# Solved: unable to launch IE



## campostch (Oct 3, 2006)

I'm unable to launch IE; it keeps crashing. If I log in in safe mode I have no problem. I know I'm infected with something. Please take a look at my HijackThis log and advise; greatly appreciated. I have run Spybot S&D, Adaware, and Ashampoo spyware removal.

Logfile of HijackThis v1.99.1
Scan saved at 7:49:16 PM, on 4/22/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\ctfmon.exe
C:\Documents and Settings\ernestog\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: (no name) - {C3F26EB9-8420-88F7-7000-F21A73CF0AB6} - C:\WINNT\System32\ntargu.dll (file missing)
O3 - Toolbar: (no name) - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [%%DELETE_VALUE%%] CreateCD50
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINNT\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,[email protected]
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Qjcu] C:\WINNT\system32\??stem32\m?iexec.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSIM0003
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166136662813
O20 - AppInit_DLLs: C:\WINNT\System32\systwy.dll
O20 - Winlogon Notify: dlldex - dlldex.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xcttgs - xcttgs.dll (file missing)
O21 - SSODL: emptins - {588599f4-de26-4c28-ba14-f4eb17e33481} - (no file)
O21 - SSODL: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINNT\System32\lxbucoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Microsoft NetWork FireWall Services - Unknown owner - Net_Services.exe (file missing)
O23 - Service: Windows Update (WindowsUpdate) - Unknown owner - C:\WINNT\system32\usrinit.exe (file missing)
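
As an added example (not from the thread and not part of HijackThis), a short Python triage script that parses the entry format of the log above and flags what a helper looks at first: load points that affect every process or every logon (O20/O21), references to files that cannot be found, paths containing characters that cannot appear in a real filename, Run values with no directory, and services with no vendor. The sample lines are copied from the posted log; the heuristics are assumptions, not the tool's own rules.

```python
"""Triage a HijackThis 1.99 log: flag the entries a helper would look at first.

Added example for this thread; it is not part of HijackThis and the heuristics
below are assumptions about what deserves attention, not the tool's own rules.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the log posted above.
# The '?' characters in the [Qjcu] path are how the forum rendered non-ASCII
# characters that cannot normally appear in a Windows path.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {C3F26EB9-8420-88F7-7000-F21A73CF0AB6} - C:\WINNT\System32\ntargu.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Qjcu] C:\WINNT\system32\??stem32\m?iexec.exe
O20 - AppInit_DLLs: C:\WINNT\System32\systwy.dll
O20 - Winlogon Notify: xcttgs - xcttgs.dll (file missing)
O21 - SSODL: emptins - {588599f4-de26-4c28-ba14-f4eb17e33481} - (no file)
O23 - Service: Windows Update (WindowsUpdate) - Unknown owner - C:\WINNT\system32\usrinit.exe (file missing)
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [x] y".
ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2})\s+-\s+(?P<body>.+)$")


@dataclass
class Finding:
    kind: str
    body: str
    reasons: list


def parse_entries(text):
    """Return (section, body) pairs; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def assess(kind, body):
    """Return the list of reasons this entry deserves a closer look (empty if none)."""
    reasons = []
    # O20/O21 are load points that affect every process or every logon.
    if kind == "O20":
        if body.startswith("AppInit_DLLs"):
            reasons.append("AppInit_DLLs: the DLL is loaded into every process that uses user32.dll")
        else:
            reasons.append("Winlogon Notify package: the DLL is loaded by winlogon.exe at every logon")
    elif kind == "O21":
        reasons.append("SSODL object: loaded by Explorer at every logon")
    # A load point whose file cannot be found is either left over from a removal
    # or a file hidden from the scanner (the rootchk log in this thread reports
    # a hidden driver, so 'missing' is not proof of 'gone').
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("referenced file not found: orphaned entry or hidden file")
    # '?' is invalid in a Windows filename; URLs legitimately contain it, so
    # only look at the part of the body before any http reference.
    if "?" in body.split("http", 1)[0]:
        reasons.append("path contains characters that cannot appear in a normal filename")
    # A Run value naming a bare executable gives no directory to verify it in.
    if kind == "O4" and "] " in body:
        target = body.split("] ", 1)[1].strip()
        if "\\" not in target:
            reasons.append("Run entry names a bare executable with no directory")
    if kind == "O23" and "Unknown owner" in body:
        reasons.append("service binary carries no vendor information")
    return reasons


def triage(text):
    """Assess every entry and return the flagged ones, most reasons first."""
    findings = [Finding(k, b, assess(k, b)) for k, b in parse_entries(text)]
    flagged = [f for f in findings if f.reasons]
    return sorted(flagged, key=lambda f: -len(f.reasons))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:>4}  {f.body}")
        for r in f.reasons:
            print(f"      - {r}")
```

Run it against a full pasted log and the O20/O21 entries with missing files land at the top, which is exactly where the rootkit-scan advice in this thread starts.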


----------



## Byteman (Jan 24, 2002)

Hi,
Click *Start - Control Panel - Add/Remove Programs*.
In the list of installed software, look for:

- Oin
- Yazzle by Oin
- Purityscan by Oin
- Snowballwars by Oin
- or anything similar with Oin or Outerinfo in it
- Zolero
- Tizzletalk
- MediaTickets
- Cowabanga

If you find any:
Click on it and click *Remove*.
Reboot and delete the folder *C:\Program Files\PurityScan* (if it's still there).

If not:
Download and run the Oiuninstaller.
There is a tutorial for the uninstaller available.
When the uninstaller is done, *reboot* and delete the folder *C:\Program Files\PurityScan*.


I know you cannot get Internet Explorer to run, but if you can download some things somehow, like using another computer and burning these downloads to CD etc, please be advised that this would be OK to try.
If you are somehow using the infected computer and *can* download, then please do that.

Using the *Safe Mode with Networking* option at startup when pressing the F8 key may allow your IE to run, or at least another browser like Firefox....you could probably download and install Firefox by using the burn to CD method....

If you try and still cannot get the computer to connect online, and have no way to use another computer to download and/or burn files to disc, post back.

Looks to be no antivirus installed, or an expired McAfee one.....you need a good, installed antivirus program, so get AVG installed as soon as you can: *UNinstall McAfee if it has expired or does not work,* etc. Uninstall it before installing AVG. There is a removal tool that may help you remove it here:

*http://www.majorgeeks.com/McAfee_Consumer_Product_Removal_Tool_d5420.html*

If you are paying for McAfee, by any chance did you remove it from starting up with Windows? You have something set to not start up using Msconfig> I would ask that you re-enable what items you have unchecked so they will show in logs> we can't fix what we cannot see. You will have to restart after using msconfig to re-check items.....do that.

If you need an antivirus program use this free one:

Get AVG Antivirus Free Edition 7.5 here>>>>>http://www.free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-virus-free, install and get it Updated online for the latest detection files.....I would advise *not* running a full scan right now until a few things have been checked.

You have not installed either XP Service Pack One, or SP2....these service packs are pretty much required to prevent malware from getting into your computer. But, there has been or still is some infection present- let's try a few scan tools that may point to something:

First> Run this rootkit detector as the steps show you, and post what it says into a Reply:

Download this tool to your desktop:

*http://www.uploads.ejvindh.net/rootchk.exe*

Run the program. After a short time a logfile will turn up. Copy the contents of the log into the thread.

Next:

Also> Follow these directions. Post the log it asks for into your Reply here, too.

Please download *SmitfraudFix* (by *S!Ri*) to your Desktop.

Double-click *smitfraudfix.exe* 
Select option *#1 - Search* by typing *1* and press *Enter* 
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named *rapport.txt* in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. 
http://www.beyondlogic.org/consulting/proc...processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!


----------



## campostch (Oct 3, 2006)

Thank you, I will go ahead and do all of the above a little later today. One other weird thing that I noticed is when I right-click on My Computer and do Properties it says it's Windows 2000. Since this is a friend's computer I do not know too much of its history, but could it be that at one point it was Windows 2000 and the upgrade did not go so well?


----------



## Byteman (Jan 24, 2002)

Hi, If that is the case, could you please try to find out as much as possible, because it may make a lot of difference! 
You need to get the other things I posted done, but when you do have a minute, look this over:

1. When XP is installed, as a direct Upgrade over 2000, here are some of the problems that can occur- could you have someone familiar with the computer look these over and see if any apply?

*http://labmice.techtarget.com/windowsxp/Install/win2kupgrade.htm*


----------



## campostch (Oct 3, 2006)

OK, here goes the rapport file and then the rootlog.
SmitFraudFix v2.171

Scan done at 20:55:17.55, Mon 04/23/2007
Run from C:\Documents and Settings\ernestog\Desktop\New Folder (2)\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINNT\System32\clcl6.exe
C:\WINNT\Mixer.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\ctfmon.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ernestog

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ernestog\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="http://memimage.cardomain.net/member_images/12/web/2040000-2040999/2040839_1_full.jpg"
"SubscribedURL"="http://memimage.cardomain.net/member_images/12/web/2040000-2040999/2040839_1_full.jpg"
"FriendlyName"=""

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINNT\\System32\\systwy.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

pe386 detected, use a Rootkit scanner

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
DNS Server Search Order: 192.168.0.1
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{04DD0050-F810-4C28-B76A-E5A6F05ED30D}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{04DD0050-F810-4C28-B76A-E5A6F05ED30D}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{04DD0050-F810-4C28-B76A-E5A6F05ED30D}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

********************************* ROOTCHK-(23-04-07)-LOG, by ejvindh
Mon 04/23/2007 20:42:50.97

Rootkit driver pe386 (hidden) is present. A rootkit scan is required. Rustbfix or Gmer are recommended
Driver nm (visible) is present. Run COMBOFIX by sUBs.
Driver xcttgs (Possible Haxdoor) is present. Run HAXFIX by Marckie
Driver xcttgm (Possible Haxdoor) is present. Run HAXFIX by Marckie

********************************* ROOTCHK-LOG-end

catchme 0.3.657 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-23 20:42:51
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Documents and Settings\ernestog\My Documents\stuff\Lyrics\R&B\SEAN PAUL LYRICS - I'm Still In Love With You_files\BABY BASH LYRICS - Suga Suga_files\112 LYRICS - Hot And Wet_files\112 LYRICS - Hot & Wet (Remix)_files\EVANESCENCE LYRICS - Going Under_files\bot.js
C:\Documents and Settings\ernestog\My Documents\stuff\Lyrics\R&B\SEAN PAUL LYRICS - I'm Still In Love With You_files\BABY BASH LYRICS - Suga Suga_files\112 LYRICS - Hot And Wet_files\112 LYRICS - Hot & Wet (Remix)_files\EVANESCENCE LYRICS - Going Under_files\top.js
C:\Documents and Settings\ernestog\My Documents\stuff\Lyrics\R&B\SEAN PAUL LYRICS - I'm Still In Love With You_files\BABY BASH LYRICS - Suga Suga_files\112 LYRICS - Hot And Wet_files\112 LYRICS - Hot & Wet (Remix)_files\EVANESCENCE LYRICS - My Immortal_files\bot.js
C:\Documents and Settings\ernestog\My Documents\stuff\Lyrics\R&B\SEAN PAUL LYRICS - I'm Still In Love With You_files\BABY BASH LYRICS - Suga Suga_files\112 LYRICS - Hot And Wet_files\112 LYRICS - Hot & Wet (Remix)_files\EVANESCENCE LYRICS - My Immortal_files\head.js
C:\Documents and Settings\ernestog\My Documents\stuff\Lyrics\R&B\SEAN PAUL LYRICS - I'm Still In Love With You_files\BABY BASH LYRICS - Suga Suga_files\112 LYRICS - Hot And Wet_files\112 LYRICS - Hot & Wet (Remix)_files\EVANESCENCE LYRICS - My Immortal_files\top.js


----------



## campostch (Oct 3, 2006)

I checked with my friend in regards to the whole Windows OS. He said that at one point he had Windows 2000 and upgraded to Windows XP. The reason he upgraded was because he kept getting a pop-up that said "Windows 2000 system files have changed, please insert Windows 2000 CD". Since he did not have the Windows 2000 CD he upgraded. I am posting a new HijackThis log with everything enabled under msconfig. Should I try to do a Windows repair by booting off a Windows XP CD? I have removed McAfee and I'm going to install the antivirus you suggested.

Logfile of HijackThis v1.99.1
Scan saved at 10:10:24 PM, on 4/23/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\ctfmon.exe
C:\Documents and Settings\ernestog\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [{48DBAAE2-05D7-1033-1109-010518010001}] "C:\Program Files\Common Files\{48DBAAE2-05D7-1033-1109-010518010001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [WinAntiVirusPro2006] "C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe" /min
O4 - HKLM\..\Run: [Virus-Bursters] C:\Documents and Settings\ernestog\My Documents\My Downloads\Virus-Bursters\virus-bursters.exe /h
O4 - HKLM\..\Run: [uwa6pcw] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\uwa6pcw.exe" -c
O4 - HKLM\..\Run: [tFmj3ql] spm2bin.exe
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pjzkzszggv] C:\WINNT\system32\jtdkru.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
O4 - HKLM\..\Run: [Mwxymgu] C:\Program Files\Ylrlayi\Yumyy.exe
O4 - HKLM\..\Run: [ERS_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe"
O4 - HKLM\..\Run: [ERS] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe" /min
O4 - HKLM\..\Run: [DC6_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\dc6_startupmon.exe"
O4 - HKLM\..\Run: [DC6] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\dc6_startupmon.exe" /min
O4 - HKLM\..\Run: [clcl6] C:\WINNT\System32\clcl6.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WinInit] "C:\DOCUME~1\ernestog\LOCALS~1\Temp\158698276.exe " 
O4 - HKCU\..\Run: [Uart] "C:\PROGRA~1\COMMON~1\FNTS~1\wuauclt.exe" -vt yazr
O4 - HKCU\..\Run: [kuzr] C:\PROGRA~1\COMMON~1\kuzr\kuzrm.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [Fzqvl] C:\Program Files\??curity\s?rvices.exe
O4 - HKCU\..\Run: [co5tRkJmU] soreamci.exe
O4 - HKCU\..\Run: [Axecxv] C:\Documents and Settings\ernestog\My Documents\?icrosoft.NET\??plorer.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166136662813
O20 - AppInit_DLLs: C:\WINNT\System32\systwy.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINNT\System32\lxbucoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Windows Update (WindowsUpdate) - Unknown owner - C:\WINNT\system32\usrinit.exe (file missing)


----------



## Byteman (Jan 24, 2002)

Hi, Sorry not to have been able to reply here to you.....if you are still needing help with this, post back please.

There are some nasty infections on there which we can help you clear up, but I see you have marked the thread "Solved" so I am wondering what caused you to put Solved up?

If you decided to format and reinstall everything I can't say I'd blame you....but, if you do want to clean things up, please do what is below:

I'm having you re-download SmitfraudFix since it may have been updated in the past days....

Please download *SmitfraudFix* (by *S!Ri*) to your Desktop.

Double-click *smitfraudfix.exe* 
Select option *#1 - Search* by typing *1* and press *Enter* 
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named *rapport.txt* in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. 
http://www.beyondlogic.org/consulting/proc...processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!

Post that log in a reply please.


----------



## campostch (Oct 3, 2006)

I apologize for closing this thread. I figured you had gotten real busy again; I apologize for being impatient. I would still like to get this fixed if possible. Take a look at the report; thanks again.

SmitFraudFix v2.171

Scan done at 7:35:20.46, Thu 04/26/2007
Run from C:\Documents and Settings\ernestog\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINNT\Mixer.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ernestog

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ernestog\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="http://memimage.cardomain.net/member_images/12/web/2040000-2040999/2040839_1_full.jpg"
"SubscribedURL"="http://memimage.cardomain.net/member_images/12/web/2040000-2040999/2040839_1_full.jpg"
"FriendlyName"=""

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINNT\\System32\\systwy.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

pe386 detected, use a Rootkit scanner

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
DNS Server Search Order: 192.168.0.1
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{04DD0050-F810-4C28-B76A-E5A6F05ED30D}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{04DD0050-F810-4C28-B76A-E5A6F05ED30D}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{04DD0050-F810-4C28-B76A-E5A6F05ED30D}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{04DD0050-F810-4C28-B76A-E5A6F05ED30D}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End


----------



## sjpritch25 (Sep 8, 2005)

campostch, I am going to take the log over for Byteman. Let me look over everything and I will post shortly.


----------



## sjpritch25 (Sep 8, 2005)

Could you post a fresh HijackThis log. Did you uninstall any of the programs *Byteman* instructed you to?


----------



## campostch (Oct 3, 2006)

I did run the programs that Byteman mentioned. The last thing I ran was SmitFraudFix. I will post the new HijackThis log later. Right now I am at work and do not have access to the PC. Thank you for lending a hand.


----------



## campostch (Oct 3, 2006)

Here goes the log.

Logfile of HijackThis v1.99.1
Scan saved at 6:49:32 PM, on 4/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINNT\Mixer.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\ernestog\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKLM\..\Run: [tFmj3ql] spm2bin.exe
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe -1 --delay 15
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\tmlsp.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1177544338699
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1177557200283
O20 - AppInit_DLLs: C:\WINNT\System32\systwy.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINNT\System32\lxbucoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: Windows Update (WindowsUpdate) - Unknown owner - C:\WINNT\system32\usrinit.exe (file missing)

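The log above is what the helper reads for persistence entries: Run values that launch a bare file name, the AppInit_DLLs entry, and a service whose binary is missing. As an added example, not code from the thread or from HijackThis, this script triages O4/O20/O23 lines of that format; the regexes are assumed from the posted log and the severity rules are my own heuristics.

```python
import re
from dataclasses import dataclass

# Constructed sample: O4/O20/O23 lines in the shape of the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [tFmj3ql] spm2bin.exe
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O20 - AppInit_DLLs: C:\WINNT\System32\systwy.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows Update (WindowsUpdate) - Unknown owner - C:\WINNT\system32\usrinit.exe (file missing)
"""

# Line shapes taken from the posted log (assumed stable for HijackThis 1.99 output).
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# Heuristic (my assumption, not a HijackThis rule): a Run value name that mixes
# upper case, lower case and digits with no spaces is likely machine-generated.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{5,}$")


@dataclass
class Finding:
    line: str
    severity: str  # "high": act on it; "review": confirm the file before touching it
    reason: str


def first_token(cmd: str) -> str:
    """Return the executable part of a Run command, honouring quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> list[Finding]:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := O4_RE.match(line):
            exe = first_token(m["cmd"])
            # A bare file name is resolved through the search path at logon, so the
            # log does not tell you which copy runs; a hostile copy in system32 wins.
            bare = "\\" not in exe and ":" not in exe
            if bare and RANDOM_NAME_RE.match(m["name"]):
                findings.append(Finding(line, "high",
                    f"Run value {m['name']!r} looks machine-generated and launches bare {exe!r}"))
            elif bare:
                findings.append(Finding(line, "review",
                    f"Run value launches {exe!r} with no explicit path"))
        elif m := O20_RE.match(line):
            for dll in re.split(r"[ ,;]+", m["dlls"].strip()):
                if dll:
                    findings.append(Finding(line, "high",
                        f"AppInit_DLLs loads {dll} into every process that maps user32.dll"))
        elif m := O23_RE.match(line):
            reasons = []
            missing = m["path"].endswith("(file missing)")
            if missing:
                reasons.append("service binary is missing on disk")
            if m["owner"] == "Unknown owner":
                reasons.append("no company/owner information")
            if reasons:
                # A missing binary registered under system32 is the pattern of the
                # fake 'Windows Update' service in the log; elsewhere it is usually
                # an uninstall leftover that should be confirmed before removal.
                sev = "high" if missing and "\\system32\\" in m["path"].lower() else "review"
                findings.append(Finding(line, sev,
                    f"service {m['display']!r}: " + "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}")
```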

----------



## sjpritch25 (Sep 8, 2005)

In the following quote, please copy (Ctrl+C) and Paste (Ctrl+V) the text in Notepad. Save it as *All Files* and name it *ServicesFix.bat*. Save it to your Desktop.


> @echo off
> sc stop "WindowsUpdate"
> sc delete "WindowsUpdate"
> exit


Doubleclick on *ServicesFix.bat*. It will open and close quickly. That is normal.

====================================

You have a file I would like you to get analyzed. Please go to VirusTotal. On the very top of the website, you will see a Browse button. Use that to search for this file *C:\WINNT\System32\systwy.dll*. Then click on Send. This could take between 30 seconds and a couple of minutes. When you get the results, open Notepad, highlight the results, copy them to Notepad and save it as "Scan.txt". Save the text file "Scan.txt" to your desktop. Please include the file in your next post.

Note: You may need to unhide hidden files and folders.
*Configure Windows XP to show hidden files:*
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select *"Show hidden files and folders"*.
Uncheck the *"Hide protected operating system files (recommended)"* option.
Uncheck the *"Hide file extensions for known file types"* option.
Click *Yes* to confirm. Click *OK.*


----------



## campostch (Oct 3, 2006)

That file is not located on the HD. I did a manual search by going to that directory and could not find it. I did a Windows search and it did not find the file. I am set to show hidden files and OS files. The file is not on the HD.


----------



## sjpritch25 (Sep 8, 2005)

Download GMER's application from here:
http://www.majorgeeks.com/GMER_d5198.html
Unzip it and start the *GMER.exe*
Click the *Rootkit* tab and click the *Scan* button.
Once done, click the *Copy* button.
This will copy the results to your clipboard.
Paste the results in your next reply.
Warning! Please do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.


----------



## campostch (Oct 3, 2006)

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-04-28 10:55:32
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.12 ----

SSDT \??\C:\WINNT\System32:lzx32.sys ZwCreateKey
SSDT \??\C:\WINNT\System32:lzx32.sys ZwDeviceIoControlFile
SSDT \??\C:\WINNT\System32:lzx32.sys ZwEnumerateKey
SSDT \??\C:\WINNT\System32:lzx32.sys ZwOpenKey
SSDT \??\C:\WINNT\System32:lzx32.sys ZwQueryKey
SSDT \??\C:\WINNT\System32:lzx32.sys ZwQuerySystemInformation
SSDT \??\C:\WINNT\System32:lzx32.sys ZwSaveKey
SSDT \??\C:\WINNT\System32:lzx32.sys ZwTerminateProcess

Code \??\C:\WINNT\System32:lzx32.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.12 ----

? C:\WINNT\System32\DRIVERS\update.sys 
? C:\WINNT\System32:lzx32.sys The system cannot find the file specified.
.text tcpip.sys!IPTransmit + 10BC F80F9CFA 6 Bytes CALL F8218F50 \??\C:\WINNT\System32:lzx32.sys
.text tcpip.sys!IPTransmit + 2810  F80FB44E 6 Bytes CALL F8218F50 \??\C:\WINNT\System32:lzx32.sys
.text tcpip.sys!ARPRcv + 506D F81004E0 6 Bytes CALL F8218F50 \??\C:\WINNT\System32:lzx32.sys
.text wanarp.sys F9BD73FD 7 Bytes CALL F8218F5A \??\C:\WINNT\System32:lzx32.sys

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] \??\C:\WINNT\System32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 0x12 0x2B 0x48 0x32 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386\Security 
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected]  1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] \??\C:\WINNT\System32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 0x12 0x2B 0x48 0x32 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386\Enum 
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] \??\C:\WINNT\System32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected]  0x12 0x2B 0x48 0x32 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\[email protected] \??\C:\WINNT\System32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\[email protected] 0x12 0x2B 0x48 0x32 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386\Security 
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\[email protected]  \??\C:\WINNT\System32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\[email protected] 0x12 0x2B 0x48 0x32 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] \??\C:\WINNT\System32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 0x12 0x2B 0x48 0x32 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386\Security 
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected]  1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] \??\C:\WINNT\System32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 0x12 0x2B 0x48 0x32 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] \??\C:\WINNT\System32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected]  0x12 0x2B 0x48 0x32 ...


----------



## campostch (Oct 3, 2006)

Here is the rest of the log.

Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386\Security 
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected]  \??\C:\WINNT\System32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] 0x12 0x2B 0x48 0x32 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] \??\C:\WINNT\System32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 0x12 0x2B 0x48 0x32 ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Security 
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] \??\C:\WINNT\System32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 0x12 0x2B 0x48 0x32 ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Enum 
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] \??\C:\WINNT\System32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 0x12 0x2B 0x48 0x32 ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 1
---- Files - GMER 1.0.12 ----

File C:\Documents and Settings\ernestog\My Documents\stuff\Lyrics\R&B\SEAN PAUL LYRICS - I'm Still In Love With You_files\BABY BASH LYRICS - Suga Suga_files\112 LYRICS - Hot And Wet_files\112 LYRICS - Hot & Wet (Remix)_files\EVANESCENCE LYRICS - Going Under_files\bot.js 
File C:\Documents and Settings\ernestog\My Documents\stuff\Lyrics\R&B\SEAN PAUL LYRICS - I'm Still In Love With You_files\BABY BASH LYRICS - Suga Suga_files\112 LYRICS - Hot And Wet_files\112 LYRICS - Hot & Wet (Remix)_files\EVANESCENCE LYRICS - Going Under_files\top.js 
File C:\Documents and Settings\ernestog\My Documents\stuff\Lyrics\R&B\SEAN PAUL LYRICS - I'm Still In Love With You_files\BABY BASH LYRICS - Suga Suga_files\112 LYRICS - Hot And Wet_files\112 LYRICS - Hot & Wet (Remix)_files\EVANESCENCE LYRICS - My Immortal_files\bot.js 
File C:\Documents and Settings\ernestog\My Documents\stuff\Lyrics\R&B\SEAN PAUL LYRICS - I'm Still In Love With You_files\BABY BASH LYRICS - Suga Suga_files\112 LYRICS - Hot And Wet_files\112 LYRICS - Hot & Wet (Remix)_files\EVANESCENCE LYRICS - My Immortal_files\head.js 
File C:\Documents and Settings\ernestog\My Documents\stuff\Lyrics\R&B\SEAN PAUL LYRICS - I'm Still In Love With You_files\BABY BASH LYRICS - Suga Suga_files\112 LYRICS - Hot And Wet_files\112 LYRICS - Hot & Wet (Remix)_files\EVANESCENCE LYRICS - My Immortal_files\top.js 
ADS C:\RECYCLER\NPROTECT\00411350.ico:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 
ADS C:\WINNT\system32:lzx32.sys <-- ROOTKIT !!!

---- Services - GMER 1.0.12 ----

Service C:\WINNT\System32:lzx32.sys [SYSTEM] pe386 <-- ROOTKIT !!!

---- EOF - GMER 1.0.12 ----

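The GMER output above is the evidence the helper acts on: eight SSDT hooks owned by one module, inline CALL patches in tcpip.sys and wanarp.sys, and a driver stored as an alternate data stream on the System32 folder, which is why a directory search never finds it. As an added example, not code from the thread or from GMER, this script summarises such a log; the line formats are assumed from the posted output and the "no dot means folder" rule is my offline heuristic.

```python
import re
from collections import defaultdict

# Constructed sample: the line shapes from the GMER 1.0.12 log posted above, trimmed.
SAMPLE = r"""
---- System - GMER 1.0.12 ----
SSDT \??\C:\WINNT\System32:lzx32.sys ZwCreateKey
SSDT \??\C:\WINNT\System32:lzx32.sys ZwDeviceIoControlFile
SSDT \??\C:\WINNT\System32:lzx32.sys ZwEnumerateKey
SSDT \??\C:\WINNT\System32:lzx32.sys ZwOpenKey
SSDT \??\C:\WINNT\System32:lzx32.sys ZwQueryKey
SSDT \??\C:\WINNT\System32:lzx32.sys ZwQuerySystemInformation
SSDT \??\C:\WINNT\System32:lzx32.sys ZwSaveKey
SSDT \??\C:\WINNT\System32:lzx32.sys ZwTerminateProcess
---- Kernel code sections - GMER 1.0.12 ----
.text tcpip.sys!IPTransmit + 10BC F80F9CFA 6 Bytes CALL F8218F50 \??\C:\WINNT\System32:lzx32.sys
.text tcpip.sys!IPTransmit + 2810  F80FB44E 6 Bytes CALL F8218F50 \??\C:\WINNT\System32:lzx32.sys
.text tcpip.sys!ARPRcv + 506D F81004E0 6 Bytes CALL F8218F50 \??\C:\WINNT\System32:lzx32.sys
.text wanarp.sys F9BD73FD 7 Bytes CALL F8218F5A \??\C:\WINNT\System32:lzx32.sys
---- Files - GMER 1.0.12 ----
ADS C:\RECYCLER\NPROTECT\00411350.ico:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\WINNT\system32:lzx32.sys <-- ROOTKIT !!!
---- Services - GMER 1.0.12 ----
Service C:\WINNT\System32:lzx32.sys [SYSTEM] pe386 <-- ROOTKIT !!!
"""

SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>Zw\w+)$")
INLINE_RE = re.compile(
    r"^\.text\s+(?P<driver>[\w.]+)(?:!(?P<func>\w+)\s*\+\s*[0-9A-F]+)?"
    r"\s+[0-9A-F]+\s+(?P<n>\d+)\s+Bytes\s+(?P<instr>\w+)\s+[0-9A-F]+\s+(?P<module>\S+)$")
ADS_RE = re.compile(r"^ADS\s+(?P<path>.+?)(?:\s+<--\s+ROOTKIT.*)?$")
SERVICE_RE = re.compile(r"^Service\s+(?P<path>\S+)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)")
NT_PREFIX = "\\??\\"


def split_stream(path):
    """Return (host, stream) for 'host:stream', or (path, None) without a stream.
    The drive-letter colon (index 1 once a \\??\\ prefix is dropped) does not count."""
    p = path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path
    i = p.rfind(":")
    if i <= 1:
        return p, None
    return p[:i], p[i + 1:]


def looks_like_directory(host):
    """Offline heuristic (assumption): a last path component without a dot is a folder."""
    return "." not in host.rsplit("\\", 1)[-1]


def summarize(text):
    report = {"ssdt_hooks": defaultdict(list), "inline_patches": defaultdict(int),
              "ads": [], "services": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            # One module owning many SSDT entries is the classic rootkit footprint.
            report["ssdt_hooks"][m["module"]].append(m["func"])
        elif m := INLINE_RE.match(line):
            # Inline patches in tcpip.sys/wanarp.sys mean network traffic is being intercepted.
            report["inline_patches"][m["driver"]] += 1
        elif m := ADS_RE.match(line):
            host, stream = split_stream(m["path"])
            report["ads"].append({
                "path": m["path"], "host": host, "stream": stream,
                # A stream hung off a folder is invisible to ordinary directory listings.
                "on_directory": stream is not None and looks_like_directory(host),
                "flagged": "ROOTKIT" in line})
        elif m := SERVICE_RE.match(line):
            host, stream = split_stream(m["path"])
            report["services"].append({"name": m["name"], "start": m["start"],
                                       "image": m["path"], "image_is_ads": stream is not None})
    report["ssdt_hooks"] = dict(report["ssdt_hooks"])
    report["inline_patches"] = dict(report["inline_patches"])
    return report


if __name__ == "__main__":
    r = summarize(SAMPLE)
    for module, funcs in r["ssdt_hooks"].items():
        print(f"{module}: {len(funcs)} SSDT hooks ({', '.join(funcs)})")
    print("inline patches:", r["inline_patches"])
    for a in r["ads"]:
        print(f"ADS {a['stream']} on {a['host']} (folder: {a['on_directory']}, flagged: {a['flagged']})")
    print("services:", r["services"])
```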

----------



## sjpritch25 (Sep 8, 2005)

Download
http://www.uploads.ejvindh.net/rustbfix.exe
...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.

=====================================

Download Combofix and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Note: It is important that it is saved directly to your desktop

Close any open browsers.

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

*Please post a fresh HijackThis log*!!!! Thanks.


----------



## campostch (Oct 3, 2006)

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vdrcwxbh

*******************

Script file located at: \??\C:\pkgwugpb.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

************************* Rustock.b-fix -- By ejvindh *************************
Sat 04/28/2007 17:19:02.35

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 78222
Total size: 78222 bytes.
Attempting to remove ADS...
system32: deleted 78222 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************


----------



## campostch (Oct 3, 2006)

Here goes the ComboFix log.

"ernestog" - 07-04-28 17:27:35 Service Pack 2 
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\ernestog\Desktop\"

((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-28 ))))))))))))))))))))))))))))))))))

2007-04-28 17:23 d--------	C:\avenger
2007-04-28 17:19 d--------	C:\Rustbfix
2007-04-26 22:39 d--------	C:\Program Files\MSXML 6.0
2007-04-26 18:22 d--------	C:\WINNT\system32\drivers\AU_Backup
2007-04-26 18:17 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-04-26 18:11	32,528	--a------	C:\WINNT\system32\drivers\tmpreflt.sys
2007-04-26 18:11	102,800	--a------	C:\WINNT\system32\drivers\tmcomm.sys
2007-04-26 18:11 d--------	C:\Program Files\Trend Micro
2007-04-26 17:02 d--------	C:\Program Files\MSBuild
2007-04-26 16:55 d--------	C:\WINNT\system32\XPSViewer
2007-04-26 16:54 d--------	C:\Program Files\Reference Assemblies
2007-04-26 16:52	14,048	---------	C:\WINNT\system32\spmsg2.dll
2007-04-26 16:50 d--------	C:\Program Files\Windows Media Connect 2
2007-04-26 16:46 d--------	C:\WINNT\system32\LogFiles
2007-04-26 16:46 d--------	C:\WINNT\system32\drivers\UMDF
2007-04-26 16:07 d--------	C:\WINNT\system32\URTTemp
2007-04-26 16:00	36,352	---------	C:\WINNT\system32\tsgqec.dll
2007-04-26 16:00	288,768	---------	C:\WINNT\system32\rhttpaa.dll
2007-04-26 16:00	116,736	---------	C:\WINNT\system32\aaclient.dll
2007-04-26 07:19	664	--a------	C:\WINNT\system32\d3d9caps.dat
2007-04-26 07:19 d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
2007-04-25 18:47 d--h-----	C:\WINNT\$hf_mig$
2007-04-25 18:47 d--------	C:\WINNT\system32\PreInstall
2007-04-25 18:42	207,736	--a------	C:\WINNT\system32\muweb.dll
2007-04-25 18:34 d--------	C:\WINNT\Prefetch
2007-04-25 18:24	95,424	---------	C:\WINNT\system32\drivers\slnthal.sys
2007-04-25 18:24	937,984	---------	C:\WINNT\system32\winbrand.dll
2007-04-25 18:24	9,728	---------	C:\WINNT\system32\comsdupd.exe
2007-04-25 18:24	870,784	---------	C:\WINNT\system32\ati3d1ag.dll
2007-04-25 18:24	86,016	---------	C:\WINNT\system32\mdmxsdk.dll
2007-04-25 18:24	81,920	---------	C:\WINNT\system32\ieencode.dll
2007-04-25 18:24	81,408	---------	C:\WINNT\system32\wscsvc.dll
2007-04-25 18:24	8,192	---------	C:\WINNT\system32\smbinst.exe
2007-04-25 18:24	78,464	---------	C:\WINNT\system32\drivers\usbvideo.sys
2007-04-25 18:24	75,776	---------	C:\WINNT\system32\strmfilt.dll
2007-04-25 18:24	73,832	---------	C:\WINNT\system32\slcoinst.dll
2007-04-25 18:24	73,796	---------	C:\WINNT\system32\slserv.exe
2007-04-25 18:24	73,216	---------	C:\WINNT\system32\drivers\atintuxx.sys
2007-04-25 18:24	71,680	---------	C:\WINNT\system32\blastcln.exe
2007-04-25 18:24	701,440	---------	C:\WINNT\system32\drivers\ati2mtag.sys
2007-04-25 18:24	7,680	---------	C:\WINNT\system32\kbdsmsno.dll
2007-04-25 18:24	7,680	---------	C:\WINNT\system32\kbdsmsfi.dll
2007-04-25 18:24	7,168	---------	C:\WINNT\system32\kbdukx.dll
2007-04-25 18:24	7,168	---------	C:\WINNT\system32\kbdno1.dll
2007-04-25 18:24	7,168	---------	C:\WINNT\system32\kbdfi1.dll
2007-04-25 18:24	685,056	---------	C:\WINNT\system32\drivers\hsfcxts2.sys
2007-04-25 18:24	67,584	---------	C:\WINNT\system32\drivers\sdbus.sys
2007-04-25 18:24	63,663	---------	C:\WINNT\system32\drivers\ati1rvxx.sys
2007-04-25 18:24	63,488	---------	C:\WINNT\system32\drivers\atinxsxx.sys
2007-04-25 18:24	60,416	---------	C:\WINNT\system32\fwcfg.dll
2007-04-25 18:24	6,656	---------	C:\WINNT\system32\kbdinmal.dll
2007-04-25 18:24	6,656	---------	C:\WINNT\system32\kbdinben.dll
2007-04-25 18:24	6,144	---------	C:\WINNT\system32\kbdmlt48.dll
2007-04-25 18:24	6,144	---------	C:\WINNT\system32\kbdmlt47.dll
2007-04-25 18:24	6,144	---------	C:\WINNT\system32\kbdinbe1.dll
2007-04-25 18:24	6,016	---------	C:\WINNT\system32\drivers\smbali.sys
2007-04-25 18:24	59,648	---------	C:\WINNT\system32\drivers\rfcomm.sys
2007-04-25 18:24	58,880	--a------	C:\WINNT\system32\pnrpnsp.dll
2007-04-25 18:24	57,856	---------	C:\WINNT\system32\drivers\atinbtxx.sys
2007-04-25 18:24	56,623	---------	C:\WINNT\system32\drivers\ati1btxx.sys
2007-04-25 18:24	553,984	--a------	C:\WINNT\system32\p2psvc.dll
2007-04-25 18:24	52,224	---------	C:\WINNT\system32\drivers\atinraxx.sys
2007-04-25 18:24	516,768	---------	C:\WINNT\system32\ativvaxx.dll
2007-04-25 18:24	50,688	---------	C:\WINNT\system32\btpanui.dll
2007-04-25 18:24	50,176	---------	C:\WINNT\system32\xmlprovi.dll
2007-04-25 18:24	5,632	---------	C:\WINNT\system32\kbdmaori.dll
2007-04-25 18:24	49,152	---------	C:\WINNT\system32\powercfg.exe
2007-04-25 18:24	46,464	---------	C:\WINNT\system32\drivers\gagp30kx.sys
2007-04-25 18:24	452,736	---------	C:\WINNT\system32\drivers\mtxparhm.sys
2007-04-25 18:24	44,928	---------	C:\WINNT\system32\drivers\agpcpq.sys
2007-04-25 18:24	44,672	---------	C:\WINNT\system32\drivers\uagp35.sys
2007-04-25 18:24	44,032	---------	C:\WINNT\system32\twext.dll
2007-04-25 18:24	43,008	---------	C:\WINNT\system32\drivers\amdagp.sys
2007-04-25 18:24	42,752	---------	C:\WINNT\system32\drivers\alim1541.sys
2007-04-25 18:24	42,240	---------	C:\WINNT\system32\drivers\viaagp.sys
2007-04-25 18:24	41,088	---------	C:\WINNT\system32\drivers\sisagp.sys
2007-04-25 18:24	404,990	---------	C:\WINNT\system32\drivers\slntamr.sys
2007-04-25 18:24	40,832	---------	C:\WINNT\system32\drivers\irbus.sys
2007-04-25 18:24	4,274,816	---------	C:\WINNT\system32\nv4_disp.dll
2007-04-25 18:24	4,255	---------	C:\WINNT\system32\drivers\adv01nt5.dll
2007-04-25 18:24	4,096	---------	C:\WINNT\system32\dsprpres.dll
2007-04-25 18:24	397,056	---------	C:\WINNT\system32\s3gnb.dll
2007-04-25 18:24	38,016	---------	C:\WINNT\system32\drivers\bthmodem.sys
2007-04-25 18:24	377,984	---------	C:\WINNT\system32\ati2dvaa.dll
2007-04-25 18:24	37,376	---------	C:\WINNT\system32\drivers\amdk7.sys
2007-04-25 18:24	36,463	---------	C:\WINNT\system32\drivers\ati1tuxx.sys
2007-04-25 18:24	36,096	---------	C:\WINNT\system32\drivers\intelppm.sys
2007-04-25 18:24	35,456	---------	C:\WINNT\system32\drivers\bthprint.sys
2007-04-25 18:24	34,735	---------	C:\WINNT\system32\drivers\ati1xsxx.sys
2007-04-25 18:24	327,040	---------	C:\WINNT\system32\drivers\ati2mtaa.sys
2007-04-25 18:24	32,866	---------	C:\WINNT\system32\slrundll.exe
2007-04-25 18:24	32,866	---------	C:\WINNT\slrundll.exe
2007-04-25 18:24	32,768	---------	C:\WINNT\system32\ativtmxx.dll
2007-04-25 18:24	32,768	---------	C:\WINNT\system32\asr_pfu.exe
2007-04-25 18:24	32,285	---------	C:\WINNT\system32\hsfcisp2.dll
2007-04-25 18:24	313,344	--a------	C:\WINNT\system32\p2pgraph.dll
2007-04-25 18:24	31,744	---------	C:\WINNT\system32\drivers\atinxbxx.sys
2007-04-25 18:24	30,671	---------	C:\WINNT\system32\drivers\ati1raxx.sys
2007-04-25 18:24	30,208	---------	C:\WINNT\system32\bthserv.dll
2007-04-25 18:24	30,080	---------	C:\WINNT\system32\drivers\rndismpx.sys
2007-04-25 18:24	3,967	---------	C:\WINNT\system32\drivers\adv02nt5.dll
2007-04-25 18:24	3,901	---------	C:\WINNT\system32\drivers\siint5.dll
2007-04-25 18:24	3,775	---------	C:\WINNT\system32\drivers\adv11nt5.dll
2007-04-25 18:24	3,711	---------	C:\WINNT\system32\drivers\adv09nt5.dll
2007-04-25 18:24	3,647	---------	C:\WINNT\system32\drivers\adv07nt5.dll
2007-04-25 18:24	3,615	---------	C:\WINNT\system32\drivers\adv05nt5.dll
2007-04-25 18:24	3,135	---------	C:\WINNT\system32\drivers\adv08nt5.dll
2007-04-25 18:24	29,455	---------	C:\WINNT\system32\drivers\ati1xbxx.sys
2007-04-25 18:24	29,184	---------	C:\WINNT\system32\sdhcinst.dll
2007-04-25 18:24	29,056	---------	C:\WINNT\system32\drivers\ip6fw.sys
2007-04-25 18:24	286,792	---------	C:\WINNT\system32\slextspk.dll
2007-04-25 18:24	28,672	---------	C:\WINNT\system32\drivers\atinsnxx.sys
2007-04-25 18:24	274,304	---------	C:\WINNT\system32\drivers\bthport.sys
2007-04-25 18:24	270,848	---------	C:\WINNT\system32\sbe.dll
2007-04-25 18:24	262,784	---------	C:\WINNT\system32\drivers\http.sys
2007-04-25 18:24	26,367	---------	C:\WINNT\system32\drivers\ati1snxx.sys
2007-04-25 18:24	25,600	---------	C:\WINNT\system32\drivers\hidbth.sys
2007-04-25 18:24	25,471	---------	C:\WINNT\system32\drivers\watv10nt.sys
2007-04-25 18:24	25,471	---------	C:\WINNT\system32\drivers\atv04nt5.dll
2007-04-25 18:24	24,576	---------	C:\WINNT\system32\httpapi.dll
2007-04-25 18:24	23,040	--a------	C:\WINNT\system32\fltmc.exe
2007-04-25 18:24	229,376	---------	C:\WINNT\system32\ati2cqag.dll
2007-04-25 18:24	220,032	---------	C:\WINNT\system32\drivers\hsfbs2s2.sys
2007-04-25 18:24	22,271	---------	C:\WINNT\system32\drivers\watv06nt.sys
2007-04-25 18:24	21,343	---------	C:\WINNT\system32\drivers\ati1ttxx.sys
2007-04-25 18:24	21,183	---------	C:\WINNT\system32\drivers\atv01nt5.dll
2007-04-25 18:24	201,728	---------	C:\WINNT\system32\ati2dvag.dll
2007-04-25 18:24	20,992	---------	C:\WINNT\system32\bthci.dll
2007-04-25 18:24	20,480	---------	C:\WINNT\system32\encapi.dll
2007-04-25 18:24	2,113,536	---------	C:\WINNT\system32\dxdiagn.dll
2007-04-25 18:24	193,024	---------	C:\WINNT\system32\fsquirt.exe
2007-04-25 18:24	188,508	---------	C:\WINNT\system32\slgen.dll
2007-04-25 18:24	187,392	---------	C:\WINNT\system32\xpsp1res.dll
2007-04-25 18:24	186,368	---------	C:\WINNT\system32\encdec.dll
2007-04-25 18:24	180,360	---------	C:\WINNT\system32\drivers\ntmtlfax.sys
2007-04-25 18:24	18,944	---------	C:\WINNT\system32\drivers\bthusb.sys
2007-04-25 18:24	17,408	---------	C:\WINNT\system32\winshfhc.dll
2007-04-25 18:24	17,279	---------	C:\WINNT\system32\drivers\atv10nt5.dll
2007-04-25 18:24	17,024	---------	C:\WINNT\system32\drivers\bthenum.sys
2007-04-25 18:24	166,912	---------	C:\WINNT\system32\drivers\s3gnbm.sys
2007-04-25 18:24	16,896	--a------	C:\WINNT\system32\fltlib.dll
2007-04-25 18:24	159,232	---------	C:\WINNT\system32\sbeio.dll
2007-04-25 18:24	153,088	--a------	C:\WINNT\system32\p2p.dll
2007-04-25 18:24	15,872	---------	C:\WINNT\system32\w3ssl.dll
2007-04-25 18:24	15,488	---------	C:\WINNT\system32\drivers\mssmbios.sys
2007-04-25 18:24	15,423	---------	C:\WINNT\system32\drivers\ch7xxnt5.dll
2007-04-25 18:24	15,104	---------	C:\WINNT\system32\drivers\hidir.sys
2007-04-25 18:24	14,336	---------	C:\WINNT\system32\drivers\atinpdxx.sys
2007-04-25 18:24	14,336	---------	C:\WINNT\system32\auditusr.exe
2007-04-25 18:24	14,143	---------	C:\WINNT\system32\drivers\atv06nt5.dll
2007-04-25 18:24	134,656	---------	C:\WINNT\system32\mssap.dll
2007-04-25 18:24	13,824	---------	C:\WINNT\system32\wscntfy.exe
2007-04-25 18:24	13,824	---------	C:\WINNT\system32\drivers\atinttxx.sys
2007-04-25 18:24	13,824	---------	C:\WINNT\system32\drivers\atinmdxx.sys
2007-04-25 18:24	13,824	---------	C:\WINNT\system32\cmsetacl.dll
2007-04-25 18:24	13,776	---------	C:\WINNT\system32\drivers\recagent.sys
2007-04-25 18:24	13,568	---------	C:\WINNT\system32\drivers\wacompen.sys
2007-04-25 18:24	13,240	---------	C:\WINNT\system32\drivers\slwdmsup.sys
2007-04-25 18:24	129,536	---------	C:\WINNT\system32\xmlprov.dll
2007-04-25 18:24	129,535	---------	C:\WINNT\system32\drivers\slnt7554.sys
2007-04-25 18:24	128,896	---------	C:\WINNT\system32\drivers\fltmgr.sys
2007-04-25 18:24	126,686	---------	C:\WINNT\system32\drivers\mtlmnt5.sys
2007-04-25 18:24	12,672	---------	C:\WINNT\system32\drivers\usb8023x.sys
2007-04-25 18:24	12,672	---------	C:\WINNT\system32\drivers\mutohpen.sys
2007-04-25 18:24	12,416	---------	C:\WINNT\system32\drivers\tunmp.sys
2007-04-25 18:24	12,047	---------	C:\WINNT\system32\drivers\ati1pdxx.sys
2007-04-25 18:24	118,784	---------	C:\WINNT\system32\msdadiag.dll
2007-04-25 18:24	116,224	--a------	C:\WINNT\system32\p2pnetsh.dll
2007-04-25 18:24	11,935	---------	C:\WINNT\system32\drivers\wadv11nt.sys
2007-04-25 18:24	11,871	---------	C:\WINNT\system32\drivers\wadv09nt.sys
2007-04-25 18:24	11,868	---------	C:\WINNT\system32\drivers\mdmxsdk.sys
2007-04-25 18:24	11,807	---------	C:\WINNT\system32\drivers\wadv07nt.sys
2007-04-25 18:24	11,615	---------	C:\WINNT\system32\drivers\ati1mdxx.sys
2007-04-25 18:24	11,359	---------	C:\WINNT\system32\drivers\atv02nt5.dll
2007-04-25 18:24	11,325	---------	C:\WINNT\system32\drivers\vchnt5.dll
2007-04-25 18:24	11,295	---------	C:\WINNT\system32\drivers\wadv08nt.sys
2007-04-25 18:24	11,136	---------	C:\WINNT\system32\drivers\sffdisk.sys
2007-04-25 18:24	108,032	---------	C:\WINNT\system32\wshbth.dll
2007-04-25 18:24	104,960	--a------	C:\WINNT\system32\p2pgasvc.dll
2007-04-25 18:24	104,960	---------	C:\WINNT\system32\drivers\atinrvxx.sys
2007-04-25 18:24	100,992	---------	C:\WINNT\system32\drivers\bthpan.sys
2007-04-25 18:24	10,240	---------	C:\WINNT\system32\drivers\sffp_sd.sys
2007-04-25 18:24	1,897,408	---------	C:\WINNT\system32\drivers\nv4_mini.sys
2007-04-25 18:24	1,888,992	---------	C:\WINNT\system32\ati3duag.dll
2007-04-25 18:24	1,737,856	---------	C:\WINNT\system32\mtxparhd.dll
2007-04-25 18:24	1,689,088	---------	C:\WINNT\system32\d3d9.dll
2007-04-25 18:24	1,309,184	---------	C:\WINNT\system32\drivers\mtlstrm.sys
2007-04-25 18:24	1,041,536	---------	C:\WINNT\system32\drivers\hsfdpsp2.sys
2007-04-25 18:24 d--------	C:\WINNT\provisioning
2007-04-25 18:24 d--------	C:\WINNT\peernet
2007-04-25 18:20 d--------	C:\WINNT\ServicePackFiles
2007-04-25 18:16	2,897,920	---------	C:\WINNT\system32\xpsp2res.dll
2007-04-25 18:14 d--------	C:\WINNT\system32\ReinstallBackups
2007-04-25 07:20 d--------	C:\WINNT\EHome
2007-04-24 23:04	221,184	--a------	C:\WINNT\system32\wmpns.dll
2007-04-24 23:04	0	--a------	C:\CONFIG.SYS
2007-04-24 22:59	956,416	--a------	C:\WINNT\system32\msdtctm.dll
2007-04-24 22:59	91,136	--a------	C:\WINNT\system32\mtxoci.dll
2007-04-24 22:59	625,152	--a------	C:\WINNT\system32\catsrvut.dll
2007-04-24 22:59	60,416	--a------	C:\WINNT\system32\colbact.dll
2007-04-24 22:59	58,200	--a------	C:\WINNT\system32\wuauclt.exe
2007-04-24 22:59	540,160	--a------	C:\WINNT\system32\comuid.dll
2007-04-24 22:59	498,688	--a------	C:\WINNT\system32\clbcatq.dll
2007-04-24 22:59	426,496	--a------	C:\WINNT\system32\msdtcprx.dll
2007-04-24 22:59	225,792	--a------	C:\WINNT\system32\catsrv.dll
2007-04-24 22:59	161,280	--a------	C:\WINNT\system32\msdtcuiu.dll
2007-04-24 22:59	110,080	--a------	C:\WINNT\system32\clbcatex.dll
2007-04-24 22:59	1,708,888	--a------	C:\WINNT\system32\wuaueng.dll
2007-04-24 22:59	1,267,200	--a------	C:\WINNT\system32\comsvcs.dll
2007-04-24 22:59 d--------	C:\Program Files\Online Services
2007-04-24 22:56	66,591	--a------	C:\WINNT\system32\drivers\el90xbc5.sys
2007-04-24 22:54	24,661	--a------	C:\WINNT\system32\spxcoins.dll
2007-04-24 22:54	13,312	--a------	C:\WINNT\system32\irclass.dll
2007-04-24 22:19	90,112	--a------	C:\WINNT\system32\RegDACL.exe
2007-04-24 22:19	8,234	--a------	C:\clean.bat
2007-04-24 22:19	4,096	--a------	C:\WINNT\system32\reboot.exe
2007-04-22 21:32	2,048	--a------	C:\WINNT\system32\tmp.reg
2007-04-22 21:26 d--------	C:\Program Files\InterMute
2007-04-22 21:09 d--------	C:\Program Files\CCleaner
2007-04-22 17:33	1,495,552	--a------	C:\WINNT\system32\epoPGPsdk.dll
2007-04-22 17:33 d--------	C:\Program Files\Common Files\Cisco Systems
2007-04-22 11:56	1,040,384	--a------	C:\WINNT\system32\libeay32.dll
2007-04-22 11:55	196,608	--a------	C:\WINNT\system32\ssleay32.dll
2007-04-22 11:45	204,288	--a------	C:\WINNT\system32\clcl6.exe
2007-04-04 19:25 d--------	C:\DOCUME~1\ernestog\APPLIC~1\acccore
2007-04-04 19:24 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-28 10:57	--------	d--------	C:\DOCUME~1\ernestog\APPLIC~1\comcasttoolbar
2007-04-26 10:27	--------	d--------	C:\Program Files\messenger
2007-04-25 18:39	--------	d-ah-----	C:\Program Files\windowsupdate
2007-04-25 18:24	--------	d--------	C:\Program Files\movie maker
2007-04-25 18:19	--------	d--------	C:\Program Files\windows nt
2007-04-25 07:03	--------	d--------	C:\Program Files\google
2007-04-24 23:00	23208	--a------	C:\WINNT\system32\emptyregdb.dat
2007-04-21 18:06	--------	d--------	C:\Program Files\Common Files\companion wizard
2007-04-05 13:20	202584	--a------	C:\WINNT\system32\wuweb.dll
2007-04-03 07:35	--------	d--------	C:\Program Files\lx_cats
2007-03-31 14:30	--------	d--------	C:\Program Files\Common Files\kuzr
2007-03-23 06:07	583504	---------	C:\WINNT\system32\xpsshhdr.dll
2007-03-23 06:07	1683280	---------	C:\WINNT\system32\xpssvcs.dll
2007-03-22 23:08	92504	--a------	C:\WINNT\system32\cdm.dll
2007-03-22 23:08	549720	--a------	C:\WINNT\system32\wuapi.dll
2007-03-22 23:08	43352	--a------	C:\WINNT\system32\wups2.dll
2007-03-22 23:08	325464	--a------	C:\WINNT\system32\wucltui.dll
2007-03-22 23:07	33624	--a------	C:\WINNT\system32\wups.dll
2007-03-22 23:07	270712	--a------	C:\WINNT\system32\mucltui.dll
2007-03-22 20:25	124928	---------	C:\WINNT\system32\prntvpt.dll
2007-03-17 08:43	292864	--a------	C:\WINNT\system32\winsrv.dll
2007-03-08 10:36	577536	--a------	C:\WINNT\system32\user32.dll
2007-03-08 10:36	40960	--a------	C:\WINNT\system32\mf3216.dll
2007-03-08 10:36	281600	--a------	C:\WINNT\system32\gdi32.dll
2007-03-08 08:47	1843584	--a------	C:\WINNT\system32\win32k.sys
2007-03-05 03:38	--------	d--------	C:\Program Files\comcasttoolbar
2007-02-05 15:17	185344	--a------	C:\WINNT\system32\upnphost.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}	C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}	C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
{53707962-6F74-2D53-2644-206D7942484F}	C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe"
"tFmj3ql"="spm2bin.exe"
"tcpipmon"="tcpipmon.exe"
"Synchronization Manager"="mobsync.exe /logon"
"C-Media Mixer"="Mixer.exe /startup"
"AdaptecDirectCD"="C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
"Trend Micro AntiVirus 2007"="C:\\Program Files\\Trend Micro\\AntiVirus 2007\\tavui.exe -1 --delay 15"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00
"FlashPlayerUpdate"="C:\\WINNT\\System32\\Macromed\\Flash\\GetFlash.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source	REG_SZ http://memimage.cardomain.net/member_images/12/web/2040000-2040999/2040839_1_full.jpg

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
Source	REG_SZ http://www.youthink.com/quiz_images/quiz1351outcome3.jpg

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\WINNT\System32\systwy.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages	REG_MULTI_SZ msv1_0\0\0
Security Packages	REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages	REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\xcttgm.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\xcttgs.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Uart"="\"C:\\PROGRA~1\\COMMON~1\\FNTS~1\\wuauclt.exe\" -vt yazr"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss	REG_MULTI_SZ RpcSs\0\0
BITSgroup	REG_MULTI_SZ BITS\0\0
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0
HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup	REG_MULTI_SZ WUDFSvc\0\0

Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\AppleSoftwareUpdate.job
C:\WINNT\tasks\Norton AntiVirus - Scan my computer.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-28 17:39:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Documents and Settings\ernestog\My Documents\stuff\Lyrics\R&B\SEAN PAUL LYRICS - I'm Still In Love With You_files\BABY BASH LYRICS - Suga Suga_files\112 LYRICS - Hot And Wet_files\112 LYRICS - Hot & Wet (Remix)_files\EVANESCENCE LYRICS - Going Under_files\bot.js 536 bytes
C:\Documents and Settings\ernestog\My Documents\stuff\Lyrics\R&B\SEAN PAUL LYRICS - I'm Still In Love With You_files\BABY BASH LYRICS - Suga Suga_files\112 LYRICS - Hot And Wet_files\112 LYRICS - Hot & Wet (Remix)_files\EVANESCENCE LYRICS - Going Under_files\top.js 344 bytes
C:\Documents and Settings\ernestog\My Documents\stuff\Lyrics\R&B\SEAN PAUL LYRICS - I'm Still In Love With You_files\BABY BASH LYRICS - Suga Suga_files\112 LYRICS - Hot And Wet_files\112 LYRICS - Hot & Wet (Remix)_files\EVANESCENCE LYRICS - My Immortal_files\bot.js 536 bytes
C:\Documents and Settings\ernestog\My Documents\stuff\Lyrics\R&B\SEAN PAUL LYRICS - I'm Still In Love With You_files\BABY BASH LYRICS - Suga Suga_files\112 LYRICS - Hot And Wet_files\112 LYRICS - Hot & Wet (Remix)_files\EVANESCENCE LYRICS - My Immortal_files\head.js 472 bytes
C:\Documents and Settings\ernestog\My Documents\stuff\Lyrics\R&B\SEAN PAUL LYRICS - I'm Still In Love With You_files\BABY BASH LYRICS - Suga Suga_files\112 LYRICS - Hot And Wet_files\112 LYRICS - Hot & Wet (Remix)_files\EVANESCENCE LYRICS - My Immortal_files\top.js 344 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 5

********************************************************************

Completion time: 07-04-28 17:39:29
C:\ComboFix-quarantined-files.txt ... 07-04-28 17:39


----------



## campostch (Oct 3, 2006)

Here goes the new HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 5:57:48 PM, on 4/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\ctfmon.exe
C:\Documents and Settings\ernestog\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKLM\..\Run: [tFmj3ql] spm2bin.exe
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe -1 --delay 15
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\tmlsp.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1177544338699
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1177557200283
O20 - AppInit_DLLs: C:\WINNT\System32\systwy.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINNT\System32\lxbucoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe


----------
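The HijackThis log above, like the ComboFix "Reg Loading Points" section before it, lists the autostart locations a triager checks by hand: the Run keys (O4), Winsock LSP entries (O10), AppInit_DLLs and Winlogon Notify packages (O20) and registered services (O23). The Python script below is an added example, not a tool used in this thread, that applies those checks offline to lines in this format. The sample lines are copied from the log above; the Winlogon Notify allowlist, the "random-looking name" heuristic and the severity labels are the example's own assumptions, not anything the thread states.

```python
"""Offline triage of HijackThis-style autostart lines (added example, not a tool from this thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log above (a constructed subset, not a full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [tFmj3ql] spm2bin.exe
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe -1 --delay 15
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\tmlsp.dll
O20 - AppInit_DLLs: C:\WINNT\System32\systwy.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag ("O4", "O10", "O20", "O23")
    evidence: str  # the log line that triggered the finding
    reason: str    # what a human should verify
    severity: str  # "high", "medium" or "low" (the example's own labels)


O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
O20_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
O20_NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")

# Assumed allowlist: Winlogon Notify packages on a stock XP SP2 box, plus WGA's WgaLogon.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule", "sclgntfy",
                "SensLogn", "termsrv", "wlballoon", "wzcnotif", "WgaLogon"}


def first_token(cmd: str) -> str:
    """Executable part of a Run value: a leading quoted path, else the first space-delimited token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_unqualified(exe: str) -> bool:
    """True when the value carries no directory or drive, so Windows locates it by PATH search order."""
    return "\\" not in exe and not re.match(r"^[A-Za-z]:", exe)


def looks_random(name: str) -> bool:
    """Crude generated-name test: one token mixing digits with both letter cases, or no vowels at all."""
    for tok in name.split():
        if re.search(r"\d", tok) and re.search(r"[a-z]", tok) and re.search(r"[A-Z]", tok):
            return True
    letters = re.sub(r"[^A-Za-z]", "", name)
    return len(letters) >= 5 and not re.search(r"[aeiouyAEIOUY]", letters)


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and return the entries a hand triage would stop on, in log order."""
    findings: list[Finding] = []
    seen_lsp: set[str] = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            reasons = []
            if looks_random(m["name"]):
                reasons.append("entry name looks machine-generated")
            exe = first_token(m["cmd"])
            if is_unqualified(exe):
                reasons.append(f"unqualified path {exe!r}; confirm which file on the PATH actually runs")
            if reasons:
                severity = "high" if reasons[0].startswith("entry name") else "medium"
                findings.append(Finding("O4", line, "; ".join(reasons), severity))
        elif m := O10_RE.match(line):
            if m["path"].lower() not in seen_lsp:  # HijackThis repeats one LSP per protocol entry
                seen_lsp.add(m["path"].lower())
                findings.append(Finding("O10", line, "LSP DLL loads into every Winsock client; "
                                        "verify the publisher and repair the chain rather than delete", "medium"))
        elif m := O20_APPINIT_RE.match(line):
            findings.append(Finding("O20", line, "AppInit_DLLs loads into every process that maps "
                                    "user32.dll, iexplore.exe included; review the DLL", "high"))
        elif m := O20_NOTIFY_RE.match(line):
            if m["name"] not in KNOWN_NOTIFY:
                findings.append(Finding("O20", line, "Winlogon Notify package runs inside "
                                        "winlogon.exe as SYSTEM at every logon", "high"))
        elif m := O23_RE.match(line):
            if "(file missing)" in m["cmd"]:
                findings.append(Finding("O23", line, "service registration outlives its binary; "
                                        "leftover to remove", "low"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.evidence}")
```

On the sample above the script stops on the same entries the helper later queries: the two bare-filename Run values (`spm2bin.exe`, `tcpipmon.exe`, which the GMER autostart scan further down marks `/*file not found*/`), the random-looking `tFmj3ql` entry name, the single `tmlsp.dll` LSP (collapsed from its four repeated lines), the AppInit_DLLs entry and the orphaned AOL service. A bare `mobsync.exe` also gets a medium flag, which is deliberate: an unqualified path is a claim about search order, not about intent, and the check only says to verify which copy runs.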



## sjpritch25 (Sep 8, 2005)

Looks like you still have some haxdoor services running.

Download haxfix.exe.
Save it to your desktop.
Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
Checkmark "Create a desktop icon".
Click "Next".
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
Click "Finish".
A red "dos window" (dos box) will open.
Select option 2. Run auto fix by typing 2, and then pressing Enter.
If an infection is found, you'll get a message to close all other open windows.
Close them, except the red dos window from haxfix and then press Enter.
The computer will reboot.
After reboot a logfile will open.
Post the contents of that logfile along with a new hijackthislog.


----------



## campostch (Oct 3, 2006)

Ran HaxFix and no infections were found. Here is the log and a new HijackThis log.
HAXFIX logfile - by Marckie

version 4.39 
Sun 04/29/2007 8:11:09.11

--- Auto Haxdoorfix ---

searching for files:

no infections found

--- Goldunfix ---

searching for files:

checking iexplore.exe
iexplore.exe is not infected

searching for SSODLkeys: 
no SSODLkeys found

searching for notifykeys: 
no notifykeys found

searching for services: 
no services found

Finished

Logfile of HijackThis v1.99.1
Scan saved at 8:13:55 AM, on 4/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINNT\Mixer.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\ernestog\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKLM\..\Run: [tFmj3ql] spm2bin.exe
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe -1 --delay 15
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\tmlsp.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1177544338699
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1177557200283
O20 - AppInit_DLLs: C:\WINNT\System32\systwy.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINNT\System32\lxbucoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe


----------



## sjpritch25 (Sep 8, 2005)

I am researching a couple of other suspicious entries, be back soon. Thanks for your patience.


----------



## campostch (Oct 3, 2006)

OK, thanks for all your help.


----------



## sjpritch25 (Sep 8, 2005)

Please download the attached file named *fixhax.zip*, Unzip/Extract fixhax.reg to your Desktop. Double-Click on fixhax.reg, *Ok* all prompts and allow it to be merged into Windows Registry.

Download GMER's application from here:
http://www.majorgeeks.com/GMER_d5198.html
Unzip it and start the *GMER.exe*
Click the *>>>* tab, click on *AutoStart* and click the *Scan* button.
Once done, click the *Copy* button.
This will copy the results to your clipboard.
Paste the results in your next reply.
Warning! Please do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.


----------



## campostch (Oct 3, 2006)

OK, I finally got around to doing the scan. Here are the results.

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-05-02 07:18:43
Windows 5.1.2600 Service Pack 2

---- Kernel code sections - GMER 1.0.12 ----

? C:\WINNT\System32\DRIVERS\update.sys

---- Files - GMER 1.0.12 ----

File C:\Documents and Settings\ernestog\My Documents\stuff\Lyrics\R&B\SEAN PAUL LYRICS - I'm Still In Love With You_files\BABY BASH LYRICS - Suga Suga_files\112 LYRICS - Hot And Wet_files\112 LYRICS - Hot & Wet (Remix)_files\EVANESCENCE LYRICS - Going Under_files\bot.js 
File C:\Documents and Settings\ernestog\My Documents\stuff\Lyrics\R&B\SEAN PAUL LYRICS - I'm Still In Love With You_files\BABY BASH LYRICS - Suga Suga_files\112 LYRICS - Hot And Wet_files\112 LYRICS - Hot & Wet (Remix)_files\EVANESCENCE LYRICS - Going Under_files\top.js 
File C:\Documents and Settings\ernestog\My Documents\stuff\Lyrics\R&B\SEAN PAUL LYRICS - I'm Still In Love With You_files\BABY BASH LYRICS - Suga Suga_files\112 LYRICS - Hot And Wet_files\112 LYRICS - Hot & Wet (Remix)_files\EVANESCENCE LYRICS - My Immortal_files\bot.js 
File C:\Documents and Settings\ernestog\My Documents\stuff\Lyrics\R&B\SEAN PAUL LYRICS - I'm Still In Love With You_files\BABY BASH LYRICS - Suga Suga_files\112 LYRICS - Hot And Wet_files\112 LYRICS - Hot & Wet (Remix)_files\EVANESCENCE LYRICS - My Immortal_files\head.js 
File C:\Documents and Settings\ernestog\My Documents\stuff\Lyrics\R&B\SEAN PAUL LYRICS - I'm Still In Love With You_files\BABY BASH LYRICS - Suga Suga_files\112 LYRICS - Hot And Wet_files\112 LYRICS - Hot & Wet (Remix)_files\EVANESCENCE LYRICS - My Immortal_files\top.js 
ADS C:\RECYCLER\NPROTECT\00411350.ico:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}

---- EOF - GMER 1.0.12 ----


----------



## sjpritch25 (Sep 8, 2005)

I needed you to do the AutoStart Scan, not the Rootkit scan. Please look at my instructions again and post the results. Thanks.


----------



## campostch (Oct 3, 2006)

I got ahead of myself, my bad.
GMER 1.0.12.12244 - http://www.gmer.net
Autostart scan 2007-05-02 18:56:58
Windows 5.1.2600 Service Pack 2

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINNT\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
WgaLogon@DLLName = WgaLogon.dll
wzcnotif@DLLName = wzcdlg.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = C:\WINNT\System32\systwy.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AOL ACS /*AOL Connectivity Service*/@ = "C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe" /*file not found*/
Fax /*Fax*/@ = %systemroot%\system32\fxssvc.exe
LexBceS /*LexBce Server*/@ = C:\WINNT\system32\LEXBCES.EXE
McAfeeFramework /*McAfee Framework Service*/@ = "C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart /*file not found*/
MDM /*Machine Debug Manager*/@ = "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
RpcLocator /*Remote Procedure Call (RPC) Locator*/@ = %SystemRoot%\System32\locator.exe
[email protected] = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
tavsvc /*Trend Micro AntiVirus Protection Service*/@ = C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
tmproxy /*Trend Micro Proxy Service*/@ = C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@iTunesHelper"C:\Program Files\iTunes\iTunesHelper.exe" = "C:\Program Files\iTunes\iTunesHelper.exe"
@SunJavaUpdateSchedC:\Program Files\Java\jre1.5.0_10\bin\jusched.exe = C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
@tFmj3qlspm2bin.exe /*file not found*/ = spm2bin.exe /*file not found*/
@tcpipmontcpipmon.exe /*file not found*/ = tcpipmon.exe /*file not found*/
@Synchronization Managermobsync.exe /logon = mobsync.exe /logon
@C-Media MixerMixer.exe /startup = Mixer.exe /startup
@AdaptecDirectCDC:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe = C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
@Trend Micro AntiVirus 2007C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe -1 --delay 15 /*file not found*/ = C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe -1 --delay 15 /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ctfmon.exeC:\WINNT\system32\ctfmon.exe = C:\WINNT\system32\ctfmon.exe
@Yahoo! PagerC:\Program Files\Yahoo!\Messenger\ypager.exe -quiet /*file not found*/ = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\[email protected] = C:\WINNT\system32\WPDShServiceObj.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{8BEBB290-52D0-11D0-B7F4-00C04FD706EC} /*Thumbnails*/(null) = 
@{1AEB1360-5AFC-11D0-B806-00C04FD706EC} /*Office Graphics Filters Thumbnail Extractor*/(null) = 
@{500202A0-731E-11D0-B829-00C04FD706EC} /*LNK file thumbnail interface delegator*/(null) = 
@{fe1290f0-cfbd-11cf-a330-00aa00c16e65} /*Directory Namespace*/(null) = 
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) = 
@{5E44E225-A408-11CF-B581-008029601108} /*Adaptec DirectCD Shell Extension*/C:\PROGRA~1\Adaptec\EASYCD~1\DirectCD\Shellex.dll = C:\PROGRA~1\Adaptec\EASYCD~1\DirectCD\Shellex.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\Office10\msohev.dll = C:\Program Files\Microsoft Office\Office10\msohev.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/(null) = 
@{6EE51AA0-77A0-11D7-B4E1-000347126E46} /*Window Washer Shell Shredding Utility*/(null) = 
@{5464D816-CF16-4784-B9F3-75C0DB52B499} /*Yahoo! Mail*/C:\PROGRA~1\Yahoo!\Common\ymmapi.dll = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Program Files\iTunes\iTunesMiniPlayer.dll = C:\Program Files\iTunes\iTunesMiniPlayer.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINNT\System32\twext.dll = C:\WINNT\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINNT\System32\twext.dll = C:\WINNT\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINNT\System32\extmgr.dll = C:\WINNT\System32\extmgr.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINNT\system32\dfshim.dll = C:\WINNT\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINNT\system32\dfshim.dll = C:\WINNT\system32\dfshim.dll
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{45670FA8-ED97-4F44-BC93-305082590BFB} /*Microsoft.XPS.Shell.Metadata.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL
@{44121072-A222-48f2-A58A-6D9AD51EBBE9} /*Microsoft.XPS.Shell.Thumbnail.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\Yahoo! [email protected]{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
@{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL = C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.comcast.net = http://www.comcast.net
@Local PageC:\WINNT\system32\blank.htm = C:\WINNT\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
[email protected] = C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
[email protected] = C:\WINNT\system32\msvidctl.dll
[email protected] = C:\WINNT\System32\itss.dll
[email protected] = C:\WINNT\System32\msvidctl.dll
[email protected] = %SystemRoot%\System32\inetcomm.dll
[email protected] = C:\WINNT\System32\itss.dll
[email protected] = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
[email protected] = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
[email protected] = C:\WINNT\system32\msvidctl.dll
[email protected] = C:\WINNT\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
[email protected] = %SYSTEMROOT%\system32\tmlsp.dll
[email protected] = %SYSTEMROOT%\system32\tmlsp.dll
[email protected] = %SYSTEMROOT%\system32\tmlsp.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\[email protected] = %SYSTEMROOT%\system32\tmlsp.dll

---- EOF - GMER 1.0.12 ----
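To make visible what the helper is reading in the scan above, here is a small triage script, added as an example and not part of this thread or of GMER, that parses GMER's autostart-scan layout (`Key >>>` sections with fused `@Name<value> = <value>` lines, `Name /*desc*/@ = value` service lines, and stand-alone `Key@Name = value` lines) and flags the two things that matter on this machine: any AppInit_DLLs value, and entries GMER marks `/*file not found*/`. The sample log is a constructed excerpt of the scan above.

```python
# Constructed excerpt in GMER autostart-scan format, modelled on the log above; the
# AppInit_DLLs line is written the way GMER prints a single value (Key@Name = value).
SAMPLE_LOG = r"""
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = C:\WINNT\System32\systwy.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
McAfeeFramework /*McAfee Framework Service*/@ = "C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart /*file not found*/
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@iTunesHelper"C:\Program Files\iTunes\iTunesHelper.exe" = "C:\Program Files\iTunes\iTunesHelper.exe"
@tFmj3qlspm2bin.exe /*file not found*/ = spm2bin.exe /*file not found*/
@tcpipmontcpipmon.exe /*file not found*/ = tcpipmon.exe /*file not found*/
"""
NOT_FOUND = "/*file not found*/"

def parse_autostart(text):
    """Yield (key, name, value) triples from a GMER autostart scan."""
    key = None
    for line in text.splitlines():
        line = line.rstrip()
        if line.endswith(" >>>"):          # section header; the lines below belong to it
            key = line[:-4]
            continue
        if " = " not in line:
            continue
        left, _, value = line.rpartition(" = ")
        if key and left.endswith("@"):     # service line: "Name /*desc*/@ = value"
            yield key, left[:-1].split(" /*")[0], value
        elif key and left.startswith("@"): # GMER fuses name and value: "@Name<value> = <value>"
            yield key, left[1:len(left) - len(value)], value
        elif "@" in left:                  # stand-alone value: "Key@Name = value"
            k, _, name = left.rpartition("@")
            yield k, name, value

def triage(text):
    """Return (severity, key, name, value) findings, most serious first."""
    findings = []
    for key, name, value in parse_autostart(text):
        if name == "AppInit_DLLs" and value.strip():
            # Loaded into every process that maps user32.dll: one bad DLL can crash IE and most GUI apps.
            findings.append(("HIGH", key, name, value))
        elif NOT_FOUND in value:
            # Orphaned autostart (target gone): usually leftover of a removed program, worth clearing.
            findings.append(("LOW", key, name, value.replace(NOT_FOUND, "").strip()))
    return sorted(findings, key=lambda f: f[0] != "HIGH")

if __name__ == "__main__":
    for sev, key, name, value in triage(SAMPLE_LOG):
        print(f"[{sev}] {key} -> {name} = {value}")
```

Run against the full scan, the script reports the systwy.dll AppInit_DLLs entry first and the stale AOL, McAfee, Trend Micro and Yahoo! autostarts after it; GMER's own output is the authority, the script only sorts it.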


----------



## sjpritch25 (Sep 8, 2005)

You have a file I would like you to get analyzed. Please go to VirusTotal. At the very top of the website you will see a Browse button. Use that to search for this file: *C:\WINNT\System32\systwy.dll*. Then click on Send. This could take between 30 seconds and a couple of minutes. When you get the results, open Notepad, highlight the results, copy them to Notepad and save it as "Scan.txt". Save the text file "Scan.txt" to your desktop. Please include the file in your next post.

Note: You may need to unhide hidden files and folders.
*Configure Windows XP to show hidden files:*
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View tab.

Under the Hidden files and folders heading select *"Show hidden files and folders"*.
Uncheck the *"Hide protected operating system files (recommended)"* option.
Uncheck the *"Hide file extensions for known file types"* option.
Click *Yes* to confirm. Click *OK*.


----------



## campostch (Oct 3, 2006)

I have Show hidden files and folders set. I also have Hide protected operating system files unchecked. The file is not located on the HD. I have attached a pic of where the file should be, and it's not there.


----------



## sjpritch25 (Sep 8, 2005)

Run HijackThis, and press "Do a System Scan Only".
1. When the scan is complete place a check mark next to the following entries:

*O20 - AppInit_DLLs: C:\WINNT\System32\systwy.dll*

2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked." Then, reboot your computer...

How is everything running????


----------



## campostch (Oct 3, 2006)

Well, things are running a lot better now, although a bit slow, but that may be because I have about 2 GB of free space left. The HD is a 20 GB. I was able to remove the file; although I received the following message, it did remove the file.

An unexpected error has occurred at procedure: cmdFix_Click()
Error #381 - Invalid property array index (0 items in results list)

Please email me at [email protected], reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

everything seems well now


----------



## sjpritch25 (Sep 8, 2005)

That is a programming error, but it should remove the entry. Could you post a fresh HijackThis log. Thanks.


----------

