# Internet explorer Blank IM's, Blank e-mail, Blank system restore



## smeginthuhead (Jun 6, 2007)

When I bring up Internet explorer many websites will not display correctly. For instance here http://xbox360.ign.com/ much of the page will display properly, but the headline story will not. Also when the advertisement/redirect page comes up when you first click on the page(sometimes it doesn't) the advertisement will not come up nor will it redirect to the main page. If I click on link buttons nothing happens, a regular link works fine, just not the button style ones(I guess buttons is a good description heck I dunno)

Also when I go to web based mail pages much of the page will display, but the body of e-mails will not. When I use IM, such as Yahoo messenger, I can bring up the program and type in messages but the message window that displays replies remains blank. I can neither see my message or the persons reply.

I tried system restore both in regular windows and safe mode and it is BLANK. I was told to go to RUN and type in "regsvr32 /i mshtml" but when I do it I get "mshtml was loaded, but the DllRegisterServer entry point was not found, mshtml does not appear to be .DLL or .OCX file" So what now???

I know when this started I loaded a game and was asked to load some strange messenger program(something or other X) for chatting with other gamers during online matches. I loaded it by accident and un-installed and deleted it. Since then I cannot use messenger or internet explorer.

I have done a couple of checks for viruses n such, and nothing. I also un-installed and re-installed IE to no avail. For one session I un-installed and re-installed Yahoo Messenger and everything worked. After I restarted the computer though it went back to being blank.

At any rate if I could connect all of the programs to firefox I would not care a lick about IE, but I use yahoo messenger to talk to family out of the country.

Thanks


----------



## Blackmirror (Dec 5, 2006)

Hello try a system restore


----------



## smeginthuhead (Jun 6, 2007)

The system restore page is BLANK also...as stated above.


----------



## Blackmirror (Dec 5, 2006)

smeginthuhead said:


> The system restore page is BLANK also...as stated above.


Im sorry lol i am on the first coffee 
have you tried in safe mode


----------



## smeginthuhead (Jun 6, 2007)

yeah tried tat too still blank


----------



## Blackmirror (Dec 5, 2006)

Can we have a hijack this log posted please

Click here to download HJTsetup.exe
Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## smeginthuhead (Jun 6, 2007)

I am kind of new to this whole "asking for help bit" May I ask what Hijack is??? I am going through the process, but I am wary of posting just anything.


----------



## smeginthuhead (Jun 6, 2007)

Logfile of HijackThis v1.99.1
Scan saved at 7:27:25 AM, on 6/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DefenderPro AntiSpy\TSAntiSpy.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Joeph Madden\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xbox360.ign.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: 84.252.148.18 www.bankone.com
O1 - Hosts: 84.252.148.18 bankone.com
O1 - Hosts: 84.252.148.18 halifax.com
O1 - Hosts: 84.252.148.18 www.halifax.com
O1 - Hosts: 84.252.148.18 halifax.co.uk
O1 - Hosts: 84.252.148.18 www.halifax.co.uk
O1 - Hosts: 84.252.148.18 www.bankofamerica.com
O1 - Hosts: 84.252.148.18 bankofamerica.com
O1 - Hosts: 84.252.148.18 www.paypal.com
O1 - Hosts: 84.252.148.18 paypal.com
O1 - Hosts: 84.252.148.18 www.lloydstsb.com
O1 - Hosts: 84.252.148.18 lloydstsb.com
O1 - Hosts: 84.252.148.18 www.lloydstsb.co.uk
O1 - Hosts: 84.252.148.18 lloydstsb.co.uk
O1 - Hosts: 84.252.148.18 www.garanti.com.tr
O1 - Hosts: 84.252.148.18 garanti.com.tr
O1 - Hosts: 84.252.148.18 www.kocbank.com.tr
O1 - Hosts: 84.252.148.18 kocbank.com.tr
O1 - Hosts: 84.252.148.18 www.disbank.com.tr
O1 - Hosts: 84.252.148.18 disbank.com.tr
O1 - Hosts: 84.252.148.18 www.chase.com
O1 - Hosts: 84.252.148.18 chase.com
O1 - Hosts: 84.252.148.18 www.southtrust.com
O1 - Hosts: 84.252.148.18 southtrust.com
O1 - Hosts: 84.252.148.18 www.wachovia.com
O1 - Hosts: 84.252.148.18 wachovia.com
O1 - Hosts: 84.252.148.18 www.wellsfargo.com
O1 - Hosts: 84.252.148.18 wellsfargo.com
O1 - Hosts: 84.252.148.18 www.barclays.co.uk
O1 - Hosts: 84.252.148.18 barclays.co.uk
O1 - Hosts: 84.252.148.18 www.barclays.com
O1 - Hosts: 84.252.148.18 barclays.com
O1 - Hosts: 84.252.148.18 www.barclays.pt
O1 - Hosts: 84.252.148.18 barclays.pt
O1 - Hosts: 84.252.148.18 www.barclays.pt
O1 - Hosts: 84.252.148.18 barclays.pt
O1 - Hosts: 84.252.148.18 www.citi.com
O1 - Hosts: 84.252.148.18 citi.com
O1 - Hosts: 84.252.148.18 www.citibank.com
O1 - Hosts: 84.252.148.18 citibank.com
O1 - Hosts: 84.252.148.18 www.etrade.com
O1 - Hosts: 84.252.148.18 etrade.com
O1 - Hosts: 84.252.148.18 www.neteller.com
O1 - Hosts: 84.252.148.18 neteller.com
O1 - Hosts: 84.252.148.18 tcfbank.com
O1 - Hosts: 84.252.148.18 www.tcfbank.com
O1 - Hosts: 84.252.148.18 hsbc.com
O1 - Hosts: 84.252.148.18 www.hsbc.com
O1 - Hosts: 84.252.148.18 hsbc.co.uk
O1 - Hosts: 84.252.148.18 www.hsbc.co.uk
O1 - Hosts: 84.252.148.18 aol.com
O1 - Hosts: 84.252.148.18 www.aol.com
O1 - Hosts: 84.252.148.18 comerica.com
O1 - Hosts: 84.252.148.18 www.comerica.com
O1 - Hosts: 84.252.148.18 www.3riversfcu.org
O1 - Hosts: 84.252.148.18 3riversfcu.org
O1 - Hosts: 84.252.148.18 www.53.com
O1 - Hosts: 84.252.148.18 53.com
O1 - Hosts: 84.252.148.18 www.bbt.com
O1 - Hosts: 84.252.148.18 bbt.com
O1 - Hosts: 84.252.148.18 www.boh.com
O1 - Hosts: 84.252.148.18 boh.com
O1 - Hosts: 84.252.148.18 www.capitalone.com
O1 - Hosts: 84.252.148.18 capitalone.com
O1 - Hosts: 84.252.148.18 www.cnbwax.com
O1 - Hosts: 84.252.148.18 cnbwax.com
O1 - Hosts: 84.252.148.18 www.cwbk.com
O1 - Hosts: 84.252.148.18 cwbk.com
O1 - Hosts: 84.252.148.18 www.ebay.com
O1 - Hosts: 84.252.148.18 ebay.com
O1 - Hosts: 84.252.148.18 www.edsefcu.org
O1 - Hosts: 84.252.148.18 edsefcu.org
O1 - Hosts: 84.252.148.18 egold.com
O1 - Hosts: 84.252.148.18 www.egold.com
O1 - Hosts: 84.252.148.18 www.e-gold.com
O1 - Hosts: 84.252.148.18 e-gold.com
O1 - Hosts: 84.252.148.18 www.firstusa.com
O1 - Hosts: 84.252.148.18 firstusa.com
O1 - Hosts: 84.252.148.18 www.frontierbank.com
O1 - Hosts: 84.252.148.18 frontierbank.com
O1 - Hosts: 84.252.148.18 www.gncu.org
O1 - Hosts: 84.252.148.18 gncu.org
O1 - Hosts: 84.252.148.18 www.householdbank.com
O1 - Hosts: 84.252.148.18 householdbank.com
O1 - Hosts: 84.252.148.18 www.icicibank.com
O1 - Hosts: 84.252.148.18 icicibank.com
O1 - Hosts: 84.252.148.18 www.mbna.com
O1 - Hosts: 84.252.148.18 mbna.com
O1 - Hosts: 84.252.148.18 www.mibank.com
O1 - Hosts: 84.252.148.18 mibank.com
O1 - Hosts: 84.252.148.18 www.midamericabank.com
O1 - Hosts: 84.252.148.18 midamericabank.com
O1 - Hosts: 84.252.148.18 www.myindymacbank.com
O1 - Hosts: 84.252.148.18 myindymacbank.com
O1 - Hosts: 84.252.148.18 www.nafcunet.org
O1 - Hosts: 84.252.148.18 nafcunet.org
O1 - Hosts: 84.252.148.18 www.nationalcity.com
O1 - Hosts: 84.252.148.18 nationalcity.com
O1 - Hosts: 84.252.148.18 www.cnb.com
O1 - Hosts: 84.252.148.18 cnb.com
O1 - Hosts: 84.252.148.18 www.nationwide.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: OsbornTech Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LaunchAntiSpy] C:\Program Files\DefenderPro AntiSpy\TSAntiSpy.exe /startup
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [spsbqxkd] C:\WINDOWS\spsbqxkd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSPVideo9] C:\Program Files\pspvideo9\pspVideo9.exe -t
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe 
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [uquk] C:\PROGRA~1\COMMON~1\uquk\uqukm.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O4 - Global Startup: Defender Pro Firewall.lnk = C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: DigiChat Applet - http://host.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139366229656
O16 - DPF: {CA356D79-679B-4B4C-8E49-5AF97014F4C1} - http://files-pl.starware.com/installs/3.1.3.200506101259/323/Starware_323.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe


----------



## Blackmirror (Dec 5, 2006)

smeginthuhead said:


> I am kind of new to this whole "asking for help bit" May I ask what Hijack is??? I am going through the process, but I am wary of posting just anything.


Its just a scan that shows the processes and possible infection
I cant help with the log but it looks like you are infected . 
A member of the security team will be alomg to assist . They have a gold/blue shield next to their name


----------



## smeginthuhead (Jun 6, 2007)

Does it have anything to do with all those bank URL's cause I have not been to any of those sites. Also when I try to go to paypal or Ebay I get this page that is blank and just has this

Èíôîðìàöèÿ äëÿ ïîñåòèòåëåé ñàéòà:
Äàííûé ñàéò âðåìåííî íå ðàáîòàåò.
Èíôîðìàöèÿ äëÿ âëàäåëüöåâ ñàéòà:
Ïîæàëóéñòà, ñâÿæèòåñü ñî ñëóæáîé òåõíè÷åñêîé ïîääåðæêè [email protected]
Ñ óâàæåíèåì, õîñòèíã McHost.Ru


----------



## Blackmirror (Dec 5, 2006)

I am not allowed to help with security matters i am afraid 
due to the rules


----------



## smeginthuhead (Jun 6, 2007)

Well I started clicking on all the URL's that are listed above and all lead to that page....Let me put it this way. If this were on your computer would it concern you?


----------



## JohnWill (Oct 19, 2002)

You most certainly have been infected with something, I've moved you to the security forum for expert help.


----------



## smeginthuhead (Jun 6, 2007)

thank you


----------



## smeginthuhead (Jun 6, 2007)

I went to msconfig and turned everything on restarted and reposted my hijack file...maybe that will help.


----------



## smeginthuhead (Jun 6, 2007)

Anyone????????


----------



## cybertech (Apr 16, 2002)

Download the HostsXpert 3.8 - Hosts File Manager.

Unzip HostsXpert 3.8 - Hosts File Manager to a convenient folder such as C:\HostsXpert 3.8 - Hosts File Manager
Run HostsXpert 3.8 - Hosts File Manager from its new home
Click "Make Hosts Writable?" in the upper right corner (If available).
Click Restore Original Hosts and then click OK.
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

I don't see any anti-virus software running.

Load AVG http://free.grisoft.com/freeweb.php/doc/2/ it's free.

Post a new log after that.


