2.4.0.2 | Size = 32768 bytes | Modified Date = 8/14/2000 5:48:06 PM | Attr = ]
hpqgalry.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqgalry.exe -> Hewlett-Packard Co. [Ver = 043.001.005.000 | Size = 520192 bytes | Modified Date = 5/28/2004 11:08:52 PM | Attr = ]
hpqtra08.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> Hewlett-Packard Co. [Ver = 43.1.5.000 | Size = 241664 bytes | Modified Date = 5/28/2004 10:31:38 PM | Attr = ]
hpwuschd2.exe -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Co. [Ver = 50.0.146.000 | Size = 49152 bytes | Modified Date = 2/16/2005 11:11:42 PM | Attr = ]
hpzipm12.exe -> %System32%\HPZipm12.exe -> HP [Ver = 8, 0, 0, 0 | Size = 65536 bytes | Modified Date = 3/18/2004 4:55:48 PM | Attr = ]
hpztsb10.exe -> %System32%\spool\drivers\w32x86\3\hpztsb10.exe -> HP [Ver = 2.323.0.0 | Size = 172032 bytes | Modified Date = 3/23/2004 4:05:42 AM | Attr = ]
kodakccs.exe -> %System32%\drivers\KodakCCS.exe -> Eastman Kodak Company [Ver = 1.1.5100.4 | Size = 322104 bytes | Modified Date = 5/24/2004 1:35:52 PM | Attr = ]
mmtask.exe -> %ProgramFiles%\MusicMatch\MusicMatch Jukebox\mmtask.exe -> TODO: <Company name> [Ver = 1.0.0.1 | Size = 53248 bytes | Modified Date = 3/30/2004 11:12:56 PM | Attr = ]
mssysmgr.exe -> %ProgramFiles%\Comcast\Comcast PhotoShow 4\data\Xtras\mssysmgr.exe -> Simple Star, Inc. [Ver = 4.0.0.0 | Size = 192512 bytes | Modified Date = 5/9/2005 7:16:16 PM | Attr = ]
nvsvc32.exe -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 5.13.01.1520 | Size = 57344 bytes | Modified Date = 8/31/2001 1:56:00 AM | Attr = ]
pezdownload.exe -> %ProgramFiles%\Kodak\Picture Easy Software\Program\PezDownload.exe -> Eastman Kodak Company [Ver = 1, 0, 1, 0 | Size = 39424 bytes | Modified Date = 9/9/1998 4:26:28 PM | Attr = ]
playlist.exe -> %ProgramFiles%\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe -> Roxio, Inc. [Ver = 1.1.277 | Size = 118784 bytes | Modified Date = 7/15/2003 1:36:50 PM | Attr = ]
rxmon.exe -> %ProgramFiles%\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe -> Roxio, Inc. [Ver = 1.1.277 | Size = 319488 bytes | Modified Date = 7/15/2003 1:36:50 PM | Attr = ]
symlcsvc.exe -> %CommonProgramFiles%\Symantec Shared\CCPD-LC\symlcsvc.exe -> [Ver = | Size = 1247600 bytes | Modified Date = 9/6/2007 9:21:18 PM | Attr = ]
viewmgr.exe -> %ProgramFiles%\Viewpoint\Viewpoint Manager\ViewMgr.exe -> Viewpoint Corporation [Ver = 2, 0, 0, 54 | Size = 112336 bytes | Modified Date = 1/4/2007 5:38:20 PM | Attr = ]
viewpointservice.exe -> %ProgramFiles%\Viewpoint\Common\ViewpointService.exe -> Viewpoint Corporation [Ver = 2, 0, 0, 54 | Size = 24652 bytes | Modified Date = 1/4/2007 5:38:10 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 9/4/2007 10:47:26 AM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Automatic LiveUpdate Scheduler) Automatic LiveUpdate Scheduler [Win32_Own | Auto | Running] -> %ProgramFiles%\Symantec\LiveUpdate\ALUSchedulerSvc.exe -> Symantec Corporation [Ver = 3.2.0.43 | Size = 554616 bytes | Modified Date = 1/31/2007 4:11:42 PM | Attr = ]
(ccEvtMgr) Symantec Event Manager [Win32_Shared | Disabled | Stopped] -> -> File not found
(ccSetMgr) Symantec Settings Manager [Win32_Shared | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\ccSvcHst.exe -> Symantec Corporation [Ver = 106.2.0.21 | Size = 108648 bytes | Modified Date = 1/10/2007 12:59:32 AM | Attr = ]
(CLTNetCnService) Symantec Lic NetConnect service [Win32_Shared | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\ccSvcHst.exe -> Symantec Corporation [Ver = 106.2.0.21 | Size = 108648 bytes | Modified Date = 1/10/2007 12:59:32 AM | Attr = ]
(comHost) COM Host [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\VAScanner\comHost.exe -> Symantec Corporation [Ver = 1.2.0.28 | Size = 49248 bytes | Modified Date = 1/12/2007 10:40:58 PM | Attr = ]
(Creative Service for CDROM Access) Creative Service for CDROM Access [Win32_Own | Auto | Running] -> %System32%\CTsvcCDA.exe -> Creative Technology Ltd [Ver = 1.0.1.0 | Size = 44032 bytes | Modified Date = 12/13/1999 3:01:00 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.0.503.0 | Size = 204800 bytes | Modified Date = 8/18/2001 2:00:00 PM | Attr = ]
(ISPwdSvc) Symantec IS Password Validation [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Norton Internet Security\isPwdSvc.exe -> Symantec Corporation [Ver = 10.3.0.3 | Size = 80504 bytes | Modified Date = 2/7/2007 6:39:06 PM | Attr = ]
(KodakCCS) Kodak Camera Connection Software [Win32_Own | Auto | Running] -> %System32%\drivers\KodakCCS.exe -> Eastman Kodak Company [Ver = 1.1.5100.4 | Size = 322104 bytes | Modified Date = 5/24/2004 1:35:52 PM | Attr = ]
(LiveUpdate) LiveUpdate [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Symantec\LiveUpdate\LuComServer_3_2.EXE -> Symantec Corporation [Ver = 3.2.0.43 | Size = 2975352 bytes | Modified Date = 1/31/2007 4:11:42 PM | Attr = ]
(NVSvc) NVIDIA Driver Helper Service [Win32_Own | Auto | Running] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 5.13.01.1520 | Size = 57344 bytes | Modified Date = 8/31/2001 1:56:00 AM | Attr = ]
(PictureTaker) PictureTaker [Win32_Own | On_Demand | Stopped] -> %SystemDrive%\fixit\pt\PCTKRNT.SYS -> File not found
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | On_Demand | Running] -> %System32%\HPZipm12.exe -> HP [Ver = 8, 0, 0, 0 | Size = 65536 bytes | Modified Date = 3/18/2004 4:55:48 PM | Attr = ]
(Symantec Core LC) Symantec Core LC [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\CCPD-LC\symlcsvc.exe -> [Ver = | Size = 1247600 bytes | Modified Date = 9/6/2007 9:21:18 PM | Attr = ]
(SymAppCore) Symantec AppCore Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\AppCore\AppSvc32.exe -> Symantec Corporation [Ver = 1.1.1.3 | Size = 47712 bytes | Modified Date = 1/5/2007 8:37:56 PM | Attr = ]
(Viewpoint Manager Service) Viewpoint Manager Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Viewpoint\Common\ViewpointService.exe -> Viewpoint Corporation [Ver = 2, 0, 0, 54 | Size = 24652 bytes | Modified Date = 1/4/2007 5:38:10 PM | Attr = ]

[Driver Services - Non-Microsoft Only]
(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] -> -> File not found
(abp480n5) abp480n5 [Kernel | Disabled | Stopped] -> -> File not found
(ac97intc) Intel(r) 82801 Audio Driver Install Service (WDM) [Kernel | On_Demand | Stopped] -> %System32%\drivers\ac97intc.sys -> Intel Corporation [Ver = 5.10.3523 built by: WinDDK | Size = 96256 bytes | Modified Date = 8/17/2001 2:20:04 PM | Attr = ]
(AFS2K) AFS2K [Kernel | System | Running] -> %System32%\drivers\AFS2K.SYS -> Oak Technology Inc. [Ver = 3.1.20.1064 | Size = 43672 bytes | Modified Date = 7/3/2004 8:54:34 AM | Attr = ]
(Aha154x) Aha154x [Kernel | Disabled | Stopped] -> -> File not found
(aic78xx) aic78xx [Kernel | Disabled | Stopped] -> -> File not found
(AliIde) AliIde [Kernel | Disabled | Stopped] -> -> File not found
(amsint) amsint [Kernel | Disabled | Stopped] -> -> File not found
(AN983) ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter [Kernel | On_Demand | Running] -> %System32%\drivers\an983.sys -> ADMtek Incorporated. [Ver = 2.12.0507.2001 built by: WinDDK | Size = 34112 bytes | Modified Date = 8/17/2001 2:11:16 PM | Attr = ]
(asc) asc [Kernel | Disabled | Stopped] -> -> File not found
(asc3350p) asc3350p [Kernel | Disabled | Stopped] -> -> File not found
(asc3550) asc3550 [Kernel | Disabled | Stopped] -> -> File not found
(Atdisk) Atdisk [Kernel | Disabled | Stopped] -> -> File not found
(ati2mpaa) ati2mpaa [Kernel | On_Demand | Stopped] -> %System32%\drivers\ati2mpaa.sys -> ATI Technologies Inc. [Ver = 5.10.108 (ReleasedBinaries.010715-1631) | Size = 281856 bytes | Modified Date = 8/17/2001 2:48:52 PM | Attr = ]
(ATMhelpr) ATMhelpr [Kernel | System | Running] -> %System32%\drivers\ATMHELPR.SYS -> Adobe Systems Incorporated [Ver = 4.0 Build 85 | Size = 4064 bytes | Modified Date = 6/17/1997 4:00:00 AM | Attr = ]
(BCMModem) BCM V.90 56K Modem [Kernel | On_Demand | Stopped] -> %System32%\drivers\BCMDM.sys -> BCM [Ver = 3.2.12.9 07/17/2001 14:21:30 | Size = 871388 bytes | Modified Date = 8/17/2001 3:28:00 PM | Attr = ]
(catchme) catchme [Kernel | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\VIVIAN~1\LOCALS~1\Temp\catchme.sys -> File not found
(cd20xrnt) cd20xrnt [Kernel | Disabled | Stopped] -> -> File not found
(Cdr4_xp) Cdr4_xp [Kernel | System | Running] -> %System32%\drivers\cdr4_xp.sys -> Roxio [Ver = 6.1.1.17 | Size = 66992 bytes | Modified Date = 7/17/2003 1:19:56 AM | Attr = ]
(Cdralw2k) Cdralw2k [Kernel | System | Running] -> %System32%\drivers\cdralw2k.sys -> Roxio [Ver = 6.1.1.17 | Size = 24698 bytes | Modified Date = 7/17/2003 1:19:56 AM | Attr = ]
(cdudf_xp) cdudf_xp [File_System | System | Running] -> %System32%\drivers\Cdudf_xp.sys -> Roxio [Ver = 6.1.1.17 built by: WinDDK | Size = 259328 bytes | Modified Date = 7/17/2003 1:19:56 AM | Attr = ]
(Changer) Changer [Kernel | System | Stopped] -> -> File not found
(CmdIde) CmdIde [Kernel | Disabled | Stopped] -> -> File not found
(Cpqarray) Cpqarray [Kernel | Disabled | Stopped] -> -> File not found
(ctljystk) Creative SBLive! Gameport [Kernel | On_Demand | Running] -> %System32%\drivers\ctljystk.sys -> Creative Technology Ltd. [Ver = 5.1.2501.0 built by: WinDDK | Size = 3712 bytes | Modified Date = 8/17/2001 2:19:20 PM | Attr = ]
(dac960nt) dac960nt [Kernel | Disabled | Stopped] -> -> File not found
(DCamUSBConexant) Ezonics Ezcam II [Kernel | On_Demand | Stopped] -> %System32%\drivers\usbcone.sys -> Conexant Systems, Inc. [Ver = 2, 1, 21, 0 | Size = 82560 bytes | Modified Date = 7/14/2000 2:32:10 PM | Attr = ]
(DCamUSBSQTECH) Dual-Mode DSC(2770) [Kernel | On_Demand | Stopped] -> %System32%\drivers\SQCaptur.sys -> Service & Quality Technology. [Ver = 1.89.108.2 | Size = 30921 bytes | Modified Date = 1/10/2003 11:56:34 AM | Attr = ]
(DCCAM) Kodak Camera Proxy [Kernel | System | Running] -> %System32%\drivers\DcCam.sys -> Eastman Kodak Company [Ver = 1.5.0502.0 | Size = 36918 bytes | Modified Date = 5/20/2004 9:21:10 AM | Attr = ]
(DcFpoint) DcFpoint [Kernel | On_Demand | Stopped] -> %System32%\drivers\DcFpoint.sys -> Eastman Kodak Company [Ver = 1.5.0502.0 | Size = 61564 bytes | Modified Date = 5/20/2004 9:41:54 AM | Attr = ]
(DCFS2K) Kodak DCFS2K Driver [Kernel | Auto | Running] -> %System32%\drivers\DCFS2k.sys -> Eastman Kodak Company [Ver = 1.0.4100.7 | Size = 38705 bytes | Modified Date = 6/2/2004 2:19:00 PM | Attr = ]
(DcLps) Legacy Polling Service [Kernel | On_Demand | Stopped] -> %System32%\drivers\DcLps.sys -> Eastman Kodak Company [Ver = 1.5.0502.0 | Size = 8022 bytes | Modified Date = 5/20/2004 9:39:42 AM | Attr = ]
(DcPTP) DcPTP [Kernel | On_Demand | Stopped] -> %System32%\drivers\DcPtp.sys -> Eastman Kodak Company [Ver = 1.5.0502.0 | Size = 68950 bytes | Modified Date = 5/20/2004 9:45:20 AM | Attr = ]
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %System32%\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.0.503.0 | Size = 780928 bytes | Modified Date = 8/18/2001 2:00:00 PM | Attr = ]
(dmio) dmio [Kernel | Disabled | Stopped] -> %System32%\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.0.503.0 | Size = 146304 bytes | Modified Date = 8/18/2001 2:00:00 PM | Attr = ]
(dmload) dmload [Kernel | Disabled | Stopped] -> %System32%\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 8/18/2001 2:00:00 PM | Attr = ]
(dpti2o) dpti2o [Kernel | Disabled | Stopped] -> -> File not found
(DVDVRRdr_xp) DVDVRRdr_xp [File_System | System | Running] -> %System32%\drivers\DVDVRRdr_xp.sys -> Roxio [Ver = 6.1.1.17 built by: WinDDK | Size = 146560 bytes | Modified Date = 7/17/2003 1:19:56 AM | Attr = ]
(dvd_2K) dvd_2K [Kernel | On_Demand | Stopped] -> %System32%\drivers\Dvd_2k.sys -> Roxio [Ver = 6.1.1.17 | Size = 21993 bytes | Modified Date = 7/17/2003 1:19:56 AM | Attr = ]
(eeCtrl) Symantec Eraser Control driver [Kernel | System | Running] -> %CommonProgramFiles%\Symantec Shared\EENGINE\eeCtrl.sys -> Symantec Corporation [Ver = 107.3.3.4 | Size = 395312 bytes | Modified Date = 8/30/2007 4:00:00 AM | Attr = ]
(EL90XBC) 3Com EtherLink XL 90XB/C Adapter Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\el90xbc5.sys -> 3Com Corporation [Ver = 4.05.00.0000 | Size = 66591 bytes | Modified Date = 8/17/2001 2:11:06 PM | Attr = ]
(emu10k) Creative SB Live! Value (WDM) [Kernel | On_Demand | Running] -> %System32%\drivers\emu10k1f.sys -> Creative Technology Ltd. [Ver = 5.12.01.3511 | Size = 777088 bytes | Modified Date = 9/13/2001 7:09:48 PM | Attr = ]
(emu10k1) Creative Interface Manager Driver (WDM) [Kernel | On_Demand | Running] -> %System32%\drivers\ctlface.sys -> Creative Technology Ltd. [Ver = 5.12.01.2110 | Size = 6912 bytes | Modified Date = 7/11/2001 12:34:52 PM | Attr = ]
(EraserUtilRebootDrv) EraserUtilRebootDrv [Kernel | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -> Symantec Corporation [Ver = 107.3.3.4 | Size = 112688 bytes | Modified Date = 8/30/2007 4:00:00 AM | Attr = ]
(Exportit) Exportit [Kernel | System | Stopped] -> %System32%\drivers\ExportIt.sys -> Eastman Kodak Company [Ver = 1.0.8900.7 | Size = 151985 bytes | Modified Date = 6/2/2004 2:17:56 PM | Attr = ]
(GTWModem) GTW V.92 Modem [Kernel | On_Demand | Running] -> %System32%\drivers\GWMDM.sys -> GTW [Ver = 3.3.13.1 08/03/2001 21:03:12 | Size = 1141888 bytes | Modified Date = 8/15/2001 10:25:06 PM | Attr = ]
(hpn) hpn [Kernel | Disabled | Stopped] -> -> File not found
(hpt3xx) hpt3xx [Kernel | Disabled | Stopped] -> -> File not found
(HPZid412) IEEE-1284.4 Driver HPZid412 [Kernel | On_Demand | Running] -> %System32%\drivers\HPZid412.sys -> HP [Ver = 8, 0, 0, 0 | Size = 51088 bytes | Modified Date = 3/21/2004 9:35:48 AM | Attr = ]
(HPZipr12) Print Class Driver for IEEE-1284.4 HPZipr12 [Kernel | On_Demand | Running] -> %System32%\drivers\HPZipr12.sys -> HP [Ver = 8, 0, 0, 0 | Size = 16496 bytes | Modified Date = 3/21/2004 9:35:52 AM | Attr = ]
(HPZius12) USB to IEEE-1284.4 Translation Driver HPZius12 [Kernel | On_Demand | Running] -> %System32%\drivers\HPZius12.sys -> HP [Ver = 8, 0, 0, 0 | Size = 21744 bytes | Modified Date = 3/21/2004 9:35:58 AM | Attr = ]
(i2omgmt) i2omgmt [Kernel | System | Stopped] -> -> File not found
(i2omp) i2omp [Kernel | Disabled | Stopped] -> -> File not found
(ini910u) ini910u [Kernel | Disabled | Stopped] -> -> File not found
(iscFlash) iscFlash [Kernel | On_Demand | Stopped] -> %System32%\DRIVERS\iscflash.sys -> File not found
(lbrtfdc) lbrtfdc [Kernel | System | Stopped] -> -> File not found
(lffycjtc) lffycjtc [Kernel | Boot | Running] -> %System32%\drivers\evgmqxuy.sys -> [Ver = | Size = 17280 bytes | Modified Date = 9/4/2007 9:26:58 AM | Attr = ]
(LMouKE) Logitech SetPoint Mouse Filter Driver [Kernel | On_Demand | Stopped] -> System32\DRIVERS\LMouKE.Sys -> File not found
(MCSTRM) MCSTRM [Kernel | Auto | Running] -> %System32%\drivers\mcstrm.sys -> RealNetworks, Inc. [Ver = 5.0.2195.8 | Size = 8413 bytes | Modified Date = 5/15/2005 9:13:46 AM | Attr = ]
(mmc_2K) mmc_2K [Kernel | On_Demand | Running] -> %System32%\drivers\Mmc_2k.sys -> Roxio [Ver = 6.1.1.17 | Size = 22745 bytes | Modified Date = 7/17/2003 1:19:56 AM | Attr = ]
(mraid35x) mraid35x [Kernel | Disabled | Stopped] -> -> File not found
(mrtRate) mrtRate [Kernel | Auto | Running] -> %System32%\drivers\MrtRate.sys -> Marimba, Inc. [Ver = 2.01 | Size = 34916 bytes | Modified Date = 8/10/1999 2:51:58 PM | Attr = ]
(MxlW2k) MxlW2k [Kernel | On_Demand | Running] -> %System32%\drivers\MxlW2k.sys -> MusicMatch, Inc. [Ver = 1.1.0.121 | Size = 28352 bytes | Modified Date = 12/25/2004 4:31:48 PM | Attr = ]
(NAVENG) NAVENG [Kernel | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\VirusDefs\20070903.017\NAVENG.SYS -> Symantec Corporation [Ver = 20071.3.0.24 | Size = 81232 bytes | Modified Date = 7/17/2007 4:00:00 AM | Attr = ]
(NAVEX15) NAVEX15 [Kernel | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\VirusDefs\20070903.017\NAVEX15.SYS -> Symantec Corporation [Ver = 20071.3.0.24 | Size = 865904 bytes | Modified Date = 7/17/2007 4:00:00 AM | Attr = ]
(nv4) nv4 [Kernel | On_Demand | Running] -> %System32%\drivers\nv4_mini.sys -> NVIDIA Corporation [Ver = 5.13.01.1520 | Size = 829305 bytes | Modified Date = 8/31/2001 1:56:00 AM | Attr = ]
(PalmUSBD) PalmUSBD [Kernel | On_Demand | Stopped] -> system32\drivers\PalmUSBD.sys -> File not found
(PCDRDRV) Pcdr Helper Driver [Kernel | On_Demand | Stopped] -> %SystemDrive%\Atf\Qctest\PCDoc\PCDRDRV.sys -> File not found
(PcdrNt) PcdrNt [Kernel | On_Demand | Stopped] -> %System32%\drivers\PCDrNT.sys -> PC-Doctor Inc. [Ver = 4.0.7 | Size = 44192 bytes | Modified Date = 11/19/2001 1:44:54 PM | Attr = ]
(PCIDump) PCIDump [Kernel | System | Stopped] -> -> File not found
(PDCOMP) PDCOMP [Kernel | On_Demand | Stopped] -> -> File not found
(PDFRAME) PDFRAME [Kernel | On_Demand | Stopped] -> -> File not found
(PDRELI) PDRELI [Kernel | On_Demand | Stopped] -> -> File not found
(PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped] -> -> File not found
(perc2) perc2 [Kernel | Disabled | Stopped] -> -> File not found
(perc2hib) perc2hib [Kernel | Disabled | Stopped] -> -> File not found
(PfModNT) PfModNT [Kernel | Auto | Running] -> %System32%\PfModNT.sys -> Creative Technology Ltd. [Ver = 2.0.0.0 | Size = 6752 bytes | Modified Date = 12/17/1999 3:00:00 AM | Attr = ]
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %System32%\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 8/18/2001 2:00:00 PM | Attr = ]
(pwd_2k) pwd_2k [Kernel | System | Running] -> %System32%\drivers\pwd_2K.sys -> Roxio [Ver = 6.1.1.17 | Size = 118409 bytes | Modified Date = 7/17/2003 1:19:56 AM | Attr = ]
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %System32%\drivers\pxhelp20.sys -> Sonic Solutions [Ver = 2.02.62a | Size = 20016 bytes | Modified Date = 5/19/2004 1:33:44 PM | Attr = ]
(ql1080) ql1080 [Kernel | Disabled | Stopped] -> -> File not found
(Ql10wnt) Ql10wnt [Kernel | Disabled | Stopped] -> -> File not found
(ql12160) ql12160 [Kernel | Disabled | Stopped] -> -> File not found
(ql1240) ql1240 [Kernel | Disabled | Stopped] -> -> File not found
(ql1280) ql1280 [Kernel | Disabled | Stopped] -> -> File not found
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %System32%\drivers\secdrv.sys -> [Ver = | Size = 27440 bytes | Modified Date = 8/18/2001 2:00:00 PM | Attr = ]
(sfman) Creative SoundFont Manager Driver (WDM) [Kernel | On_Demand | Running] -> %System32%\drivers\sfman.sys -> Creative Technology Ltd. [Ver = 4.10.3302 | Size = 36992 bytes | Modified Date = 8/31/2001 2:37:58 PM | Attr = ]
(Simbad) Simbad [Kernel | Disabled | Stopped] -> -> File not found
(Sk99202k) PS/2 Keyboard Filter Driver for Win2000 [Kernel | On_Demand | Stopped] -> %System32%\drivers\sk99202k.sys -> Silitek Corp. [Ver = 1.0.1.0 | Size = 7552 bytes | Modified Date = 9/11/2000 8:32:28 PM | Attr = ]
(Sk9920nt) PS/2 Keyboard Filter Driver for NT 4.0 [Kernel | System | Running] -> %System32%\drivers\Sk9920nt.sys -> Silitek Corp. [Ver = 1.0.1.0 | Size = 6208 bytes | Modified Date = 9/12/2000 2:39:10 AM | Attr = ]
(Sparrow) Sparrow [Kernel | Disabled | Stopped] -> -> File not found
(SPBBCDrv) SPBBCDrv [Kernel | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\SPBBC\SPBBCDrv.sys -> Symantec Corporation [Ver = 3.2.0.15 | Size = 417592 bytes | Modified Date = 1/3/2007 11:05:02 AM | Attr = ]
(SRTSP) SRTSP [File_System | On_Demand | Stopped] -> %System32%\drivers\srtsp.sys -> Symantec Corporation [Ver = 10.1.4.1 | Size = 247608 bytes | Modified Date = 1/11/2007 9:22:14 PM | Attr = ]
(SRTSPL) SRTSPL [Kernel | On_Demand | Running] -> %System32%\drivers\srtspl.sys -> Symantec Corporation [Ver = 10.1.4.1 | Size = 276792 bytes | Modified Date = 1/11/2007 9:22:20 PM | Attr = ]
(SRTSPX) SRTSPX [Kernel | System | Running] -> %System32%\drivers\srtspx.sys -> Symantec Corporation [Ver = 10.1.4.1 | Size = 25400 bytes | Modified Date = 1/11/2007 9:22:18 PM | Attr = ]
(symc810) symc810 [Kernel | Disabled | Stopped] -> -> File not found
(symc8xx) symc8xx [Kernel | Disabled | Stopped] -> -> File not found
(SYMDNS) SYMDNS [Kernel | On_Demand | Running] -> %System32%\drivers\symdns.sys -> Symantec Corporation [Ver = 7.2.0.14 | Size = 12984 bytes | Modified Date = 1/9/2007 5:32:14 PM | Attr = ]
(SymEvent) SymEvent [Kernel | On_Demand | Running] -> %System32%\drivers\SYMEVENT.SYS -> Symantec Corporation [Ver = 12.3.0.14 | Size = 115000 bytes | Modified Date = 5/19/2007 10:41:44 PM | Attr = ]
(SYMFW) SYMFW [Kernel | On_Demand | Running] -> %System32%\drivers\symfw.sys -> Symantec Corporation [Ver = 7.2.0.14 | Size = 145976 bytes | Modified Date = 1/9/2007 5:32:14 PM | Attr = ]
(SYMIDS) SYMIDS [Kernel | On_Demand | Running] -> %System32%\drivers\symids.sys -> Symantec Corporation [Ver = 7.2.0.14 | Size = 40120 bytes | Modified Date = 1/9/2007 5:32:14 PM | Attr = ]
(SYMIDSCO) SYMIDSCO [Kernel | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\SymcData\idsdefs\20070906.002\SymIDSCo.sys -> Symantec Corporation [Ver = 8.0.1.4 | Size = 158064 bytes | Modified Date = 9/5/2007 4:27:06 PM | Attr = ]
(symlcbrd) symlcbrd [Kernel | Auto | Running] -> %System32%\drivers\symlcbrd.sys -> Symantec Corporation [Ver = 1, 8, 54, 478 | Size = 4608 bytes | Modified Date = 5/17/2005 9:24:46 PM | Attr = ]
(SYMNDIS) SYMNDIS [Kernel | On_Demand | Running] -> %System32%\drivers\symndis.sys -> Symantec Corporation [Ver = 7.2.0.14 | Size = 35256 bytes | Modified Date = 1/9/2007 5:32:14 PM | Attr = ]
(SYMREDRV) SYMREDRV [Kernel | On_Demand | Running] -> %System32%\drivers\symredrv.sys -> Symantec Corporation [Ver = 7.2.0.14 | Size = 27576 bytes | Modified Date = 1/9/2007 5:32:14 PM | Attr = ]
(SYMTDI) SYMTDI [Kernel | Disabled | Running] -> %System32%\drivers\symtdi.sys -> Symantec Corporation [Ver = 7.2.0.14 | Size = 191544 bytes | Modified Date = 1/9/2007 5:32:14 PM | Attr = ]
(sym_hi) sym_hi [Kernel | Disabled | Stopped] -> -> File not found
(sym_u3) sym_u3 [Kernel | Disabled | Stopped] -> -> File not found
(TosIde) TosIde [Kernel | Disabled | Stopped] -> -> File not found
(UdfReadr_xp) UdfReadr_xp [File_System | System | Running] -> %System32%\drivers\UdfReadr_xp.sys -> Roxio [Ver = 6.1.1.17 built by: WinDDK | Size = 213120 bytes | Modified Date = 7/17/2003 1:19:56 AM | Attr = ]
(ultra) ultra [Kernel | Boot | Running] -> %System32%\drivers\ultra.sys -> Promise Technology, Inc. [Ver = 1.43 (Build 0603) | Size = 36736 bytes | Modified Date = 8/17/2001 3:52:22 PM | Attr = ]
(UPATC) USBAT Controller Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\upatc.sys -> SCM Microsystems Inc. [Ver = 4.2.3.3 | Size = 87136 bytes | Modified Date = 5/30/2000 11:54:52 AM | Attr = ]
(USBNET_XP) Instant Wireless XP USB Network Adapter ver.2.6 Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\netusbxp.sys -> The LinkSys Group, Inc. [Ver = 1.02.02.0066 built by: WinDDK | Size = 72576 bytes | Modified Date = 2/20/2002 5:34:18 PM | Attr = ]
(wandrv) WAN Network Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\wandrv.sys -> America Online, Inc. [Ver = 6.0.0.8 | Size = 22608 bytes | Modified Date = 8/9/2001 6:25:22 PM | Attr = ]
(WDICA) WDICA [Kernel | On_Demand | Stopped] -> -> File not found

continued...


----------



## Vivsky (Sep 5, 2007)

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
AcctMgr -> %ProgramFiles%\Norton Password Manager\AcctMgr.exe -> Symantec Corporation [Ver = 2004.1.406 | Size = 586896 bytes | Modified Date = 8/18/2004 12:41:34 PM | Attr = ]
AdaptecDirectCD -> %ProgramFiles%\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe -> Roxio [Ver = 5.3.5.10 | Size = 684032 bytes | Modified Date = 10/2/2003 8:00:50 PM | Attr = ]
ccApp -> -> File not found
CXMon -> %ProgramFiles%\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe -> Hewlett-Packard Company [Ver = 2.4.0.2 | Size = 32768 bytes | Modified Date = 8/14/2000 5:48:06 PM | Attr = ]
GWMDMMSG -> %SystemRoot%\GWMDMMSG.exe -> GTW [Ver = 3.3.13.1 08/07/2001 18:57:35 | Size = 100913 bytes | Modified Date = 8/15/2001 10:25:02 PM | Attr = ]
GWMDMpi -> %SystemRoot%\GWMDMpi.exe -> [Ver = | Size = 40960 bytes | Modified Date = 8/15/2001 10:25:04 PM | Attr = ]
HP Component Manager -> %ProgramFiles%\HP\hpcoretech\hpcmpmgr.exe -> Hewlett-Packard Company [Ver = 2.1.1.0 | Size = 241664 bytes | Modified Date = 5/12/2004 3:18:56 PM | Attr = ]
HP Software Update -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Co. [Ver = 50.0.146.000 | Size = 49152 bytes | Modified Date = 2/16/2005 11:11:42 PM | Attr = ]
HPDJ Taskbar Utility -> %System32%\spool\drivers\w32x86\3\hpztsb10.exe -> HP [Ver = 2.323.0.0 | Size = 172032 bytes | Modified Date = 3/23/2004 4:05:42 AM | Attr = ]
Keyboard Preload Check -> %SystemDrive%\OEMDRVRS\KEYB\Preload.exe -> File not found
Microsoft Works Portfolio -> %ProgramFiles%\Microsoft Works\wkssb.exe -> Microsoft® Corporation [Ver = 6.00.3221.2 | Size = 331830 bytes | Modified Date = 8/23/2001 6:52:52 PM | Attr = ]
mmtask -> %ProgramFiles%\MusicMatch\MusicMatch Jukebox\mmtask.exe -> TODO: <Company name> [Ver = 1.0.0.1 | Size = 53248 bytes | Modified Date = 3/30/2004 11:12:56 PM | Attr = ]
osCheck -> %ProgramFiles%\Norton Internet Security\osCheck.exe -> Symantec Corporation [Ver = 10.3.0.3 | Size = 771704 bytes | Modified Date = 2/7/2007 6:39:10 PM | Attr = ]
RoxioAudioCentral -> %ProgramFiles%\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe -> Roxio, Inc. [Ver = 1.1.277 | Size = 319488 bytes | Modified Date = 7/15/2003 1:36:50 PM | Attr = ]
RoxioDragToDisc -> %ProgramFiles%\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe -> Roxio [Ver = 6.1.1.17 | Size = 868352 bytes | Modified Date = 7/17/2003 1:19:54 AM | Attr = ]
RoxioEngineUtility -> %CommonProgramFiles%\Roxio Shared\System\EngUtil.exe -> Roxio [Ver = 6.1.0.7 | Size = 65536 bytes | Modified Date = 5/1/2003 7:44:50 PM | Attr = ]
WorksFUD -> %ProgramFiles%\Microsoft Works\wkfud.exe -> Microsoft® Corporation [Ver = 6.00.3221.3 | Size = 24576 bytes | Modified Date = 10/5/2001 9:34:52 PM | Attr = ]
< RunOnceEx [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx -> 
-> -> File not found
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ -> 
IMAIL -> Installed = 1 -> 
MAPI -> Installed = 1 -> 
MSFS -> Installed = 1 -> 
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
Microsoft Works Update Detection -> %ProgramFiles%\Microsoft Works\WkDetect.exe -> File not found
PhotoShow Deluxe Media Manager -> %ProgramFiles%\Comcast\Comcast PhotoShow 4\data\Xtras\mssysmgr.exe -> Simple Star, Inc. [Ver = 4.0.0.0 | Size = 192512 bytes | Modified Date = 5/9/2005 7:16:16 PM | Attr = ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
%AllUsersStartup%\Adobe Gamma Loader.exe.lnk -> %CommonProgramFiles%\Adobe\Calibration\Adobe Gamma Loader.exe -> Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 113664 bytes | Modified Date = 7/17/2002 3:15:12 AM | Attr = ]
%AllUsersStartup%\Adobe Gamma Loader.lnk -> %CommonProgramFiles%\Adobe\Calibration\Adobe Gamma Loader.exe -> Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 113664 bytes | Modified Date = 7/17/2002 3:15:12 AM | Attr = ]
%AllUsersStartup%\HP Digital Imaging Monitor.lnk -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> Hewlett-Packard Co. [Ver = 43.1.5.000 | Size = 241664 bytes | Modified Date = 5/28/2004 10:31:38 PM | Attr = ]
%AllUsersStartup%\HP Image Zone Fast Start.lnk -> %ProgramFiles%\HP\Digital Imaging\bin\hpqthb08.exe -> Hewlett-Packard Co. [Ver = 043.001.005.000 | Size = 53248 bytes | Modified Date = 5/28/2004 11:06:36 PM | Attr = ]
%AllUsersStartup%\Kodak Picture Easy 3.1 Batch Transfer.lnk -> %ProgramFiles%\Kodak\Picture Easy Software\Program\PezDownload.exe -> Eastman Kodak Company [Ver = 1, 0, 1, 0 | Size = 39424 bytes | Modified Date = 9/9/1998 4:26:28 PM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
hmbdkint -> %System32%\d3dimr.dll -> [Ver = | Size = 82944 bytes | Modified Date = 9/7/2007 5:46:08 PM | Attr = ]
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoDriveAutoRun -> 67108863 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoDriveTypeAutoRun -> 255 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> -> 
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> -> 
< HOSTS File > (27 bytes) -> C:\WINNT\System32\drivers\etc\Hosts -> 
127.0.0.1 localhost -> -> 
< Internet Explorer Settings > -> -> 
HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome -> 
HKLM: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKLM: Local Page -> %SystemRoot%\system32\blank.htm -> 
HKLM: Search Bar -> -> 
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKLM: Start Page -> http://www.msn.com/ -> 
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
HKCU: Local Page -> C:\WINNT\System32\blank.htm -> 
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKCU: Start Page -> http://www.comcast.net/ -> 
HKCU: ProxyEnable -> 0 -> 
< Trusted Sites > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
aol.com [ - ] -> -> 
free_aol.com [ - ] -> -> 
free_aol.com [http] -> -> 
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [AcroIEHlprObj Class] -> [Ver = 1, 0, 0, 1 | Size = 37808 bytes | Modified Date = 3/2/2001 2:02:04 PM | Attr = ]
{1E8A6170-7264-4D0F-BEAE-D42A53123C75} [HKLM] -> %CommonProgramFiles%\Symantec Shared\coShared\Browser\1.5\NppBHO.dll [Reg Data - Value does not exist] -> Symantec Corporation [Ver = 2007.1.5.29 | Size = 96936 bytes | Modified Date = 1/12/2007 3:04:50 AM | Attr = R ]
{212CC212-DC60-43F8-B877-114B71949415} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
{2E62C6B8-D531-4661-B5DC-8248844D7A8A} [HKLM] -> %System32%\d3dimr.dll [Reg Data - Value does not exist] -> [Ver = | Size = 82944 bytes | Modified Date = 9/7/2007 5:46:08 PM | Attr = ]
{7BA59E75-432C-41E2-A1AC-7C55FB42A2F4} [HKLM] -> %System32%\comresu.dll [Reg Data - Value does not exist] -> [Ver = | Size = 102037 bytes | Modified Date = 8/18/2001 2:00:00 PM | Attr = ]
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ -> 
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ -> 
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
{8E718888-423F-11D2-876E-00A0C9082467} [HKLM] -> %System32%\msdxm.ocx [&Radio] -> [Ver = | Size = 844048 bytes | Modified Date = 9/17/2003 12:01:28 PM | Attr = ]
{90222687-F593-4738-B738-FBEE9C7B26DF} [HKLM] -> %CommonProgramFiles%\Symantec Shared\coShared\Browser\1.5\UIBHO.dll [Show Norton Toolbar] -> Symantec Corporation [Ver = 2007.1.5.29 | Size = 607888 bytes | Modified Date = 1/12/2007 3:05:00 AM | Attr = R ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [&Google] -> Google Inc. [Ver = 3, 0, 131, 0 | Size = 1158656 bytes | Modified Date = 2/14/2006 9:05:22 PM | Attr = R ]
WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{5AA06644-BC46-4220-A460-47A6EB47C96D} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -> Reg Data - Value does not exist [ButtonText: Yahoo! Services] -> File not found
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: Research] -> File not found
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} [HKLM] -> Reg Data - Key not found [MenuText: Reg Data - Value does not exist] -> File not found
{E023F504-0C5A-4750-A1E7-A9046DEA8A21} -> Reg Data - Value does not exist [ButtonText: MoneySide] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ -> 
&Google Search -> %ProgramFiles%\google\GoogleToolbar1.dll\cmsearch.htm -> File not found
&Translate English Word -> %ProgramFiles%\google\GoogleToolbar1.dll\cmwordtrans.htm -> File not found
Backward Links -> %ProgramFiles%\google\GoogleToolbar1.dll\cmbacklinks.htm -> File not found
Cached Snapshot of Page -> %ProgramFiles%\google\GoogleToolbar1.dll\cmcache.htm -> File not found
E&xport to Microsoft Excel -> -> File not found
Similar Pages -> %ProgramFiles%\google\GoogleToolbar1.dll\cmsimilar.htm -> File not found
Translate Page into English -> %ProgramFiles%\google\GoogleToolbar1.dll\cmtrans.htm -> File not found
< Internet Explorer Plugins [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\ -> 
.spop -> %ProgramFiles%\Internet Explorer\PLUGINS\NPDocBox.dll [Reg Data - Value does not exist] -> InterTrust Technologies Corporation, Inc. [Ver = 1.0.30.95 | Size = 225280 bytes | Modified Date = 1/30/2001 3:56:24 PM | Attr = ]
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{196A04ED-7B35-42E7-9648-6FE37EAA9C3D} -> (Instant Wireless USB Network Adapter ver.2.6) -> 
{AF02FCB5-F6CC-4C5F-8461-B1E423668D75} -> () -> 
{DB5A76D3-E1D4-47BE-9B21-15CD0E2C3A26} -> (1394 Net Adapter) -> 
< Default Protocols [HKLM] - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults -> 
shell -> shell protocol not assigned -> 
< Default Protocols [HKCU] - Select to Repair > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults -> 
shell -> shell protocol not assigned -> 
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 
cetihpz -> %ProgramFiles%\HP\hpcoretech\comp\hpuiprot.dll -> Hewlett-Packard Company [Ver = 2.1.5 | Size = 81920 bytes | Modified Date = 5/12/2004 3:18:56 PM | Attr = ]
ic32pp -> %SystemRoot%\wc98pp.dll -> [Ver = | Size = 51712 bytes | Modified Date = 1/12/2003 11:30:18 AM | Attr = ]
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
vnd.ms.radio -> %System32%\msdxm.ocx -> [Ver = | Size = 844048 bytes | Modified Date = 9/17/2003 12:01:28 PM | Attr = ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{0000000A-9980-0010-8000-00AA00389B71} -> - CodeBase = http://codecs.microsoft.com/codecs/i386/wmsp9dmo.cab -> 
{00000075-9980-0010-8000-00AA00389B71} -> - CodeBase = http://codecs.microsoft.com/codecs/i386/voxacm.CAB -> 
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -> QuickTime Object - CodeBase = http://www.apple.com/qtactivex/qtplugin.cab -> 
{05D96F71-87C6-11D3-9BE4-00902742D6E0} -> QuickPlace Class - CodeBase = https://quickplace.pmllp.com/qp2.cab -> 
{0E5F0222-96B9-11D3-8997-00104BD12D94} -> PCPitstop Utility - CodeBase = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB -> 
{166B1BCA-3F9C-11CF-8075-444553540000} -> Shockwave ActiveX Control - CodeBase = http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab -> 
{1E2941E3-8E63-11D4-9D5A-00902742D6E0} -> iNotes Class - CodeBase = https://we.pmllp.com/ANAR-LNMail1/iNotes.cab -> 
{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -> Installation Support - CodeBase = C:\Program Files\Yahoo!\Common\Yinsthelper.dll -> 
{33363249-0000-0010-8000-00AA00389B71} -> - CodeBase = http://codecs.microsoft.com/codecs/i386/i263_32.cab -> 
{33564D57-9980-0010-8000-00AA00389B71} -> - CodeBase = http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab -> 
{3BFFE033-BF43-11D5-A271-00A024A51325} -> iNotes6 Class - CodeBase = https://we.pmllp.com/ANAR-LNMAIL1/iNotes6.cab -> 
{41F17733-B041-4099-A042-B518BB6A408C} -> - CodeBase = http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe -> 
{56336BCB-3D8A-11D6-A00B-0050DA18DE71} -> - CodeBase = http://software-dl.real.com/20120b8e43bf2d8ea622/netzip/RdxIE601.cab -> 
{6A344D34-5231-452A-8A57-D064AC9B7862} -> Symantec Download Manager - CodeBase = https://webdl.symantec.com/activex/symdlmgr.cab -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.4.0 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-1_4_0-win.cab -> 
{9A57B18E-2F5D-11D5-8997-00104BD12D94} -> compid Class - CodeBase = http://support.gateway.com/support/serialharvest/gwCID.CAB -> 
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -> ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan/as5free/asinst.cab -> 
{9F1C11AA-197B-4942-BA54-47A8489BB47F} -> - CodeBase = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37246.6713425926 -> 
{BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} -> LiveX(5.4.0.0) Control - CodeBase = http://bowwow4.serveftp.com/cab/Live.cab -> 
{CA797B15-445F-4AA9-9828-8A88502F560F} -> Uninstall Control - CodeBase = http://www.worldwinner.com/games/shared/uninstall.cab -> 
{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} -> Java Plug-in 1.4.0 - CodeBase = http://java.sun.com/products/plugin/1.4/jinstall-14-win.cab -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab -> 
{D719897A-B07A-4C0C-AEA9-9B663A28DFCB} -> iTunesDetector Class - CodeBase = http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab -> 
Microsoft XML Parser for Java -> - CodeBase = file://C:\WINNT\Java\classes\xmldso.cab ->

[Registry - Additional Scans - Non-Microsoft Only]
< Desktop Components > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\ -> 
0 -> [Key] -> 
0 -> FriendlyName = My Current Home Page -> 
0 -> Source = About:Home -> 
0 -> SubscribedURL = About:Home ->

[Files/Folders - Created Within 30 days]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 536203264 bytes | Created Date = 1/1/1601 5:00:00 AM | Attr = HS]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 109056 bytes | Created Date = 9/7/2007 4:58:59 AM | Attr = ]
erdnt -> %SystemRoot%\erdnt -> [Folder | Created Date = 9/7/2007 5:00:04 AM | Attr = ]
nircmd.exe -> %SystemRoot%\nircmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 9/7/2007 4:58:59 AM | Attr = ]
TEMP -> %SystemRoot%\TEMP -> [Folder | Created Date = 9/7/2007 5:22:26 AM | Attr = ]
8104297.jun -> %System32%\8104297.jun -> [Ver = | Size = 0 bytes | Created Date = 9/5/2007 9:40:18 AM | Attr = ]
ActiveScan -> %System32%\ActiveScan -> [Folder | Created Date = 9/5/2007 7:41:04 PM | Attr = ]
asuninst.exe -> %System32%\asuninst.exe -> Panda Software [Ver = 1, 0, 0, 2 | Size = 73728 bytes | Created Date = 9/5/2007 7:41:38 PM | Attr = ]
comresu.dll -> %System32%\comresu.dll -> [Ver = | Size = 102037 bytes | Created Date = 9/4/2007 8:28:38 AM | Attr = ]
d3dimr.dll -> %System32%\d3dimr.dll -> [Ver = | Size = 82944 bytes | Created Date = 9/4/2007 8:29:01 AM | Attr = ]
d3dimr.dll.bak -> %System32%\d3dimr.dll.bak -> [Ver = | Size = 80896 bytes | Created Date = 9/4/2007 8:29:01 AM | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Created Date = 9/5/2007 7:41:08 PM | Attr = ]
libeay32.dll -> %System32%\libeay32.dll -> OpenSSL <www.openssl.org> [Ver = 0.9.7c | Size = 684567 bytes | Created Date = 9/4/2007 9:15:24 AM | Attr = ]
libssl32.dll -> %System32%\libssl32.dll -> OpenSSL <www.openssl.org> [Ver = 0.9.7c | Size = 147729 bytes | Created Date = 9/4/2007 9:15:23 AM | Attr = ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Created Date = 9/7/2007 4:58:59 AM | Attr = ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 9/7/2007 4:58:59 AM | Attr = ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 9/7/2007 4:58:59 AM | Attr = ]
Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Created Date = 9/5/2007 7:41:08 PM | Attr = ]
ZPORT4AS.dll -> %System32%\ZPORT4AS.dll -> [Ver = | Size = 11776 bytes | Created Date = 9/5/2007 7:41:38 PM | Attr = ]
evgmqxuy.sys -> %System32%\drivers\evgmqxuy.sys -> [Ver = | Size = 17280 bytes | Created Date = 1/1/1601 5:00:00 AM | Attr = ]

[Files/Folders - Modified Within 30 days]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 536203264 bytes | Modified Date = 9/7/2007 10:38:06 PM | Attr = HS]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 9/5/2007 4:58:16 PM | Attr = ]
System Volume Information -> %SystemDrive%\System Volume Information -> [Folder | Modified Date = 9/4/2007 9:47:10 AM | Attr = HS]
WINNT -> %SystemRoot% -> [Folder | Modified Date = 9/7/2007 10:39:48 PM | Attr = ]
$NtUninstallQ321856$ -> %SystemRoot%\$NtUninstallQ321856$ -> [Folder | Modified Date = 9/6/2007 7:18:48 PM | Attr = H ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 9/7/2007 10:38:12 PM | Attr = S]
Debug -> %SystemRoot%\Debug -> [Folder | Modified Date = 9/7/2007 10:38:30 PM | Attr = ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 9/6/2007 7:20:28 PM | Attr = S]
erdnt -> %SystemRoot%\erdnt -> [Folder | Modified Date = 9/7/2007 6:05:24 AM | Attr = ]
Help -> %SystemRoot%\Help -> [Folder | Modified Date = 8/24/2007 5:44:52 AM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 9/5/2007 8:41:54 PM | Attr = H ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 9/7/2007 10:10:26 PM | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Modified Date = 9/5/2007 9:50:10 AM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Modified Date = 9/5/2007 9:50:10 AM | Attr = H ]
QUICKEN.INI -> %SystemRoot%\QUICKEN.INI -> [Ver = | Size = 793 bytes | Modified Date = 9/1/2007 1:14:24 PM | Attr = ]
SoftwareDistribution -> %SystemRoot%\SoftwareDistribution -> [Folder | Modified Date = 9/6/2007 7:26:30 PM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 9/7/2007 10:35:34 PM | Attr = ]
Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 9/7/2007 6:05:20 AM | Attr = S]
TEMP -> %SystemRoot%\TEMP -> [Folder | Modified Date = 9/7/2007 10:44:42 PM | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 971 bytes | Modified Date = 9/5/2007 8:47:56 PM | Attr = ]
Norton Internet Security - Run Full System Scan - Vivian Brososky.job -> %SystemRoot%\tasks\Norton Internet Security - Run Full System Scan - Vivian Brososky.job -> [Ver = | Size = 642 bytes | Modified Date = 9/3/2007 10:01:52 PM | Attr = ]
Norton Internet Security - Weekly Scan - Vivian Brososky.job -> %SystemRoot%\tasks\Norton Internet Security - Weekly Scan - Vivian Brososky.job -> [Ver = | Size = 658 bytes | Modified Date = 9/7/2007 9:07:42 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 9/7/2007 10:38:20 PM | Attr = H ]
8104297.jun -> %System32%\8104297.jun -> [Ver = | Size = 0 bytes | Modified Date = 9/5/2007 10:40:20 AM | Attr = ]
ActiveScan -> %System32%\ActiveScan -> [Folder | Modified Date = 9/6/2007 7:26:34 PM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 9/5/2007 8:43:04 PM | Attr = ]
config -> %System32%\config -> [Folder | Modified Date = 9/7/2007 6:05:42 AM | Attr = ]
d3dimr.dll -> %System32%\d3dimr.dll -> [Ver = | Size = 82944 bytes | Modified Date = 9/7/2007 5:46:08 PM | Attr = ]
d3dimr.dll.bak -> %System32%\d3dimr.dll.bak -> [Ver = | Size = 80896 bytes | Modified Date = 9/6/2007 5:12:32 PM | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 8/24/2007 5:44:50 AM | Attr = RHS]
drivers -> %System32%\drivers -> [Folder | Modified Date = 9/7/2007 6:18:24 AM | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Modified Date = 9/6/2007 6:06:06 PM | Attr = ]
libeay32.dll -> %System32%\libeay32.dll -> OpenSSL <www.openssl.org> [Ver = 0.9.7c | Size = 684567 bytes | Modified Date = 9/4/2007 10:15:26 AM | Attr = ]
libssl32.dll -> %System32%\libssl32.dll -> OpenSSL <www.openssl.org> [Ver = 0.9.7c | Size = 147729 bytes | Modified Date = 9/4/2007 10:15:24 AM | Attr = ]
perfc009.dat -> %System32%\perfc009.dat ->  [Ver = | Size = 50532 bytes | Modified Date = 9/7/2007 6:12:14 AM | Attr = ]
perfh009.dat -> %System32%\perfh009.dat -> [Ver = | Size = 374064 bytes | Modified Date = 9/7/2007 6:12:14 AM | Attr = ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 430524 bytes | Modified Date = 9/7/2007 6:12:14 AM | Attr = ]
Restore -> %System32%\Restore -> [Folder | Modified Date = 9/4/2007 9:47:10 AM | Attr = ]
Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Modified Date = 9/6/2007 6:06:08 PM | Attr = ]
wbem -> %System32%\wbem -> [Folder | Modified Date = 9/6/2007 7:34:26 PM | Attr = ]
etc -> %System32%\drivers\etc -> [Folder | Modified Date = 9/7/2007 6:18:24 AM | Attr = ]
evgmqxuy.sys -> %System32%\drivers\evgmqxuy.sys -> [Ver = | Size = 17280 bytes | Modified Date = 9/4/2007 9:26:58 AM | Attr = ]

[File String Scan - Non-Microsoft Only]
UPX! , UPX0 , -> %SystemRoot%\Unwash5.exe -> [Ver = | Size = 45056 bytes | Modified Date = 12/2/2003 6:00:10 AM | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 8/18/2001 2:00:00 PM | Attr = ]
UPX! , UPX0 , -> %System32%\libeay32.dll -> OpenSSL <www.openssl.org> [Ver = 0.9.7c | Size = 684567 bytes | Modified Date = 9/4/2007 10:15:26 AM | Attr = ]
UPX! , UPX0 , -> %System32%\libssl32.dll -> OpenSSL <www.openssl.org> [Ver = 0.9.7c | Size = 147729 bytes | Modified Date = 9/4/2007 10:15:24 AM | Attr = ]
UPX! , UPX0 , -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 7/22/2007 6:39:28 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/18/2001 2:00:00 PM | Attr = ]

< End of report >

HijackThis log follows.


----------



## Vivsky (Sep 5, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:31 PM, on 9/7/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\System32\ctfmon.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\System32\HPZipm12.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {212CC212-DC60-43F8-B877-114B71949415} - (no file)
O2 - BHO: (no name) - {2E62C6B8-D531-4661-B5DC-8248844D7A8A} - c:\winnt\system32\d3dimr.dll
O2 - BHO: (no name) - {7BA59E75-432C-41E2-A1AC-7C55FB42A2F4} - C:\WINNT\System32\comresu.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak Picture Easy 3.1 Batch Transfer.lnk = C:\Program Files\Kodak\Picture Easy Software\Program\PezDownload.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://quickplace.pmllp.com/qp2.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://we.pmllp.com/ANAR-LNMail1/iNotes.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://we.pmllp.com/ANAR-LNMAIL1/iNotes6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/20120b8e43bf2d8ea622/netzip/RdxIE601.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.4.0.0) Control) - http://bowwow4.serveftp.com/cab/Live.cab
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - http://www.worldwinner.com/games/shared/uninstall.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O20 - Winlogon Notify: hmbdkint - C:\WINNT\SYSTEM32\d3dimr.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10921 bytes


----------



## Vivsky (Sep 5, 2007)

Should I try to redo the WPFind3U scan in safe mode to see if notepad will open with the fixes, or is it too late now since it already ran?


----------



## sjpritch25 (Sep 8, 2005)

Looks like there is something keeping the files from deleting. Most likely a rootkit. I will post back with a fix in a minute.


----------



## Vivsky (Sep 5, 2007)

Now Norton won't run. It says I need to restart the computer. This is getting frustrating! I'm glad you like a challenge!


----------



## sjpritch25 (Sep 8, 2005)

Go ahead and see what happens. If you have any important data, I would back it up, just in case.


----------



## sjpritch25 (Sep 8, 2005)

For some reason your win.ini file has been modified. Please type the following in the Run command:
*%systemdrive%* and press Enter.

Note: You may need to unhide hidden files and folders.
*Configure Windows XP to show hidden files:*
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select* "Show hidden files and folders". *
Uncheck the *"Hide protected operating system files (recommended)*" option.
Uncheck the *"Hide file extensions for known file types"* option.
Click *Yes* to confirm. Click *OK.*

Open win.ini with Notepad and post the results. Please don't delete or modify the file.


----------



## Vivsky (Sep 5, 2007)

Hmmm...I made sure the folder options settings were as you said, and they were. I ran the %systemdrive% in the run bar, and there was no win.ini file showing. Would it be in a folder?


----------



## Vivsky (Sep 5, 2007)

I found it. It was in the WinNT folder. Here are the contents:

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMC=1
CMCDLLNAME32=mapi32.dll
CMCDLLNAME=mapi.dll
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo2
asx=MPEGVideo2
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo2
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo2
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo2
wm=MPEGVideo2
wma=MPEGVideo2
wmp=MPEGVideo2
wmv=MPEGVideo2
wmx=MPEGVideo2
wvx=MPEGVideo2
wpl=MPEGVideo
[PCDRWIN]
szCurrentCustomTest=C:\Atf\Qctest\Scripts\AutoTest.PCB
iShowStartupScreen=1
iVerticalButtonBar=1
iSaveWindowLayout=0
CurrentLanguage=0
DWX=110
DWY=145
DWSZX=648
DWSZY=579
[Readiris]
Scanner32=Twaino38,23
[DPE]
Toolbar=1
SN75=43011702
[fontopts]
alignparam=GMJGEHGLE
[IRIS_IPE]
menu=1
[ActiveScan]
ID = {A4231A61-5C81-485B-976C-BCE49CB812AB}


----------



## sjpritch25 (Sep 8, 2005)

Okay, let's try this and see if it works.

Please download the attached file named CFScript.txt and Save it to your Desktop.

Referring to the picture above, drag CFScript.txt into ComboFix.exe

In your next reply, please post a fresh Combofix log and a fresh Hijackthis log.

*Do not run on any other computer!!!! The attached file CFScript.txt is created for this specific computer. Running it on another system could cause it to crash or worse. *


----------



## Vivsky (Sep 5, 2007)

This is the log.txt file as a result of dropping your file into combofix:

ComboFix 07-08-30.3 - "Vivky" 2007-09-08 20:12:49.2 - NTFSx86 
Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.139 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Vivsky\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINNT\system32\drivers\evgmqxuy.sys
C:\WINNT\system32\d3dimr.dll
C:\WINNT\system32\d3dimr.dll.bak
C:\WINNT\system32\comresu.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINNT\system32\comresu.dll . . . . failed to delete
C:\WINNT\system32\d3dimr.dll . . . . failed to delete
C:\WINNT\system32\d3dimr.dll.bak . . . . failed to delete
C:\WINNT\system32\drivers\evgmqxuy.sys . . . . failed to delete

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_LFFYCJTC
-------\lffycjtc

((((((((((((((((((((((((( Files Created from 2007-08-09 to 2007-09-09 )))))))))))))))))))))))))))))))

2007-09-08 17:55	756,224	--a------	C:\WINNT\system32\ciztyfxy.dll
2007-09-08 17:55	67,584	--a------	C:\WINNT\system32\umtacudx.dll
2007-09-08 17:55	48,640	--a------	C:\WINNT\system32\wsumxgvj.dll
2007-09-08 17:55	46,592	--a------	C:\WINNT\system32\pyuznkpk.dll
2007-09-08 17:55	128,512	--a------	C:\WINNT\system32\lymtafmu.dll
2007-09-08 17:55	102,912	--a------	C:\WINNT\system32\bedazsad.dll
2007-09-07 05:58	51,200	--a------	C:\WINNT\nircmd.exe
2007-09-05 20:41 d--------	C:\WINNT\system32\ActiveScan
2007-09-05 16:58 d--------	C:\Program Files\Trend Micro
2007-09-05 10:40 d--------	C:\Program Files\Browser Hijack Recover
2007-09-04 10:15	684,567	--a------	C:\WINNT\system32\libeay32.dll
2007-09-04 10:15	147,729	--a------	C:\WINNT\system32\libssl32.dll
2007-09-04 09:29	82,944	--a------	C:\WINNT\system32\d3dimr.dll
2007-09-04 09:28	102,037	--a------	C:\WINNT\system32\comresu.dll
2007-09-04 09:26	17,280 C:\WINNT\system32\drivers\evgmqxuy.sys
2007-08-17 21:53 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-08-08 17:55 d--------	C:\DDCMyDocs
2007-08-08 17:54 d--------	C:\Program Files\DDC Training

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-08 20:10	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-09-06 19:13	---------	d--------	C:\Program Files\Norton Password Manager
2007-09-06 19:13	---------	d--------	C:\Program Files\Norton Internet Security
2007-09-06 19:07	---------	d--------	C:\Program Files\Microsoft IntelliType Pro
2007-09-06 19:07	---------	d--------	C:\Program Files\Microsoft IntelliPoint
2007-09-06 18:57	---------	d--------	C:\Program Files\Common Files\Symantec Shared
2007-08-26 08:03	---------	d--------	C:\Program Files\Yahoo!
2007-08-17 22:21	---------	d--------	C:\DOCUME~1\VIVIAN~1\APPLIC~1\Yahoo!
2007-07-30 19:19	92504	--a------	C:\WINNT\system32\dllcache\cdm.dll
2007-07-30 19:19	92504	--a------	C:\WINNT\system32\cdm.dll
2007-07-30 19:19	549720	--a------	C:\WINNT\system32\wuapi.dll
2007-07-30 19:19	53080	--a------	C:\WINNT\system32\wuauclt.exe
2007-07-30 19:19	53080	--a------	C:\WINNT\system32\dllcache\wuauclt.exe
2007-07-30 19:19	43352	--a------	C:\WINNT\system32\wups2.dll
2007-07-30 19:19	325976	--a------	C:\WINNT\system32\wucltui.dll
2007-07-30 19:19	203096	--a------	C:\WINNT\system32\wuweb.dll
2007-07-30 19:19	1712984	--a------	C:\WINNT\system32\wuaueng.dll
2007-07-30 19:19	1712984	--a------	C:\WINNT\system32\dllcache\wuaueng.dll
2007-07-30 19:18	33624	--a------	C:\WINNT\system32\wups.dll
2007-07-30 18:32	---------	d--------	C:\Program Files\quickenw
2003-01-06 17:26	152336	--a------	C:\Program Files\kmd.exe
2002-05-14 18:24	497802	--a------	C:\Program Files\Recover Norton AntiVirus 2002 Pro.exe
2001-08-18 18:00:00	94,784	--sh--w	C:\WINNT\twain.dll
2001-08-18 18:00:00	46,592	--sh--w	C:\WINNT\twain_32.dll
2001-08-18 18:00:00	9,728	--sh--w	C:\WINNT\system32\regsvr32.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{212CC212-DC60-43F8-B877-114B71949415}]
2007-09-08 17:55	67584	--a------	c:\winnt\system32\umtacudx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E62C6B8-D531-4661-B5DC-8248844D7A8A}]
2007-09-07 17:46	82944	--a------	c:\winnt\system32\d3dimr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BA59E75-432C-41E2-A1AC-7C55FB42A2F4}]
2001-08-18 14:00	102037	--a------	C:\WINNT\System32\comresu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"GWMDMMSG"="GWMDMMSG.exe" [2001-08-15 22:25 C:\WINNT\GWMDMMSG.exe]
"Keyboard Preload Check"="C:\OEMDRVRS\KEYB\Preload.exe" []
"GWMDMpi"="C:\WINNT\GWMDMpi.exe" [2001-08-15 22:25]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2001-08-23 18:52]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 12:00]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2001-10-05 21:34]
"CXMon"="C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2000-08-14 17:48]
"HPDJ Taskbar Utility"="C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-23 04:05]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-10-02 20:00]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 19:44]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-07-17 01:19]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 13:36]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-03-30 23:12]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 04:51]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 04:50]
"AcctMgr"="C:\Program Files\Norton Password Manager\AcctMgr.exe" [2004-08-18 12:41]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-02-07 18:39]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [2001-07-25 12:00]
"ctfmon.exe"="C:\WINNT\System32\ctfmon.exe" [2001-08-18 14:00]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe" [2005-05-09 19:16]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hmbdkint] 
d3dimr.dll 2007-09-07 17:46 82944 C:\WINNT\system32\d3dimr.dll

R0 lffycjtc;lffycjtc;C:\WINNT\System32\drivers\evgmqxuy.sys
R0 ppa;Iomega Parallel Port Filter Driver;C:\WINNT\System32\DRIVERS\ppa.sys
R1 ATMhelpr;ATMhelpr;C:\WINNT\System32\drivers\ATMhelpr.sys
R1 cdudf_xp;cdudf_xp;C:\WINNT\System32\drivers\cdudf_xp.sys
R1 DCCAM;Kodak Camera Proxy;C:\WINNT\System32\DRIVERS\DcCam.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINNT\System32\drivers\DVDVRRdr_xp.sys
R1 pwd_2k;pwd_2k;C:\WINNT\System32\drivers\pwd_2k.sys
R1 Sk9920nt;PS/2 Keyboard Filter Driver for NT 4.0;C:\WINNT\System32\DRIVERS\Sk9920nt.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINNT\System32\drivers\UdfReadr_xp.sys
R2 ceagovhn;Microsoft IntelliPoint Filter Monitor;C:\WINNT\System32\svchost.exe -k netsvcs
R2 DCFS2K;Kodak DCFS2K Driver;C:\WINNT\System32\drivers\dcfs2k.sys
R2 mrtRate;mrtRate;C:\WINNT\System32\drivers\mrtRate.sys
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINNT\System32\DRIVERS\AN983.sys
R3 GTWModem;GTW V.92 Modem;C:\WINNT\System32\DRIVERS\GWMDM.sys
R3 mmc_2K;mmc_2K;C:\WINNT\System32\drivers\mmc_2K.sys
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINNT\System32\DRIVERS\point32.sys
S1 Exportit;Exportit;C:\WINNT\System32\DRIVERS\exportit.sys
S3 ati2mpaa;ati2mpaa;C:\WINNT\System32\DRIVERS\ati2mpaa.sys
S3 BCMModem;BCM V.90 56K Modem;C:\WINNT\System32\DRIVERS\BCMDM.sys
S3 DCamUSBConexant;Ezonics Ezcam II;C:\WINNT\System32\DRIVERS\Usbcone.sys
S3 DcFpoint;DcFpoint;C:\WINNT\System32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINNT\System32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINNT\System32\DRIVERS\DcPTP.sys
S3 dvd_2K;dvd_2K;C:\WINNT\System32\drivers\dvd_2K.sys
S3 iscFlash;iscFlash;\??\C:\WINNT\SYSTEM32\DRIVERS\iscflash.sys
S3 PCDRDRV;Pcdr Helper Driver;\??\C:\Atf\Qctest\PCDoc\PCDRDRV.sys
S3 Sk99202k;PS/2 Keyboard Filter Driver for Win2000;C:\WINNT\System32\DRIVERS\Sk99202k.sys
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;C:\WINNT\System32\DRIVERS\netusbxp.sys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ceagovhn

*Newly Created Service* - COMHOST
*Newly Created Service* - LFFYCJTC

Contents of the 'Scheduled Tasks' folder
2007-09-04 02:01:51 C:\WINNT\Tasks\Norton Internet Security - Run Full System Scan - Vivian Brososky.job 
2007-09-08 01:07:40 C:\WINNT\Tasks\Norton Internet Security - Weekly Scan - Vivian Brososky.job - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe
2007-06-30 04:00:02 C:\WINNT\Tasks\Symantec Drmc.job

**************************************************************************

disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

**************************************************************************

Completion time: 2007-09-08 20:24:24 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-08 20:23
C:\ComboFix2.txt ... 2007-09-07 06:21

--- E O F ---


----------



## Vivsky (Sep 5, 2007)

This is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:13 PM, on 9/8/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINNT\System32\HPZipm12.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {212CC212-DC60-43F8-B877-114B71949415} - c:\winnt\system32\umtacudx.dll
O2 - BHO: (no name) - {2E62C6B8-D531-4661-B5DC-8248844D7A8A} - c:\winnt\system32\d3dimr.dll
O2 - BHO: (no name) - {7BA59E75-432C-41E2-A1AC-7C55FB42A2F4} - C:\WINNT\System32\comresu.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak Picture Easy 3.1 Batch Transfer.lnk = C:\Program Files\Kodak\Picture Easy Software\Program\PezDownload.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://quickplace.pmllp.com/qp2.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://we.pmllp.com/ANAR-LNMail1/iNotes.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://we.pmllp.com/ANAR-LNMAIL1/iNotes6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/20120b8e43bf2d8ea622/netzip/RdxIE601.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.4.0.0) Control) - http://bowwow4.serveftp.com/cab/Live.cab
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - http://www.worldwinner.com/games/shared/uninstall.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O20 - Winlogon Notify: hmbdkint - C:\WINNT\SYSTEM32\d3dimr.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10998 bytes


----------
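The two logs above were triaged by hand: the helper matched the loading points HijackThis prints (O2 BHOs, the O20 Winlogon Notify package, services) and ComboFix's R0 driver against ComboFix's "Files Created" list, and targeted what appeared in both. The script below is an added example that encodes that cross-check; it is not part of the thread and not a tool HijackThis or ComboFix ships. Its sample input is a constructed subset of the log lines posted above; the dict layout, the wording of each signal, and the assumption that a line listed under "Svchost - NetSvcs" is worth a look are this example's own.

```python
"""Cross-check autostart loading points against ComboFix's 'Files Created' list.

Added example for this thread; not a tool the helper or either program ships.
It encodes the reasoning applied by hand above: anything that both auto-loads
(HijackThis O2/O4/O20/O23 lines, ComboFix R0-R3 drivers, NetSvcs members) and
appeared recently under System32 goes to the top of the review list. Sample
input is a constructed subset of the logs posted in the thread.
"""
import re

HJT_SAMPLE = r"""
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {212CC212-DC60-43F8-B877-114B71949415} - c:\winnt\system32\umtacudx.dll
O2 - BHO: (no name) - {2E62C6B8-D531-4661-B5DC-8248844D7A8A} - c:\winnt\system32\d3dimr.dll
O2 - BHO: (no name) - {7BA59E75-432C-41E2-A1AC-7C55FB42A2F4} - C:\WINNT\System32\comresu.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O20 - Winlogon Notify: hmbdkint - C:\WINNT\SYSTEM32\d3dimr.dll
"""

COMBOFIX_SAMPLE = r"""
((((((((((((((((((((((((( Files Created from 2007-08-09 to 2007-09-09 )))))))))))))))))))))))))))))))

2007-09-08 17:55    67,584    --a------    C:\WINNT\system32\umtacudx.dll
2007-09-04 09:29    82,944    --a------    C:\WINNT\system32\d3dimr.dll
2007-09-04 09:28    102,037   --a------    C:\WINNT\system32\comresu.dll
2007-09-04 09:26    17,280 C:\WINNT\system32\drivers\evgmqxuy.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

R0 lffycjtc;lffycjtc;C:\WINNT\System32\drivers\evgmqxuy.sys
R1 ATMhelpr;ATMhelpr;C:\WINNT\System32\drivers\ATMhelpr.sys
R2 ceagovhn;Microsoft IntelliPoint Filter Monitor;C:\WINNT\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ceagovhn
"""

PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|sys|ocx)", re.IGNORECASE)
HJT_RE = re.compile(r"^(O\d+) - (.*)$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}.*?([A-Za-z]:\\.*\S)\s*$")
DRIVER_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*\S)\s*$")
BANNER_RE = re.compile(r"^\({5,}.*\){5,}\s*$")  # ComboFix section banner


def _entry(kind, name, text):
    """One loading point; the file it loads is the first drive-letter path in text."""
    m = PATH_RE.search(text)
    return {"kind": kind, "name": name.lower(), "text": text, "file": m.group(0) if m else ""}


def parse_hjt(text):
    """HijackThis 'Oxx - ...' lines (BHOs, Run keys, Winlogon Notify, services)."""
    return [_entry(m.group(1), "", m.group(2)) for m in map(HJT_RE.match, text.splitlines()) if m]


def parse_combofix(text):
    """Return (created path -> date, driver/service entries, NetSvcs names)."""
    created, services, netsvcs, section = {}, [], set(), ""
    for line in text.splitlines():
        if BANNER_RE.match(line):
            section = "created" if "Files Created" in line else ""
        elif "Svchost - NetSvcs" in line:
            section = "netsvcs"  # names follow on their own lines until a blank one
        elif section == "netsvcs":
            if line.strip():
                netsvcs.add(line.strip().lower())
            else:
                section = ""
        elif section == "created":
            m = CREATED_RE.match(line)
            if m:
                created[m.group(2).lower()] = m.group(1)  # keyed on the NTFS creation date
        else:
            m = DRIVER_RE.match(line)
            if m:
                kind, name, display, path = m.groups()
                services.append(_entry(kind, name, display + " " + path.replace("\\??\\", "")))
    return created, services, netsvcs


def triage(hjt_text, combofix_text):
    """Flag loading points that are recently created files, plus three signals that need
    no date: unnamed System32 BHOs, Winlogon Notify packages, and svchost-hosted services
    that ComboFix lists under NetSvcs. Output is a review list, not a deletion list."""
    created, services, netsvcs = parse_combofix(combofix_text)
    findings = []
    for e in parse_hjt(hjt_text) + services:
        reasons = []
        when = created.get(e["file"].lower())
        if when:
            reasons.append(f"created {when} per ComboFix 'Files Created'")
        if e["kind"] == "O2" and "(no name)" in e["text"] and "\\system32\\" in e["file"].lower():
            reasons.append("unnamed BHO loading from System32")
        if e["kind"] == "O20":
            reasons.append("Winlogon Notify package: loads into winlogon.exe at every logon")
        if "svchost.exe -k netsvcs" in e["text"].lower() and e["name"] in netsvcs:
            reasons.append("svchost-hosted service that ComboFix lists under Svchost - NetSvcs")
        if reasons:
            findings.append({"kind": e["kind"], "file": e["file"], "reasons": reasons})
    return findings


def report(findings):
    """Plain-text summary, one loading point per block."""
    return "\n".join(f"{f['kind']:<3} {f['file']}" + "".join(f"\n    - {r}" for r in f["reasons"])
                     for f in findings)


if __name__ == "__main__":
    print(report(triage(HJT_SAMPLE, COMBOFIX_SAMPLE)))
```

Run against the sample it flags umtacudx.dll, d3dimr.dll (twice: as a BHO and as the hmbdkint Winlogon Notify package), comresu.dll, the evgmqxuy.sys driver behind the lffycjtc service, and the ceagovhn service hosted in svchost; ctfmon.exe and the Symantec BHO in Program Files pass. One detail from the logs above is why the match is done on creation time: in the Reg Loading Points section comresu.dll carries a modification time of 2001-08-18 14:00, the same stamp as genuine XP files such as ctfmon.exe, while the "Files Created" list puts it at 2007-09-04 09:28. A backdated modification time does not change the NTFS creation date, so the correlation still catches it.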



## sjpritch25 (Sep 8, 2005)

Well, this is a tough little bug. Let's try this.

1. Please *download* *The Avenger* by Swandog46 to your *Desktop*.
Click on Avenger.zip to open the file
Extract *avenger.exe* to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (*Ctrl+C*):


> Files to delete:
> C:\WINNT\system32\ciztyfxy.dll
> C:\WINNT\system32\umtacudx.dll
> C:\WINNT\system32\wsumxgvj.dll
> ...


_*Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, *start The Avenger program* by clicking on its icon on your desktop.
 Under "*Script file to execute*" choose "*Input Script Manually*".
Now click on the *Magnifying Glass icon* which will open a new window titled "*View/edit script*"
 Paste the text copied to clipboard into this window by pressing (*Ctrl+V*).
 Click *Done*
 Now click on the *Green Light* to begin execution of the script
 Answer "*Yes*" twice when prompted.
4. *The Avenger will automatically do the following*:
It will *Restart your computer*. ( In cases where the code to execute contains "*Drivers to Unload*", The Avenger will actually *restart your system twice.*)
On reboot, it will briefly *open a black command window* on your desktop, this is normal.
After the restart, it *creates a log file* that should open with the results of Avenger's actions. This log file will be located at *C:\avenger.txt*
 The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.
5. Please *copy/paste* the content of *c:\avenger.txt* into your reply *along with a fresh HJT log * by using *Add/Reply*


----------



## Vivsky (Sep 5, 2007)

Here you go. I hope this worked!

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ciqrsmdq

*******************

Script file located at: \??\C:\WINNT\System32\drsnljnq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINNT\system32\ciztyfxy.dll deleted successfully.
File C:\WINNT\system32\umtacudx.dll deleted successfully.
File C:\WINNT\system32\wsumxgvj.dll deleted successfully.
File C:\WINNT\system32\pyuznkpk.dll deleted successfully.
File C:\WINNT\system32\lymtafmu.dll deleted successfully.
File C:\WINNT\system32\bedazsad.dll deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:04:23 PM, on 9/8/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\System32\ctfmon.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Picture Easy Software\Program\PezDownload.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {212CC212-DC60-43F8-B877-114B71949415} - c:\winnt\system32\umtacudx.dll (file missing)
O2 - BHO: (no name) - {2E62C6B8-D531-4661-B5DC-8248844D7A8A} - c:\winnt\system32\d3dimr.dll
O2 - BHO: (no name) - {7BA59E75-432C-41E2-A1AC-7C55FB42A2F4} - C:\WINNT\System32\comresu.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak Picture Easy 3.1 Batch Transfer.lnk = C:\Program Files\Kodak\Picture Easy Software\Program\PezDownload.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://quickplace.pmllp.com/qp2.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://we.pmllp.com/ANAR-LNMail1/iNotes.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://we.pmllp.com/ANAR-LNMAIL1/iNotes6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/20120b8e43bf2d8ea622/netzip/RdxIE601.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.4.0.0) Control) - http://bowwow4.serveftp.com/cab/Live.cab
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - http://www.worldwinner.com/games/shared/uninstall.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O20 - Winlogon Notify: hmbdkint - C:\WINNT\SYSTEM32\d3dimr.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10937 bytes


----------
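A triage pass over the HijackThis log posted above, written here as an added example for this thread (it is not part of the thread and is not a HijackThis or Avenger feature). It parses the O2, O20 and O23 lines and flags the patterns a helper checks first: an entry whose file is gone, a nameless BHO loading straight from system32, any Winlogon Notify package, and a cross-check against the DLLs the Avenger script reported deleted; the sample log lines and deleted-file list are constructed from this thread.

```python
"""Triage a HijackThis v2 log for the entries a helper looks at first."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    item: str    # HijackThis item type: O2, O20 or O23
    path: str    # file the registry entry points at
    reason: str


# Line shapes HijackThis v2 emits for the three item types handled here.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# A file sitting directly in the Windows system directory (WINNT or WINDOWS).
SYSTEM32_RE = re.compile(r"^[a-z]:\\win(?:nt|dows)\\system32\\[^\\]+$", re.I)
MISSING = " (file missing)"


def split_path(field):
    """Return (path, is_missing) for a HijackThis path field."""
    if field.endswith(MISSING):
        return field[: -len(MISSING)], True
    return field, False


def triage(log_lines, deleted_files=()):
    """Return Findings for the suspicious O2/O20/O23 entries in log_lines.

    deleted_files: basenames of DLLs an Avenger script already removed, so
    an orphaned registry entry can be tied back to that cleanup step.
    """
    deleted = {f.lower() for f in deleted_files}
    findings = []
    for raw in log_lines:
        line = raw.strip()
        if m := BHO_RE.match(line):
            path, missing = split_path(m.group("path"))
            if missing:
                findings.append(Finding("O2", path, "BHO CLSID registered but DLL is gone (orphaned registration)"))
            elif m.group("name") == "(no name)" and SYSTEM32_RE.match(path):
                findings.append(Finding("O2", path, "nameless BHO loading from the system32 directory"))
        elif m := NOTIFY_RE.match(line):
            path, _ = split_path(m.group("path"))
            # HijackThis v2 already hides the stock Notify packages, so any O20 shown is worth a look.
            findings.append(Finding("O20", path, f"Winlogon Notify package '{m.group('key')}' loads at logon"))
        elif m := SERVICE_RE.match(line):
            path, missing = split_path(m.group("path"))
            if missing:
                findings.append(Finding("O23", path, "service registered but its binary is missing"))
    for f in findings:
        if f.path.rsplit("\\", 1)[-1].lower() in deleted:
            f.reason += "; file already removed by the Avenger script, registry entry left behind"
    return findings


# Constructed sample: a handful of lines from the log above and the Avenger output.
SAMPLE_DELETED = ["ciztyfxy.dll", "umtacudx.dll", "wsumxgvj.dll",
                  "pyuznkpk.dll", "lymtafmu.dll", "bedazsad.dll"]
SAMPLE_LOG = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx",
    r"O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll",
    r"O2 - BHO: (no name) - {212CC212-DC60-43F8-B877-114B71949415} - c:\winnt\system32\umtacudx.dll (file missing)",
    r"O2 - BHO: (no name) - {2E62C6B8-D531-4661-B5DC-8248844D7A8A} - c:\winnt\system32\d3dimr.dll",
    r"O2 - BHO: (no name) - {7BA59E75-432C-41E2-A1AC-7C55FB42A2F4} - C:\WINNT\System32\comresu.dll",
    r"O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll",
    r"O20 - Winlogon Notify: hmbdkint - C:\WINNT\SYSTEM32\d3dimr.dll",
    r"O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe",
    r"O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)",
]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, SAMPLE_DELETED):
        print(f"{f.item:<4} {f.path}\n     {f.reason}")
```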



## sjpritch25 (Sep 8, 2005)

Download GMER's application from here:
http://www.majorgeeks.com/GMER_d5198.html
Unzip it and start the *GMER.exe*
Click the *Rootkit* tab and click the *Scan* button.
Once done, click the *Copy* button.
This will copy the results to your clipboard.
Paste the results in your next reply.
Warning! Please do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.


----------



## Vivsky (Sep 5, 2007)

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-09-08 22:27:32
Windows 5.1.2600

---- System - GMER 1.0.13 ----

SSDT 8213A218 ZwConnectPort

Code evgmqxuy.sys ObOpenObjectByName

---- Kernel code sections - GMER 1.0.13 ----

PAGE ntoskrnl.exe!ObOpenObjectByName 8058F9E0 6 Bytes JMP F87B6F56 evgmqxuy.sys
? evgmqxuy.sys The system cannot find the file specified.
? xsvdiwti.sys The system cannot find the file specified.

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F606D8F0] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F606D950] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F606D860] SYMEVENT.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F609D370] SYMTDI.SYS

Device \Device\NTPNP_PCI0003 IRP_MJ_DEVICE_CONTROL [F8536FA8] pci.sys
Device \Device\NTPNP_PCI0003 IRP_MJ_POWER [F8536FA8] pci.sys
Device \Device\NTPNP_PCI0003 IRP_MJ_SYSTEM_CONTROL [F8536FA8] pci.sys
Device \Device\NTPNP_PCI0003 IRP_MJ_PNP [F8536FA8] pci.sys
Device \Device\NTPNP_PCI0005 IRP_MJ_DEVICE_CONTROL [F8536FA8] pci.sys
Device \Device\NTPNP_PCI0005 IRP_MJ_POWER [F8536FA8] pci.sys
Device \Device\NTPNP_PCI0005 IRP_MJ_SYSTEM_CONTROL [F8536FA8] pci.sys
Device \Device\NTPNP_PCI0005 IRP_MJ_PNP [F8536FA8] pci.sys
Device \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_CREATE [F84BD76C] atapi.sys
Device \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_CLOSE [F84BD76C] atapi.sys
Device \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_DEVICE_CONTROL [F84BD782] atapi.sys
Device \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_INTERNAL_DEVICE_CONTROL [F84BA04A] atapi.sys
Device \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_POWER [F84BD7A2] atapi.sys
Device \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SYSTEM_CONTROL [F84C3AF8] atapi.sys
Device \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_PNP [F84C3ACC] atapi.sys
Device \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE [F84BD76C] atapi.sys
Device \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLOSE [F84BD76C] atapi.sys
Device \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CONTROL [F84BD782] atapi.sys
Device \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_INTERNAL_DEVICE_CONTROL [F84BA04A] atapi.sys
Device \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_POWER [F84BD7A2] atapi.sys
Device \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SYSTEM_CONTROL [F84C3AF8] atapi.sys
Device \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_PNP [F84C3ACC] atapi.sys
Device \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_CREATE [F84BD76C] atapi.sys
Device \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_CLOSE [F84BD76C] atapi.sys
Device \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_DEVICE_CONTROL [F84BD782] atapi.sys
Device \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_INTERNAL_DEVICE_CONTROL [F84BA04A] atapi.sys
Device \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_POWER [F84BD7A2] atapi.sys
Device \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_SYSTEM_CONTROL [F84C3AF8] atapi.sys
Device \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_PNP [F84C3ACC] atapi.sys
Device \Device\NTPNP_PCI0007 IRP_MJ_DEVICE_CONTROL [F8536FA8] pci.sys
Device \Device\NTPNP_PCI0007 IRP_MJ_POWER [F8536FA8] pci.sys
Device \Device\NTPNP_PCI0007 IRP_MJ_SYSTEM_CONTROL [F8536FA8] pci.sys
Device \Device\NTPNP_PCI0007 IRP_MJ_PNP [F8536FA8] pci.sys

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS  [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F609D370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F609D370] SYMTDI.SYS

Device \Device\0000006b IRP_MJ_CREATE [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_CREATE_NAMED_PIPE [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_CLOSE [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_READ [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_WRITE [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_QUERY_INFORMATION [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_SET_INFORMATION [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_QUERY_EA [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_SET_EA [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_FLUSH_BUFFERS [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_QUERY_VOLUME_INFORMATION [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_SET_VOLUME_INFORMATION [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_DIRECTORY_CONTROL [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_FILE_SYSTEM_CONTROL [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_DEVICE_CONTROL [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_INTERNAL_DEVICE_CONTROL [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_SHUTDOWN [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_LOCK_CONTROL [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_CLEANUP [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_CREATE_MAILSLOT [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_QUERY_SECURITY [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_SET_SECURITY [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_POWER [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_SYSTEM_CONTROL [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_DEVICE_CHANGE  [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_QUERY_QUOTA [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_SET_QUOTA [F84EF72E] ACPI.sys
Device \Device\0000006b IRP_MJ_PNP [F84EF72E] ACPI.sys
Device \Device\0000006b FastIoDetachDevice [F84EFACE] ACPI.sys
Device \Device\0000006c IRP_MJ_CREATE [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_CREATE_NAMED_PIPE [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_CLOSE [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_READ [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_WRITE [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_QUERY_INFORMATION [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_SET_INFORMATION [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_QUERY_EA [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_SET_EA [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_FLUSH_BUFFERS [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_QUERY_VOLUME_INFORMATION [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_SET_VOLUME_INFORMATION [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_DIRECTORY_CONTROL [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_FILE_SYSTEM_CONTROL [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_DEVICE_CONTROL [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_INTERNAL_DEVICE_CONTROL [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_SHUTDOWN [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_LOCK_CONTROL [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_CLEANUP [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_CREATE_MAILSLOT [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_QUERY_SECURITY [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_SET_SECURITY [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_POWER [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_SYSTEM_CONTROL [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_DEVICE_CHANGE [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_QUERY_QUOTA [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_SET_QUOTA [F84EF72E] ACPI.sys
Device \Device\0000006c IRP_MJ_PNP [F84EF72E] ACPI.sys
Device \Device\0000006c FastIoDetachDevice [F84EFACE] ACPI.sys
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_CREATE [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_CREATE_NAMED_PIPE [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_CLOSE [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_READ [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_WRITE [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_QUERY_INFORMATION [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_SET_INFORMATION [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_QUERY_EA [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_SET_EA [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_FLUSH_BUFFERS [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_QUERY_VOLUME_INFORMATION [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_SET_VOLUME_INFORMATION [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_DIRECTORY_CONTROL [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_FILE_SYSTEM_CONTROL [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_DEVICE_CONTROL [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_INTERNAL_DEVICE_CONTROL [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_SHUTDOWN [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_LOCK_CONTROL [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_CLEANUP [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_CREATE_MAILSLOT [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_QUERY_SECURITY [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_SET_SECURITY [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_POWER [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_SYSTEM_CONTROL [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_DEVICE_CHANGE [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_QUERY_QUOTA [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_SET_QUOTA [F609D370] SYMTDI.SYS
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_PNP [F609D370] SYMTDI.SYS

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F606D8F0] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F606D950] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F606D860] SYMEVENT.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F606D860] SYMEVENT.SYS

---- EOF - GMER 1.0.13 ----


----------



## sjpritch25 (Sep 8, 2005)

When you ran Avenger, did your computer reboot twice?


----------



## Vivsky (Sep 5, 2007)

Yes, it did.


----------



## sjpritch25 (Sep 8, 2005)

Open GMER --> click on *>>>*, click on *AutoRun*, then click on *Scan* and post the log. You may need to attach it because it can be long.


----------



## Vivsky (Sep 5, 2007)

GMER 1.0.13.12551 - http://www.gmer.net
Autostart scan 2007-09-08 22:42:51
Windows 5.1.2600

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\[email protected] = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\[email protected] = C:\WINNT\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\[email protected] = d3dimr.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Automatic LiveUpdate Scheduler /*Automatic LiveUpdate Scheduler*/@ = "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"
ccSetMgr /*Symantec Settings Manager*/@ = "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
CLTNetCnService /*Symantec Lic NetConnect service*/@ = "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
Creative Service for CDROM Access /*Creative Service for CDROM Access*/@ = C:\WINNT\System32\CTsvcCDA.exe
KodakCCS /*Kodak Camera Connection Software*/@ = %SystemRoot%\system32\drivers\KodakCCS.exe
NVSvc /*NVIDIA Driver Helper Service*/@ = %SystemRoot%\System32\nvsvc32.exe
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
Symantec Core LC /*Symantec Core LC*/@ = C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
SymAppCore /*Symantec AppCore Service*/@ = "C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe"
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINNT\System32\wdfmgr.exe
Viewpoint Manager Service /*Viewpoint Manager Service*/@ = "C:\Program Files\Viewpoint\Common\ViewpointService.exe"
WMDM PMSP Service /*WMDM PMSP Service*/@ = C:\WINNT\System32\MsPMSPSv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@NvCplDaemonRUNDLL32.EXE NvQTwk,NvCplDaemon initialize = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
@GWMDMMSGGWMDMMSG.exe = GWMDMMSG.exe
@Keyboard Preload CheckC:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check" /*file not found*/ = C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check" /*file not found*/
@GWMDMpiC:\WINNT\GWMDMpi.exe = C:\WINNT\GWMDMpi.exe
@Microsoft Works PortfolioC:\Program Files\Microsoft Works\WksSb.exe /AllUsers /*file not found*/ = C:\Program Files\Microsoft Works\WksSb.exe /AllUsers /*file not found*/
@MoneyStartUp10.0"C:\Program Files\Microsoft Money\System\Activation.exe" = "C:\Program Files\Microsoft Money\System\Activation.exe"
@WorksFUDC:\Program Files\Microsoft Works\wkfud.exe = C:\Program Files\Microsoft Works\wkfud.exe
@CXMon"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" = "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
@HPDJ Taskbar UtilityC:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe = C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
@AdaptecDirectCDC:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe = C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
@RoxioEngineUtility"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" = "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
@RoxioDragToDisc"C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" = "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
@RoxioAudioCentral"C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" = "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
@mmtaskc:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe = c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
@type32"C:\Program Files\Microsoft IntelliType Pro\type32.exe" = "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
@IntelliPoint"C:\Program Files\Microsoft IntelliPoint\point32.exe" = "C:\Program Files\Microsoft IntelliPoint\point32.exe"
@AcctMgrC:\Program Files\Norton Password Manager\AcctMgr.exe /startup /*file not found*/ = C:\Program Files\Norton Password Manager\AcctMgr.exe /startup /*file not found*/
@HP Component Manager"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" = "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
@HP Software UpdateC:\Program Files\HP\HP Software Update\HPWuSchd2.exe = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
@ccApp- /*file not found*/ = - /*file not found*/
@osCheck"C:\Program Files\Norton Internet Security\osCheck.exe" = "C:\Program Files\Norton Internet Security\osCheck.exe"
[email protected] = /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MoneyAgent"C:\Program Files\Microsoft Money\System\Money Express.exe" = "C:\Program Files\Microsoft Money\System\Money Express.exe"
@ctfmon.exeC:\WINNT\System32\ctfmon.exe = C:\WINNT\System32\ctfmon.exe
@PhotoShow Deluxe Media ManagerC:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe = C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
@Microsoft Works Update DetectionC:\Program Files\Microsoft Works\WkDetect.exe /*file not found*/ = C:\Program Files\Microsoft Works\WkDetect.exe /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{F802F260-519B-11D1-BB5D-0060974C6013} /*ICQ Shell Extension*/(null) = 
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real\RealPlayer\rpshell.dll = C:\Program Files\Real\RealPlayer\rpshell.dll
@{5E44E225-A408-11CF-B581-008029601108} /*Roxio DragToDisc Shell Extension*/C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\shellex.dll = C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\shellex.dll
@{6EE51AA0-77A0-11D7-B4E1-000347126E46} /*Window Washer Shell Shredding Utility*/(null) = 
@{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC} /*My Media*/C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\MediaSX.dll = C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\MediaSX.dll
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MI1933~1\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MI1933~1\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MI1933~1\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MI1933~1\OFFICE11\OLKFSTUB.DLL
@{acb4a560-3606-11d3-aef4-00104bd0f92d} /*KodakShellExtension*/C:\Program Files\Common Files\KODAK\IFSCore\kodakshx.dll = C:\Program Files\Common Files\KODAK\IFSCore\kodakshx.dll
@{97FA8AA2-EE77-4FF2-9449-424D8924EF21} /*IntelliType Pro Zooming Control Panel Property Page*/"C:\Program Files\Microsoft IntelliType Pro\itcplzm.dll" = "C:\Program Files\Microsoft IntelliType Pro\itcplzm.dll"
@{111D8120-25EB-4E1C-A4DF-C9EE5FCA35CB} /*IntelliType Pro Scrolling Control Panel Property Page*/"C:\Program Files\Microsoft IntelliType Pro\itcplwhl.dll" = "C:\Program Files\Microsoft IntelliType Pro\itcplwhl.dll"
@{ED6E87C6-8A83-43aa-8208-8DBC8247F4D2} /*IntelliType Pro Key Settings Control Panel Property Page*/"C:\Program Files\Microsoft IntelliType Pro\itcplkey.dll" = "C:\Program Files\Microsoft IntelliType Pro\itcplkey.dll"
@{A2569D1F-4E06-43EC-9825-0088B471BE47} /*IntelliType Pro Wireless Control Panel Property Page*/"C:\Program Files\Microsoft IntelliType Pro\itcplwir.dll" = "C:\Program Files\Microsoft IntelliType Pro\itcplwir.dll"
@{20082881-FC36-4E47-9A7A-644C95FF749F} /*IntelliPoint Wireless Control Panel Property Page*/"C:\Program Files\Microsoft IntelliPoint\ipcplwir.dll" = "C:\Program Files\Microsoft IntelliPoint\ipcplwir.dll"
@{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE} /*IntelliPoint Wheel Control Panel Property Page*/"C:\Program Files\Microsoft IntelliPoint\ipcplwhl.dll" = "C:\Program Files\Microsoft IntelliPoint\ipcplwhl.dll"
@{653DCCC2-13DB-45B2-A389-427885776CFE} /*IntelliPoint Activities Control Panel Property Page*/"C:\Program Files\Microsoft IntelliPoint\ipcplact.dll" = "C:\Program Files\Microsoft IntelliPoint\ipcplact.dll"
@{124597D8-850A-41AE-849C-017A4FA99CA2} /*IntelliPoint Buttons Control Panel Property Page*/"C:\Program Files\Microsoft IntelliPoint\ipcplbtn.dll" = "C:\Program Files\Microsoft IntelliPoint\ipcplbtn.dll"
@{5464D816-CF16-4784-B9F3-75C0DB52B499} /*Yahoo! Mail*/C:\Program Files\Yahoo!\Common\YMMAPI.dll = C:\Program Files\Yahoo!\Common\YMMAPI.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\[email protected]{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Web Folders*/ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
[email protected]{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll
Yahoo! [email protected]{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\Program Files\Yahoo!\Common\YMMAPI.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\[email protected]{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
@{1E8A6170-7264-4D0F-BEAE-D42A53123C75}C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll = C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
@{212CC212-DC60-43F8-B877-114B71949415}c:\winnt\system32\umtacudx.dll /*file not found*/ = c:\winnt\system32\umtacudx.dll /*file not found*/
@{2E62C6B8-D531-4661-B5DC-8248844D7A8A}c:\winnt\system32\d3dimr.dll = c:\winnt\system32\d3dimr.dll
@{7BA59E75-432C-41E2-A1AC-7C55FB42A2F4}C:\WINNT\System32\comresu.dll = C:\WINNT\System32\comresu.dll
@{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}C:\Program Files\Microsoft Money\System\mnyviewer.dll = C:\Program Files\Microsoft Money\System\mnyviewer.dll

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\[email protected] = C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
@Start Pagehttp://www.msn.com/ = http://www.msn.com/
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.comcast.net/ = http://www.comcast.net/
@Local PageC:\WINNT\System32\blank.htm = C:\WINNT\System32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/[email protected] = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
[email protected] = C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
[email protected] = C:\WINNT\System32\msvidctl.dll
[email protected] = C:\WINNT\wc98pp.dll
[email protected] = C:\WINNT\System32\itss.dll
[email protected] = C:\WINNT\System32\msvidctl.dll
[email protected] = %SystemRoot%\System32\inetcomm.dll
[email protected] = C:\WINNT\System32\itss.dll
[email protected] = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
[email protected] = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
[email protected] = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
[email protected] = C:\WINNT\System32\msvidctl.dll
[email protected] = C:\WINNT\System32\msdxm.ocx

HKLM\Software\Classes\PROTOCOLS\Handler\[email protected] = C:\WINNT\System32\wiascr.dll

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
Adobe Gamma Loader.exe.lnk = Adobe Gamma Loader.exe.lnk
Adobe Gamma Loader.lnk = Adobe Gamma Loader.lnk
HP Digital Imaging Monitor.lnk = HP Digital Imaging Monitor.lnk
HP Image Zone Fast Start.lnk = HP Image Zone Fast Start.lnk
Kodak Picture Easy 3.1 Batch Transfer.lnk = Kodak Picture Easy 3.1 Batch Transfer.lnk

---- EOF - GMER 1.0.13 ----


----------



## sjpritch25 (Sep 8, 2005)

Can you do a Windows Search for this file?

*xsvdiwti.sys*

My guess is C:\WINDOWS\system32\drivers, but I want to make sure.


----------



## Vivsky (Sep 5, 2007)

Weird. I don't have a Windows folder on C:\. I did a search and results came back with nothing.


----------



## sjpritch25 (Sep 8, 2005)

Sorry, it would be WINNT.

Did you try just this:

xsvdiwti.sys


----------



## Vivsky (Sep 5, 2007)

Yes, I searched for that starting at C. While I was waiting, I was looking around in Windows Explorer for the folder you suggested it was in. The search did not find the file at all. Is that a bad thing?


----------



## Vivsky (Sep 5, 2007)

Back in post #36, you gave me some text to put into Avenger. These files from your box:

C:\WINNT\system32\d3dimr.dll
C:\WINNT\system32\comresu.dll
C:\WINNT\system32\drivers\evgmqxuy.sys

still exist. (Just an FYI as I thought I recognized one while browsing in there so I checked them all)


----------



## sjpritch25 (Sep 8, 2005)

I want to rule out a Vundo trojan infection; let's see if anything is detected.

Please download *VundoFix.exe* to your desktop.


Double-click *VundoFix.exe* to run it.

Click the *Scan for Vundo* button.

Once it's done scanning, click the *Remove Vundo* button.

You will receive a prompt asking if you want to remove the files, click *YES*

Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will reboot your computer, click *OK*.

Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the *Scan for Vundo* button." when VundoFix appears at reboot.

Also, please post the Avenger log again. It's located at C:\Avenger.txt. Thanks.


----------



## Vivsky (Sep 5, 2007)

I've got to go for the night. I'll check back in the AM. Thanks for all your help so far!


----------



## Vivsky (Sep 5, 2007)

I ran Vundo and it said no infected files were found. Here is the HJ log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:41 AM, on 9/9/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\System32\ctfmon.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\devldr32.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {212CC212-DC60-43F8-B877-114B71949415} - c:\winnt\system32\umtacudx.dll (file missing)
O2 - BHO: (no name) - {2E62C6B8-D531-4661-B5DC-8248844D7A8A} - c:\winnt\system32\d3dimr.dll
O2 - BHO: (no name) - {7BA59E75-432C-41E2-A1AC-7C55FB42A2F4} - C:\WINNT\System32\comresu.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak Picture Easy 3.1 Batch Transfer.lnk = C:\Program Files\Kodak\Picture Easy Software\Program\PezDownload.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://quickplace.pmllp.com/qp2.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://we.pmllp.com/ANAR-LNMail1/iNotes.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://we.pmllp.com/ANAR-LNMAIL1/iNotes6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/20120b8e43bf2d8ea622/netzip/RdxIE601.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.4.0.0) Control) - http://bowwow4.serveftp.com/cab/Live.cab
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - http://www.worldwinner.com/games/shared/uninstall.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O20 - Winlogon Notify: hmbdkint - C:\WINNT\SYSTEM32\d3dimr.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10956 bytes


----------



## Cookiegal (Aug 27, 2003)

Before we go any further with this, I'm going to have to ask you to validate your Windows, please. We are wasting our time working on this machine with no service packs installed.

Go to the following link and under "Validate Now" click on "Validate Windows" on the right side of the screen and then post a screen shot of the results please.

http://www.microsoft.com/genuine/default.aspx?displaylang=en


----------



## Vivsky (Sep 5, 2007)

Sorry, but for some reason, I can't capture the screen shot with the traditional Alt+PrtScrn. Is there some other way?


----------



## Cookiegal (Aug 27, 2003)

Try using just the Print Screen key please.


----------



## Vivsky (Sep 5, 2007)

I assume after I hit print screen, I just come here and paste? That didn't work either. Nothing pasted.

Was the result screen supposed to have something unique on it? This is the only thing there after I clicked Validate Windows:

Thank you for validating your copy of Microsoft Windows.

Thank you for using the Windows Genuine Advantage program. You may now access resources for genuine Windows users.


----------



## Cookiegal (Aug 27, 2003)

Once you get the print screen, you have to paste it into MSPaint, save it and then upload it as an attachment, but it won't be necessary now.

By not getting the MS service packs and updates, you've left your machine wide open to exploits and infections. Whoever gave you that advice was seriously mistaken.

Before we can continue, you need to go *here* and install "Service Pack 1a". This will patch numerous security vulnerabilities in IE and Windows. You need to get these updates before we proceed or we will be wasting our time.

*DO NOT* install Service Pack 2 yet. If you install SP2 on an infected machine it will cause serious problems. Just get Service Pack 1a installed, then come back here and post a new HijackThis log.


----------



## Vivsky (Sep 5, 2007)

I did what you said using the link provided, and after checking my computer for updates, the following is the screen that comes up, which leads me to believe it wants to install SP2. (I tried to attach the screen shot, but it says the upload failed.)

Disregard. I'm doing custom update now (vs. express). I believe I will be able to select 1a at that point.

I'm sorry to be such a problem. Thank you all for your assistance - it's much appreciated!


----------



## Vivsky (Sep 5, 2007)

This will take a while. I did not get the option for 1a, but for SP1. I tried to install that, but it failed. There are a large number of other updates I have to install before I can even get SP1. I'm working on it.


----------



## Cookiegal (Aug 27, 2003)

The link I gave you is for SP1a. Did you click on "express installation"?


----------



## sjpritch25 (Sep 8, 2005)

Please run the MGA Diagnostic Tool and post back the report it creates:
Download *MGADiag* to your desktop.
Double-click on MGADiag.exe to launch the program.
Click "Continue".
Ensure that the "Windows" tab is selected (it should be by default).
Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
Paste the MGA Diagnostic Report back here in your next reply.


----------



## Vivsky (Sep 5, 2007)

Cookiegal said:


> The link I gave you is for SP1a. Did you click on "express installation"?


Yes, I did. But when the next screen came up for installation, and I clicked install, it said it was installing SP2, so I cancelled.

I have been trying to run all 20 updates, but when I did them all, only one installed successfully. I then tried all again, and all the rest failed. I then tried installing in the order listed, and the first one failed.

I don't know how to proceed. The only update it installed is 810833: Security Update (Windows XP).


----------



## Vivsky (Sep 5, 2007)

sjpritch25 said:


> Please run the MGA Diagnostic Tool and post back the report it creates:
> Download *MGADiag* to your desktop.
> Double-click on MGADiag.exe to launch the program
> Click "Continue"
> ...


Diagnostic Report (1.7.0039.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Detailed Status: N/A
Cached / Grace status: N/A, N/A
Windows Product Key: *****-*****-JQX8J-GYGK3-6X6WD
Windows Product Key Hash: uGUHMlskOcYcAsNQN9VhyjV9b3E=
Windows Product ID: 55277-OEM-2111907-00105
Windows Product ID Type: 2
CSVLK Server: N/A
CSVLK PID: N/A
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.0.0.hom
ID: {1E1E7C96-80E6-4942-8940-F5951E9C31BB}(3)
Is Admin: Yes
Commit / Reboot / BRT: N/A, N/A, N/A
WGA Version: Registered, 1.7.36.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1
Resolution Status: N/A

Notifications Data-->
Cached Result: N/A
File Exists: No
Version: N/A
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
OGA Version: Failed to retrieve file version. - 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: FCEE394C-2993-80070002_025D1FF3-171-1_E2AD56EA-324-8009_E2AD56EA-325-2efd_16E0B333-80-80004005_B4D0AA8B-911-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{1E1E7C96-80E6-4942-8940-F5951E9C31BB}</UGUID><Version>1.7.0039.0</Version><OS>5.1.2600.2.00010300.0.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-6X6WD</PKey><PID>55277-OEM-2111907-00105</PID><PIDType>2</PIDType><SID>S-1-5-21-2167395947-2136417557-3852222622</SID><SYSTEM><Manufacturer>Gateway </Manufacturer><Model>E-4600 </Model></SYSTEM><BIOS><Manufacturer>Intel Corp.</Manufacturer><Version>GB85010A.15A.0046.P13.0108201551</Version><SMBIOSVersion major="2" minor="3"/><Date>20010820******.******+***</Date><SLPBIOS>Gateway,Gateway,Gateway,Gateway</SLPBIOS></BIOS><HWID>EA52338F0184C05E</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Gateway, Inc.</name><model></model></SBID><OEM/></MachineData> <Software><Office><Result>100</Result><Products><Product GUID="{91E30409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>72BAA9BA0E635A2</Val><Hash>phAzxXy1pnnzsYN15zwKxbxNFvY=</Hash><Pid>73931-721-3656134-57538</Pid><PidType>1</PidType></Product></Products></Office></Software></GenuineResults>


----------



## Cookiegal (Aug 27, 2003)

This is what it says on the next screen:

Clicking the Microsoft Update link below will take you to the Microsoft Update Web site to download the Express Installation of SP1a. Microsoft Update will scan your computer and present you with a list of updates available for download. If you do not already have SP1 installed on your computer, it will be listed as one of the updates under Critical Updates and Service Packs. 

You have to select SP1 from the downloads offered.


----------



## Vivsky (Sep 5, 2007)

I am going to try to figure out how to get a screen shot attached. SP1 is not an option when the entire list of updates comes up. Lots of others, including SP2, but no SP1 (not for windows, anyway. There is one for Office).


----------



## Vivsky (Sep 5, 2007)

As directed, I saved the screen shot of the Windows Update window in Paint. However, the reason it wouldn't successfully upload here is the limit is 200KB for a .bmp file. The single screen shot is 2,203KB. Any way to size it down? The screen shot clearly shows that I do not have SP1 as an update option.


----------



## Cookiegal (Aug 27, 2003)

Would you please post a new HijackThis log.


----------



## Vivsky (Sep 5, 2007)

I do see the screen you just referenced, but when I click on Express Update, the attached screen shot is the result.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:05:42 PM, on 9/9/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\System32\ctfmon.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Adobe\Photoshop Elements 2\PhotoshopElements.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {212CC212-DC60-43F8-B877-114B71949415} - c:\winnt\system32\umtacudx.dll (file missing)
O2 - BHO: (no name) - {2E62C6B8-D531-4661-B5DC-8248844D7A8A} - c:\winnt\system32\d3dimr.dll
O2 - BHO: (no name) - {7BA59E75-432C-41E2-A1AC-7C55FB42A2F4} - C:\WINNT\System32\comresu.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak Picture Easy 3.1 Batch Transfer.lnk = C:\Program Files\Kodak\Picture Easy Software\Program\PezDownload.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://quickplace.pmllp.com/qp2.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://we.pmllp.com/ANAR-LNMail1/iNotes.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://we.pmllp.com/ANAR-LNMAIL1/iNotes6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/20120b8e43bf2d8ea622/netzip/RdxIE601.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1189351643484
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.4.0.0) Control) - http://bowwow4.serveftp.com/cab/Live.cab
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - http://www.worldwinner.com/games/shared/uninstall.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O20 - Winlogon Notify: hmbdkint - C:\WINNT\SYSTEM32\d3dimr.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11442 bytes


----------
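The log above is the kind of thing the helpers on this thread read by eye. As an added illustration (not code from the original thread or from HijackThis), here is a small Python parser for HijackThis 2.x log lines together with a few review heuristics of my own: unnamed BHOs loading from a system directory, registrations whose file is missing, Winlogon Notify packages (which run at every logon, outside the browser), services with no vendor and a missing binary, and ActiveX downloads from dynamic-DNS hosts. A DLL that appears both as a BHO and as a Winlogon Notify handler gets an extra note. The sample lines are constructed, modelled on entry types visible in the log; being flagged means "verify this by hand", not "this is malware".

```python
import re
from collections import defaultdict

# Constructed sample in the format HijackThis 2.x writes, modelled on the
# entry types seen in the log above (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {212CC212-DC60-43F8-B877-114B71949415} - c:\winnt\system32\umtacudx.dll (file missing)
O2 - BHO: (no name) - {2E62C6B8-D531-4661-B5DC-8248844D7A8A} - c:\winnt\system32\d3dimr.dll
O2 - BHO: (no name) - {7BA59E75-432C-41E2-A1AC-7C55FB42A2F4} - C:\WINNT\System32\comresu.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.4.0.0) Control) - http://bowwow4.serveftp.com/cab/Live.cab
O20 - Winlogon Notify: hmbdkint - C:\WINNT\SYSTEM32\d3dimr.dll
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""

# Every HijackThis entry starts with a section tag (R0, F1, O2, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$")

# Directories where an unnamed BHO deserves a second look.
SYSTEM_DIRS = ("\\system32\\", "\\winnt\\", "\\windows\\")

# Dynamic-DNS suffixes used by the O16 heuristic (my own list, an assumption).
DYNDNS_HINTS = ("serveftp.com", "dyndns.org", "no-ip.")


def parse_hjt(text):
    """Return (section, body) tuples for every R/F/O line in a HijackThis log."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def last_path(body):
    """The file path (or URL) is the final ' - ' field; drop the '(file missing)' suffix."""
    field = body.rsplit(" - ", 1)[-1]
    return field.replace("(file missing)", "").strip()


def basename(path):
    """Lower-cased file name, tolerant of both path separators and URLs."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def review_candidates(entries):
    """Map file name -> list of reasons it should be verified by hand."""
    reasons = defaultdict(list)
    bho_files = set()
    for section, body in entries:
        path = last_path(body)
        name = basename(path)
        if section == "O2":
            bho_files.add(name)
            if body.startswith("BHO: (no name)") and any(d in path.lower() for d in SYSTEM_DIRS):
                reasons[name].append("unnamed BHO loaded from a system directory")
            if "(file missing)" in body:
                reasons[name].append("BHO registration whose DLL is missing")
        elif section == "O20":
            reasons[name].append("Winlogon Notify package (runs at logon, outside the browser)")
        elif section == "O23" and "Unknown owner" in body and "(file missing)" in body:
            reasons[name].append("service with no vendor and a missing binary")
        elif section == "O16" and any(h in path.lower() for h in DYNDNS_HINTS):
            reasons[name].append("ActiveX download from a dynamic-DNS host")
    # Cross-reference: the same DLL registered as both a BHO and a Winlogon Notify handler.
    for section, body in entries:
        name = basename(last_path(body))
        if section == "O20" and name in bho_files:
            reasons[name].append("same DLL is also registered as a BHO")
    return dict(reasons)


if __name__ == "__main__":
    for name, why in sorted(review_candidates(parse_hjt(SAMPLE_LOG)).items()):
        print(name)
        for r in why:
            print("   -", r)
```

Entries with a vendor name and a plausible install path (the Acrobat helper, the NVIDIA service, the Money viewer in Program Files) pass through untouched, which is the point of keeping the rules narrow: the goal is a short list to check against the publisher, the file's signature and its creation date, not an automatic verdict.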



## Cookiegal (Aug 27, 2003)

Go to the following link to download SP1a directly.

http://www.microsoft.com/downloads/...f8-1684-4202-b2d0-c6a43430f12a&DisplayLang=en


----------



## Vivsky (Sep 5, 2007)

Ok, that appears to work. However, while it was extracting, I noticed it was extracting to f:, which is my external hard drive. I never had a choice of where to put it. Shouldn't it be extracting to c:?


----------



## Cookiegal (Aug 27, 2003)

Try disconnecting your external drive.


----------



## Vivsky (Sep 5, 2007)

Guess I spoke too soon. The next thing I did was start over, disconnect the external drive, then begin again. All seemed to be going well, until I got an error saying it could not connect to the server. I clicked retry numerous times with no luck. However, my internet connection was live and working at the time! I'm going to do it again.

This is getting so frustrating - every step of the way, another problem. I know, it's my own fault for not updating, but that doesn't make it less frustrating!


----------



## Vivsky (Sep 5, 2007)

Same thing - when it gets to the downloading files and patches, it can't get a connection. AV software is not running.

The error box message says:

If this error persists after you have clicked Retry several times, go to the Windows XP Service Pack Web site and select "Problems Downloading the Service Pack". This will give you instructions on how to download a version of the Service Pack that does not require a Web connection during installation.


I tried to find the website and do that, but can't find anything like it. ACK! And I can't even search for it, as I get redirected! I thought I found it, and copied the address from the google result and pasted in the address bar, and still got redirected. I'm going to try Yahoo.


----------



## Vivsky (Sep 5, 2007)

I managed to find this information. My ISP is not timing me out. Should I try clearing the cache as it says: (I'm not sure that would prompt the connection error I got though)


Troubleshooting the Download Process
You may encounter these issues in the Download Center. Try following these suggestions for working around the issues encountered.

Clear Cache
If you cannot complete a download, you may need to clear the cache in Microsoft Internet Explorer, which you can do by following these steps:

1.
On the Tools menu in Internet Explorer, click Internet Options and then click the General tab. 

2.
In the Temporary Internet Files section, click Delete Files and then click the OK button, if you would like to empty your entire cache of temporary internet files. 

3.
In the Temporary Internet Files section, click Settings. In the Settings dialogue box, select Every visit to the page. Then set the size of the Temporary Internet Files folder to a size larger than your intended download. Next, click the View Files button. 

4.
In the Temporary Internet Files window that opens, open the Edit menu and click Select All. Press DELETE. When you are asked if you would like to delete all the cookies you have selected, click Yes. Click the OK buttons until you return to the General tab. 

5.
In the History section of the General tab, click Clear History and then click Yes. When you are asked if you would like to delete the history of the Web sites you have visited, click OK. 


Connection Termination
Another possible reason for your system not being able to complete a download is that your Internet service provider (ISP) may automatically terminate your Internet connection if the ISP determines your connection has been idle for at least a set number of minutes. Please contact your ISP to disable the automatic termination of your connection when downloading files.


----------



## Cookiegal (Aug 27, 2003)

Try the network installation method that does not require an Internet connection once it's downloaded.

http://www.microsoft.com/windowsxp/downloads/updates/sp1/network.mspx

If you still have problems, you can download it to a CD and then install it from there.


----------



## Vivsky (Sep 5, 2007)

I am logged on from my work laptop. In the middle of installing the network SP1, the computer spontaneously rebooted, and continues to reboot, even if safe mode is selected. 

Is it time to say good bye to my computer?


----------



## Cookiegal (Aug 27, 2003)

Can you boot to Last Known Good Configuration?


----------



## Vivsky (Sep 5, 2007)

I've tried safe mode, normal mode, last known good configuration and safe mode with command prompt. The file it always stops at (and reboots) is WINNT/system32/drivers/agp440.sys.

Does that mean anything?


----------



## Cookiegal (Aug 27, 2003)

It looks like an incompatible motherboard chipset video driver problem. Do you have your XP CD?


----------



## Vivsky (Sep 5, 2007)

It came pre-installed on my Gateway. I have all the CD's that came with the computer. There is one labeled Driver, but it says to insert it into the drive while running Windows, which I can't.

AHA. I have one called Operating System. It says to boot with it in the drive and follow on screen instructions. Can you tell me what I will need to look for/do when I boot with it?


----------



## Vivsky (Sep 5, 2007)

I booted with the CD, and I have 3 options to choose from:


Set up Windows XP
Repair a Windows XP installation using Recovery Console
Quit setup without installing Windows XP

Which should I choose?


----------



## sjpritch25 (Sep 8, 2005)

Print this link out and follow the instructions.

http://support.microsoft.com/default.aspx?scid=kb;en-us;324764


----------



## Vivsky (Sep 5, 2007)

Uh-oh. It's asking for the administrator password. I assumed it was MY password, but it's not. Is there a default that is used?


----------



## sjpritch25 (Sep 8, 2005)

I would just press Enter, unless you created a password for your Administrator account in Safe Mode. If not, then it's just Enter.


----------



## Vivsky (Sep 5, 2007)

Hitting enter told me it was invalid. Does it look like I will have to just reinstall Windows XP? Are there disadvantages to doing that? I've never done an operating system reinstall, so not sure what it wipes out - programs, documents, etc.


----------



## JohnWill (Oct 19, 2002)

Uhh.... A clean install will wipe out EVERYTHING on the boot partition, so that's not a good option if you haven't backed up all your data in places like My Documents. Also, obviously, ALL programs will have to be re-installed, as well as any configuration you've done to them. See if you can follow this procedure.

How to Perform a Windows XP Repair Install


----------



## sjpritch25 (Sep 8, 2005)

Did you try using your password???


----------



## Vivsky (Sep 5, 2007)

sjpritch25 said:


> Did you try using your password???


Yes, I did. It didn't like it. I tried it again after hitting the Caps Lock key, thinking that perhaps caps lock had been on, and it didn't like that either. I just looked at the link JohnWill provided (I was at that site a bit earlier while searching for help on my own), and it seems a bit ominous in its instructions. Is running a Repair the only option I have left?


----------



## JohnWill (Oct 19, 2002)

It appears to be the best option.


----------



## sjpritch25 (Sep 8, 2005)

Do that, but I don't think it will clean everything up. Please post a fresh HijackThis log. You will need your product key, so have that handy. If you can't find your product key, it's usually on the back of your laptop.


----------



## Vivsky (Sep 5, 2007)

Ok. Doing it now.

The instructions say not to connect to the internet until previous updates are reinstalled. But how can I reinstall them if I can't connect to the internet? Guess I'm putting the cart before the horse. I need to get through this repair first!


----------



## JohnWill (Oct 19, 2002)

I agree, the object of this exercise is to just get it to boot at all, then we'll turn the security guys loose on the original issue.


----------



## Vivsky (Sep 5, 2007)

sjpritch25 said:


> Do that, but I don't think it will clean everything up. Please post a fresh HijackThis log. You will need your product key, so have that handy. If you can't find your product key, it's usually on the back of your laptop.


I have a desktop. Are you talking about the Windows product key? I have no idea what it is. I looked through all my original documentation that I got with the computer, but it doesn't appear to be there anywhere. As I said, it's a Gateway and XP came preinstalled on it, so I don't have the actual MS installation CD.


----------



## JohnWill (Oct 19, 2002)

It should be on a sticker on the side of the case. Without a product key, you couldn't do a clean install either!


----------



## Vivsky (Sep 5, 2007)

Ok. The repair has stopped. I have a blue screen that says:

A problem has been detected and windows has been shut down to prevent damage to your computer.

IRQL_NOT_LESS_OR_EQUAL

If this is the first time you've seen this screen, restart your computer.


I restarted and then the safe mode, etc. option came up, so I went into safe mode. After this is done, should I reboot into regular windows? Should I now remove the OS CD before I reboot?


----------



## sjpritch25 (Sep 8, 2005)

try booting into normal mode. let me know if you can't.


----------



## sjpritch25 (Sep 8, 2005)

yes remove the cd.


----------



## Vivsky (Sep 5, 2007)

No good. I have the option to choose normal mode, but then the blue screen comes back. It also comes back if I choose safe mode.


----------



## Vivsky (Sep 5, 2007)

Let me edit that. It does go into safe mode now.


----------



## Vivsky (Sep 5, 2007)

By the way, the repair of Windows never got to the point to ask for the product key.


----------



## sjpritch25 (Sep 8, 2005)

Okay try this.

Right-Click on your *My Computer* icon on your desktop---> Click on *Properties*---> Click on *hardware* tab---> Click on *Device Manager*---> Click on the *+* next to display adapter---> Right-Click on the device and click on uninstall. Reboot your computer and see if you can boot into normal mode.


----------



## Vivsky (Sep 5, 2007)

I uninstalled the display, and it's still the same story. I can't boot into normal mode.


----------



## Vivsky (Sep 5, 2007)

Any more ideas?

Sorry for my delay. I had to sleep, and then work all day. I've got about 4 hours tonight to work on this. Thanks for any help you can provide.


----------



## Vivsky (Sep 5, 2007)

Anybody out there today?


----------



## Vivsky (Sep 5, 2007)

Not sure if this helps at all, but the Technical information at the blue screen is:

STOP: 0x0000000A (0x00000000, 0x00000002, 0x00000001, 0x804EA568)


----------



## JohnWill (Oct 19, 2002)

One possibility is to remove all the non-essential expansion cards and devices that are plugged in. That error is usually a device driver error. Of course, without being able to boot into safe mode, there are limited options to deal with it.


----------



## Vivsky (Sep 5, 2007)

JohnWill said:


> One possibility is to remove all the non-essential expansion cards and devices that are plugged in. That error is usually a device driver error. Of course, without being able to boot into safe mode, there are limited options to deal with it.


Sorry, I think I posted too many times. I actually CAN boot into safe mode. I'm in there now. And I'm reading about the agp440.sys error at the microsoft website. Now that I have the administrator password, should I try to do as it instructs again?

AGP440.SYS error support


----------



## JohnWill (Oct 19, 2002)

You bet! I was thinking we were in deep when you couldn't boot at all. 

Let us know how that works.


----------



## Vivsky (Sep 5, 2007)

Crap. I set the administrator password while I was in safe mode, logged on as administrator. Now when I enter it for Recovery, it says it is invalid. When I reboot into safe mode, and choose to login as administrator, it accepts it. What gives? When this is all done, I'm renaming this computer on my home network. It's new name? Catch22.


----------



## sjpritch25 (Sep 8, 2005)

Just for kicks try this as the password *administrator*

You have tried to skip the password prompt by pressing enter. Right??


----------



## Vivsky (Sep 5, 2007)

I tried administrator and it didn't work. Yesterday, I tried "password" and it didn't work. So that's why I actually reset the password tonight, and it won't take it. Yes, I left it blank, both yesterday and tonight, twice now. This is crazy! Is it not taking the administrator password change because of safe mode? The MS website says that is the only way to set/change the administrator password. As a sidenote, my own user account IS set up as an administrator. It is the same password.


----------



## sjpritch25 (Sep 8, 2005)

Give some of these a try

http://support.microsoft.com/kb/308402


----------



## Vivsky (Sep 5, 2007)

I thought I was getting somewhere, as I was able to install Recovery from the CD per the instructions. However, the next time I booted, it went straight to the blue screen. Then I rebooted again and was able to select Recovery Console as the system to log into. But now I'm right back where I was - it won't take any passwords!

Will I have to call Microsoft as per the Step 3 instructions:

"3. Contact Microsoft Product Support Services to obtain and install the Q308402 hotfix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site: 
http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS (http://support.microsoft.com/default.aspx?scid=fh;en-us;cntactms)"

Sorry, but am going to be away again until tomorrow evening.


----------



## Vivsky (Sep 5, 2007)

I'm back. sjpritch25, I tried your workaround, and it has partially worked. But have PM'ed you a question.


----------



## Vivsky (Sep 5, 2007)

I was able to disable the agp440 service, however, I still cannot boot into normal mode. The blue screen still comes up with the same message and technical information as before. The directions for disabling the agp440 indicate I should boot into Normal Mode if asked. I have tried twice now, and still the blue screen. 

FYI - This is the cycle of events: On first reboot, it doesn't even get to the option of safe or normal mode, as the blue screen comes up. When I shut down, then power back on, I will get the safe/normal mode option. When I choose normal, the blue screen then comes up. I must shut down. Upon restart, will go straight to blue screen. 

This is me with no hair left.  I have pulled it all out.  

Is there anything left, short of reinstalling Windows?


----------



## Vivsky (Sep 5, 2007)

Bump!


----------



## sjpritch25 (Sep 8, 2005)

While in Safe Mode

Please right-click on your *My Computer* icon---> Click on *Manage*---> Click on *Event Viewer*---> Click on the *System* icon. Please write down all the Red entries and post the errors. Thanks. This will take some time, but it will let us see what is preventing boot up in Normal mode. Thanks.


----------



## Vivsky (Sep 5, 2007)

sjpritch25 said:


> While in Safe Mode
> 
> Please right-click on your *My Computer* icon---> Click on *Manage*---> Click on *Event Viewer*---> Click on the *System* icon. Please write down all the Red entries and post the errors. Thanks. *This will take some time*, but it will let us see what is preventing boot up in Normal mode. Thanks.


There are way over 500 error entries there! Is there any particular information you are looking for? For example, on one date, there are at least 100 Service Control Manager errors, one every 5 seconds or so. And exactly what information do you need? The date, time, source, category, event, user?

Can I burn to a CD in safe mode? Perhaps I can do some screen captures, save them to a CD, put them in this laptop, and upload the file here as an attachment?

Here is the contents of a few of the most repeated errors:

Service Control Manager Error

The following boot-start or system-start driver(s) failed to load:
ATMhelpr
eeCtrl
Fips
i8042prt
IPSec
MRxSmb
NetBIOS
Processor
RasAcd
Rdbss
SRTSPX
Tcpip

Service Control Manager

The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
A device attached to the system is not functioning.

DCOM Error

DCOM got error "This service cannot be started in Safe Mode" attempting to start the service EventSystem with argument"" in order to run the server.
{1BE1F766-5536-11D1-B726-OOCO4FB26AF}

Service Control Manager

The Messenger service depends on the NetBIOS Interface service which failed to start because of the following error:
A device attached to the system is not functioning.


----------



## Vivsky (Sep 5, 2007)

Bump!


----------



## Vivsky (Sep 5, 2007)

On another note, while I'm in the Computer Management screen, I decided to look around in Device Manager. Under System Devices, the Intel Processor to AGP Controller has the yellow circle with a ! in it. Does that relate to any existing problem?


----------



## sjpritch25 (Sep 8, 2005)

Yes, that yellow icon means that there is a problem with that device. Right-click on that device and post the description shown under *Device Status*.

Also, navigate to this folder *C:\WINNT\Minidump* and save the last five minidumps. Save them and post the results. If not found, don't worry about it.

Does your Desktop have a floppy drive???


----------



## Vivsky (Sep 5, 2007)

The device not working says:

A driver (service) for this device has been disabled. An alternate driver may be providing functionality. (Code 32).

Yes, my desktop has a floppy drive. I'll have to hunt down an actual disk to use though.

The most recent minidump is dated 8/15/04. The four before that are all in May and June of 2003. Still valuable information for you?


----------



## Vivsky (Sep 5, 2007)

Bump!


----------



## Vivsky (Sep 5, 2007)

Can someone at least tell me if this is a lost cause so I can move on and start looking for another system? Thank you.


----------



## sjpritch25 (Sep 8, 2005)

Go to this link and create the Setup floppy disks.
http://support.microsoft.com/kb/310994/

Once they are created
After you create all six disks, insert the first disk in the floppy disk drive, and then restart the computer. Note that the computer must be configured to boot from the floppy disk drive. In some cases, you may need to modify your computer's BIOS settings to do this.

The Setup process starts. Insert the other floppy disks as you are prompted to do so. Go ahead and try the Repair installation again. Let me know if you succeeded.


----------



## Vivsky (Sep 5, 2007)

Well, the laptop I'm using now does not have a floppy drive. Only a CD drive. Can I do this process by saving to a CD?


----------



## Vivsky (Sep 5, 2007)

I am beginning to wonder if this is worth everyone's time. I really don't have a lot of things on my PC that I care about, program wise. I've already saved all other items to my external hard drive.

What do you think about reinstalling Windows, and then getting all the Windows updates? Do you think I would be able to get the updates then?


----------



## Vivsky (Sep 5, 2007)

Hello?


----------



## sjpritch25 (Sep 8, 2005)

Yes, I would agree; formatting and re-installing is probably the best thing to do.

When you have completed the re-install, go here to install service pack2
http://www.microsoft.com/windowsxp/sp2/default.mspx

After installing service pack 2, you will have a lot more updates to install.

Make sure you install an Anti-Virus program and Firewall. If you have any questions, just let me know.


----------



## Vivsky (Sep 5, 2007)

Well, the installation seemed to be going ok. But now, about halfway into it, I have:

PAGE_FAULT_IN_NONPAGED_AREA

Stop info, I think, was 0x00000005. 

It just rebooted, so I didn't get to see it long enough. It was doing a physical memory dump.

On reboot, I got to choose to go into Windows, or Recovery Console. Choosing RC, then choosing which windows installation I wanted to go into, it only brought me to the C:\WINNT> prompt.

I disabled the AGP440 again, and rebooted. It then said Windows Set up was continuing. I'm now back to the Windows installation process, starting from the beginning. 


UPDATE: This time through, it got through the entire installation process, rebooted, and then I got the BSOD with the IRQL NOT LESS OR EQUAL message.

Is this a physical hardware problem??


----------



## Vivsky (Sep 5, 2007)

Anyone?


----------



## Vivsky (Sep 5, 2007)

Since this appears to no longer be a virus/malware issue (well, at this point anyway), perhaps I could get more help if it were moved to a different forum?

Thanks for the help so far, though.


----------



## Cookiegal (Aug 27, 2003)

I'm sorry it turned out this way for you.  

I think because of the number of posts in this thread, you'd probably have more success getting assistance if you were to start a new thread in the XP forum for help with your reformat and those errors.

At first glance on Google, the errors you're getting could be hardware or RAM related.

Once you've started your new thread, I'll post a link to it here and close this one.


----------



## Vivsky (Sep 5, 2007)

Thanks for the sympathy, Cookiegal. It's a sad day when our computers go kaput!

I will start a new thread. Thanks!


----------



## Cookiegal (Aug 27, 2003)

Here's a link to the new thread.

Good luck to you. 

http://forums.techguy.org/windows-nt-2000-xp/624967-reformat-issue-s.html


----------