----------



## smeginthuhead (Jun 6, 2007)

I have anti virus right before I ran hijack I turned ant-virus off to see if it was in any way the problem. It gets worse though when I was checking the Hijack file I checked the box in front of (O1 - Hosts: 84.252.148.18 www.paypal.comfront of). I then accidentally deleted the file... Now internet explorer will not bring up anything, i can't even sign in to yahoo messenger, and my firefox had quit working....I had to set my firewall to start up with the computer in msconfig to get it firefox to work which is odd because that was never the case before. 
Anyway now Hijack looks like this
Logfile of HijackThis v1.99.1
Scan saved at 1:26:18 PM, on 6/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DefenderPro AntiSpy\TSAntiSpy.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Joeph Madden\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xbox360.ign.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: 84.252.148.18 paypal.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: OsbornTech Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
O4 - HKLM\..\Run: [LaunchAntiSpy] C:\Program Files\DefenderPro AntiSpy\TSAntiSpy.exe /startup
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [spsbqxkd] C:\WINDOWS\spsbqxkd.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Defender Pro Firewall.lnk = C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: DigiChat Applet - http://host.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139366229656
O16 - DPF: {CA356D79-679B-4B4C-8E49-5AF97014F4C1} - http://files-pl.starware.com/installs/3.1.3.200506101259/323/Starware_323.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe


----------



## smeginthuhead (Jun 6, 2007)

your link leads to version 4.0 and ther is NO "make host writable" it says make read-only...


----------



## smeginthuhead (Jun 6, 2007)

I tried that still nothing I get page cannot be displayed....messenger is dead.....firefox works though.....ran the program you sent me...nothing
Do I need to try to re-instal IE?


----------



## smeginthuhead (Jun 6, 2007)

I still can't click on any links with IE either it will not even respond to the "Diagnose Connection Problems" link on the "cannot display webpage" page


----------



## cybertech (Apr 16, 2002)

Let's use firefox for now, ok?

Please post your hijackthis log again.


----------



## smeginthuhead (Jun 6, 2007)

The strange thing is now that I deleted that (whatever it was with hijack) I can visit ebay again and paypal again with firefox....couldn't do that before with IE or firefox


----------



## smeginthuhead (Jun 6, 2007)

I am using firefox now, and frankly I do not care about IE so much, the problem is that my messenger and other programs are unusable without IE, and besides if there is a virus or something else I want to be rid of it.


----------



## cybertech (Apr 16, 2002)

Yes I can see why. Please don't get in a panic here and follow through with what I ask for, ok?


----------



## smeginthuhead (Jun 6, 2007)

Logfile of HijackThis v1.99.1
Scan saved at 1:49:01 PM, on 6/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DefenderPro AntiSpy\TSAntiSpy.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Joeph Madden\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xbox360.ign.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: OsbornTech Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
O4 - HKLM\..\Run: [LaunchAntiSpy] C:\Program Files\DefenderPro AntiSpy\TSAntiSpy.exe /startup
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [spsbqxkd] C:\WINDOWS\spsbqxkd.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Defender Pro Firewall.lnk = C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: DigiChat Applet - http://host.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139366229656
O16 - DPF: {CA356D79-679B-4B4C-8E49-5AF97014F4C1} - http://files-pl.starware.com/installs/3.1.3.200506101259/323/Starware_323.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe


----------



## cybertech (Apr 16, 2002)

Download ComboFix from *Here* or *Here* to your Desktop. 

Double click *combofix.exe * and follow the prompts.
When finished, it shall produce a log for you. Post that log and a *HiJackthis* log in your next reply
*Note: Do not mouseclick combofix's window while its running. That may cause it to stall*


----------



## smeginthuhead (Jun 6, 2007)

nevermind I see what you mean my bad


----------



## smeginthuhead (Jun 6, 2007)

"Joeph Madden" - 2007-06-07 13:59:40 Service Pack 2 NTFS 
ComboFix 07-06-3B - Running from: "C:\Program Files\Mozilla Firefox\"

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\JOEPHM~1\APPLIC~1\Install.dat
C:\DOCUME~1\JOEPHM~1\Desktop.\internet explorer.lnk
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Documents and Settings\All Users.\documents\setup.exe
C:\WINDOWS\system32\1.txt
C:\WINDOWS\system32\2.txt
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\kal.png

((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 )))))))))))))))))))))))))))))))

2007-06-07 04:49	786,432	--ah-----	C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-07 04:49 d---s----	C:\DOCUME~1\ADMINI~1\UserData
2007-06-07 04:49 d--------	C:\DOCUME~1\ADMINI~1\WINDOWS
2007-06-07 04:49 d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\Ahead
2007-06-06 10:53	1,156	--a------	C:\WINDOWS\mozver.dat
2007-06-05 01:10 d--------	C:\DOCUME~1\JOEPHM~1\APPLIC~1\My Games
2007-06-05 00:37	 d--------	C:\Program Files\Firaxis Games
2007-06-05 00:36	2,297,552	--a------	C:\WINDOWS\system32\d3dx9_26.dll
2007-06-02 23:31 d--------	C:\Program Files\LimeWire
2007-06-02 10:48 d--------	C:\WINDOWS\AntiSpy
2007-05-25 10:54 d--hs----	C:\found.000
2007-05-14 05:21 d--------	C:\Program Files\CCleaner
2007-05-11 23:47	89,360	--a------	C:\WINDOWS\system32\VB5DB.DLL
2007-05-11 23:47	667,648	--a------	C:\WINDOWS\system32\FreeImage.dll
2007-05-11 23:47	40,448	--a------	C:\WINDOWS\system32\UNACE.DLL
2007-05-11 23:47	352,256	--a------	C:\WINDOWS\system32\ijl15.dll
2007-05-11 23:47	159,744	--a------	C:\WINDOWS\system32\unrar.dll
2007-05-11 23:47	102,400	--a------	C:\WINDOWS\system32\unzip3252.dll
2007-05-11 23:47	1,645,320	--a------	C:\WINDOWS\system32\gdiplus.dll
2007-05-11 23:47 d--------	C:\Program Files\Hyperdyne Software

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-07 08:58:38	--------	d-----w	C:\Program Files\DefenderPro AntiSpy
2007-06-05 05:05:20	--------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-06-05 04:42:50	163,644	----a-w	C:\WINDOWS\system32\drivers\secdrv.sys
2007-06-04 19:01:53	--------	d-----w	C:\Program Files\burst
2007-06-03 03:32:17	--------	d-----w	C:\DOCUME~1\JOEPHM~1\APPLIC~1\LimeWire
2007-06-02 14:48:14	137	----a-w	C:\WINDOWS\tsiwinfile.dat
2007-05-23 19:33:45	--------	d-----w	C:\DOCUME~1\JOEPHM~1\APPLIC~1\Help
2007-05-20 13:10:26	8,444	----a-w	C:\DOCUME~1\JOEPHM~1\APPLIC~1\wklnhst.dat
2007-05-14 09:21:21	--------	d-----w	C:\Program Files\Yahoo!
2007-04-29 04:07:34	--------	d-----w	C:\Program Files\Common Files\Defender Pro Firewall
2007-04-29 04:07:33	--------	d-----w	C:\Program Files\Defender Pro
2007-04-29 03:51:26	737,280	----a-w	C:\WINDOWS\iun6002.exe
2007-04-27 20:32:27	0	----a-w	C:\WINDOWS\nsreg.dat
2007-04-18 16:12:23	2,854,400	----a-w	C:\WINDOWS\system32\msi.dll
2007-04-15 02:21:26	152,064	----a-w	C:\WINDOWS\snap.dat
2007-04-15 02:11:05	--------	d-----w	C:\Program Files\NewSoft
2007-03-17 13:43:01	292,864	----a-w	C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28	577,536	----a-w	C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28	40,960	----a-w	C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28	281,600	----a-w	C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48	1,843,584	----a-w	C:\WINDOWS\system32\win32k.sys
2005-06-11 18:13:12	56	--sh--r	C:\WINDOWS\system32\2CF17CE7EF.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 12:12]
"LaunchAntiSpy"="C:\Program Files\DefenderPro AntiSpy\TSAntiSpy.exe" [2007-02-07 07:05]
"WinTools"="C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 21:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AudioDeck.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AudioDeck.lnk
backup=C:\WINDOWS\pss\AudioDeck.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Icatch(VI) SnapDetect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Icatch(VI) SnapDetect.lnk
backup=C:\WINDOWS\pss\Icatch(VI) SnapDetect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Joeph Madden^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\Joeph Madden\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CleanUp]
C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
"C:\Program Files\Internet Optimizer\optimize.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
"C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSPVideo9]
C:\Program Files\pspvideo9\pspVideo9.exe -t

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\salm]
c:\temp\salm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS]
C:\PROGRA~1\Toolbar\TBPS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
C:\Program Files\Trojan Remover\Trjscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
"C:\Program Files\Unlocker\UnlockerAssistant.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uquk]
C:\PROGRA~1\COMMON~1\uquk\uqukm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Media Connect 2]
"C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-07 14:02:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = [email protected][email protected][email protected][email protected]????? ???????????W?D~??A~??????A~K?A~x???????[?A~???????? ??????????????|x???0???????????? st??A~????????????????,4??????\[email protected][email protected][email protected][email protected][email protected][email protected][email protected][email protected][email protected]

scanning hidden files ...

C:\WINDOWS\msgsocm.log:KAVICHS 36 bytes hidden from API
C:\WINDOWS\NLSDownlevelMapping.log:KAVICHS 36 bytes hidden from API
C:\WINDOWS\notepad.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\ntdtcsetup.log:KAVICHS 36 bytes hidden from API
C:\WINDOWS\NuNinst.cfg:KAVICHS 36 bytes hidden from API
C:\WINDOWS\NuNinst.exe:KAVICHS 68 bytes hidden from API
C:\WINDOWS\ocgen.log:KAVICHS 36 bytes hidden from API
C:\WINDOWS\ocmsn.log:KAVICHS 36 bytes hidden from API
C:\WINDOWS\ODBC.INI:KAVICHS 36 bytes hidden from API
C:\WINDOWS\ODBCINST.INI:KAVICHS 36 bytes hidden from API
C:\WINDOWS\oeuninst.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\setupapi.log:KAVICHS 164 bytes hidden from API
C:\WINDOWS\ShowBmp.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\slrundll.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\smscfg.ini:KAVICHS 36 bytes hidden from API
C:\WINDOWS\snap.dat:KAVICHS 36 bytes hidden from API
C:\WINDOWS\SOUNDMAN.EXE:KAVICHS 36 bytes hidden from API
C:\WINDOWS\spupdsvc.log:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system.ini:KAVICHS 68 bytes hidden from API
C:\WINDOWS\TASKMAN.EXE:KAVICHS 36 bytes hidden from API
C:\WINDOWS\explorer.exe:KAVICHS 132 bytes hidden from API
C:\WINDOWS\explorer.scf:KAVICHS 36 bytes hidden from API
C:\WINDOWS\FaxSetup.log:KAVICHS 36 bytes hidden from API
C:\WINDOWS\FHGJHFLK.ini:KAVICHS 36 bytes hidden from API
C:\WINDOWS\hh.exe:KAVICHS 68 bytes hidden from API
C:\WINDOWS\hpoins05.dat:KAVICHS 36 bytes hidden from API
C:\WINDOWS\hpomdl05.dat:KAVICHS 36 bytes hidden from API
C:\WINDOWS\IDNMitigationAPIs.log:KAVICHS 36 bytes hidden from API
C:\WINDOWS\ie7.log:KAVICHS 36 bytes hidden from API
C:\WINDOWS\ie7Uninst.log:KAVICHS 36 bytes hidden from API
C:\WINDOWS\ie7_main.log:KAVICHS 36 bytes hidden from API
C:\WINDOWS\ieuninst.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\If42le.ini:KAVICHS 36 bytes hidden from API
C:\WINDOWS\iis6.log:KAVICHS 36 bytes hidden from API
C:\WINDOWS\imsins.log:KAVICHS 36 bytes hidden from API
C:\WINDOWS\vbaddin.ini:KAVICHS 36 bytes hidden from API
C:\WINDOWS\vmmreg32.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\wiaservc.log:KAVICHS 68 bytes hidden from API
C:\WINDOWS\win.ini:KAVICHS 36 bytes hidden from API
C:\WINDOWS\WindowsUpdate.log:KAVICHS 228 bytes hidden from API
C:\WINDOWS\RtlRack.ini:KAVICHS 36 bytes hidden from API
C:\WINDOWS\SchedLgU.Txt:KAVICHS 68 bytes hidden from API
C:\WINDOWS\setdebug.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\clock.avi:KAVICHS 36 bytes hidden from API
C:\WINDOWS\msdfmap.ini:KAVICHS 36 bytes hidden from API
C:\WINDOWS\Setup8a.ini:KAVICHS 36 bytes hidden from API
C:\WINDOWS\vb.ini:KAVICHS 36 bytes hidden from API
C:\WINDOWS\winhelp.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\comsetup.log:KAVICHS 36 bytes hidden from API
C:\WINDOWS\D9H7ADHB.ocx:KAVICHS 36 bytes hidden from API
C:\WINDOWS\IsUninst.exe:KAVICHS 68 bytes hidden from API
C:\WINDOWS\iun6002.exe:KAVICHS 68 bytes hidden from API
C:\WINDOWS\jautoexp.dat:KAVICHS 36 bytes hidden from API
C:\WINDOWS\455373LL.DLL11:KAVICHS 36 bytes hidden from API
C:\WINDOWS\alcrmv.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\alcupd.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\ap561.exe:KAVICHS 68 bytes hidden from API
C:\WINDOWS\ap561.ini:KAVICHS 68 bytes hidden from API
C:\WINDOWS\avrack.ini:KAVICHS 36 bytes hidden from API
C:\WINDOWS\bootstat.dat:KAVICHS 228 bytes hidden from API
C:\WINDOWS\cdplayer.ini:KAVICHS 36 bytes hidden from API
C:\WINDOWS\orun32.ini:KAVICHS 36 bytes hidden from API
C:\WINDOWS\orun32.isu:KAVICHS 36 bytes hidden from API
C:\WINDOWS\patchw32.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\PCDLIB32.DLL:KAVICHS 36 bytes hidden from API
C:\WINDOWS\Pexplore.ini:KAVICHS 36 bytes hidden from API
C:\WINDOWS\pPokerSetup.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\QTFont.for:KAVICHS 68 bytes hidden from API
C:\WINDOWS\QTFont.qfn:KAVICHS 68 bytes hidden from API
C:\WINDOWS\rboy.ini:KAVICHS 36 bytes hidden from API
C:\WINDOWS\regedit.exe:KAVICHS 100 bytes hidden from API
C:\WINDOWS\Thumbs.db:KAVICHS 36 bytes hidden from API
C:\WINDOWS\tsiwinfile.dat:KAVICHS 228 bytes hidden from API
C:\WINDOWS\tsoc.log:KAVICHS 36 bytes hidden from API
C:\WINDOWS\Tw561a.ini:KAVICHS 36 bytes hidden from API
C:\WINDOWS\Tw561a.src:KAVICHS 36 bytes hidden from API
C:\WINDOWS\TWAIN.DLL:KAVICHS 36 bytes hidden from API
C:\WINDOWS\TWAIN_32.DLL:KAVICHS 36 bytes hidden from API
C:\WINDOWS\Twunk_16.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\TWUNK_16.EXE:KAVICHS 36 bytes hidden from API
C:\WINDOWS\Twunk_32.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\TWUNK_32.EXE:KAVICHS 36 bytes hidden from API
C:\WINDOWS\uid.id:KAVICHS 36 bytes hidden from API
C:\WINDOWS\unvise32qt.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\updspapi.log:KAVICHS 36 bytes hidden from API
C:\WINDOWS\KB890046.log:KAVICHS 36 bytes hidden from API
C:\WINDOWS\KB915865.log:KAVICHS 36 bytes hidden from API
C:\WINDOWS\KB929969.log:KAVICHS 36 bytes hidden from API
C:\WINDOWS\LicenceWM.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\license.bin:KAVICHS 36 bytes hidden from API
C:\WINDOWS\ModemLog_Lucent Win Modem.txt:KAVICHS 36 bytes hidden from API
C:\WINDOWS\mozver.dat:KAVICHS 36 bytes hidden from API
C:\WINDOWS\winhlp32.exe:KAVICHS 100 bytes hidden from API
C:\WINDOWS\winnt.bmp:KAVICHS 36 bytes hidden from API
C:\WINDOWS\winnt256.bmp:KAVICHS 36 bytes hidden from API
C:\WINDOWS\WMSysPr9.prx:KAVICHS 36 bytes hidden from API
C:\WINDOWS\WMSysPrx.prx:KAVICHS 36 bytes hidden from API
C:\WINDOWS\_default.pif:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\kbdic.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\perfwci.ini:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\stdole32.tlb:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\$ncsp$.inf:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\$winnt$.inf:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\0:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\12520437.cpx:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\12520850.cpx:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\6to4svc.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\aaaamon.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\acctres.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\acelpdec.ax:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\acledit.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\aclui.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\activeds.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\icwdial.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\icwphbk.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\idndl.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\idq.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\ie4uinit.exe:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\IE7Eula.rtf:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\ieakeng.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\ieaksie.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\ieakui.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\ieapfltr.dat:KAVICHS 228 bytes hidden from API
C:\WINDOWS\system32\ieapfltr.dll:KAVICHS 228 bytes hidden from API
C:\WINDOWS\system32\iedkcs32.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\ieencode.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\ieframe.dll:KAVICHS 228 bytes hidden from API
C:\WINDOWS\system32\ieframe.dll.mui:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\iepeers.dll:KAVICHS 228 bytes hidden from API
C:\WINDOWS\system32\iernonce.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\iertutil.dll:KAVICHS 228 bytes hidden from API
C:\WINDOWS\system32\iesetup.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\ieudinit.exe:KAVICHS 228 bytes hidden from API
C:\WINDOWS\system32\ieui.dll:KAVICHS 228 bytes hidden from API
C:\WINDOWS\system32\ieuinit.inf:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\iexpress.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\ifmon.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\ifsutil.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\igmpagnt.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\ijl15.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\ils.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\imaadp32.acm:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\imagehlp.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\IMAGEPLUSCONTROL.OCX:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\imapi.exe:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\profmap.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\progman.exe:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\proquota.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\proxycfg.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\psapi.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\psbase.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\pschdcnt.h:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\pschdprf.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\pschdprf.ini:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\pscript.sep:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\psisdecd.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\psisrndr.ax:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\psnppagn.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\pstorec.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\pstorsvc.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\ptpusb.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\ptpusd.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\pubprn.vbs:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\unicows.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\unimdm.tsp:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\unimdmat.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\uniplat.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\unlodctr.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\unrar.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\untfs.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\unzip3252.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\upnp.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\upnpcont.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\upnphost.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\upnpui.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\ups.exe:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\ureg.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\url.dll:KAVICHS 164 bytes hidden from API
C:\WINDOWS\system32\urlmon.dll:KAVICHS 228 bytes hidden from API
C:\WINDOWS\system32\usbaptest.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\usbmon.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\usbui.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\user.exe:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\user32.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\userenv.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\userinit.exe:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\usp10.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\usrcntra.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\usrcoina.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\usrdpa.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\usrdtea.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\usrfaxa.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\usrlbva.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\usrlogon.cmd:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\mswmdm.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\mswsock.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\mswstr10.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\msxbde40.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\msxml.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\msxml2.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\msxml2r.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\msxml3.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\msxml3a.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\msxml3r.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\msxmlr.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\msyuv.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\mtxclu.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\mtxdm.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\mtxex.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\mtxlegih.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\mtxoci.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\mtxparhd.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\cnbjmon.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\cnetcfg.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\cnvfat.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\colbact.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\comaddin.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\comcat.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\comct232.ocx:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\comctl32.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\comctl32.ocx:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\comdlg32.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\COMDLG32.OCX:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\comm.drv:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\command.com:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\commdlg.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\comp.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\compact.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\compatui.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\compmgmt.msc:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\activeds.tlb:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\append.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\atkctrs.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\autodisc.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\bootvrfy.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\ccfgnt.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\clb.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\cmutil.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\compobj.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\crtdll.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\c_1257.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_932.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\debug.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\dgrpsetu.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\diskperf.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\dmdskmgr.dll:KAVICHS 68 bytes hidden from API


----------



## smeginthuhead (Jun 6, 2007)

C:\WINDOWS\system32\doskey.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\dpuGUI10.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\ds16gt.dLL:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\dumprep.exe:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\esent97.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\find.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\fsquirt.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\graftabl.com:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\homepage.inf:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\iac25_32.ax:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\iprtprio.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\irclass.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\jgsh400.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\kbddv.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\actmovie.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\actxprxy.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\admparse.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\adptif.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\adsldp.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\adsldpc.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\adsmsext.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\adsnt.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\advapi32.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\advpack.dll:KAVICHS 228 bytes hidden from API
C:\WINDOWS\system32\advpack.dll.mui:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\ahui.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\alg.exe:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\alrsvc.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\ALSNDMGR.CPL:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\ALSNDMGR.WAV:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\amcompat.tlb:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\amstream.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\ansi.sys:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\apcups.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_1258.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_20127.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_20261.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_20866.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_20905.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_21866.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_28591.nls:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\c_28592.nls:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\c_28593.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\C_28594.NLS:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\C_28595.NLS:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\C_28597.NLS:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_28598.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_28599.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_28603.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_28605.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_437.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_500.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_737.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_775.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_850.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_852.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_855.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_857.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_860.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_861.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_863.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_865.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_866.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_869.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_874.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_875.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\autofmt.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\autolfn.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\avicap.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\avicap32.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\avifil32.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\avifile.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\basesrv.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\batmeter.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\batt.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\bdaplgin.ax:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\bidispl.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\bios1.rom:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\bios4.rom:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\bitsprx2.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\bitsprx3.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\blackbox.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\blastcln.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\bootok.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\bootvid.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\cdfview.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\cdm.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\cdmodem.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\cdosys.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\certcli.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\certmgr.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\certmgr.msc:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\cewmdm.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\cfgbkend.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\cfgmgr32.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\chcp.com:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\chkdsk.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\chkntfs.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\ciadmin.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\ciadv.msc:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\cic.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\cidaemon.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\CinemSup.sys:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\ciodm.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\cisvc.exe:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\ckcnv.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\crypt32.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\cryptdlg.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\cryptdll.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\cryptext.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\cryptnet.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\cryptsvc.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\cryptui.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\cscdll.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\cscui.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\csrsrv.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\csrss.exe:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\csseqchk.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\ctfmon.exe:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\ctl3d32.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\ctype.nls:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\c_037.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_10000.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_10006.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_10007.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_10010.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_10017.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_10029.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_10079.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_10081.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_10082.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_1026.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_1250.nls:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\c_1251.nls:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\c_1252.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_1253.nls:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\c_1254.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_1255.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_1256.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_936.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_949.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\c_950.nls:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\d3d8.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\d3d8thk.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\d3d9.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\d3dim.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\d3dim700.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\d3dpmesh.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\d3dramp.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\d3drm.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\d3dx9_26.dll:KAVICHS 228 bytes hidden from API
C:\WINDOWS\system32\d3dxof.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\danim.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\dataclen.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\datime.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\davclnt.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\daxctle.ocx:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\dbgeng.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\dbghelp.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\dbmsadsn.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\dbmsrpcn.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\dbmsvinn.dLL:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\dbnetlib.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\dbnmpntw.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\dcache.bin:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\dciman32.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\dcomcnfg.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\ddeml.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\ddeshare.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\ddraw.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\ddrawex.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\defrag.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\desk.cpl:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\deskadp.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\deskmon.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\deskperf.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\devenum.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\devmgmt.msc:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\devmgr.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\dfrg.msc:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\dfrgfat.exe:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\dfrgntfs.exe:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\dfrgres.dll:KAVICHS 100 bytes hidden from API
C:\WINDOWS\system32\dfrgsnap.dll:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\dfrgui.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\dfshim.dll:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\dfsshlex.dll:KAVICHS 36 bytes hidden from API


----------



## smeginthuhead (Jun 6, 2007)

Logfile of HijackThis v1.99.1
Scan saved at 2:14:55 PM, on 6/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\DefenderPro AntiSpy\TSAntiSpy.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Joeph Madden\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xbox360.ign.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: OsbornTech Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [LaunchAntiSpy] C:\Program Files\DefenderPro AntiSpy\TSAntiSpy.exe /startup
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Defender Pro Firewall.lnk = C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: DigiChat Applet - http://host.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139366229656
O16 - DPF: {CA356D79-679B-4B4C-8E49-5AF97014F4C1} - http://files-pl.starware.com/installs/3.1.3.200506101259/323/Starware_323.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe


----------



## cybertech (Apr 16, 2002)

*Run HJT again and put a check in the following:*

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: OsbornTech Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O16 - DPF: {CA356D79-679B-4B4C-8E49-5AF97014F4C1} - http://files-pl.starware.com/install...arware_323.cab

*Close all applications and browser windows before you click "fix checked".*

Please *download* the *OTMoveIt by OldTimer*.

 *Save* it to your *desktop*.
 Please double-click *OTMoveIt.exe* to run it.
*Copy the file paths below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy):

*C:\PROGRA~1\COMMON~1\WinTools
C:\Program Files\Internet Optimizer
c:\temp\salm.exe
C:\PROGRA~1\Toolbar
C:\PROGRA~1\COMMON~1\uquk
*

 Return to OTMoveIt, right click on the *"Paste List of Files/Folders to be moved"* window and choose *Paste*.
Click the red *Moveit!* button.
Close *OTMoveIt*
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

Please download *ATF Cleaner* by Atribune. 
*This program is for XP and Windows 2000 only*
 
Double-click *ATF-Cleaner.exe* to run the program. 
Under *Main* choose: *Select All* 
Click the *Empty Selected* button.

*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt. 
Click *Exit* on the Main menu to close the program. 
For *Technical Support*, double-click the e-mail address located at the bottom of each menu.

*Download and scan with* *SUPERAntiSpyware* Free for Home Users
Double-click *SUPERAntiSpyware.exe* and use the default settings for installation. 
An icon will be created on your desktop. Double-click that icon to launch the program. 
If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (_If you encounter any problems while downloading the updates, manually download and unzip them from here._) 
Under "*Configuration and Preferences*", click the *Preferences* button. 
Click the *Scanning Control* tab. 
Under *Scanner Options* make sure the following are checked _(leave all others unchecked)_:
_Close browsers before scanning._ 
_Scan for tracking cookies._ 
_Terminate memory threats before quarantining._

Click the "*Close*" button to leave the control center screen. 
Back on the main screen, under "*Scan for Harmful Software*" click *Scan your computer*. 
On the left, make sure you check *C:\Fixed Drive*. 
On the right, under "*Complete Scan*", choose *Perform Complete Scan*. 
Click "*Next*" to start the scan. Please be patient while it scans your computer. 
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*". 
Make sure everything has a checkmark next to it and click "*Next*". 
A notification will appear that "_Quarantine and Removal is Complete_". Click "*OK*" and then click the "*Finish*" button to return to the main menu. 
If asked if you want to reboot, click "*Yes*". 
To retrieve the removal information after reboot, launch SUPERAntispyware again.
_Click *Preferences*, then click the *Statistics/Logs* tab._ 
_Under Scanner Logs, double-click *SUPERAntiSpyware Scan Log*._ 
_If there are several logs, click the current dated log and press *View log*. A text file will open in your default text editor._ 
_Please copy and paste the Scan Log results in your next reply *with a new hijackthis log*._

Click *Close* to exit the program.


----------



## smeginthuhead (Jun 6, 2007)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/07/2007 at 04:39 PM

Application Version : 3.8.1002

Core Rules Database Version : 3249
Trace Rules Database Version: 1260

Scan type : Complete Scan
Total Scan Time : 01:16:13

Memory items scanned : 482
Memory threats detected : 0
Registry items scanned : 5110
Registry threats detected : 4
File items scanned : 80158
File threats detected : 2

Adware.180solutions/Search Assistant
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaGatewayX.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaGatewayX.dll#.Owner
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaGatewayX.dll#{15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}

Adware.IST/ISTBar (Slotch Bar)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main#BandRest

Adware.Tracking Cookie
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt


----------



## smeginthuhead (Jun 6, 2007)

I know it is late but I hope my case doesn't get abandoned. My internet explorer is completly gone now....and of course no messenger.


----------



## smeginthuhead (Jun 6, 2007)

I went ahead and did another hijack Logfile of HijackThis v1.99.1
Scan saved at 10:00:38 PM, on 6/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\DefenderPro AntiSpy\TSAntiSpy.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Joeph Madden\Desktop\HijackThis.exe
C:\Documents and Settings\Joeph Madden\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xbox360.ign.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [LaunchAntiSpy] C:\Program Files\DefenderPro AntiSpy\TSAntiSpy.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [ypagerps] cmd.exe /C del "C:\Program Files\Yahoo!\Messenger\ypagerps.dll"
O4 - Global Startup: Defender Pro Firewall.lnk = C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: DigiChat Applet - http://host.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139366229656
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe


----------



## cybertech (Apr 16, 2002)

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.
In the *Files Created Within* group click *30 days*
In the *Files Modified Within* group select *30 days*
In the *File String Search* group select *Non-Microsoft*

Now click the *Run Scan* button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please post the resulting log here *as an attachment*.


----------



## smeginthuhead (Jun 6, 2007)

WinPFind3 logfile created on: 6/8/2007 11:26:42 AM
WinPFind3U by OldTimer - Version 1.0.38	Folder = C:\Documents and Settings\Joeph Madden\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)

767.48 Mb Total Physical Memory | 314.59 Mb Available Physical Memory | 40.99% Memory free
1.41 Gb Paging File | 1.04 Gb Available in Paging File | 73.99% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 22.62 Gb Free Space | 30.36% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: OEMTEST-2S4KN5K
Current User Name: Joeph Madden
Logged in as Administrator.
Current Boot Mode: Normal

[Processes - Non-Microsoft Only]
ati2evxx.exe -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4146 | Size = 425984 bytes | Modified Date = 9/26/2006 4:41:54 PM | Attr = ]
ati2evxx.exe -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4146 | Size = 425984 bytes | Modified Date = 9/26/2006 4:41:54 PM | Attr = ]
cli.exe -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLI.exe -> ATI Technologies Inc. [Ver = 1.11.0.0 | Size = 45056 bytes | Modified Date = 1/2/2006 6:41:22 PM | Attr = ]
cli.exe -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLI.exe -> ATI Technologies Inc. [Ver = 1.11.0.0 | Size = 45056 bytes | Modified Date = 1/2/2006 6:41:22 PM | Attr = ]
cli.exe -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLI.exe -> ATI Technologies Inc. [Ver = 1.11.0.0 | Size = 45056 bytes | Modified Date = 1/2/2006 6:41:22 PM | Attr = ]
firefox.exe -> %ProgramFiles%\Mozilla Firefox\firefox.exe -> Mozilla Corporation [Ver = 1.8.1.4: 2007051502 | Size = 7637104 bytes | Modified Date = 6/5/2007 9:54:34 AM | Attr = ]
hpzipm12.exe -> %System32%\HPZipm12.exe -> HP [Ver = 9, 0, 0, 0 | Size = 69632 bytes | Modified Date = 9/29/2004 1:14:36 PM | Attr = ]
incdsrv.exe -> %ProgramFiles%\Ahead\InCD\incdsrv.exe -> Ahead Software AG [Ver = 4, 2, 4, 1 | Size = 929904 bytes | Modified Date = 4/6/2004 10:35:10 PM | Attr = ]
jusched.exe -> %ProgramFiles%\Java\jre1.5.0_01\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 1.5.0.10 | Size = 36975 bytes | Modified Date = 12/6/2004 9:31:50 PM | Attr = ]
kavpf.exe -> %ProgramFiles%\Defender Pro\Defender Pro Firewall\KAVPF.exe -> Defender Pro LLC [Ver = 1.8.0.180 | Size = 1224319 bytes | Modified Date = 9/27/2005 6:31:30 AM | Attr = ]
pastisvc.exe -> %System32%\PAStiSvc.exe -> [Ver = | Size = 53248 bytes | Modified Date = 1/14/2005 9:32:38 AM | Attr = ]
realsched.exe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3492 | Size = 180269 bytes | Modified Date = 1/14/2006 12:04:18 PM | Attr = ]
superantispyware.exe -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 8, 0, 1002 | Size = 1314816 bytes | Modified Date = 5/23/2007 10:12:46 AM | Attr = ]
tsantispy.exe -> %ProgramFiles%\DefenderPro AntiSpy\TSAntiSpy.exe -> Omniquad Ltd. [Ver = 5, 0, 0, 9 | Size = 1552384 bytes | Modified Date = 2/7/2007 7:05:28 AM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.38.0 | Size = 318976 bytes | Modified Date = 5/22/2007 6:27:40 PM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Running] -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4146 | Size = 425984 bytes | Modified Date = 9/26/2006 4:41:54 PM | Attr = ]
(ATI Smart) ATI Smart [Win32_Own | Auto | Stopped] -> %System32%\ati2sgag.exe -> [Ver = 5.13.0025 | Size = 520192 bytes | Modified Date = 9/26/2006 10:05:00 PM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 3:56:48 AM | Attr = ]
(InCDsrv) InCD Helper [Win32_Own | Auto | Running] -> %ProgramFiles%\Ahead\InCD\incdsrv.exe -> Ahead Software AG [Ver = 4, 2, 4, 1 | Size = 929904 bytes | Modified Date = 4/6/2004 10:35:10 PM | Attr = ]
(kavsvc) kavsvc [Win32_Own | Auto | Running] -> %ProgramFiles%\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe -> Defender Pro LLC [Ver = 5.0.390.1 | Size = 917610 bytes | Modified Date = 10/20/2005 10:48:24 AM | Attr = ]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | Auto | Running] -> %System32%\HPZipm12.exe -> HP [Ver = 9, 0, 0, 0 | Size = 69632 bytes | Modified Date = 9/29/2004 1:14:36 PM | Attr = ]
(STI Simulator) STI Simulator [Win32_Own | Auto | Running] -> %System32%\PAStiSvc.exe -> [Ver = | Size = 53248 bytes | Modified Date = 1/14/2005 9:32:38 AM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ATICCC -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLIStart.exe -> [Ver = | Size = 90112 bytes | Modified Date = 5/10/2006 12:12:06 PM | Attr = ]
LaunchAntiSpy -> %ProgramFiles%\DefenderPro AntiSpy\TSAntiSpy.exe -> Omniquad Ltd. [Ver = 5, 0, 0, 9 | Size = 1552384 bytes | Modified Date = 2/7/2007 7:05:28 AM | Attr = ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.5.0_01\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 1.5.0.10 | Size = 36975 bytes | Modified Date = 12/6/2004 9:31:50 PM | Attr = ]
TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3492 | Size = 180269 bytes | Modified Date = 1/14/2006 12:04:18 PM | Attr = ]
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PowerBar -> -> File not found
SUPERAntiSpyware -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 8, 0, 1002 | Size = 1314816 bytes | Modified Date = 5/23/2007 10:12:46 AM | Attr = ]
Yahoo! Pager -> %ProgramFiles%\Yahoo!\Messenger\YahooMessenger.exe -> Yahoo! Inc. [Ver = 8,1,0,249 | Size = 4670968 bytes | Modified Date = 3/27/2007 3:22:56 PM | Attr = ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup
%AllUsersStartup%\Defender Pro Firewall.lnk -> %ProgramFiles%\Defender Pro\Defender Pro Firewall\KAVPF.exe -> Defender Pro LLC [Ver = 1.8.0.180 | Size = 1224319 bytes | Modified Date = 9/27/2005 6:31:30 AM | Attr = ]
< AppInit_DLLs [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< SSODL [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
{fbeb8a05-beee-4442-804e-409d6c4515e9} [HKLM] -> Reg Data - Key not found [CDBurn] -> File not found
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 12/20/2006 1:55:48 PM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 4/19/2007 1:41:36 PM | Attr = ]
AtiExtEvent -> %System32%\ati2evxx.dll -> ATI Technologies Inc. [Ver = 6.14.10.4146 | Size = 90112 bytes | Modified Date = 9/26/2006 4:43:12 PM | Attr = ]
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 -> 
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 
< HOSTS File > (698 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
127.0.0.1 localhost -> -> 
< Internet Explorer Settings > -> 
HKLM: Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKLM: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKLM: Local Page -> %SystemRoot%\system32\blank.htm -> 
HKLM: Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKLM: Start Page -> about:blank -> 
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
HKCU: Default_Search_URL -> http://search.msn.com -> 
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm -> 
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKCU: Start Page -> http://xbox360.ign.com/ -> 
HKCU: SearchAssistant -> http://www.microsoft.com/isapi/redir.dll? -> 
HKCU: ProxyEnable -> 0 -> 
HKCU: ProxyOverride -> 127.0.0.1;localhost -> 
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
msn.com [ - ] -> -> 
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> Adobe Systems Incorporated [Ver = 7.0.0.2004121400 | Size = 63136 bytes | Modified Date = 12/14/2004 1:56:50 AM | Attr = ]
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [Yahoo! Toolbar] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{0D555BC6-E331-48b3-A60E-AAC0DF79438A} -> Reg Data - Value does not exist [ButtonText: Popup Blocker] -> File not found
{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{D40D203A-8375-4A4D-9AC2-7CC1D7AE6B9C} -> (VIA Rhine II Fast Ethernet Adapter) -> 
{D728F480-C44E-4178-BC02-46C4108EEE3B} -> () -> 
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -> QuickTime Object - CodeBase = http://www.apple.com/qtactivex/qtplugin.cab -> 
{166B1BCA-3F9C-11CF-8075-444553540000} -> Shockwave ActiveX Control - CodeBase = http://active.macromedia.com/director/cabs/sw.cab -> 
{17492023-C23A-453E-A040-C7C580BBF700} -> Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204 -> 
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -> YInstStarter Class - CodeBase = C:\Program Files\Yahoo!\Common\yinsthelper.dll -> 
{33564D57-0000-0010-8000-00AA00389B71} -> - CodeBase = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB -> 
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -> - CodeBase = http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab -> 
{6414512B-B978-451D-A0D8-FCFDF33E833C} -> WUWebControl Class - CodeBase = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139366229656 -> 
{D27CDB6E-AE6D-11CF-9600-000000000000} -> - CodeBase = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab -> 
DigiChat Applet -> - CodeBase = http://host.digichat.com/DigiChat/DigiClasses/Client_IE.cab -> 
DirectAnimation Java Classes -> - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab -> 
Microsoft XML Parser for Java -> - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab -> 
Yahoo! Chat -> - CodeBase = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab ->

[Files/Folders - Created Within 30 days]
found.000 -> %SystemDrive%\found.000 -> [Folder | Created Date = 5/25/2007 9:54:27 AM | Attr = HS]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 804835328 bytes | Created Date = 1/1/1601 5:00:00 AM | Attr = HS]
QooBox -> %SystemDrive%\QooBox -> [Folder | Created Date = 6/7/2007 1:02:14 PM | Attr = ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt -> [Folder | Created Date = 6/7/2007 2:13:14 PM | Attr = ]
$NtUninstallKB903235$ -> %SystemRoot%\$NtUninstallKB903235$ -> [Folder | Created Date = 6/7/2007 11:01:36 PM | Attr = H ]
$NtUninstallKB927891$ -> %SystemRoot%\$NtUninstallKB927891$ -> [Folder | Created Date = 5/24/2007 10:46:27 PM | Attr = H ]
$NtUninstallKB930916$ -> %SystemRoot%\$NtUninstallKB930916$ -> [Folder | Created Date = 5/10/2007 11:03:58 PM | Attr = H ]
AntiSpy -> %SystemRoot%\AntiSpy -> [Folder | Created Date = 6/2/2007 9:48:04 AM | Attr = ]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 87040 bytes | Created Date = 6/7/2007 1:03:40 PM | Attr = ]
ie7 -> %SystemRoot%\ie7 -> [Folder | Created Date = 6/7/2007 4:30:40 AM | Attr = H ]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1355 bytes | Created Date = 6/7/2007 4:32:16 AM | Attr = ]
LastGood -> %SystemRoot%\LastGood -> [Folder | Created Date = 6/8/2007 10:14:48 AM | Attr = ]
mozver.dat -> %SystemRoot%\mozver.dat -> [Ver = | Size = 1156 bytes | Created Date = 6/6/2007 9:53:16 AM | Attr = ]
nircmd.exe -> %SystemRoot%\nircmd.exe -> NirSoft [Ver = 1.85 | Size = 49152 bytes | Created Date = 6/7/2007 1:03:40 PM | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Created Date = 6/7/2007 10:26:33 AM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Created Date = 6/7/2007 10:26:33 AM | Attr = H ]
Sun -> %SystemRoot%\Sun -> [Folder | Created Date = 6/7/2007 7:45:24 AM | Attr = ]
temp -> %SystemRoot%\temp -> [Folder | Created Date = 6/7/2007 1:03:50 PM | Attr = ]
FreeImage.dll -> %System32%\FreeImage.dll -> [Ver = | Size = 667648 bytes | Created Date = 5/11/2007 10:47:51 PM | Attr = ]
ijl15.dll -> %System32%\ijl15.dll -> Intel Corporation [Ver = 1,51,12,44 | Size = 352256 bytes | Created Date = 5/11/2007 10:47:51 PM | Attr = ]
IMAGEPLUSCONTROL.OCX -> %System32%\IMAGEPLUSCONTROL.OCX -> [Ver = 1.02 | Size = 53248 bytes | Created Date = 5/11/2007 10:47:52 PM | Attr = ]
moveex.exe -> %System32%\moveex.exe -> [Ver = | Size = 38400 bytes | Created Date = 6/7/2007 1:03:39 PM | Attr = ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.6 | Size = 428032 bytes | Created Date = 6/7/2007 1:03:40 PM | Attr = ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 6/7/2007 1:03:39 PM | Attr = ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 6/7/2007 1:03:39 PM | Attr = ]
UNACE.DLL -> %System32%\UNACE.DLL -> [Ver = | Size = 40448 bytes | Created Date = 5/11/2007 10:47:51 PM | Attr = ]
unrar.dll -> %System32%\unrar.dll -> [Ver = | Size = 159744 bytes | Created Date = 5/11/2007 10:47:52 PM | Attr = ]
unzip3252.dll -> %System32%\unzip3252.dll -> Info-ZIP [Ver = 5.52 | Size = 102400 bytes | Created Date = 5/11/2007 10:47:52 PM | Attr = ]
vfind.exe -> %System32%\vfind.exe -> [Ver = | Size = 49152 bytes | Created Date = 6/7/2007 1:03:39 PM | Attr = ]

[Files/Folders - Modified Within 30 days]
boot.ini -> %SystemDrive%\boot.ini -> [Ver = | Size = 211 bytes | Modified Date = 6/7/2007 1:12:06 PM | Attr = HS]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Modified Date = 6/7/2007 3:19:28 PM | Attr = H ]
Documents and Settings -> %SystemDrive%\Documents and Settings -> [Folder | Modified Date = 6/7/2007 4:49:02 AM | Attr = ]
found.000 -> %SystemDrive%\found.000 -> [Folder | Modified Date = 5/25/2007 10:54:28 AM | Attr = HS]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 804835328 bytes | Modified Date = 6/8/2007 11:12:32 AM | Attr = HS]
MyWorks -> %SystemDrive%\MyWorks -> [Folder | Modified Date = 5/23/2007 4:19:46 PM | Attr = ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 6/7/2007 3:19:22 PM | Attr = ]
QooBox -> %SystemDrive%\QooBox -> [Folder | Modified Date = 6/7/2007 2:02:16 PM | Attr = ]
temp -> %SystemDrive%\temp -> [Folder | Modified Date = 5/30/2007 6:34:14 PM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 6/8/2007 11:14:50 AM | Attr = ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt -> [Folder | Modified Date = 6/7/2007 3:13:16 PM | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 6/7/2007 5:26:22 AM | Attr = H ]
$NtUninstallKB903235$ -> %SystemRoot%\$NtUninstallKB903235$ -> [Folder | Modified Date = 6/8/2007 12:01:38 AM | Attr = H ]
$NtUninstallKB927891$ -> %SystemRoot%\$NtUninstallKB927891$ -> [Folder | Modified Date = 5/24/2007 11:46:28 PM | Attr = H ]
$NtUninstallKB930916$ -> %SystemRoot%\$NtUninstallKB930916$ -> [Folder | Modified Date = 5/11/2007 12:04:00 AM | Attr = H ]
AntiSpy -> %SystemRoot%\AntiSpy -> [Folder | Modified Date = 6/2/2007 10:48:06 AM | Attr = ]
assembly -> %SystemRoot%\assembly -> [Folder | Modified Date = 6/5/2007 12:36:50 AM | Attr = R S]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 6/8/2007 11:12:38 AM | Attr = S]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 87040 bytes | Modified Date = 5/28/2007 4:23:12 AM | Attr = ]
cdplayer.ini -> %SystemRoot%\cdplayer.ini -> [Ver = | Size = 1863 bytes | Modified Date = 5/24/2007 11:57:54 AM | Attr = ]
D9H7ADHB.ocx -> %SystemRoot%\D9H7ADHB.ocx -> [Ver = | Size = 3120 bytes | Modified Date = 6/8/2007 11:14:08 AM | Attr = ]
Debug -> %SystemRoot%\Debug -> [Folder | Modified Date = 6/7/2007 5:24:50 AM | Attr = ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 5/30/2007 6:33:34 PM | Attr = S]
Help -> %SystemRoot%\Help -> [Folder | Modified Date = 6/7/2007 5:33:22 AM | Attr = ]
ie7 -> %SystemRoot%\ie7 -> [Folder | Modified Date = 6/7/2007 5:31:44 AM | Attr = H ]
ie7updates -> %SystemRoot%\ie7updates -> [Folder | Modified Date = 6/7/2007 5:21:46 AM | Attr = ]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1355 bytes | Modified Date = 6/8/2007 12:01:48 AM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 6/8/2007 11:14:56 AM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 6/7/2007 3:19:32 PM | Attr = HS]
LastGood -> %SystemRoot%\LastGood -> [Folder | Modified Date = 6/8/2007 11:14:50 AM | Attr = ]
Media -> %SystemRoot%\Media -> [Folder | Modified Date = 6/7/2007 5:32:02 AM | Attr = ]
Microsoft.NET -> %SystemRoot%\Microsoft.NET -> [Folder | Modified Date = 6/5/2007 12:36:48 AM | Attr = ]
Minidump -> %SystemRoot%\Minidump -> [Folder | Modified Date = 6/7/2007 10:46:10 AM | Attr = ]
mozver.dat -> %SystemRoot%\mozver.dat -> [Ver = | Size = 1156 bytes | Modified Date = 6/6/2007 10:53:18 AM | Attr = ]
NEWSOFT -> %SystemRoot%\NEWSOFT -> [Folder | Modified Date = 6/7/2007 9:43:54 PM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 6/8/2007 11:22:48 AM | Attr = ]
pss -> %SystemRoot%\pss -> [Folder | Modified Date = 6/7/2007 1:12:06 PM | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Modified Date = 6/7/2007 1:12:06 PM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Modified Date = 6/7/2007 1:12:06 PM | Attr = H ]
Sun -> %SystemRoot%\Sun -> [Folder | Modified Date = 6/7/2007 8:45:26 AM | Attr = ]
system.ini -> %SystemRoot%\system.ini -> [Ver = | Size = 227 bytes | Modified Date = 6/7/2007 1:12:06 PM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 6/8/2007 12:36:46 AM | Attr = ]
temp -> %SystemRoot%\temp -> [Folder | Modified Date = 6/8/2007 11:16:52 AM | Attr = ]
tsiwinfile.dat -> %SystemRoot%\tsiwinfile.dat -> [Ver = | Size = 137 bytes | Modified Date = 6/2/2007 10:48:16 AM | Attr = ]
WBEM -> %SystemRoot%\WBEM -> [Folder | Modified Date = 6/7/2007 5:32:12 AM | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 798 bytes | Modified Date = 6/7/2007 1:12:06 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 6/8/2007 11:12:40 AM | Attr = H ]
amcompat.tlb -> %System32%\amcompat.tlb -> [Ver = | Size = 16832 bytes | Modified Date = 5/11/2007 11:47:56 PM | Attr = ]
CatRoot -> %System32%\CatRoot -> [Folder | Modified Date = 6/8/2007 8:55:58 AM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 6/8/2007 11:14:50 AM | Attr = ]
DirectX -> %System32%\DirectX -> [Folder | Modified Date = 6/5/2007 12:36:50 AM | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 6/8/2007 12:02:38 AM | Attr = RHS]
drivers -> %System32%\drivers -> [Folder | Modified Date = 6/7/2007 1:59:44 PM | Attr = ]
en-US -> %System32%\en-US -> [Folder | Modified Date = 6/8/2007 12:02:36 AM | Attr = ]
HAF9SE8J.ocx -> %System32%\HAF9SE8J.ocx -> [Ver = | Size = 3120 bytes | Modified Date = 6/8/2007 11:14:08 AM | Attr = ]
nscompat.tlb -> %System32%\nscompat.tlb -> [Ver = | Size = 23392 bytes | Modified Date = 5/11/2007 11:47:56 PM | Attr = ]
Restore -> %System32%\Restore -> [Folder | Modified Date = 6/6/2007 1:20:02 AM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 1158 bytes | Modified Date = 6/8/2007 11:13:54 AM | Attr = ]
etc -> %System32%\drivers\etc -> [Folder | Modified Date = 6/7/2007 10:54:46 AM | Attr = ]
klick.sys -> %System32%\drivers\klick.sys -> Kaspersky Lab [Ver = 2.0.0.410 | Size = 82258 bytes | Modified Date = 5/15/2007 9:11:12 PM | Attr = ]
klin.sys -> %System32%\drivers\klin.sys -> Kaspersky Lab [Ver = 2.0.0.410 | Size = 82258 bytes | Modified Date = 5/15/2007 9:12:08 PM | Attr = ]
secdrv.sys -> %System32%\drivers\secdrv.sys -> Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. [Ver = 4.00.060 | Size = 163644 bytes | Modified Date = 6/5/2007 12:42:52 AM | Attr = ]

[File String Scan - Non-Microsoft Only]
UPX! , WSUD , UPX0 , -> %SystemRoot%\pPokerSetup.exe -> [Ver = | Size = 3335839 bytes | Modified Date = 6/17/2005 7:41:44 PM | Attr = ]
@Alternate Data Stream - 0 bytes -> %SystemRoot%\Thumbs.db:encryptable -> 
WSUD , -> %System32%\ALSNDMGR.CPL -> Realtek Semiconductor Corp. [Ver = 2.2.16 | Size = 14204416 bytes | Modified Date = 12/19/2003 5:54:44 AM | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 8/29/2002 8:00:00 AM | Attr = ]
PEC2 , PECompact2 , -> %System32%\DivX.dll -> DivXNetworks [Ver = 6,0,0,1571 | Size = 692736 bytes | Modified Date = 6/9/2005 4:32:28 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/29/2002 8:00:00 AM | Attr = ]
PTech , -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/4/2004 1:41:38 AM | Attr = ]

< End of report >


----------



## cybertech (Apr 16, 2002)

Start *WinPFind3U*. Copy/Paste the information in the Quotebox below into the pane where it says *"Paste fix here"* and then click the Run Fix button.



> [Registry - Non-Microsoft Only]
> < Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> YN -> PowerBar ->
> [Files/Folders - Created Within 30 days]
> ...


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the *Ok* button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan.

I will review the information when it comes back in.


----------



## smeginthuhead (Jun 6, 2007)

[Registry - Non-Microsoft Only]
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\PowerBar deleted successfully.
[Files/Folders - Created Within 30 days]
C:\WINDOWS\SYSTEM32\moveex.exe moved successfully.
C:\WINDOWS\SYSTEM32\unzip3252.dll moved successfully.
[Files/Folders - Modified Within 30 days]
C:\WINDOWS\D9H7ADHB.ocx moved successfully.
C:\WINDOWS\tsiwinfile.dat moved successfully.
C:\WINDOWS\SYSTEM32\HAF9SE8J.ocx moved successfully.
< End of log >
Created on 06/08/2007 17:15:47


----------



## cybertech (Apr 16, 2002)

*Your Java is out of date.* Older versions have vulnerabilities that malware can use to infect your system.
*Please follow these steps to remove older version Java components and update.*

*Updating Java:* 

Download the latest version of *Java Runtime Environment (JRE) 6u1*. 
Scroll down to where it says "_The J2SE Runtime Environment (JRE) allows end-users to run Java applications_". 
Click the "*Download*" button to the right. 
Check the box that says: "*Accept*_ License Agreement_". 
The page will refresh. 
Click on the link to download _Windows Offline Installation_ with or without Multi-language and save to your desktop. 
Close any programs you may have running - especially your web browser. 
Go to *Start* > *Control Panel* double-click on *Add/Remove* programs and remove all older versions of Java. 
Check any item with Java Runtime Environment (JRE or J2SE) in the name. 
Click the *Remove* or *Change/Remove* button. 
Repeat as many times as necessary to remove each Java versions. 
Reboot your computer once all Java components are removed. 
Then from your desktop double-click on the download to install the newest version.

How is it running now? Any problems?

Please post your hijackthis log again.


----------



## smeginthuhead (Jun 6, 2007)

WinPFind3 logfile created on: 6/8/2007 5:16:33 PM
WinPFind3U by OldTimer - Version 1.0.38	Folder = C:\Documents and Settings\Joeph Madden\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)

767.48 Mb Total Physical Memory | 336.53 Mb Available Physical Memory | 43.85% Memory free
1.41 Gb Paging File | 1.05 Gb Available in Paging File | 74.50% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 21.50 Gb Free Space | 28.86% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: OEMTEST-2S4KN5K
Current User Name: Joeph Madden
Logged in as Administrator.
Current Boot Mode: Normal

[Processes - Non-Microsoft Only]
ati2evxx.exe -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4146 | Size = 425984 bytes | Modified Date = 9/26/2006 4:41:54 PM | Attr = ]
ati2evxx.exe -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4146 | Size = 425984 bytes | Modified Date = 9/26/2006 4:41:54 PM | Attr = ]
cli.exe -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLI.exe -> ATI Technologies Inc. [Ver = 1.11.0.0 | Size = 45056 bytes | Modified Date = 1/2/2006 6:41:22 PM | Attr = ]
cli.exe -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLI.exe -> ATI Technologies Inc. [Ver = 1.11.0.0 | Size = 45056 bytes | Modified Date = 1/2/2006 6:41:22 PM | Attr = ]
cli.exe -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLI.exe -> ATI Technologies Inc. [Ver = 1.11.0.0 | Size = 45056 bytes | Modified Date = 1/2/2006 6:41:22 PM | Attr = ]
firefox.exe -> %ProgramFiles%\Mozilla Firefox\firefox.exe -> Mozilla Corporation [Ver = 1.8.1.4: 2007051502 | Size = 7637104 bytes | Modified Date = 6/5/2007 9:54:34 AM | Attr = ]
hpzipm12.exe -> %System32%\HPZipm12.exe -> HP [Ver = 9, 0, 0, 0 | Size = 69632 bytes | Modified Date = 9/29/2004 1:14:36 PM | Attr = ]
incdsrv.exe -> %ProgramFiles%\Ahead\InCD\incdsrv.exe -> Ahead Software AG [Ver = 4, 2, 4, 1 | Size = 929904 bytes | Modified Date = 4/6/2004 10:35:10 PM | Attr = ]
jusched.exe -> %ProgramFiles%\Java\jre1.5.0_01\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 1.5.0.10 | Size = 36975 bytes | Modified Date = 12/6/2004 9:31:50 PM | Attr = ]
kavpf.exe -> %ProgramFiles%\Defender Pro\Defender Pro Firewall\KAVPF.exe -> Defender Pro LLC [Ver = 1.8.0.180 | Size = 1224319 bytes | Modified Date = 9/27/2005 6:31:30 AM | Attr = ]
pastisvc.exe -> %System32%\PAStiSvc.exe -> [Ver = | Size = 53248 bytes | Modified Date = 1/14/2005 9:32:38 AM | Attr = ]
realsched.exe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3492 | Size = 180269 bytes | Modified Date = 1/14/2006 12:04:18 PM | Attr = ]
tsantispy.exe -> %ProgramFiles%\DefenderPro AntiSpy\TSAntiSpy.exe -> Omniquad Ltd. [Ver = 5, 0, 0, 9 | Size = 1552384 bytes | Modified Date = 2/7/2007 7:05:28 AM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.38.0 | Size = 318976 bytes | Modified Date = 5/22/2007 6:27:40 PM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Running] -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4146 | Size = 425984 bytes | Modified Date = 9/26/2006 4:41:54 PM | Attr = ]
(ATI Smart) ATI Smart [Win32_Own | Auto | Stopped] -> %System32%\ati2sgag.exe -> [Ver = 5.13.0025 | Size = 520192 bytes | Modified Date = 9/26/2006 10:05:00 PM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 3:56:48 AM | Attr = ]
(InCDsrv) InCD Helper [Win32_Own | Auto | Running] -> %ProgramFiles%\Ahead\InCD\incdsrv.exe -> Ahead Software AG [Ver = 4, 2, 4, 1 | Size = 929904 bytes | Modified Date = 4/6/2004 10:35:10 PM | Attr = ]
(kavsvc) kavsvc [Win32_Own | Auto | Running] -> %ProgramFiles%\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe -> Defender Pro LLC [Ver = 5.0.390.1 | Size = 917610 bytes | Modified Date = 10/20/2005 10:48:24 AM | Attr = ]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | Auto | Running] -> %System32%\HPZipm12.exe -> HP [Ver = 9, 0, 0, 0 | Size = 69632 bytes | Modified Date = 9/29/2004 1:14:36 PM | Attr = ]
(STI Simulator) STI Simulator [Win32_Own | Auto | Running] -> %System32%\PAStiSvc.exe -> [Ver = | Size = 53248 bytes | Modified Date = 1/14/2005 9:32:38 AM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ATICCC -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLIStart.exe -> [Ver = | Size = 90112 bytes | Modified Date = 5/10/2006 12:12:06 PM | Attr = ]
LaunchAntiSpy -> %ProgramFiles%\DefenderPro AntiSpy\TSAntiSpy.exe -> Omniquad Ltd. [Ver = 5, 0, 0, 9 | Size = 1552384 bytes | Modified Date = 2/7/2007 7:05:28 AM | Attr = ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.5.0_01\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 1.5.0.10 | Size = 36975 bytes | Modified Date = 12/6/2004 9:31:50 PM | Attr = ]
TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3492 | Size = 180269 bytes | Modified Date = 1/14/2006 12:04:18 PM | Attr = ]
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SUPERAntiSpyware -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 8, 0, 1002 | Size = 1314816 bytes | Modified Date = 5/23/2007 10:12:46 AM | Attr = ]
Yahoo! Pager -> %ProgramFiles%\Yahoo!\Messenger\YahooMessenger.exe -> Yahoo! Inc. [Ver = 8,1,0,249 | Size = 4670968 bytes | Modified Date = 3/27/2007 3:22:56 PM | Attr = ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup
%AllUsersStartup%\Defender Pro Firewall.lnk -> %ProgramFiles%\Defender Pro\Defender Pro Firewall\KAVPF.exe -> Defender Pro LLC [Ver = 1.8.0.180 | Size = 1224319 bytes | Modified Date = 9/27/2005 6:31:30 AM | Attr = ]
< AppInit_DLLs [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< SSODL [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
{fbeb8a05-beee-4442-804e-409d6c4515e9} [HKLM] -> Reg Data - Key not found [CDBurn] -> File not found
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 12/20/2006 1:55:48 PM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 4/19/2007 1:41:36 PM | Attr = ]
AtiExtEvent -> %System32%\ati2evxx.dll -> ATI Technologies Inc. [Ver = 6.14.10.4146 | Size = 90112 bytes | Modified Date = 9/26/2006 4:43:12 PM | Attr = ]
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 -> 
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 
< HOSTS File > (698 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
127.0.0.1 localhost -> -> 
< Internet Explorer Settings > -> 
HKLM: Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKLM: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKLM: Local Page -> %SystemRoot%\system32\blank.htm -> 
HKLM: Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKLM: Start Page -> about:blank -> 
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
HKCU: Default_Search_URL -> http://search.msn.com -> 
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm -> 
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKCU: Start Page -> http://xbox360.ign.com/ -> 
HKCU: SearchAssistant -> http://www.microsoft.com/isapi/redir.dll? -> 
HKCU: ProxyEnable -> 0 -> 
HKCU: ProxyOverride -> 127.0.0.1;localhost -> 
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
msn.com [ - ] -> -> 
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> Adobe Systems Incorporated [Ver = 7.0.0.2004121400 | Size = 63136 bytes | Modified Date = 12/14/2004 1:56:50 AM | Attr = ]
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [Yahoo! Toolbar] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{0D555BC6-E331-48b3-A60E-AAC0DF79438A} -> Reg Data - Value does not exist [ButtonText: Popup Blocker] -> File not found
{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{D40D203A-8375-4A4D-9AC2-7CC1D7AE6B9C} -> (VIA Rhine II Fast Ethernet Adapter) -> 
{D728F480-C44E-4178-BC02-46C4108EEE3B} -> () -> 
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -> QuickTime Object - CodeBase = http://www.apple.com/qtactivex/qtplugin.cab -> 
{166B1BCA-3F9C-11CF-8075-444553540000} -> Shockwave ActiveX Control - CodeBase = http://active.macromedia.com/director/cabs/sw.cab -> 
{17492023-C23A-453E-A040-C7C580BBF700} -> Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204 -> 
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -> YInstStarter Class - CodeBase = C:\Program Files\Yahoo!\Common\yinsthelper.dll -> 
{33564D57-0000-0010-8000-00AA00389B71} -> - CodeBase = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB -> 
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -> - CodeBase = http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab -> 
{6414512B-B978-451D-A0D8-FCFDF33E833C} -> WUWebControl Class - CodeBase = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139366229656 -> 
{D27CDB6E-AE6D-11CF-9600-000000000000} -> - CodeBase = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab -> 
DigiChat Applet -> - CodeBase = http://host.digichat.com/DigiChat/DigiClasses/Client_IE.cab -> 
DirectAnimation Java Classes -> - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab -> 
Microsoft XML Parser for Java -> - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab -> 
Yahoo! Chat -> - CodeBase = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab ->

[Files/Folders - Created Within 30 days]
found.000 -> %SystemDrive%\found.000 -> [Folder | Created Date = 5/25/2007 9:54:27 AM | Attr = HS]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 804835328 bytes | Created Date = 1/1/1601 5:00:00 AM | Attr = HS]
QooBox -> %SystemDrive%\QooBox -> [Folder | Created Date = 6/7/2007 1:02:14 PM | Attr = ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt -> [Folder | Created Date = 6/7/2007 2:13:14 PM | Attr = ]
$NtUninstallKB903235$ -> %SystemRoot%\$NtUninstallKB903235$ -> [Folder | Created Date = 6/7/2007 11:01:36 PM | Attr = H ]
$NtUninstallKB927891$ -> %SystemRoot%\$NtUninstallKB927891$ -> [Folder | Created Date = 5/24/2007 10:46:27 PM | Attr = H ]
$NtUninstallKB930916$ -> %SystemRoot%\$NtUninstallKB930916$ -> [Folder | Created Date = 5/10/2007 11:03:58 PM | Attr = H ]
AntiSpy -> %SystemRoot%\AntiSpy -> [Folder | Created Date = 6/2/2007 9:48:04 AM | Attr = ]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 87040 bytes | Created Date = 6/7/2007 1:03:40 PM | Attr = ]
ie7 -> %SystemRoot%\ie7 -> [Folder | Created Date = 6/7/2007 4:30:40 AM | Attr = H ]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1355 bytes | Created Date = 6/7/2007 4:32:16 AM | Attr = ]
LastGood -> %SystemRoot%\LastGood -> [Folder | Created Date = 6/8/2007 10:14:48 AM | Attr = ]
mozver.dat -> %SystemRoot%\mozver.dat -> [Ver = | Size = 1156 bytes | Created Date = 6/6/2007 9:53:16 AM | Attr = ]
nircmd.exe -> %SystemRoot%\nircmd.exe -> NirSoft [Ver = 1.85 | Size = 49152 bytes | Created Date = 6/7/2007 1:03:40 PM | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Created Date = 6/7/2007 10:26:33 AM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Created Date = 6/7/2007 10:26:33 AM | Attr = H ]
Sun -> %SystemRoot%\Sun -> [Folder | Created Date = 6/7/2007 7:45:24 AM | Attr = ]
temp -> %SystemRoot%\temp -> [Folder | Created Date = 6/7/2007 1:03:50 PM | Attr = ]
FreeImage.dll -> %System32%\FreeImage.dll -> [Ver = | Size = 667648 bytes | Created Date = 5/11/2007 10:47:51 PM | Attr = ]
ijl15.dll -> %System32%\ijl15.dll -> Intel Corporation [Ver = 1,51,12,44 | Size = 352256 bytes | Created Date = 5/11/2007 10:47:51 PM | Attr = ]
IMAGEPLUSCONTROL.OCX -> %System32%\IMAGEPLUSCONTROL.OCX -> [Ver = 1.02 | Size = 53248 bytes | Created Date = 5/11/2007 10:47:52 PM | Attr = ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.6 | Size = 428032 bytes | Created Date = 6/7/2007 1:03:40 PM | Attr = ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 6/7/2007 1:03:39 PM | Attr = ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 6/7/2007 1:03:39 PM | Attr = ]
UNACE.DLL -> %System32%\UNACE.DLL -> [Ver = | Size = 40448 bytes | Created Date = 5/11/2007 10:47:51 PM | Attr = ]
unrar.dll -> %System32%\unrar.dll -> [Ver = | Size = 159744 bytes | Created Date = 5/11/2007 10:47:52 PM | Attr = ]
vfind.exe -> %System32%\vfind.exe -> [Ver = | Size = 49152 bytes | Created Date = 6/7/2007 1:03:39 PM | Attr = ]

[Files/Folders - Modified Within 30 days]
boot.ini -> %SystemDrive%\boot.ini -> [Ver = | Size = 211 bytes | Modified Date = 6/7/2007 1:12:06 PM | Attr = HS]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Modified Date = 6/7/2007 3:19:28 PM | Attr = H ]
Documents and Settings -> %SystemDrive%\Documents and Settings -> [Folder | Modified Date = 6/7/2007 4:49:02 AM | Attr = ]
found.000 -> %SystemDrive%\found.000 -> [Folder | Modified Date = 5/25/2007 10:54:28 AM | Attr = HS]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 804835328 bytes | Modified Date = 6/8/2007 11:12:32 AM | Attr = HS]
MyWorks -> %SystemDrive%\MyWorks -> [Folder | Modified Date = 5/23/2007 4:19:46 PM | Attr = ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 6/7/2007 3:19:22 PM | Attr = ]
QooBox -> %SystemDrive%\QooBox -> [Folder | Modified Date = 6/7/2007 2:02:16 PM | Attr = ]
temp -> %SystemDrive%\temp -> [Folder | Modified Date = 5/30/2007 6:34:14 PM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 6/8/2007 5:15:48 PM | Attr = ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt -> [Folder | Modified Date = 6/7/2007 3:13:16 PM | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 6/7/2007 5:26:22 AM | Attr = H ]
$NtUninstallKB903235$ -> %SystemRoot%\$NtUninstallKB903235$ -> [Folder | Modified Date = 6/8/2007 12:01:38 AM | Attr = H ]
$NtUninstallKB927891$ -> %SystemRoot%\$NtUninstallKB927891$ -> [Folder | Modified Date = 5/24/2007 11:46:28 PM | Attr = H ]
$NtUninstallKB930916$ -> %SystemRoot%\$NtUninstallKB930916$ -> [Folder | Modified Date = 5/11/2007 12:04:00 AM | Attr = H ]
AntiSpy -> %SystemRoot%\AntiSpy -> [Folder | Modified Date = 6/2/2007 10:48:06 AM | Attr = ]
assembly -> %SystemRoot%\assembly -> [Folder | Modified Date = 6/5/2007 12:36:50 AM | Attr = R S]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 6/8/2007 11:12:38 AM | Attr = S]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 87040 bytes | Modified Date = 5/28/2007 4:23:12 AM | Attr = ]
cdplayer.ini -> %SystemRoot%\cdplayer.ini -> [Ver = | Size = 1863 bytes | Modified Date = 5/24/2007 11:57:54 AM | Attr = ]
Debug -> %SystemRoot%\Debug -> [Folder | Modified Date = 6/7/2007 5:24:50 AM | Attr = ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 5/30/2007 6:33:34 PM | Attr = S]
Help -> %SystemRoot%\Help -> [Folder | Modified Date = 6/7/2007 5:33:22 AM | Attr = ]
ie7 -> %SystemRoot%\ie7 -> [Folder | Modified Date = 6/7/2007 5:31:44 AM | Attr = H ]
ie7updates -> %SystemRoot%\ie7updates -> [Folder | Modified Date = 6/7/2007 5:21:46 AM | Attr = ]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1355 bytes | Modified Date = 6/8/2007 12:01:48 AM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 6/8/2007 11:14:56 AM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 6/7/2007 3:19:32 PM | Attr = HS]
LastGood -> %SystemRoot%\LastGood -> [Folder | Modified Date = 6/8/2007 11:14:50 AM | Attr = ]
Media -> %SystemRoot%\Media -> [Folder | Modified Date = 6/7/2007 5:32:02 AM | Attr = ]
Microsoft.NET -> %SystemRoot%\Microsoft.NET -> [Folder | Modified Date = 6/5/2007 12:36:48 AM | Attr = ]
Minidump -> %SystemRoot%\Minidump -> [Folder | Modified Date = 6/7/2007 10:46:10 AM | Attr = ]
mozver.dat -> %SystemRoot%\mozver.dat -> [Ver = | Size = 1156 bytes | Modified Date = 6/6/2007 10:53:18 AM | Attr = ]
NEWSOFT -> %SystemRoot%\NEWSOFT -> [Folder | Modified Date = 6/7/2007 9:43:54 PM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 6/8/2007 5:12:22 PM | Attr = ]
pss -> %SystemRoot%\pss -> [Folder | Modified Date = 6/7/2007 1:12:06 PM | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Modified Date = 6/7/2007 1:12:06 PM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Modified Date = 6/7/2007 1:12:06 PM | Attr = H ]
Sun -> %SystemRoot%\Sun -> [Folder | Modified Date = 6/7/2007 8:45:26 AM | Attr = ]
system.ini -> %SystemRoot%\system.ini -> [Ver = | Size = 227 bytes | Modified Date = 6/7/2007 1:12:06 PM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 6/8/2007 5:15:48 PM | Attr = ]
temp -> %SystemRoot%\temp -> [Folder | Modified Date = 6/8/2007 5:14:14 PM | Attr = ]
WBEM -> %SystemRoot%\WBEM -> [Folder | Modified Date = 6/7/2007 5:32:12 AM | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 798 bytes | Modified Date = 6/7/2007 1:12:06 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 6/8/2007 11:12:40 AM | Attr = H ]
amcompat.tlb -> %System32%\amcompat.tlb -> [Ver = | Size = 16832 bytes | Modified Date = 5/11/2007 11:47:56 PM | Attr = ]
CatRoot -> %System32%\CatRoot -> [Folder | Modified Date = 6/8/2007 8:55:58 AM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 6/8/2007 11:14:50 AM | Attr = ]
DirectX -> %System32%\DirectX -> [Folder | Modified Date = 6/5/2007 12:36:50 AM | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 6/8/2007 12:02:38 AM | Attr = RHS]
drivers -> %System32%\drivers -> [Folder | Modified Date = 6/7/2007 1:59:44 PM | Attr = ]
en-US -> %System32%\en-US -> [Folder | Modified Date = 6/8/2007 12:02:36 AM | Attr = ]
nscompat.tlb -> %System32%\nscompat.tlb -> [Ver = | Size = 23392 bytes | Modified Date = 5/11/2007 11:47:56 PM | Attr = ]
Restore -> %System32%\Restore -> [Folder | Modified Date = 6/6/2007 1:20:02 AM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 1158 bytes | Modified Date = 6/8/2007 11:13:54 AM | Attr = ]
etc -> %System32%\drivers\etc -> [Folder | Modified Date = 6/7/2007 10:54:46 AM | Attr = ]
klick.sys -> %System32%\drivers\klick.sys -> Kaspersky Lab [Ver = 2.0.0.410 | Size = 82258 bytes | Modified Date = 5/15/2007 9:11:12 PM | Attr = ]
klin.sys -> %System32%\drivers\klin.sys -> Kaspersky Lab [Ver = 2.0.0.410 | Size = 82258 bytes | Modified Date = 5/15/2007 9:12:08 PM | Attr = ]
secdrv.sys -> %System32%\drivers\secdrv.sys -> Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. [Ver = 4.00.060 | Size = 163644 bytes | Modified Date = 6/5/2007 12:42:52 AM | Attr = ]

[File String Scan - Non-Microsoft Only]
UPX! , WSUD , UPX0 , -> %SystemRoot%\pPokerSetup.exe -> [Ver = | Size = 3335839 bytes | Modified Date = 6/17/2005 7:41:44 PM | Attr = ]
@Alternate Data Stream - 0 bytes -> %SystemRoot%\Thumbs.db:encryptable -> 
WSUD , -> %System32%\ALSNDMGR.CPL -> Realtek Semiconductor Corp. [Ver = 2.2.16 | Size = 14204416 bytes | Modified Date = 12/19/2003 5:54:44 AM | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 8/29/2002 8:00:00 AM | Attr = ]
PEC2 , PECompact2 , -> %System32%\DivX.dll -> DivXNetworks [Ver = 6,0,0,1571 | Size = 692736 bytes | Modified Date = 6/9/2005 4:32:28 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/29/2002 8:00:00 AM | Attr = ]
PTech , -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/4/2004 1:41:38 AM | Attr = ]

< End of report >


----------



## cybertech (Apr 16, 2002)

I'll look at that log too but what I wanted was a hijackthis log.


----------



## smeginthuhead (Jun 6, 2007)

my bad man I hit the wrong icon...they are starting to run together.


----------



## smeginthuhead (Jun 6, 2007)

Logfile of HijackThis v1.99.1
Scan saved at 5:47:57 PM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DefenderPro AntiSpy\TSAntiSpy.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Joeph Madden\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xbox360.ign.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [LaunchAntiSpy] C:\Program Files\DefenderPro AntiSpy\TSAntiSpy.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Defender Pro Firewall.lnk = C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: DigiChat Applet - http://host.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139366229656
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe


----------



## smeginthuhead (Jun 6, 2007)

I appreciate you help by the way


----------



## cybertech (Apr 16, 2002)

That's ok, my threads are hard to keep up with too! Have to re-read them every time to see what's been done. 

You're welcome!!


See post #40, your java is still out of date.

I don't see any anti-virus running...

Any problems??


----------



## smeginthuhead (Jun 6, 2007)

well I have no Internet explorer now, and as far as anti-virus goes it shows up in the corner of my screen(the desktop tray I think) and it says it is running, but you are right it doesn't show as being on. I cannot use messenger at all either. There is NO trace of IE at all.


----------



## smeginthuhead (Jun 6, 2007)

Help???


----------



## cybertech (Apr 16, 2002)

Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and choose *Install* to extract it to its own folder on the Desktop. Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer 
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; 
Instead of Windows loading as normal, a menu with options should appear; 
Select the first option, to run Windows in Safe Mode, then press "Enter". 
Choose your usual account. 

 In Safe Mode, right click the SDFix.zip folder and choose *Extract All*, 
 Open the extracted folder and double click *RunThis.bat* to start the script. 
 Type *Y* to begin the script. 
 It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. 
 Press any Key and it will restart the PC. 
 Your system will take longer that normal to restart as the fixtool will be running and removing files. 
 When the desktop loads the Fixtool will complete the removal and display *Finished*, then press any key to end the script and load your desktop icons. 
 Finally open the SDFix folder on your desktop and copy and paste the contents of the results file *Report.txt* back onto the forum with a new HijackThis log


----------



## smeginthuhead (Jun 6, 2007)

SDFix: Version 1.86

Run by Joeph Madden - Mon 06/11/2007 - 6:00:18.90

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\JOEPHM~1\Desktop\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File 
Restoring Missing SharedAccess Service

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found

Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder 
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking if ADS is attached to ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"

Remaining Files:
---------------

Listing Files with Hidden Attributes:

C:\Documents and Settings\All Users\Documents\Books 3\freemasonry - Albert Pike - Morals and Dogma (Complete)\Morals-and-Dogma\www.illuminati-news.com\index.htm
C:\Documents and Settings\All Users\Documents\Books 3\freemasonry - Albert Pike - Morals and Dogma (Complete)\Morals-and-Dogma\www.illuminati-news.com\e-books\morals-dogma\albert_pike1r.jpg
C:\Documents and Settings\All Users\Documents\Books 3\freemasonry - Albert Pike - Morals and Dogma (Complete)\Morals-and-Dogma\www.illuminati-news.com\e-books\morals-dogma\albert_pike2r.jpg
C:\Documents and Settings\All Users\Documents\Books 3\freemasonry - Albert Pike - Morals and Dogma (Complete)\Morals-and-Dogma\www.illuminati-news.com\e-books\morals-dogma\apike.htm
C:\Documents and Settings\All Users\Documents\Books 3\freemasonry - Albert Pike - Morals and Dogma (Complete)\Morals-and-Dogma\www.illuminati-news.com\e-books\morals-dogma\apike01.htm
C:\Documents and Settings\All Users\Documents\Books 3\freemasonry - Albert Pike - Morals and Dogma (Complete)\Morals-and-Dogma\www.illuminati-news.com\e-books\morals-dogma\apike02.htm
C:\Documents and Settings\All Users\Documents\Books 3\freemasonry - Albert Pike - Morals and Dogma (Complete)\Morals-and-Dogma\www.illuminati-news.com\e-books\morals-dogma\apike03.htm
C:\Documents and Settings\All Users\Documents\Books 3\freemasonry - Albert Pike - Morals and Dogma (Complete)\Morals-and-Dogma\www.illuminati-news.com\e-books\morals-dogma\apike04.htm
C:\Documents and Settings\All Users\Documents\Books 3\freemasonry - Albert Pike - Morals and Dogma (Complete)\Morals-and-Dogma\www.illuminati-news.com\e-books\morals-dogma\apike05.htm
C:\Documents and Settings\All Users\Documents\Books 3\freemasonry - Albert Pike - Morals and Dogma (Complete)\Morals-and-Dogma\www.illuminati-news.com\e-books\morals-dogma\apike06.htm
C:\Documents and Settings\All Users\Documents\Books 3\freemasonry - Albert Pike - Morals and Dogma (Complete)\Morals-and-Dogma\www.illuminati-news.com\e-books\morals-dogma\apike07.htm
C:\Documents and Settings\All Users\Documents\Books 3\freemasonry - Albert Pike - Morals and Dogma (Complete)\Morals-and-Dogma\www.illuminati-news.com\e-books\morals-dogma\apike08.htm
C:\Documents and Settings\All Users\Documents\Books 3\freemasonry - Albert Pike - Morals and Dogma (Complete)\Morals-and-Dogma\www.illuminati-news.com\e-books\morals-dogma\apike09.htm
C:\Documents and Settings\All Users\Documents\Books 3\freemasonry - Albert Pike - Morals and Dogma (Complete)\Morals-and-Dogma\www.illuminati-news.com\e-books\morals-dogma\apike10.htm
C:\Documents and Settings\All Users\Documents\Books 3\freemasonry - Albert Pike - Morals and Dogma (Complete)\Morals-and-Dogma\www.illuminati-news.com\e-books\morals-dogma\apike11.htm
C:\Documents and Settings\All Users\Documents\Books 3\freemasonry - Albert Pike - Morals and Dogma (Complete)\Morals-and-Dogma\www.illuminati-news.com\e-books\morals-dogma\apike12.htm
C:\Documents and Settings\All Users\Documents\Books 3\freemasonry - Albert Pike - Morals and Dogma (Complete)\Morals-and-Dogma\www.illuminati-news.com\e-books\morals-dogma\apike12a.htm
C:\Documents and Settings\All Users\Documents\Books 3\freemasonry - Albert Pike - Morals and Dogma (Complete)\Morals-and-Dogma\www.illuminati-news.com\e-books\morals-dogma\apike12b.htm
C:\Documents and Settings\All Users\Documents\Books 3\freemasonry - Albert Pike - Morals and Dogma (Complete)\Morals-and-Dogma\www.illuminati-news.com\e-books\morals-dogma\apike12c.htm
C:\Documents and Settings\All Users\Documents\Books 3\freemasonry - Albert Pike - Morals and Dogma (Complete)\Morals-and-Dogma\www.illuminati-news.com\e-books\morals-dogma\apike13.htm
C:\Documents and Settings\All Users\Documents\Books 3\freemasonry - Albert Pike - Morals and Dogma (Complete)\Morals-and-Dogma\www.illuminati-news.com\e-books\morals-dogma\apikeintro.html
C:\Documents and Settings\All Users\Documents\Books 3\freemasonry - Albert Pike - Morals and Dogma (Complete)\Morals-and-Dogma\www.illuminati-news.com\e-books\morals-dogma\APikeMDfront.jpg
C:\Documents and Settings\All Users\Documents\Books 3\freemasonry - Albert Pike - Morals and Dogma (Complete)\Morals-and-Dogma\www.illuminati-news.com\e-books\morals-dogma\aqc.html
C:\Documents and Settings\All Users\Documents\Books 3\freemasonry - Albert Pike - Morals and Dogma (Complete)\Morals-and-Dogma\www.illuminati-news.com\e-books\morals-dogma\ode.html
C:\Documents and Settings\All Users\Documents\Books 3\freemasonry - Albert Pike - Morals and Dogma (Complete)\Morals-and-Dogma\www.illuminati-news.com\e-books\morals-dogma\pikecoverR.jpg
C:\WINDOWS\455373LL.DLL11
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\2CF17CE7EF.sys
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp

Listing User Accounts:

User accounts for \\OEMTEST-2S4KN5K

Administrator ASPNET Guest 
HelpAssistant Joeph Madden SUPPORT_388945a0

Finished


----------



## smeginthuhead (Jun 6, 2007)

Logfile of HijackThis v1.99.1
Scan saved at 6:10:39 AM, on 6/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\DefenderPro AntiSpy\TSAntiSpy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\All Users\Documents\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xbox360.ign.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [LaunchAntiSpy] C:\Program Files\DefenderPro AntiSpy\TSAntiSpy.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Defender Pro Firewall.lnk = C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: DigiChat Applet - http://host.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139366229656
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe


----------



## cybertech (Apr 16, 2002)

Please *download* the *OTMoveIt by OldTimer*.

 *Save* it to your *desktop*.
 Please double-click *OTMoveIt.exe* to run it.
*Copy the file paths below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy):

* C:\WINDOWS\455373LL.DLL11*

 Return to OTMoveIt, right click on the *"Paste List of Files/Folders to be moved"* window and choose *Paste*.
Click the red *Moveit!* button.
Close *OTMoveIt*
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

*Click here* to download *Dr.Web CureIt* and save it to your desktop.

Doubleclick the *drweb-cureit.exe* file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the *green arrow* at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found:








If so, click it and then click the next icon right below and select *Move incurable* as you'll see in next image:








This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click *file* and choose *save report list*
Save the report to your desktop. The report will be called *DrWeb.csv*
Close Dr.Web Cureit.
*Reboot* your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new Hijack This log.


----------



## smeginthuhead (Jun 6, 2007)

The Dr. Web.cvs file will not open. It asks for the program to open it. I have tried every program on the list it will not open.


----------



## cybertech (Apr 16, 2002)

Just post it here as an attachment.


----------



## smeginthuhead (Jun 6, 2007)

Yo is there any chance of my still finishing what we were doing I have been gone, but this mess is driving me up the wall I still cannot use IE or messenger and any programs connected to IE are iffy.


----------



## cybertech (Apr 16, 2002)

Yes we can continue. Post a new HJT log please.


----------



## smeginthuhead (Jun 6, 2007)

Logfile of HijackThis v1.99.1
Scan saved at 8:08:09 PM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\DefenderPro AntiSpy\TSAntiSpy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\All Users\Documents\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xbox360.ign.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [LaunchAntiSpy] C:\Program Files\DefenderPro AntiSpy\TSAntiSpy.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Defender Pro Firewall.lnk = C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: DigiChat Applet - http://host.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139366229656
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe


----------



## cybertech (Apr 16, 2002)

Looks fine. How is it running now? Any problems?


----------

